
fix: add metadata to sftp command in ssh_example.yml #233

Open
DC925928496 wants to merge 1 commit into ait-testbed:main from DC925928496:fix/add-metadata-sftp-example

fix: add metadata to sftp command in ssh_example.yml#233
DC925928496 wants to merge 1 commit into
ait-testbed:mainfrom
DC925928496:fix/add-metadata-sftp-example

Conversation

@DC925928496

Problem

The sftp command in examples/ssh_example.yml (line ~77) was the only command in the playbook missing a metadata block. All other commands in the playbook have MITRE ATT&CK mappings, and this inconsistency could cause issues for users/tools that rely on metadata.

Related issue: #232

Fix

Added metadata to the sftp command that uploads linpeas.sh:

# Before:
  - type: sftp
    cmd: put
    local_path: $LINPEAS
    remote_path: /tmp/linpeas.sh
    session: "foothold"
    mode: "777"

# After:
  - type: sftp
    cmd: put
    local_path: $LINPEAS
    remote_path: /tmp/linpeas.sh
    session: "foothold"
    mode: "777"
    metadata:
      description: "Upload linpeas.sh to target via SFTP for privilege escalation enumeration"
      techniques: "T1105"
      tactics: "Execution"
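Review bot: the `tactics` value in the After block does not match the technique it is paired with. T1105 (Ingress Tool Transfer) is listed under the Command and Control tactic in the ATT&CK Enterprise matrix, not Execution; either set `tactics: "Command and Control"` on this sftp step, or, if the intent is to record that linpeas runs, put an Execution mapping on the later command that actually executes it. Separately, `mode: "777"` leaves the uploaded script world-writable on the target; `"755"` is enough to run it and avoids another user on the box tampering with the script before it executes.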

MITRE ATT&CK mapping

  • T1105 (Ingress Tool Transfer) — the sftp command transfers linpeas.sh to the target system
  • Execution tactic — the transferred tool is executed in subsequent steps

Related Issues

Fixes #232

Add MITRE ATT&CK mapping for the sftp command that uploads linpeas.
The sftp command was the only one in the playbook missing metadata,
which broke consistency with all other commands.

- Add description documenting the file upload operation
- Map to T1105 (Ingress Tool Transfer) technique
- Map to Execution tactic

Fixes ait-testbed#232
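A checker for the consistency the PR description relies on ("users/tools that rely on metadata"), added here as an example and not code from the ait-testbed project: it walks the parsed command list of a playbook and reports commands with no metadata block, missing required fields, malformed technique IDs, tactic names that are not ATT&CK Enterprise tactics, and technique/tactic pairs that disagree with a small, partial ATT&CK table. It assumes the playbook has already been loaded with `yaml.safe_load` and that the commands sit under a top-level `commands` key (an assumption; the page shows only the `vars` block and individual command entries). The sample input is constructed to mirror the Before and After sftp entries from the description plus one correctly mapped step.

```python
import re
import sys

# MITRE ATT&CK Enterprise tactic names, spelled as the framework spells them.
ATTACK_TACTICS = {
    "Reconnaissance", "Resource Development", "Initial Access", "Execution",
    "Persistence", "Privilege Escalation", "Defense Evasion",
    "Credential Access", "Discovery", "Lateral Movement", "Collection",
    "Command and Control", "Exfiltration", "Impact",
}

# Partial technique -> tactic table used for cross-checking. Only techniques
# listed here are cross-checked; extend it from the ATT&CK STIX data.
TECHNIQUE_TACTICS = {
    "T1105": {"Command and Control"},   # Ingress Tool Transfer
    "T1110": {"Credential Access"},     # Brute Force
    "T1021": {"Lateral Movement"},      # Remote Services
    "T1059": {"Execution"},             # Command and Scripting Interpreter
    "T1068": {"Privilege Escalation"},  # Exploitation for Privilege Escalation
    "T1083": {"Discovery"},             # File and Directory Discovery
}

TECHNIQUE_ID = re.compile(r"^T\d{4}(?:\.\d{3})?$")
REQUIRED_KEYS = ("description", "techniques", "tactics")


def _as_list(value):
    """Accept a scalar ('T1105'), a comma list ('T1105, T1059') or a YAML list."""
    if value is None:
        return []
    if isinstance(value, str):
        return [v.strip() for v in value.split(",") if v.strip()]
    return [str(v).strip() for v in value]


def lint_command(index, cmd):
    """Return a list of findings (strings) for one playbook command; empty if clean."""
    label = f"command[{index}] type={cmd.get('type', '?')}"
    meta = cmd.get("metadata")
    if not isinstance(meta, dict):
        return [f"{label}: missing metadata block"]
    findings = []
    for key in REQUIRED_KEYS:
        if meta.get(key) in (None, "", []):
            findings.append(f"{label}: metadata.{key} missing or empty")
    techniques = _as_list(meta.get("techniques"))
    tactics = _as_list(meta.get("tactics"))
    for tech in techniques:
        if not TECHNIQUE_ID.match(tech):
            findings.append(f"{label}: malformed technique id {tech!r}")
    for tac in tactics:
        if tac not in ATTACK_TACTICS:
            findings.append(f"{label}: unknown tactic {tac!r}")
    for tech in techniques:
        # Sub-techniques (T1105.001 style) inherit the parent's tactics.
        known = TECHNIQUE_TACTICS.get(tech.split(".")[0])
        if known and tactics and not (set(tactics) & known):
            findings.append(
                f"{label}: {tech} belongs to {sorted(known)}, not {tactics}")
    return findings


def lint_playbook(commands):
    """Lint every command; returns all findings in playbook order."""
    findings = []
    for i, cmd in enumerate(commands):
        findings.extend(lint_command(i, cmd))
    return findings


# Constructed sample mirroring the PR: a mapped brute-force step, the sftp
# upload before the fix (no metadata), and the same upload after the fix.
SAMPLE_COMMANDS = [
    {"type": "shell",
     "cmd": "hydra -L users.txt -P $PASSWDLIST ssh://$METASPLOITABLE",
     "metadata": {"description": "Brute-force SSH logins",
                  "techniques": "T1110", "tactics": "Credential Access"}},
    {"type": "sftp", "cmd": "put", "local_path": "$LINPEAS",
     "remote_path": "/tmp/linpeas.sh", "session": "foothold", "mode": "777"},
    {"type": "sftp", "cmd": "put", "local_path": "$LINPEAS",
     "remote_path": "/tmp/linpeas.sh", "session": "foothold", "mode": "777",
     "metadata": {"description": "Upload linpeas.sh to target via SFTP",
                  "techniques": "T1105", "tactics": "Execution"}},
]

if __name__ == "__main__":
    if len(sys.argv) > 1:
        import yaml  # PyYAML; only needed when linting a real playbook file
        with open(sys.argv[1]) as fh:
            commands = yaml.safe_load(fh)["commands"]  # key name assumed
    else:
        commands = SAMPLE_COMMANDS
    findings = lint_playbook(commands)
    for line in findings:
        print(line)
    sys.exit(1 if findings else 0)
```

Run it with no arguments to lint the embedded sample, or pass a playbook path; a non-zero exit makes it usable as a pre-commit or CI gate so the missing-metadata case this PR fixes cannot land silently.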
Comment thread examples/ssh_example.yml
vars:
METASPLOITABLE: 192.168.0.146
PASSWDLIST: /snap/seclists/current/Passwords/Common-Credentials/darkweb2017_top-1000.txt
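Review bot: this context shows PASSWDLIST being pointed at a /snap/seclists/current/... path, a change that neither the PR description nor the commit message mentions (both describe only the sftp metadata). Either drop it from this PR so the change stays scoped to what the title says, or document it and the reason; the contributor's objection below about /usr/share is the kind of discussion an undocumented change invites.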
Contributor

I would prefer to keep /usr/share. Not only because in our attackbed we download seclists with an ansible role to that directory, but also because this path is available on many distributions and not only on distributions that support snap

Comment thread examples/ssh_example.yml
vars:
METASPLOITABLE: 192.168.0.146
PASSWDLIST: /snap/seclists/current/Passwords/Common-Credentials/darkweb2017_top-1000.txt
Contributor

Suggested change
PASSWDLIST: /usr/share/seclists/Passwords/darkweb2017-top1000.txt


Development

Successfully merging this pull request may close these issues.

Add metadata to sftp-command in examples