
Injects

Injects are fundamental elements of simulations within OpenAEV, each representing a discrete action to be executed during a Scenario. Managed and facilitated by various injectors, each inject type serves a distinct purpose, contributing to the comprehensive evaluation of defenses.

Create an inject

Whether intended for Atomic testing or for a Simulation, the process for creating injects remains consistent within OpenAEV.

Screenshot of a filtered list of injects during the selection process

For Atomic testing

To create an inject for atomic testing, navigate to the "Atomic testing" section located in the left-hand banner. Click on the "+" icon in the bottom right corner to initiate the inject creation process.

For Scenarios and Simulations

For injects intended for use within simulations, access the desired Scenario or Simulation and navigate to the "Injects" tab. Click on the "+" icon in the bottom right corner of the screen to open the inject creation panel.

Note that an inject defined in a Scenario is used in all of that scenario's subsequent simulations. An inject defined at the simulation level is not copied back into the Scenario itself, so it will not appear in the scenario's future simulations.

Inject creation process

Once the inject creation panel is open, you can proceed to configure the inject according to your requirements. Key steps in the creation process include:

1. Choose the type of inject

You first need to select an inject from the list of available ones (on the left of the creation screen). The logo on the left of each line indicates which Injector is associated with that inject. Depending on your integrations, this list can be long.

To make selection easier in this possibly very long list, you can search injects by name and filter the list, for instance by selecting a specific MITRE ATT&CK technique.

2. Set inject parameters

When you select an inject on the left, the form on the right is populated with a default title and lets you define:

  • Descriptive information: Fill in details such as the title, description, and relevant tags to categorize the inject effectively.
  • Execution timing: If you are creating your inject in the context of a scenario or simulation, you have to set the timing for when the inject should be executed within the simulation timeline, ensuring it aligns with the overall scenario progression.

By clicking on "Inject content", you can define now or later:

  • Inject targets: Specify the targets for the inject, which may include players and teams, or assets and asset groups, depending on the inject chosen.
  • Expectations: Define the expected outcomes or responses to the inject, outlining the desired actions or behaviors by players.
  • Attachments: Attach any relevant documents or resources to provide additional context or information related to the inject.
  • Additional fields: Depending on the type of Inject selected, you may have access to additional fields specific to that inject type. These fields may include the subject and body of an email, channel pressure settings for public communications, obfuscation options, and more.

The "available variables" button helps you use already defined variables in compatible fields.

screenshot of the inject creation panel

By following these steps and providing the necessary information, you can create injects tailored to your specific testing or simulation objectives.

Output Parsing

The injector captures and parses the JSON output of Nuclei, and returns:

  • Confirmed findings (if any) with severity and CVE IDs
  • Other lines as unstructured output

Target Selection

The targets vary based on the provided input type:

If target type is Assets:

  Targeted Property     Source Property
  Seen IP               Seen IP address
  Local IP (first)      IP Addresses (first)
  Hostname              Hostname

If target type is Manual:

  • Hostnames or IP addresses are provided directly as comma-separated values.

Results

Scan results are categorized into:

  • CVEs (based on template classifications)
  • Other vulnerabilities (general issues found)

If no vulnerabilities are detected, the injector will clearly indicate this with a "Nothing Found" message.
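The parsing and categorisation described in the "Output Parsing" and "Results" sections above, as an added example that is not the injector's own code: it splits raw Nuclei JSON-lines output into structured findings and unstructured lines, then sorts findings into CVEs versus other vulnerabilities, falling back to "Nothing Found". The field names (`template-id`, `info.severity`, `info.classification.cve-id`, `matched-at`) are those of Nuclei's JSON export; the sample output and CVE ids are constructed placeholders.

```python
import json

# Constructed sample of Nuclei JSON-lines output mixed with a non-JSON banner line
# (not real scan data; the CVE id is a placeholder).
SAMPLE_OUTPUT = """\
[INF] Using Nuclei Engine (constructed banner line)
{"template-id": "example-cve-check", "info": {"name": "Example CVE check", "severity": "high", "classification": {"cve-id": ["CVE-0000-0001"]}}, "host": "10.0.0.5", "matched-at": "http://10.0.0.5:8080/"}
{"template-id": "http-missing-headers", "info": {"name": "Missing security headers", "severity": "info"}, "host": "10.0.0.5", "matched-at": "http://10.0.0.5:8080/"}
"""


def parse_nuclei_output(raw):
    """Split raw scanner output into structured findings and unstructured lines."""
    findings, other = [], []
    for line in raw.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            rec = json.loads(line)
        except json.JSONDecodeError:
            other.append(line)  # banners and warnings are kept verbatim
            continue
        info = rec.get("info", {})
        cves = (info.get("classification") or {}).get("cve-id") or []
        if isinstance(cves, str):  # older Nuclei versions emit a single string
            cves = [cves]
        findings.append({
            "template": rec.get("template-id", "unknown"),
            "severity": info.get("severity", "unknown"),
            "cves": list(cves),
            "target": rec.get("matched-at") or rec.get("host"),
        })
    return {"findings": findings, "other": other}


def categorize(parsed):
    """Apply the page's result categories: CVEs, other vulnerabilities, or Nothing Found."""
    cves = [f for f in parsed["findings"] if f["cves"]]
    other_vulns = [f for f in parsed["findings"] if not f["cves"]]
    message = None if (cves or other_vulns) else "Nothing Found"
    return {"cves": cves, "other_vulnerabilities": other_vulns, "message": message}
```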


Inject tests

You can test direct contact injects in simulations and scenarios.

Warning

For now, only email and SMS injects are covered by this feature.

Note

Only the latest test is displayed for each inject.

Unit test

You can test injects one at a time.

Inject test in a Simulation

In the injects list of your simulation or scenario, open the contextual menu of an email or SMS inject and click on "Test". A confirmation dialog appears, in which you can confirm or cancel the test.

Inject test result in a Simulation

After launching the test, an alert appears at the top of the page. Click on the "dedicated page" link: you are redirected to the tests list, and a drawer with the execution details of the test opens.

Inject test details in a Simulation

Warning

The option is disabled if your inject doesn't have any teams.

Bulk test

You can test injects in bulk.

Inject test in bulk in a Simulation

Select the injects you want to test, then click on the bug icon. A confirmation dialog appears, in which you can confirm or cancel the launch of the test.

Inject test in bulk in a Simulation

As mentioned in the dialog, only SMS and email injects will be tested. The emails and SMS messages are sent to the current user.

After the launch of the test, you are redirected to the tests list page.

Replay tests

Each test in the list has a menu allowing users to delete or replay the test.

Inject test replay

After confirming the replay of the test, the details are updated.

The user can also replay all the tests in the list. An icon similar to the one in the injects toolbar is available at the top of the list. After clicking on it, the user confirms the tests launch and the details are updated.

Inject status

Inject status using the OpenAEV agent

All targets that are selected for the inject are available on the Targets panel on the left side of the screen. There is a tab for each target type (Asset group, Endpoint, Agent, Team and Player), and only the tabs that have at least one active target are visible on the screen.

Since there may be a large number of targets of the same type (depending on your selection), a pagination utility with various filters is provided to help skim through the list.

Viewing Execution Traces

When you create a technical Inject, you assign it to endpoints, each of which may have one or multiple agents. As the inject executes, agents communicate their progress to the OBAS Server, which logs detailed execution traces.

In the "Execution details" tab, you can see the traces related to the overall execution of the inject. On the "Execution" tab of the inject's overview page, you will find the traces for each individual target, including both endpoints and agents. This lets you track the progress of the execution at both the agent and endpoint levels. Each agent produces several traces, which represent the different steps of the execution process, such as:

  • Prerequisite checks (validation before execution)
  • Prerequisite retrieval (only if the check fails)
  • Attack command
  • Cleanup commands

Inject execution details

Warning

If a prerequisite check succeeds, the prerequisite retrieval step is skipped. However, the UI always marks prerequisite checks as "SUCCESS", so to verify the actual result of that step you must inspect the stderr logs.

Trace Statuses

Each execution step reports a status:

  • ✅ SUCCESS – Command executed successfully
  • ⚠️ WARNING – Executed with minor issues
  • ❓ MAYBE_PREVENTED – A generic error occurred, possibly due to firewall restrictions
  • 🚫 COMMAND_CANNOT_BE_EXECUTED – Found but couldn't execute (e.g., permission issues)
  • ❌ COMMAND_NOT_FOUND – Executor couldn't find the command
  • 🛑 ERROR – General failure

All execution logs are stored on the OBAS Server, which later processes them to determine agent and inject statuses.

Agent Status Computation

When an agent completes execution, the server retrieves all traces and computes an agent status based on the following rules:

  • All traces SUCCESS → Agent status = INJECT EXECUTED
  • All traces ERROR → Agent status = ERROR
  • All traces MAYBE_PREVENTED → Agent status = MAYBE_PREVENTED
  • At least one SUCCESS trace → Agent status = PARTIAL
  • Otherwise → Agent status = MAYBE_PARTIAL_PREVENTED

Inject Status Computation

After all agents have completed their execution, the system calculates the Inject status using the same logic applied to compute the agent status.
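The agent and inject status rules above, applied in the order the page lists them, as an added example that is not OpenAEV's own code. It assumes that at inject level an agent status of INJECT EXECUTED plays the role that a SUCCESS trace plays at agent level; the trace lists are constructed.

```python
# Trace and agent status names as listed on the page.
TRACE_SUCCESS = "SUCCESS"
AGENT_EXECUTED = "INJECT EXECUTED"


def compute_status(statuses, success, executed):
    """Apply the page's five rules, in order, to a list of statuses.

    `success` is the value that counts as a successful element (a SUCCESS trace,
    or an INJECT EXECUTED agent); `executed` is returned when every element succeeds.
    """
    if not statuses:
        raise ValueError("no statuses reported yet")
    if all(s == success for s in statuses):
        return executed
    if all(s == "ERROR" for s in statuses):
        return "ERROR"
    if all(s == "MAYBE_PREVENTED" for s in statuses):
        return "MAYBE_PREVENTED"
    if any(s == success for s in statuses):
        return "PARTIAL"
    # WARNING, COMMAND_NOT_FOUND, COMMAND_CANNOT_BE_EXECUTED and mixed failures
    # are not listed as SUCCESS on the page, so they end up here.
    return "MAYBE_PARTIAL_PREVENTED"


def agent_status(traces):
    """traces: list of {"step": ..., "status": ...} dicts reported by one agent."""
    return compute_status([t["status"] for t in traces], TRACE_SUCCESS, AGENT_EXECUTED)


def inject_status(agent_statuses):
    """Assumption: the same rules, with INJECT EXECUTED standing in for SUCCESS."""
    return compute_status(agent_statuses, AGENT_EXECUTED, AGENT_EXECUTED)


# Constructed traces covering the execution steps the page lists.
CLEAN_AGENT = [
    {"step": "prerequisite check", "status": "SUCCESS"},
    {"step": "attack command", "status": "SUCCESS"},
    {"step": "cleanup command", "status": "SUCCESS"},
]
PREVENTED_AGENT = [
    {"step": "prerequisite check", "status": "SUCCESS"},
    {"step": "attack command", "status": "MAYBE_PREVENTED"},
    {"step": "cleanup command", "status": "SUCCESS"},
]

if __name__ == "__main__":
    statuses = [agent_status(CLEAN_AGENT), agent_status(PREVENTED_AGENT)]
    print(statuses, "->", inject_status(statuses))  # ['INJECT EXECUTED', 'PARTIAL'] -> PARTIAL
```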

Alert Details

Once an inject has been executed, you can access the details of the alerts raised on the security platforms (SIEM or EDR) linked to the EDRs installed on the tested assets.

Inject execution traces details

By selecting an agent on the Targets panel, you can access the traces details that were retrieved by OpenAEV.

In the example above, there are 2 agents on the vm3.obas.lan asset. There are detections on the OpenAEV agent, while the CrowdStrike agent has none yet (it can take several minutes for the traces to show up in OpenAEV).

By clicking on the OpenAEV agent, we can see that the inject's payload was already detected by the CrowdStrike Falcon EDR while more detections might arrive at a later point. We can also see that there was one alert identified on CrowdStrike Falcon EDR.

To get the details of this alert, you can click on the CrowdStrike line to see this:

Inject execution traces alert details

On this new panel, you can click on the alert name, and you will be redirected to the alert details on the corresponding security platform.

Warning

It can take some time for the details to appear after the execution of an inject, sometimes up to several minutes.

Adding manual results

In some cases, or for some kinds of injects, it may not be possible to retrieve results automatically. You can then add results to an inject manually by clicking on the shield icon named "Add a result".

Adding a manual result

This will open the following popup:

Adding a manual result popup

You can then fill the form with the result you want to add.

Conditional execution of injects

You can add conditions to an inject, ensuring it is triggered at a specific time only if the specified conditions are met. These conditions typically relate to whether an expectation is fulfilled or not, but they can also pertain to the success or failure of an execution. There are several methods to achieve this.

Using the update form

You can set conditions when updating an inject. In the inject update form, there is a tab "Logical Chains" for that.

Logical chains form

As you can see, you can assign a Parent and multiple Children. A Parent indicates that the current inject will only execute if the conditions set on the Parent are met at the time of execution. Similarly, a Child will execute at the specified time only if the conditions set on the current inject are satisfied.

The conditions you can set include the expectations for the inject and whether its execution was successful or not. You can select the desired expectation and Success/Fail status by clicking on them.

Modifying chains value form

You can also toggle whether all conditions must be met or just one by clicking on the small OR/AND cards. Note that these settings are interconnected, so you cannot assign different values to them.

Using the timeline

You can also quickly create conditions between injects. To do so, go to the timeline view of injects and place your cursor on the small point on the left or right of each inject. You can then drag and drop a link from one point to another.

Creating chains in the timeline

The links created in this way will default to an expectation of "Execution is Success" and must be updated using the injects' update form. Additionally, you can reposition links between injects or remove them entirely by dragging them to an empty space.

Export & Import Injects

The Export & Import functionality allows users to transfer injects between simulations, scenarios, and atomic testings. Injects are exported along with their configuration details and can be imported across different instances.

Export Injects

Users can export injects from simulations, scenarios, or atomic tests. The exported injects will retain their configuration details, which include:

  • Arguments
  • Content
  • Tags
  • Expectations

Export Rules

  • Multiple injects can be exported at once for scenarios and simulations.
  • Atomic testing restriction: Only one atomic test can be exported at a time.
  • Teams/Players can be optionally included in the export.
  • Assets are never exported.
  • Permissions Required: Read privileges are required on the Scenario or Simulation to perform an export. Atomic testings require Admin privileges.

Screenshots: export in atomic testing, export in simulation (page and menu), export in scenario (page and menu)

Import Injects

Users can import injects into simulations, scenarios, or atomic tests, regardless of the instance from which they were originally exported.

Import Rules

  • Injects from any source (atomic testing, scenarios, or simulations) can be imported into any other instance (scenarios, simulations, or atomic testing).
  • Permissions Required: Write privileges are required on the destination object (Scenario or Simulation) to perform an import. Atomic testings require Admin privileges.

Screenshots: import in atomic testing, import in simulation, import in scenario

This feature enables seamless sharing of injects across different environments, ensuring flexibility and efficiency in exercises.