Chain Reactor: open source framework for composing executables

Chain Reactor

Chain Reactor is an open-source framework for composing executables that can simulate adversary behaviors and techniques on Linux endpoints. Executables can perform sequences of actions like process creation, network connections and more, through the simple configuration of a JSON file.

It assumes no prior engineering experience and can easily leverage tests or techniques from Atomic Red Team and MITRE ATT&CK.

How does it work?

It is responsible for running a reaction, which is composed of a list of objectives, called atoms. Each atom can contain one or many actions, called quarks. Quarks specify the action to take and the subsequent arguments to use.

While this might sound complex at first, this structure helps with pre-stage setup, multi-stage objectives, and post-stage cleanup.

Install

Install dependencies:

Debian:

sudo apt install musl-tools

RPM:

sudo yum install musl-tools

Clone the repo

git clone https://github.com/redcanaryco/chain-reactor.git
cd chain-reactor
make

Use

An illustrative example

Let’s start with a basic chain reaction:

reaction.json

{

    "name": "simple_reaction",

    "atoms": [

        "HIDDEN-PROCESS-EXEC"

    ]

}

atoms.json

{

    "name" : "HIDDEN-PROCESS-EXEC",

    "execve" : [ "mkdir”, “-p”, “/tmp/.hidden” ],

    "copy" : [ “/proc/self/exe", "/tmp/.hidden/.chain_reactor_hidden" ],

    "execveat" : [ "/tmp/.hidden/.chain_reactor_hidden", "exit" ],

    "remove" : [ "/tmp/.hidden" ]

}

To build the ELF executable, we run the following:

python3 compose_reaction atoms.json reaction.json <output_name_for_executable>

The details:

• The chain reaction simple_reaction is composed of one objective (atom) called HIDDEN-PROCESS-EXEC.
• This atom is composed of four actions (quarks).
• The first quark utilizes the execve system call to create a hidden directory.
• The second quark utilizes a built-in function to copy the current running chain reactor process (/proc/self/exe) to the newly created hidden directory as a hidden file.
• The third quark utilizes a different system call, execveat, to execute the hidden chain reactor binary. The exit argument instructs the newly created chain reactor process to exit without performing additional operations.
• The fourth quark deletes the hidden directory and hidden file.

Here are some questions this chain reaction can help you answer:

• Visibility: Does my endpoint security product collect telemetry for all four quarks? Does it handle one, many, or all system calls that can be used to execute a binary?
• Detection: Does my endpoint security product alert me to the execution of a hidden binary in a hidden directory?

Tutorial

Copyright (c) 2020 Red Canary, Inc.