Scripting against the RedMimicry Server

The RedMimicry server exposes much of its functionality through an HTTP API. This API is accessible on port 8080/tcp on the same interface as the frontend.

Authentication is implemented with a shared secret sent in the auth-token header field. The authentication token is displayed in the CLI output of the RedMimicry server and is the same secret that is used to authenticate on the web frontend.

Currently there is no comprehensive public documentation of the API. However, some of its functionality is implemented in a Python library that is available at https://github.com/GitMirar/RedMimicryPythonScripting and is being expanded step by step to cover more of the API.

Actor Emulation Bot

In order to demonstrate a practical use case, I implemented a bot which extends the breach emulation playbook by executing additional commands on the system shell after the emulated Winnti staging has completed.

The bot uses the core/shell endpoint, which shows the executed commands and their output in the web interface shell view of the respective agent. This endpoint is particularly useful because it provides all the functionality of the agent command shell.
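The following is an added example of the authenticated request pattern the two preceding sections describe (shared secret in the auth-token header, API on port 8080/tcp, the core/shell endpoint); it is not code from the RedMimicry project or its Python library. Everything beyond the port, the header name and the endpoint name is an assumption: that the API speaks JSON, that the token is read from a REDMIMICRY_TOKEN environment variable rather than hard-coded, and the field names of the core/shell request body. The RecordingOpener is a constructed stand-in for urlopen so the client runs offline.

```python
"""Minimal authenticated client for the RedMimicry HTTP API (added example).

Assumptions (not taken from the page or the project): the API speaks JSON,
the token comes from the REDMIMICRY_TOKEN environment variable, and the
core/shell request body looks like {"agent": ..., "command": ...}.
Only the port (8080/tcp), the auth-token header and the endpoint name
core/shell come from the page.
"""
import json
import os
import urllib.error
import urllib.request

# Same interface as the frontend, port 8080/tcp (from the page); host is assumed.
DEFAULT_BASE_URL = "http://127.0.0.1:8080"


class RedMimicryClient:
    """Sends requests carrying the shared secret in the auth-token header."""

    def __init__(self, token, base_url=DEFAULT_BASE_URL, opener=None):
        if not token:
            raise ValueError("an auth token is required")
        self.token = token
        self.base_url = base_url.rstrip("/")
        # The opener is injectable so the client can be exercised offline.
        self._open = opener or urllib.request.urlopen

    def _request(self, method, path, payload=None):
        url = f"{self.base_url}/{path.lstrip('/')}"
        headers = {"auth-token": self.token}
        data = None
        if payload is not None:
            data = json.dumps(payload).encode("utf-8")
            headers["Content-Type"] = "application/json"
        req = urllib.request.Request(url, data=data, headers=headers, method=method)
        try:
            with self._open(req, timeout=10) as resp:
                body = resp.read()
        except urllib.error.HTTPError as err:
            if err.code in (401, 403):
                # Wrong or missing shared secret: fail loudly instead of retrying.
                raise PermissionError(
                    f"{method} {url}: rejected ({err.code}); check the auth-token value"
                ) from err
            raise
        return json.loads(body) if body else None

    def get(self, path):
        return self._request("GET", path)

    def post(self, path, payload):
        return self._request("POST", path, payload)

    def shell(self, agent_id, command):
        # Assumed payload shape; take the real field names from the Python library.
        return self.post("core/shell", {"agent": agent_id, "command": command})


def token_from_env(var="REDMIMICRY_TOKEN"):
    """Read the token from the environment so scripts never hard-code it (assumed variable name)."""
    token = os.environ.get(var)
    if not token:
        raise RuntimeError(f"set {var} to the token printed by the RedMimicry server CLI")
    return token


class _CannedResponse:
    """File-like object mimicking what urlopen returns."""

    def __init__(self, body):
        self._body = body

    def __enter__(self):
        return self

    def __exit__(self, *exc):
        return False

    def read(self):
        return self._body


class RecordingOpener:
    """Constructed stand-in for urlopen: records each request and returns a canned reply."""

    def __init__(self, reply, status=200):
        self.reply = reply
        self.status = status
        self.requests = []

    def __call__(self, req, timeout=None):
        self.requests.append(req)
        if self.status >= 400:
            raise urllib.error.HTTPError(req.full_url, self.status, "canned error", {}, None)
        return _CannedResponse(json.dumps(self.reply).encode("utf-8"))


if __name__ == "__main__":
    # Offline demo with the recording opener; drop the opener argument to talk to a real server.
    opener = RecordingOpener({"status": "queued"})
    client = RedMimicryClient("demo-token", opener=opener)
    print(client.shell("agent-1", "hostname"))
    sent = opener.requests[0]
    print(sent.get_method(), sent.full_url, dict(sent.header_items()))
```

With a real server, construct the client as `RedMimicryClient(token_from_env())` and leave the opener at its default; a 401 or 403 surfaces as a PermissionError, which is the first thing to check when the token printed by the server CLI and the one in the script drift apart.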

This bot is a template that you can extend to match your own requirements.