A set of scripts using PyMISP to extend MISP for automated payload testing.

User Documentation, click on the mind-map topics/nodes to explore further.

Demo of CVE-2017-0199 payload (YouTube link)

Sh0ut 0utz

Big thank you to the awesome folks @ & Harvard-IT-security

Under-the-hood (TL;DR)

APTC overview

  • Assuming the test-case & target events are set up properly, tagging a test-case event with the test-start tag will launch
  • in turn launches to query Graylog with a pre-defined query statement to find an indicator of success
  • It is up to you to decide what you mean by success/hit; typically a Product-under-Test will emit logs when it catches a payload. When the query can't find the indicators after a certain amount of time, the test is deemed a 'miss'
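
The hit-or-miss decision described above, as an added example (not APTC's own code). The function name `await_verdict`, the `search` callable standing in for the Graylog query, the message fields, the query string and the sample log lines are all assumptions. It goes one step beyond the text by discarding detections logged before the payload was written, so a stale log line from an earlier run is not counted as a hit.

```python
import time


def await_verdict(search, query, dropped_at, timeout_s=300.0, interval_s=10.0,
                  clock=time.time, sleep=time.sleep):
    """Poll search(query) until a log message newer than dropped_at appears.

    search: callable returning a list of dicts with 'timestamp' (epoch seconds)
            and 'message'; a hypothetical stand-in for the Graylog query.
    dropped_at: epoch time at which the payload was written to the target share.
    Returns a dict whose 'verdict' is 'hit' or 'miss'.
    """
    deadline = dropped_at + timeout_s
    polls = 0
    while True:
        polls += 1
        # Ignore detections logged before this payload was written: they belong
        # to an earlier run and would turn a miss into a false hit.
        fresh = [m for m in search(query) if m["timestamp"] >= dropped_at]
        if fresh:
            first = min(fresh, key=lambda m: m["timestamp"])
            return {"verdict": "hit", "polls": polls,
                    "latency_s": first["timestamp"] - dropped_at,
                    "evidence": first["message"]}
        remaining = deadline - clock()
        if remaining <= 0:
            # The last poll ran at or after the deadline and still found nothing.
            return {"verdict": "miss", "polls": polls,
                    "latency_s": None, "evidence": None}
        sleep(min(interval_s, remaining))


if __name__ == "__main__":
    # Constructed sample data: one stale detection, one that lands 25 s after the drop.
    now = {"t": 1000.0}
    logs = [{"timestamp": 900.0, "message": "AV blocked sample.rtf on WIN10-A"},
            {"timestamp": 1025.0, "message": "AV blocked sample.rtf on WIN10-A"}]
    fake_search = lambda q: [m for m in logs if m["timestamp"] <= now["t"]]
    fake_sleep = lambda s: now.__setitem__("t", now["t"] + s)
    print(await_verdict(fake_search, 'source:WIN10-A AND "sample.rtf"', 1000.0,
                        timeout_s=60, clock=lambda: now["t"], sleep=fake_sleep))
```

The recorded latency is the time from payload drop to the first fresh detection, which lets you compare how quickly different products under test react.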

Installation steps for MISP host

  1. git clone
  2. Edit /Controller/EventsController.php
  3. Find Tag added, you should locate "return new CakeResponse(array('body'=> json_encode(array('saved' => true, 'success' => 'Tag added..."

Add the line below above the return statement

// escapeshellarg() keeps the event id from being interpreted by the shell.
if ($tag['Tag']['name']=="aptc:test-start") shell_exec("python3 /var/www/MISP/tools/aptc/ -id ".escapeshellarg($id)." > /dev/null 2>/dev/null &");

  1. Create aptc folder under MISP tools directory
  2. Copy all the aptc scripts to that folder & adjust permissions accordingly (e.g. readable for www-data, chmod +x *.py)
  3. Create aptc folder under /var/www/MISP/app/files/taxonomies/ (or equivalent)
  4. Copy machinetag.json into that folder, update your tags & enable all of them
  5. Edit to set misp_url & key
  6. Create target paths (samba mount point) to write payloads to (give appropriate permissions for read/write)
  7. Install Samba & set up a share for targets to mount (by default APTC writes to /opt/aptc/targets/HOSTNAME, i.e. share /opt/aptc/targets. You can change it by editing Refer to to understand how this whole thing works)

Installation steps for Windows target(s)

  1. Mount the samba shared folder in your Windoze
  2. Copy filemonitor.vbs to the target(s), make it auto-run upon login (target should auto-login)

Useful links

Most convenient way to set up the latest MISP:

