📄 Generation file

This is the main advantage of the tool. You define in a file every trace you want to generate, so you can easily build complex behaviour or chain the traces you want to detect.

🥷 Quick example

Let's look at a simple example that spoofs the parent process identifier of Cargo:

cargo_spoofing.toml
[metadata]
name = "Cargo Parent Process Identifier Spoofing"
version = "0.0.1"
references = []

[[metadata.authors]]
name = "AntwortEinesLebens"
email = "AntwortEinesLebens@proton.me"

[[metadata.authors]]
name = "frack113"

[[traces]] # (1)!
[traces.spoofing]
executable = "cargo.exe"
parent_executable = "explorer.exe"
  1. This line must precede every trace declaration: it tells TOML that "traces" is an array of tables.

The "metadata" section includes useful information for readers of this file. The tool doesn't use it, but it displays it. The most important part is the "traces." It's a list of the traces that will be generated. Before each trace declaration, the [[traces]] line must be present. It tells to toml that "traces" is an array of tables. For more information, check out the TOML specification. After this required line, we provide the trace we want to generate, along with its parameters.

Order of execution

Keep in mind that traces are created top to bottom, in the order in which they are defined in the generation file.

Automatic API

The good news is that the configuration of the traces is the same as the one defined in the CLI.

Now you can easily generate your traces with the following command:

mtg generate cargo_spoofing.toml

This example should help you write your own generation file. For all the details about this file, look at the rest of this page.

📄 Specification

This will show you all the information about the generation file.

🗃 Metadata

This section has all the information that maintainers and consumers of this file may need. The software doesn't use it; it just displays it.

🏷 Name

This field is used to show either the name of the file or the malware being imitated.

[metadata]
name = "WannaCry"

📌 Version

This field is used to indicate either the version of the file or the version of the malware being imitated.

[metadata]
version = "0.1.0"

🔗 References

This field is used to provide a list of links that are used as references when creating the traces.

[metadata]
references = [
  "https://shaquibizhar.medium.com/parent-process-spoofing-and-how-to-detect-them-7fb1ec8182e2",
  "https://systemweakness.com/byovd-a-kernel-attack-stealthy-threat-to-endpoint-security-ec809272e505",
]

👥 Authors

This part is optional. Use it to declare one or more authors of the generation file.

[[metadata.authors]]
name = "AntwortEinesLebens"
email = "AntwortEinesLebens@proton.me"

[[metadata.authors]]
name = "frack113"
🏷 Name

This field is used to give an author a name or a pseudonym.

[[metadata.authors]]
name = "frack113"
📧 Email

This field is optional. Use it when you want to provide an email address for an author.

[[metadata.authors]]
email = "AntwortEinesLebens@proton.me"

👣 Traces

This is the main section, where you declare all the traces you want to generate. Here's how you pass a trace you want to generate:

[[traces]] # (1)!
[traces.trace_to_generate]
first_parameter = true
second_parameter = ["This is a string :)"]
  1. This line must precede every trace declaration: it tells TOML that "traces" is an array of tables.

The names of the traces and of their parameters map directly to the names and parameters used by the CLI. If a parameter's type or name changes in the CLI, you'll need to update this file, because it won't match the trace anymore.
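As an added example that is not part of the mtg tool or its documentation, here is a small Python validator for a generation file as specified on this page. It assumes only the rules the text states (a string name and version under metadata, an optional authors list whose entries need a name, and traces as a non-empty array of tables with one trace per entry) and returns the traces in their top-to-bottom order of execution, rejecting the common mistake of writing [traces] instead of [[traces]].

```python
try:
    import tomllib                      # Python 3.11+
except ImportError:
    import tomli as tomllib             # older interpreters: pip install tomli

# Constructed sample: the cargo_spoofing.toml from the quick example above.
SAMPLE = """[metadata]
name = "Cargo Parent Process Identifier Spoofing"
version = "0.0.1"
references = []
[[metadata.authors]]
name = "AntwortEinesLebens"
email = "AntwortEinesLebens@proton.me"
[[metadata.authors]]
name = "frack113"
[[traces]]
[traces.spoofing]
executable = "cargo.exe"
parent_executable = "explorer.exe"
"""

def load_generation_file(text):
    """Return (metadata, [(trace_name, parameters), ...]) in file order,
    which is the order in which the traces are generated."""
    doc = tomllib.loads(text)
    meta = doc.get("metadata", {})
    for key in ("name", "version"):
        if not isinstance(meta.get(key), str):
            raise ValueError(f"metadata.{key} must be a string")
    for author in meta.get("authors", []):
        if "name" not in author:              # email is optional, name is not
            raise ValueError("each [[metadata.authors]] entry needs a name")
    traces = doc.get("traces")
    # Writing [traces] instead of [[traces]] yields a table, not an array of
    # tables, so traces could neither be repeated nor ordered: reject it.
    if not isinstance(traces, list) or not traces:
        raise ValueError("traces must be a non-empty array of tables ([[traces]])")
    ordered = []
    for i, entry in enumerate(traces):
        if len(entry) != 1:
            raise ValueError(f"traces[{i}] must declare exactly one trace")
        ((name, params),) = entry.items()
        if not isinstance(params, dict):
            raise ValueError(f"traces[{i}].{name} must be a table of parameters")
        ordered.append((name, params))
    return meta, ordered
```

Calling load_generation_file(SAMPLE) yields the single trace ("spoofing", {"executable": "cargo.exe", "parent_executable": "explorer.exe"}); appending further [[traces]] entries returns them in the order written.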