diff --git a/docs/administration/enterprise.md b/docs/administration/enterprise.md index a2555126..5217e0a5 100644 --- a/docs/administration/enterprise.md +++ b/docs/administration/enterprise.md 
@@ -42,34 +42,34 @@ Be able to use AI for content generation including emails, media pressure articl ### CrowdStrike Falcon Agent -The CrowdStrike Falcon Agent can be leveraged to execute implants as detached processes that will then execute payloads +The CrowdStrike Falcon Agent can be leveraged to execute implants as detached processes that will then execute threat arsenal actions according to the [OpenAEV architecture](../deployment/platform/overview.md#architecture) ### Tanium Agent -The Tanium Agent can be leveraged to execute implants as detached processes that will then execute payloads +The Tanium Agent can be leveraged to execute implants as detached processes that will then execute threat arsenal actions according to the [OpenAEV architecture](../deployment/platform/overview.md#architecture) ### SentinelOne Agent -The SentinelOne Agent can be leveraged to execute implants as detached processes that will then execute payloads +The SentinelOne Agent can be leveraged to execute implants as detached processes that will then execute threat arsenal actions according to the [OpenAEV architecture](../deployment/platform/overview.md#architecture) ### Palo Alto Cortex Agent -The Palo Alto Cortex Agent can be leveraged to execute implants as detached processes that will then execute payloads +The Palo Alto Cortex Agent can be leveraged to execute implants as detached processes that will then execute threat arsenal actions according to the [OpenAEV architecture](../deployment/platform/overview.md#architecture). -On Windows, because Palo Alto Cortex whitelists its own process tree, OpenAEV creates a scheduled task to detach the process that will execute the payloads. +On Windows, because Palo Alto Cortex whitelists its own process tree, OpenAEV creates a scheduled task to detach the process that will execute the threat arsenal actions. ## Remediations in CVES More detail: [CVES](taxonomies.md) and [Findings view](../usage/findings.md) . 
-## Detection Remediation in Payloads and Injects +## Detection Remediation in Threat Arsenal Actions and Injects -More detail: [Detection remediations in payloads](../usage/payloads/payloads.md) +More detail: [Detection remediations in threat arsenal actions](../usage/threat-arsenals/threat-arsenals.md) and [Atomic testing remediations](../usage/atomic.md). ## More to come diff --git a/docs/administration/taxonomies.md b/docs/administration/taxonomies.md index 8771133a..fa565c85 100644 --- a/docs/administration/taxonomies.md +++ b/docs/administration/taxonomies.md @@ -35,7 +35,7 @@ OpenAEV supports the following attack pattern models: - **MITRE ATT&CK Framework (Enterprise, PRE, Mobile, and ICS)** -You can add, edit, or delete attack patterns in the settings page and assign them to payloads or injectors. +You can add, edit, or delete attack patterns in the settings page and assign them to threat arsenal actions or injectors. ## CVEs (EE) @@ -43,7 +43,7 @@ CVEs (Common Vulnerabilities and Exposures) are standardized identifiers for pub vulnerabilities. Each CVE provides a unique reference, enabling consistent communication and tracking across tools and teams. -In OpenAEV, CVEs are used to associate known vulnerabilities with assets, payloads, and injects. This allows users to +In OpenAEV, CVEs are used to associate known vulnerabilities with assets, threat arsenal actions, and injects. This allows users to simulate attacks based on real-world flaws, enhancing the relevance and precision of security testing. You can add, edit, or delete CVEs. diff --git a/docs/administration/users-and-rbac.md b/docs/administration/users-and-rbac.md index b78366a6..8f2c26f3 100644 --- a/docs/administration/users-and-rbac.md +++ b/docs/administration/users-and-rbac.md 
@@ -64,49 +64,49 @@ Capabilities in OpenAEV are organized hierarchically. A parent capability (e.g. Below is a full list of capabilities in OpenAEV -| Capability | Description | -|:-----------|:------------| -| `Bypass (user has all rights)` | Grants unconditional access to all platform features, bypassing every individual capability check and any data segregation enforcement. | -| **Assessments: Scenarios, simulations and atomic testings** | | -| `Access assessment` | Read-only access to assessments, including scenarios, simulations and atomic tests. | -|   `Manage assessment` | Create and update assessments (scenarios, simulations, atomic tests). Requires *Access assessment*. | -|     `Delete assessment` | Permanently delete assessments. Requires *Manage assessment*. | -|   `Launch assessment` | Execute / run an assessment against defined targets. Requires *Access assessment*. | -| **Targets** | | -| `Access teams & players` | Read-only access to teams and player definitions used as assessment targets. | -|   `Manage teams & players` | Create and update teams and players. Requires *Access teams & players*. | -|     `Delete teams & players` | Permanently delete teams and players. Requires *Manage teams & players*. | -| `Access assets` | Read-only access to asset inventory (hosts, endpoints, and other infrastructure targets). | -|   `Manage assets` | Create and update assets in the inventory. Requires *Access assets*. | -|     `Delete assets` | Permanently delete assets from the inventory. Requires *Manage assets*. | -| `Access security platforms` | Read-only access to integrated security platform configurations (e.g. SIEM, EDR, firewall connectors). | -|   `Manage security platforms` | Create and update security platform integrations. Requires *Access security platforms*. | -|     `Delete security platforms` | Permanently delete security platform integrations. Requires *Manage security platforms*. 
| -| **Payloads** | | -| `Access payloads` | Read-only access to the payload library (attack scripts, tools, and techniques used in simulations). | -|   `Manage payloads` | Create and update payloads in the library. Requires *Access payloads*. | -|     `Delete payloads` | Permanently delete payloads from the library. Requires *Manage payloads*. | -| **Dashboards** | | -| `Access dashboards` | Read-only access to platform dashboards and their visualizations. | -|   `Manage dashboards` | Create, update, and configure dashboards. Requires *Access dashboards*. | -|     `Delete dashboards` | Permanently delete dashboards. Requires *Manage dashboards*. | -| **Findings** | | -| `Access findings` | Read-only access to assessment findings and results generated from simulations and atomic tests. | -| **Content** | | -| `Access documents` | Read-only access to documents stored in the platform (reports, attachments, playbooks). | -|   `Manage documents` | Upload, create, and update documents. Requires *Access documents*. | -|     `Delete documents` | Permanently delete documents. Requires *Manage documents*. | -| `Access channels` | Read-only access to communication channels used to deliver exercise injects to players. | -|   `Manage channels` | Create and update channels. Requires *Access channels*. | -|     `Delete channels` | Permanently delete channels. Requires *Manage channels*. | -| `Access challenges` | Read-only access to challenges (CTF-style tasks or objectives assigned to players during exercises). | -|   `Manage challenges` | Create and update challenges. Requires *Access challenges*. | -|     `Delete challenges` | Permanently delete challenges. Requires *Manage challenges*. | -| `Access lessons learned` | Read-only access to lessons learned records captured after assessments or exercises. | -|   `Manage lessons learned` | Create and update lessons learned entries. Requires *Access lessons learned*. 
| -|     `Delete lessons learned` | Permanently delete lessons learned entries. Requires *Manage lessons learned*. | -| **Platform Settings** | | -| `Access Platform Settings` | Read-only access to platform-wide configuration and administration settings. | +| Capability | Description | +|:-----------|:------------------------------------------------------------------------------------------------------------------------------------------| +| `Bypass (user has all rights)` | Grants unconditional access to all platform features, bypassing every individual capability check and any data segregation enforcement. | +| **Assessments: Scenarios, simulations and atomic testings** | | +| `Access assessment` | Read-only access to assessments, including scenarios, simulations and atomic tests. | +|   `Manage assessment` | Create and update assessments (scenarios, simulations, atomic tests). Requires *Access assessment*. | +|     `Delete assessment` | Permanently delete assessments. Requires *Manage assessment*. | +|   `Launch assessment` | Execute / run an assessment against defined targets. Requires *Access assessment*. | +| **Targets** | | +| `Access teams & players` | Read-only access to teams and player definitions used as assessment targets. | +|   `Manage teams & players` | Create and update teams and players. Requires *Access teams & players*. | +|     `Delete teams & players` | Permanently delete teams and players. Requires *Manage teams & players*. | +| `Access assets` | Read-only access to asset inventory (hosts, endpoints, and other infrastructure targets). | +|   `Manage assets` | Create and update assets in the inventory. Requires *Access assets*. | +|     `Delete assets` | Permanently delete assets from the inventory. Requires *Manage assets*. | +| `Access security platforms` | Read-only access to integrated security platform configurations (e.g. SIEM, EDR, firewall connectors). 
| +|   `Manage security platforms` | Create and update security platform integrations. Requires *Access security platforms*. | +|     `Delete security platforms` | Permanently delete security platform integrations. Requires *Manage security platforms*. | +| **threat arsenal actions** | | +| `Access threat arsenal actions` | Read-only access to the threat arsenal action library (attack scripts, tools, and techniques used in simulations). | +|   `Manage threat arsenal actions` | Create and update threat arsenal actions in the library. Requires *Access threat arsenal actions*. | +|     `Delete threat arsenal actions` | Permanently delete threat arsenal actions from the library. Requires *Manage threat arsenal actions*. | +| **Dashboards** | | +| `Access dashboards` | Read-only access to platform dashboards and their visualizations. | +|   `Manage dashboards` | Create, update, and configure dashboards. Requires *Access dashboards*. | +|     `Delete dashboards` | Permanently delete dashboards. Requires *Manage dashboards*. | +| **Findings** | | +| `Access findings` | Read-only access to assessment findings and results generated from simulations and atomic tests. | +| **Content** | | +| `Access documents` | Read-only access to documents stored in the platform (reports, attachments, playbooks). | +|   `Manage documents` | Upload, create, and update documents. Requires *Access documents*. | +|     `Delete documents` | Permanently delete documents. Requires *Manage documents*. | +| `Access channels` | Read-only access to communication channels used to deliver exercise injects to players. | +|   `Manage channels` | Create and update channels. Requires *Access channels*. | +|     `Delete channels` | Permanently delete channels. Requires *Manage channels*. | +| `Access challenges` | Read-only access to challenges (CTF-style tasks or objectives assigned to players during exercises). | +|   `Manage challenges` | Create and update challenges. Requires *Access challenges*. 
| +|     `Delete challenges` | Permanently delete challenges. Requires *Manage challenges*. | +| `Access lessons learned` | Read-only access to lessons learned records captured after assessments or exercises. | +|   `Manage lessons learned` | Create and update lessons learned entries. Requires *Access lessons learned*. | +|     `Delete lessons learned` | Permanently delete lessons learned entries. Requires *Manage lessons learned*. | +| **Platform Settings** | | +| `Access Platform Settings` | Read-only access to platform-wide configuration and administration settings. | |   `Manage platform settings` | Modify platform-wide settings including security configuration, integrations, and system parameters. Requires *Access Platform Settings*. | @@ -167,7 +167,7 @@ Beyond global **capabilities** defined in roles, OpenAEV also allows assigning m - Scenarios - Organizations - Atomic testings - - Payloads + - threat arsenal actions 4. Select the specific items you want the group to access and assign the appropriate grant level. ![Manage grants](assets/manage-grants.png) @@ -214,7 +214,7 @@ They do not need all capabilities — only access to the resources explicitly gr A user can access these either through specific **grants**, or globally if the group has the **ASSESSMENT** capability (which overrides individual grants). -!!! tip "Payloads" +!!! tip "threat arsenal actions" Access is given either through specific **grants**, or globally if the group has the **PAYLOAD** capability. diff --git a/docs/deployment/configuration.md b/docs/deployment/configuration.md index 843488c5..9b0c68de 100644 --- a/docs/deployment/configuration.md +++ b/docs/deployment/configuration.md 
@@ -147,7 +147,7 @@ reindex. #### Agents (executors) To be able to use the power of the OpenAEV platform on endpoints, you need at least one **neutral executor** that will -be in charge of executing implants as detached processes. Implants will then execute payloads. +be in charge of executing implants as detached processes. Implants will then execute threat arsenal actions. ##### OpenAEV Agent diff --git a/docs/deployment/ecosystem/executors.md b/docs/deployment/ecosystem/executors.md index 787f5eba..6a66fac0 100644 --- a/docs/deployment/ecosystem/executors.md +++ b/docs/deployment/ecosystem/executors.md 
@@ -3,12 +3,12 @@ ## Introduction To be able to use the power of the OpenAEV platform on endpoints, you need at least one **neutral executor** that will -be in charge of executing implants as detached processes. Implants will then execute payloads. +be in charge of executing implants as detached processes. Implants will then execute threat arsenal actions. The platform manages different executors which can be installed on Windows, Linux and MacOS using x86_64 or arm64 architectures. This table below summarizes the information about each agent. -| Executor | Type | Installation mode | Installation type | Run As | Payload execution | Multi agents for an endpoint | +| Executor | Type | Installation mode | Installation type | Run As | Threat arsenal action execution | Multi agents for an endpoint | |:-----------------------------------|:--------------|:--------------------------------------------------|:------------------|:---------------------------------------|:-----------------------------------------------|:-------------------------------------------------| | **OpenAEV Agent (native/default)** | Open source | As a user session, user service or system service | Script | A standard or admin background process | As a user standard, user admin or system admin | Yes, depending on the user and installation mode | | **Tanium Agent** | Under license | As a system service | Executable | An admin background process | As a system admin | No, always the same agent | @@ -20,7 +20,7 @@ architectures. This table below summarizes the information about each agent. ## OpenAEV Agent The OpenAEV agent is available for Windows, Linux and MacOS, it is the native / default way to execute implants and -payloads on endpoints. +threat arsenal actions on endpoints. [Learn More](../../usage/openaev-agent.md) 
@@ -28,7 +28,7 @@ payloads on endpoints. ## Tanium Agent -The Tanium agent can be leveraged to execute implants as detached processes that will then execute payloads, according +The Tanium agent can be leveraged to execute implants as detached processes that will then execute threat arsenal actions, according to the [OpenAEV architecture](https://docs.openaev.io/latest/deployment/platform/overview/). The implants will be downloaded to these folders on the different assets: 
@@ -82,18 +82,18 @@ Once configured and imported, retrieve the package IDs from the URL: To use the Tanium executor, fill the following configuration in the Integrations (Executors) tab from OpenAEV menu. -| Parameter | Environment variable | Default value | Description | -|:------------------------------------------------------|:------------------------------------------------------|:---------------|:--------------------------------------------------------------------------------------------------------------------------------------------------| -| executor.tanium.enable | EXECUTOR_TANIUM_ENABLE | `false` | Enable the Tanium executor | -| executor.tanium.url | EXECUTOR_TANIUM_URL | | Tanium API URL | -| executor.tanium.api-key | EXECUTOR_TANIUM_API-KEY | | Tanium API key | -| executor.tanium.api-register-interval | EXECUTOR_TANIUM_API_REGISTER_INTERVAL | 1200 | Tanium API interval to register/update the computer groups/endpoints in OpenAEV (in seconds) | -| executor.tanium.api-batch-execution-action-pagination | EXECUTOR_TANIUM_API_BATCH_EXECUTION_ACTION_PAGINATION | 100 | Tanium API pagination per 5 seconds to set for endpoints batch executions (number of endpoints sent per 5 seconds to Tanium to execute a payload) | -| executor.tanium.clean-implant-interval | EXECUTOR_TANIUM_CLEAN_IMPLANT_INTERVAL | 8 | Tanium clean old implant interval (in hours) | -| executor.tanium.computer-group-id | EXECUTOR_TANIUM_COMPUTER_GROUP_ID | `1` | Tanium Computer Group or Computer Groups to be used in simulations separated with commas | -| executor.tanium.action-group-id | EXECUTOR_TANIUM_ACTION_GROUP_ID | `4` | Tanium Action Group to apply actions to | -| executor.tanium.windows-package-id | EXECUTOR_TANIUM_WINDOWS_PACKAGE_ID | | ID of the OpenAEV Tanium Windows package | -| executor.tanium.unix-package-id | EXECUTOR_TANIUM_UNIX_PACKAGE_ID | | ID of the OpenAEV Tanium Unix package | +| Parameter | Environment variable | Default value | Description | 
+|:------------------------------------------------------|:------------------------------------------------------|:---------------|:----------------------------------------------------------------------------------------------------------------------------------------------------------------| +| executor.tanium.enable | EXECUTOR_TANIUM_ENABLE | `false` | Enable the Tanium executor | +| executor.tanium.url | EXECUTOR_TANIUM_URL | | Tanium API URL | +| executor.tanium.api-key | EXECUTOR_TANIUM_API-KEY | | Tanium API key | +| executor.tanium.api-register-interval | EXECUTOR_TANIUM_API_REGISTER_INTERVAL | 1200 | Tanium API interval to register/update the computer groups/endpoints in OpenAEV (in seconds) | +| executor.tanium.api-batch-execution-action-pagination | EXECUTOR_TANIUM_API_BATCH_EXECUTION_ACTION_PAGINATION | 100 | Tanium API pagination per 5 seconds to set for endpoints batch executions (number of endpoints sent per 5 seconds to Tanium to execute a threat arsenal action) | +| executor.tanium.clean-implant-interval | EXECUTOR_TANIUM_CLEAN_IMPLANT_INTERVAL | 8 | Tanium clean old implant interval (in hours) | +| executor.tanium.computer-group-id | EXECUTOR_TANIUM_COMPUTER_GROUP_ID | `1` | Tanium Computer Group or Computer Groups to be used in simulations separated with commas | +| executor.tanium.action-group-id | EXECUTOR_TANIUM_ACTION_GROUP_ID | `4` | Tanium Action Group to apply actions to | +| executor.tanium.windows-package-id | EXECUTOR_TANIUM_WINDOWS_PACKAGE_ID | | ID of the OpenAEV Tanium Windows package | +| executor.tanium.unix-package-id | EXECUTOR_TANIUM_UNIX_PACKAGE_ID | | ID of the OpenAEV Tanium Unix package | !!! note "Tanium API Key" 
@@ -120,13 +120,13 @@ Endpoints from the selected computer groups should now appear in the **OpenAEV E !!! success "Installation done" - You are now ready to leverage your Tanium platform to run OpenAEV payloads! + You are now ready to leverage your Tanium platform to run OpenAEV threat arsenal actions! --- ## CrowdStrike Falcon Agent -The CrowdStrike Falcon agent can be leveraged to execute implants as detached processes that will then execute payloads +The CrowdStrike Falcon agent can be leveraged to execute implants as detached processes that will then execute threat arsenal actions according to the [OpenAEV architecture](https://docs.openaev.io/latest/deployment/platform/overview/). The implants will be downloaded to these folders on the different assets: @@ -229,7 +229,7 @@ To create a host group, go to `Host setup and management` > `Host groups`. #### Create/Update response policies for your targeted platforms -As OpenAEV will ask CrowdStrike to create implants in order to execute payloads as scripts, you need to allow the +As OpenAEV will ask CrowdStrike to create implants in order to execute threat arsenal actions as scripts, you need to allow the execution of custom scripts on your assets. To do so, you need to create a new response policy or update an existing one for your assets' platforms. 
@@ -260,18 +260,18 @@ applied. To use the CrowdStrike executor, just fill the following configuration in the Integrations (Executors) tab from OpenAEV menu. -| Parameter | Environment variable | Default value | Description | -|:-----------------------------------------------------------|:------------------------------------------------------------|:-----------------------------------|:----------------------------------------------------------------------------------------------------------------------------------------------------| -| executor.crowdstrike.enable | EXECUTOR_CROWDSTRIKE_ENABLE | `false` | Enable the Crowdstrike executor | -| executor.crowdstrike.api-url | EXECUTOR_CROWDSTRIKE_API_URL | `https://api.us-2.crowdstrike.com` | Crowdstrike API url | -| executor.crowdstrike.api-register-interval | EXECUTOR_CROWDSTRIKE_API_REGISTER_INTERVAL | 1200 | Crowdstrike API interval to register/update the host groups/hosts/agents in OpenAEV (in seconds) | -| executor.crowdstrike.api-batch-execution-action-pagination | EXECUTOR_CROWDSTRIKE_API_BATCH_EXECUTION_ACTION_PAGINATION | 2500 | Crowdstrike API pagination per 5 seconds to set for hosts batch executions (number of hosts sent per 5 seconds to Crowdstrike to execute a payload) | -| executor.crowdstrike.clean-implant-interval | EXECUTOR_CROWDSTRIKE_CLEAN_IMPLANT_INTERVAL | 8 | Crowdstrike clean old implant interval (in hours) | -| executor.crowdstrike.client-id | EXECUTOR_CROWDSTRIKE_CLIENT_ID | | Crowdstrike client id | -| executor.crowdstrike.client-secret | EXECUTOR_CROWDSTRIKE_CLIENT_SECRET | | Crowdstrike client secret | -| executor.crowdstrike.host-group | EXECUTOR_CROWDSTRIKE_HOST_GROUP | | Crowdstrike host group id or hosts groups ids separated with commas | -| executor.crowdstrike.windows-script-name | EXECUTOR_CROWDSTRIKE_WINDOWS_SCRIPT_NAME | `OpenAEV Subprocessor (Windows)` | Name of the OpenAEV Crowdstrike windows script | -| executor.crowdstrike.unix-script-name | EXECUTOR_CROWDSTRIKE_UNIX_SCRIPT_NAME 
| `OpenAEV Subprocessor (Unix)` | Name of the OpenAEV Crowdstrike unix script | +| Parameter | Environment variable | Default value | Description | +|:-----------------------------------------------------------|:------------------------------------------------------------|:-----------------------------------|:------------------------------------------------------------------------------------------------------------------------------------------------------------------| +| executor.crowdstrike.enable | EXECUTOR_CROWDSTRIKE_ENABLE | `false` | Enable the Crowdstrike executor | +| executor.crowdstrike.api-url | EXECUTOR_CROWDSTRIKE_API_URL | `https://api.us-2.crowdstrike.com` | Crowdstrike API url | +| executor.crowdstrike.api-register-interval | EXECUTOR_CROWDSTRIKE_API_REGISTER_INTERVAL | 1200 | Crowdstrike API interval to register/update the host groups/hosts/agents in OpenAEV (in seconds) | +| executor.crowdstrike.api-batch-execution-action-pagination | EXECUTOR_CROWDSTRIKE_API_BATCH_EXECUTION_ACTION_PAGINATION | 2500 | Crowdstrike API pagination per 5 seconds to set for hosts batch executions (number of hosts sent per 5 seconds to Crowdstrike to execute a threat arsenal action) | +| executor.crowdstrike.clean-implant-interval | EXECUTOR_CROWDSTRIKE_CLEAN_IMPLANT_INTERVAL | 8 | Crowdstrike clean old implant interval (in hours) | +| executor.crowdstrike.client-id | EXECUTOR_CROWDSTRIKE_CLIENT_ID | | Crowdstrike client id | +| executor.crowdstrike.client-secret | EXECUTOR_CROWDSTRIKE_CLIENT_SECRET | | Crowdstrike client secret | +| executor.crowdstrike.host-group | EXECUTOR_CROWDSTRIKE_HOST_GROUP | | Crowdstrike host group id or hosts groups ids separated with commas | +| executor.crowdstrike.windows-script-name | EXECUTOR_CROWDSTRIKE_WINDOWS_SCRIPT_NAME | `OpenAEV Subprocessor (Windows)` | Name of the OpenAEV Crowdstrike windows script | +| executor.crowdstrike.unix-script-name | EXECUTOR_CROWDSTRIKE_UNIX_SCRIPT_NAME | `OpenAEV Subprocessor (Unix)` | Name of the 
OpenAEV Crowdstrike unix script | ### Checks @@ -290,16 +290,16 @@ Endpoint on the OpenAEV endpoint page. !!! success "Installation done" - You are now ready to leverage your CrowdStrike platform to run OpenAEV payloads! + You are now ready to leverage your CrowdStrike platform to run OpenAEV threat arsenal actions! --- ## Palo Alto Cortex Agent -The Palo Alto Cortex agent can be leveraged to execute implants as detached processes that will then execute payloads +The Palo Alto Cortex agent can be leveraged to execute implants as detached processes that will then execute threat arsenal actions according to the [OpenAEV architecture](https://docs.openaev.io/latest/deployment/platform/overview/). -On Windows, because Palo Alto Cortex whitelists its own process tree, OpenAEV creates a scheduled task to detach the process that will execute the payloads. +On Windows, because Palo Alto Cortex whitelists its own process tree, OpenAEV creates a scheduled task to detach the process that will execute the threat arsenal actions. The implants will be downloaded to these folders on the different assets: 
@@ -353,18 +353,18 @@ To create a group, go to `Inventory` > `Endpoints` > `Groups`. To use the Palo Alto Cortex executor, just fill the following configuration in the Integrations (Executors) tab from OpenAEV menu. -| Parameter | Environment variable | Default value | Description | -|:--------------------------------------------------------------|:--------------------------------------------------------------|:--------------|:----------------------------------------------------------------------------------------------------------------------------------------------------------------------| -| executor.paloaltocortex.enable | EXECUTOR_PALOALTOCORTEX_ENABLE | `false` | Enable the Palo Alto Cortex executor | -| executor.paloaltocortex.url | EXECUTOR_PALOALTOCORTEX_URL | | Palo Alto Cortex URL, the API version used is the v1 | -| executor.paloaltocortex.api-register-interval | EXECUTOR_PALOALTOCORTEX_API_REGISTER_INTERVAL | 1200 | Palo Alto Cortex API interval to register/update the accounts/sites/groups/agents in OpenAEV (in seconds) | -| executor.paloaltocortex.api-batch-execution-action-pagination | EXECUTOR_PALOALTOCORTEX_API_BATCH_EXECUTION_ACTION_PAGINATION | 100 | Palo Alto Cortex API pagination per 5 seconds to set for endpoints batch executions (number of endpoints sent per 5 seconds to Palo Alto Cortex to execute a payload) | -| executor.paloaltocortex.clean-implant-interval | EXECUTOR_PALOALTOCORTEX_CLEAN_IMPLANT_INTERVAL | 8 | Palo Alto Cortex clean old implant interval (in hours) | -| executor.paloaltocortex.api-key-id | EXECUTOR_PALOALTOCORTEX_API_KEY_ID | | Palo Alto Cortex API key id | -| executor.paloaltocortex.api-key | EXECUTOR_PALOALTOCORTEX_API_KEY | | Palo Alto Cortex API key | -| executor.paloaltocortex.group-name | EXECUTOR_PALOALTOCORTEX_GROUP_ID | | Palo Alto Cortex group name or groups names separated with commas | -| executor.paloaltocortex.windows-script-uid | EXECUTOR_PALOALTOCORTEX_WINDOWS_SCRIPT_UID | | Uid of the OpenAEV Palo Alto 
Cortex Windows script | -| executor.paloaltocortex.unix-script-uid | EXECUTOR_PALOALTOCORTEX_UNIX_SCRIPT_UID | | Uid of the OpenAEV Palo Alto Cortex Unix script | +| Parameter | Environment variable | Default value | Description | +|:--------------------------------------------------------------|:--------------------------------------------------------------|:--------------|:------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| +| executor.paloaltocortex.enable | EXECUTOR_PALOALTOCORTEX_ENABLE | `false` | Enable the Palo Alto Cortex executor | +| executor.paloaltocortex.url | EXECUTOR_PALOALTOCORTEX_URL | | Palo Alto Cortex URL, the API version used is the v1 | +| executor.paloaltocortex.api-register-interval | EXECUTOR_PALOALTOCORTEX_API_REGISTER_INTERVAL | 1200 | Palo Alto Cortex API interval to register/update the accounts/sites/groups/agents in OpenAEV (in seconds) | +| executor.paloaltocortex.api-batch-execution-action-pagination | EXECUTOR_PALOALTOCORTEX_API_BATCH_EXECUTION_ACTION_PAGINATION | 100 | Palo Alto Cortex API pagination per 5 seconds to set for endpoints batch executions (number of endpoints sent per 5 seconds to Palo Alto Cortex to execute a threat arsenal action) | +| executor.paloaltocortex.clean-implant-interval | EXECUTOR_PALOALTOCORTEX_CLEAN_IMPLANT_INTERVAL | 8 | Palo Alto Cortex clean old implant interval (in hours) | +| executor.paloaltocortex.api-key-id | EXECUTOR_PALOALTOCORTEX_API_KEY_ID | | Palo Alto Cortex API key id | +| executor.paloaltocortex.api-key | EXECUTOR_PALOALTOCORTEX_API_KEY | | Palo Alto Cortex API key | +| executor.paloaltocortex.group-name | EXECUTOR_PALOALTOCORTEX_GROUP_ID | | Palo Alto Cortex group name or groups names separated with commas | +| executor.paloaltocortex.windows-script-uid | EXECUTOR_PALOALTOCORTEX_WINDOWS_SCRIPT_UID | | Uid of the OpenAEV Palo Alto Cortex Windows script | +| 
executor.paloaltocortex.unix-script-uid | EXECUTOR_PALOALTOCORTEX_UNIX_SCRIPT_UID | | Uid of the OpenAEV Palo Alto Cortex Unix script | ### Checks @@ -383,13 +383,13 @@ Endpoint on the OpenAEV endpoint page. !!! success "Installation done" - You are now ready to leverage your Palo Alto Cortex platform to run OpenAEV payloads! + You are now ready to leverage your Palo Alto Cortex platform to run OpenAEV threat arsenal actions! --- ## SentinelOne Agent -The SentinelOne agent can be leveraged to execute implants as detached processes that will then execute payloads +The SentinelOne agent can be leveraged to execute implants as detached processes that will then execute threat arsenal actions according to the [OpenAEV architecture](https://docs.openaev.io/latest/deployment/platform/overview/). The implants will be downloaded to these folders on the different assets: 
@@ -453,19 +453,19 @@ To create a wrapper (account/site/group), go to `Settings` > `Accounts/Sites`. To use the SentinelOne executor, just fill the following configuration in the Integrations (Executors) tab from OpenAEV menu. -| Parameter | Environment variable | Default value | Description | -|:-----------------------------------------------------------|:-----------------------------------------------------------|:--------------|:------------------------------------------------------------------------------------------------------------------------------------------------------| -| executor.sentinelone.enable | EXECUTOR_SENTINELONE_ENABLE | `false` | Enable the SentinelOne executor | -| executor.sentinelone.url | EXECUTOR_SENTINELONE_URL | | SentinelOne URL, the API version used is the 2.1 | -| executor.sentinelone.api-register-interval | EXECUTOR_SENTINELONE_API_REGISTER_INTERVAL | 1200 | SentinelOne API interval to register/update the accounts/sites/groups/agents in OpenAEV (in seconds) | -| executor.sentinelone.api-batch-execution-action-pagination | EXECUTOR_SENTINELONE_API_BATCH_EXECUTION_ACTION_PAGINATION | 2500 | SentinelOne API pagination per 5 seconds to set for agents batch executions (number of agents sent per 5 seconds to SentinelOne to execute a payload) | -| executor.sentinelone.clean-implant-interval | EXECUTOR_SENTINELONE_CLEAN_IMPLANT_INTERVAL | 8 | SentinelOne clean old implant interval (in hours) | -| executor.sentinelone.api-key | EXECUTOR_SENTINELONE_API_KEY | | SentinelOne API key | -| executor.sentinelone.account-id | EXECUTOR_SENTINELONE_ACCOUNT_ID | | SentinelOne account id or accounts ids separated with commas (optional if site or group is filled) | -| executor.sentinelone.site-id | EXECUTOR_SENTINELONE_SITE_ID | | SentinelOne site id or sites ids separated with commas (optional if account or group is filled) | -| executor.sentinelone.group-id | EXECUTOR_SENTINELONE_GROUP_ID | | SentinelOne group id or groups ids separated with commas 
(optional if site or account is filled) | -| executor.sentinelone.windows-script-id | EXECUTOR_SENTINELONE_WINDOWS_SCRIPT_ID | | Id of the OpenAEV SentinelOne Windows script | -| executor.sentinelone.unix-script-id | EXECUTOR_SENTINELONE_UNIX_SCRIPT_ID | | Id of the OpenAEV SentinelOne Unix script | +| Parameter | Environment variable | Default value | Description | +|:-----------------------------------------------------------|:-----------------------------------------------------------|:--------------|:--------------------------------------------------------------------------------------------------------------------------------------------------------------------| +| executor.sentinelone.enable | EXECUTOR_SENTINELONE_ENABLE | `false` | Enable the SentinelOne executor | +| executor.sentinelone.url | EXECUTOR_SENTINELONE_URL | | SentinelOne URL, the API version used is the 2.1 | +| executor.sentinelone.api-register-interval | EXECUTOR_SENTINELONE_API_REGISTER_INTERVAL | 1200 | SentinelOne API interval to register/update the accounts/sites/groups/agents in OpenAEV (in seconds) | +| executor.sentinelone.api-batch-execution-action-pagination | EXECUTOR_SENTINELONE_API_BATCH_EXECUTION_ACTION_PAGINATION | 2500 | SentinelOne API pagination per 5 seconds to set for agents batch executions (number of agents sent per 5 seconds to SentinelOne to execute a threat arsenal action) | +| executor.sentinelone.clean-implant-interval | EXECUTOR_SENTINELONE_CLEAN_IMPLANT_INTERVAL | 8 | SentinelOne clean old implant interval (in hours) | +| executor.sentinelone.api-key | EXECUTOR_SENTINELONE_API_KEY | | SentinelOne API key | +| executor.sentinelone.account-id | EXECUTOR_SENTINELONE_ACCOUNT_ID | | SentinelOne account id or accounts ids separated with commas (optional if site or group is filled) | +| executor.sentinelone.site-id | EXECUTOR_SENTINELONE_SITE_ID | | SentinelOne site id or sites ids separated with commas (optional if account or group is filled) | +| 
executor.sentinelone.group-id | EXECUTOR_SENTINELONE_GROUP_ID | | SentinelOne group id or groups ids separated with commas (optional if site or account is filled) | +| executor.sentinelone.windows-script-id | EXECUTOR_SENTINELONE_WINDOWS_SCRIPT_ID | | Id of the OpenAEV SentinelOne Windows script | +| executor.sentinelone.unix-script-id | EXECUTOR_SENTINELONE_UNIX_SCRIPT_ID | | Id of the OpenAEV SentinelOne Unix script | ### Checks @@ -484,12 +484,12 @@ Endpoint on the OpenAEV endpoint page. !!! success "Installation done" - You are now ready to leverage your SentinelOne platform to run OpenAEV payloads! + You are now ready to leverage your SentinelOne platform to run OpenAEV threat arsenal actions! --- ## Caldera Agent -The Caldera agent can be leveraged to execute implants as detached processes that will then execute payloads according to +The Caldera agent can be leveraged to execute implants as detached processes that will then execute threat arsenal actions according to the [OpenAEV architecture](https://docs.openaev.io/latest/deployment/platform/overview/). !!! note "Caldera already installed" @@ -568,7 +568,7 @@ OpenAEV has built-in instruction if you want command line examples to deploy the !!! warning "Caldera AV detection" - By default, the Caldera agent "Sandcat" is detected and blocked by antivirus. Here, we are using Caldera as a neutral executor that will execute implants that will execute payloads, so you need to add the proper AV exclusions as instructed in the OpenAEV screen. + By default, the Caldera agent "Sandcat" is detected and blocked by antivirus. Here, we are using Caldera as a neutral executor that will execute implants that will execute threat arsenal actions, so you need to add the proper AV exclusions as instructed in the OpenAEV screen. ![Caldera AV exclusion](../assets/caldera-av.png) diff --git a/docs/index.md b/docs/index.md index 15949f2b..0f25d0d9 100644 --- a/docs/index.md +++ b/docs/index.md 
@@ -39,7 +39,7 @@ OpenAEV is an open source platform allowing organizations to plan, schedule and --- Understand how to use the platform, manage assets, - design scenarios with tailored payloads and integrate with other tools. + design scenarios with tailored threat arsenal actions and integrate with other tools. [:octicons-arrow-right-24:{ .middle } Explore](usage/getting-started.md) diff --git a/docs/usage/assets/atomic_testing_action_info.png b/docs/usage/assets/atomic_testing_action_info.png new file mode 100644 index 00000000..10a3fe35 Binary files /dev/null and b/docs/usage/assets/atomic_testing_action_info.png differ diff --git a/docs/usage/assets/atomic_testing_payload_info.png b/docs/usage/assets/atomic_testing_payload_info.png deleted file mode 100644 index 2493f8ac..00000000 Binary files a/docs/usage/assets/atomic_testing_payload_info.png and /dev/null differ diff --git a/docs/usage/atomic.md b/docs/usage/atomic.md index 9b67ee7a..dfcbff84 100644 --- a/docs/usage/atomic.md +++ b/docs/usage/atomic.md @@ -50,5 +50,5 @@ Details of an Atomic testing is composed of three parts: - [Overview](inject-result.md/#overview) - [Findings](inject-result.md/#findings) - [Inject execution details](inject-result.md/#execution-details) -- [Payload info](inject-result.md/#payload-info) +- [Threat Arsenal Action info](inject-result.md/#threat-arsenal-action-info) - [Remediation](inject-result.md/#remediations-ee) \ No newline at end of file diff --git a/docs/usage/collectors.md b/docs/usage/collectors.md index 98a3d02d..140a86a0 100644 --- a/docs/usage/collectors.md +++ b/docs/usage/collectors.md 
@@ -12,7 +12,7 @@ external services for two purposes: - Collect all alerts, logs and traces related to attacks, incidents or crisis and match them to simulated injects to evaluate the security posture. - Collect any data that may help to schedule breach and attack simulations such as list of assets, groups, identities, - payloads, etc. + threat arsenal actions, etc. ### 🛡️ Detection & Prevention (SIEM, XDR, EDR, NDR) @@ -39,7 +39,7 @@ perform its task. ### 🧬 Threat Intelligence -Those collectors are used to collect threat intelligence data such as kill chains, scenarios, TTPs, payloads, etc. +Those collectors are used to collect threat intelligence data such as kill chains, scenarios, TTPs, threat arsenal actions, etc. ### 📺 Endpoint management diff --git a/docs/usage/components/documents.md b/docs/usage/components/documents.md index 357d4008..6d83ff67 100644 --- a/docs/usage/components/documents.md +++ b/docs/usage/components/documents.md @@ -1,7 +1,7 @@ # Documents Documents serve as resources for adding content to your table-top injects, helping your animation team and players. They -can also be utilized in payloads for file dropping purposes. +can also be utilized in threat arsenal actions for file dropping purposes. ## Create a Document @@ -19,9 +19,9 @@ will allow you to download it. ## Use a Document -Documents can be added into table-top injects and payloads. +Documents can be added into table-top injects and threat arsenal actions. When creating an table-top inject, you can attach documents to provide context or, in the case of email injects, to include attachments. -Additionally, you can create a File Drop payload and include your documents within it. +Additionally, you can create a File Drop threat arsenal action and include your documents within it. diff --git a/docs/usage/expectations/validation.md b/docs/usage/expectations/validation.md index 825294d8..10d6a2c0 100644 --- a/docs/usage/expectations/validation.md 
+++ b/docs/usage/expectations/validation.md @@ -74,7 +74,7 @@ You launch a malware simulation. Expectation: -> *Endpoint protection detects the payload.* +> *Endpoint protection detects the threat arsenal action.* - The EDR raises an alert - OpenAEV receives the detection event diff --git a/docs/usage/getting-started.md b/docs/usage/getting-started.md index deac0354..3fbefc3b 100644 --- a/docs/usage/getting-started.md +++ b/docs/usage/getting-started.md @@ -36,24 +36,24 @@ an alert, who escalates, who reacts according to playbooks. You can: -- Deploy an **OpenAEV agent** for agent-based testing (executes payloads, reports telemetry, supports automated checks) +- Deploy an **OpenAEV agent** for agent-based testing (executes threat arsenal actions, reports telemetry, supports automated checks) - Use **agentless endpoints** when software installation is not possible Assets are reused across scenarios and simulations — it’s worth naming and tagging them carefully (OS, owner, environment). -## Payloads & Injects +## Threat arsenal action & Injects -[Payloads](payloads/payloads.md) are the technical actions: running a command, scanning a network, or checking for a -vulnerability. +[Threat arsenal action](threat-arsenals/threat-arsenals.md) are the technical actions: running a command, scanning a network, checking for a +vulnerability, sending a phishing email, etc. -[Injects](inject-overview.md) wrap payloads with context: +[Injects](inject-overview.md) wrap threat arsenal action with context: - *who* is the target - *when* it should run - *what* is expected in return -OpenAEV includes collectors with ready-to-use payloads: OpenAEV curated payloads and Atomic Red Team. +OpenAEV includes collectors with ready-to-use threat arsenal actions: OpenAEV curated threat arsenal actions and Atomic Red Team. ## Scenarios & Simulations 
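Review bot: number agreement is lost in the `@@ -36,24 +36,24 @@` hunk of `docs/usage/getting-started.md`: the heading `## Threat arsenal action & Injects`, the sentence `[Threat arsenal action](threat-arsenals/threat-arsenals.md) are the technical actions` and `wrap threat arsenal action with context` all use the singular where the replaced text (`Payloads`, `wrap payloads`) was plural. Suggest `## Threat arsenal actions & Injects`, `[Threat arsenal actions](threat-arsenals/threat-arsenals.md) are the technical actions ...` and `wrap threat arsenal actions with context`. The link target now points at `threat-arsenals/threat-arsenals.md`; the only changes visible under `docs/usage/payloads/` in this patch are deletions, so please confirm that page is added or renamed in the same change so the link does not go dead.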
@@ -94,7 +94,7 @@ It provides: - Pre-built scenarios (tabletop, agentless, agent-based) - Four dashboards - Injectors (Nmap, Nuclei) -- Collectors (Atomic Red Team, MITRE ATT&CK, OpenAEV payloads, CVE/NVD feed) +- Collectors (Atomic Red Team, MITRE ATT&CK, CVE/NVD feed.) - One agentless endpoint + an asset group With the Starter Pack, you can launch a complete simulation right after installation. @@ -103,11 +103,11 @@ With the Starter Pack, you can launch a complete simulation right after installa ## An end-to-end atomic example (with agent) -Let’s walk through the simplest possible set-up, using only an agent and an atomic payload. +Let’s walk through the simplest possible set-up, using only an agent and an atomic threat arsenal action. Imagine you deployed an OpenAEV agent on a Linux endpoint named `endpoint-lin-01`. -### Step 1 — Create the payload +### Step 1 — Create the threat arsenal action ``` echo "OpenAEV Atomic Test" @@ -116,20 +116,20 @@ Imagine you deployed an OpenAEV agent on a Linux endpoint named `endpoint-lin-01 ### Step 2 — Build the inject * Create an **atomic testing** in the UI -* Use the created payload +* Use the created threat arsenal action * Target `endpoint-lin-01` ### Step 3 — Run the atomic testing Click **Launch now**. -The platform executes the payload via the agent. +The platform executes the threat arsenal action via the agent. The result should appear in the atomic testing overview. --- ## Next steps -* Create custom injects and payloads +* Create custom injects and threat arsenal actions * Import threat-informed scenarios from the XTM Hub * Connect with [OpenCTI](https://filigran.io/solutions/open-cti/) * Track improvements over time in dashboards diff --git a/docs/usage/inject-chaining.md b/docs/usage/inject-chaining.md index 09bc420e..245923a9 100644 --- a/docs/usage/inject-chaining.md +++ b/docs/usage/inject-chaining.md 
@@ -46,7 +46,7 @@ more specific conditions. You can reposition or remove links by dragging them to You are simulating a multi-stage attack: 1. **Inject 1**: phishing email with a malicious attachment. -2. **Inject 2**: Payload execution on the endpoint (child of Inject 1, condition: *Prevention expectation = Fail*). +2. **Inject 2**: Threat arsenal action execution on the endpoint (child of Inject 1, condition: *Prevention expectation = Fail*). 3. **Inject 3**: lateral movement (child of Inject 2, condition: *Execution = Success*). If the EDR blocks the attachment (Prevention = Success), Inject 2 and 3 are automatically skipped. diff --git a/docs/usage/inject-result.md b/docs/usage/inject-result.md index 268c260b..b7924315 100644 --- a/docs/usage/inject-result.md +++ b/docs/usage/inject-result.md @@ -21,7 +21,7 @@ execution logs. ### Findings -The Findings screen displays what was detected during the inject, based on the output parser in the payload. You can +The Findings screen displays what was detected during the inject, based on the output parser in the threat arsenal action. You can filter findings by name, type, creation date, target, value, or tag. ![Atomic testing Overview with Results](assets/atomic_testing_findings.png) 
@@ -32,20 +32,20 @@ This screen shows the full trace of the inject’s execution, including logs and ![Execution trace of a successful atomic testing](assets/atomic_testing_execution_details.png) -### Payload info +### Threat arsenal action info -This screen is available for technical injects only. You can see the details of the payload related to the test. +This screen is available for technical injects only. You can see the details of the threat arsenal actionrelated to the test. -![Payload info of atomic testing](assets/atomic_testing_payload_info.png) +![Threat arsenal action info of atomic testing](assets/atomic_testing_action_info.png) ### Remediations (EE) -This screen is available for technical injects only. It displays remediation content related to the executed payload, +This screen is available for technical injects only. It displays remediation content related to the executed threat arsenal action, specifically focused on detection logic. You will see one Remediation tab per collector available in the platform. Ariane can generate AI‑based rules from an executed inject with the following: -- Payload types: Command, DnsResolution +- Threat arsenal action types: Command, DnsResolution - Collectors: Splunk, CrowdStrike Remediation statuses: diff --git a/docs/usage/inject-status.md b/docs/usage/inject-status.md index 82be1868..9a3fdcc1 100644 --- a/docs/usage/inject-status.md +++ b/docs/usage/inject-status.md @@ -23,7 +23,7 @@ When an Inject targets [Endpoints](assets.md), each installed Agent reports its |------|-------------| | **Prerequisite check** | Validates required conditions before execution | | **Prerequisite retrieval** | Installs missing prerequisites (only if the check fails) | -| **Attack command** | Executes the actual Payload | +| **Attack command** | Executes the actual Threat Arsenal Action| | **Cleanup** | Removes artifacts left by the attack | !!! Note 
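Review bot: the line `You can see the details of the threat arsenal actionrelated to the test.` in hunk `@@ -32,20 +32,20 @@` of `docs/usage/inject-result.md` is missing the space before `related`, which is the only content change on that line. Suggest `You can see the details of the threat arsenal action related to the test.` The new image reference `assets/atomic_testing_action_info.png` matches the binary file added earlier in the patch, so that part is consistent.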
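Review bot: the table cell `| **Attack command** | Executes the actual Threat Arsenal Action|` in `docs/usage/inject-status.md` drops the space before the closing pipe, breaking the column alignment the surrounding rows keep, and it is the one place in this patch that capitalises the term in running prose while the other hunks use lowercase `threat arsenal action`. Suggest `| **Attack command** | Executes the actual threat arsenal action |`.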
diff --git a/docs/usage/inject-types.md b/docs/usage/inject-types.md index 11d7faab..b7df9e10 100644 --- a/docs/usage/inject-types.md +++ b/docs/usage/inject-types.md @@ -76,7 +76,7 @@ HTTP requests GET, POST, and PUT, can be sent. The corresponding injects are nam ## Technical Injects via the OpenAEV Agent -Technical Injects execute commands and Payloads directly on target Endpoints through the +Technical Injects execute commands and threat arsenal actions directly on target Endpoints through the [OpenAEV Agent](openaev-agent.md). They simulate real-world attack techniques, allowing you to gauge the effectiveness of your security posture against the actions an attacker would take. diff --git a/docs/usage/injectors.md b/docs/usage/injectors.md index 4e61bad2..0bd1dbfe 100644 --- a/docs/usage/injectors.md +++ b/docs/usage/injectors.md @@ -11,7 +11,7 @@ third party systems. According to their functionality and use case, they are cat ![List of Injectors](assets/list-of-injectors.png) -### 📡 Endpoint payloads execution +### 📡 Endpoint threat arsenal actions execution Those injectors are special as they required an executor (neutral agent) to be launched on endpoints. When they register to the platform, they inform available executors on how to spawn them on the 3 currently supported platforms: Windows, diff --git a/docs/usage/openaev-agent.md b/docs/usage/openaev-agent.md index 19fd0eea..270f74db 100644 --- a/docs/usage/openaev-agent.md +++ b/docs/usage/openaev-agent.md @@ -35,7 +35,7 @@ You can access them from OpenAEV by clicking the blue icon in the top-right corn Antivirus exclusions described in this documentation are **mandatory** for OpenAEV to function correctly. Exclusions must apply **only** to the `runtimes` subfolder. - Payloads are intentionally stored elsewhere so that detection and blocking remain possible when relevant. + threat arsenal actions are intentionally stored elsewhere so that detection and blocking remain possible when relevant. --- 
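Review bot: the admonition line `threat arsenal actions are intentionally stored elsewhere so that detection and blocking remain possible when relevant.` in the `@@ -35,7 +35,7 @@` hunk of `docs/usage/openaev-agent.md` now starts a sentence in lowercase, where the replaced `Payloads are ...` was capitalised. Suggest `Threat arsenal actions are intentionally stored elsewhere so that detection and blocking remain possible when relevant.` This sentence is the stated reason the AV exclusion is limited to the `runtimes` subfolder, so it is worth keeping it clean after the rename.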
@@ -119,7 +119,7 @@ If any of these requirements are not met, installation **will fail or behave unp *[UserSanitized] in the table below means username without special character like "\", "/",...* -| Installation mode | Installation | Installation type | Execution agent and payload | Verification/Start/Stop agent | Folder path | AV exclusions | Uninstallation | +| Installation mode | Installation | Installation type | Execution agent and threat arsenal action | Verification/Start/Stop agent | Folder path | AV exclusions | Uninstallation | |:----------------------------------------------|:-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|:------------------------------------------------------------------------------------------------------------------------------------|:---------------------------------------------------------------------------------------------------------------|:-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|:-------------------------------------------------------------------------------------------------------------------------------|:-------------------------------------------------------------------------------------------------------------------------------------------------|:-----------------------------------------------------------------------------------------------------| | **Standard installation (session)** | Asset with GUI and terminal with standard privileges or admin privileges for the logged-in user | User session (standard privileges): start up app `WriteRegStr`
OR
User session (admin privileges): start up task `schtasks` | Background, only when user is logged in, with the user privilege from the powershell elevation and environment | `Get-Process openaev-agent \| Where-Object { $_.Path -eq "[FOLDER_PATH]\openaev-agent.exe" }`
`Get-Process openaev-agent \| Where-Object { $_.Path -eq "[FOLDER_PATH]\openaev-agent.exe" } \| Stop-Process -Force`
`Start-Process "[FOLDER_PATH]\openaev-agent.exe"` | `$HOME\.openaev\OAEVAgent-Session-[UserSanitized]`
OR
`$HOME\.openaev\OAEVAgent-Session-Administrator-[UserSanitized]` | `$HOME\.openaev\OAEVAgent-Session-[UserSanitized]\runtimes`
OR
`$HOME\.openaev\OAEVAgent-Session-Administrator-[UserSanitized]\runtimes` | Stop the agent in background and "uninstall.exe" from the path folder | | **Advanced installation as User (service)** | Enable the "Service Logon" policy (see above)
Terminal with admin privileges, replace params [USER] and [PASSWORD] in the
bash snippet and in the following commands by the username with domain and password wanted | Service: `sc` (with user and password in service conf) | Background, as soon as the machine powers on, with the user privilege and environment | `Get-Service -Name "OAEVAgent-Service-[UserSanitized]"`
`Start-Service -Name "OAEVAgent-Service-[UserSanitized]"`
`Stop-Service -Name "OAEVAgent-Service-[UserSanitized]"` | `$HOME\.openaev\OAEVAgent-Service-[UserSanitized]` | `$HOME\.openaev\OAEVAgent-Service-[UserSanitized]\runtimes` | "uninstall.exe" from the path folder
Disable the "Service Logon" policy for the user (see above) | @@ -152,7 +152,7 @@ If any of these requirements are not met, installation **will fail or behave unp * Installation and execution require **root or sudo privileges** * User-based services require permission to manage `systemctl --user` -| Installation mode | Installation | Installation type | Execution agent and payload | Verification/Start/Stop agent | Folder path | AV exclusions | Uninstallation | +| Installation mode | Installation | Installation type | Execution agent and threat arsenal action | Verification/Start/Stop agent | Folder path | AV exclusions | Uninstallation | |:----------------------------------------------|:--------------------------------------------------------------------------------------------------------------------------------------------------------|:-----------------------------------------------------------|:--------------------------------------------------------------------------------------|:-----------------------------------------------------------------------------------------------------------------------------------------------------|:--------------------------------------------|:-----------------------------------------------------|:---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| | **Standard installation (session)** | Asset with GUI and terminal with standard privileges for the logged-in user | User service: `systemctl --user` | Background, only when user is logged in, with the user privilege and environment | `systemctl --user enable openaev-agent-session`
`systemctl --user start openaev-agent-session`
`systemctl --user stop openaev-agent-session` | `$HOME/.local/openaev-agent-session` | `$HOME/.local/openaev-agent-session/runtimes ` | `systemctl --user stop openaev-agent-session & systemctl --user disable openaev-agent-session & systemctl --user daemon-reload & systemctl --user reset-failed & rm -rf $HOME/.local/openaev-agent-session` | | **Advanced installation as User (service)** | Terminal with sudo privileges, replace params [USER] and [GROUP] in the bash
snippet and in the following commands by the username and group wanted | Service: `systemctl` (with user and group in service conf) | Background, as soon as the machine powers on, with the user privilege and environment | `systemctl enable [USER]-openaev-agent`
`systemctl start [USER]-openaev-agent`
`systemctl stop [USER]-openaev-agent` | `$HOME/.local/openaev-agent-service-[USER]` | `$HOME/.local/openaev-agent-service-[USER]/runtimes` | `sudo systemctl stop [USER]-openaev-agent & sudo systemctl disable [USER]-openaev-agent & sudo systemctl daemon-reload & sudo systemctl reset-failed & sudo rm -rf $HOME/.local/openaev-agent-service-[USER]` | @@ -160,7 +160,7 @@ If any of these requirements are not met, installation **will fail or behave unp !!! note - To allow command payload execution without sudo password prompts, see: + To allow command threat arsenal action execution without sudo password prompts, see: [this tutorial](https://gcore.com/learning/how-to-disable-password-for-sudo-command/) ### macOS 
@@ -193,7 +193,7 @@ If any of these requirements are not met, installation **will fail or behave unp * Installation and execution require **administrator privileges** -| Installation mode | Installation | Installation type | Execution agent and payload | Verification/Start/Stop agent | Folder path | AV exclusions | Uninstallation | +| Installation mode | Installation | Installation type | Execution agent and threat arsenal action | Verification/Start/Stop agent | Folder path | AV exclusions | Uninstallation | |:----------------------------------------------|:--------------------------------------------------------------------------------------------------------------------------------------------------------|:---------------------------------------------------------------------------|:--------------------------------------------------------------------------------------|:--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|:--------------------------------------------|:-------------------------------------------------------|:-----------------------------------------------------------------------------------------------------| | **Standard installation (session)** | Asset with GUI and terminal with standard privileges for the logged-in user | User service: `launchctl user` | Background, only when user is logged in, with the user privilege and environment | `launchctl enable gui/$(id -u)/openaev-agent-session`
`launchctl bootstrap gui/$(id -u) ~/Library/LaunchAgents/openaev-agent-session.plist`
`launchctl bootout gui/$(id -u) ~/Library/LaunchAgents/openaev-agent-session.plist` | `$HOME/.local/openaev-agent-session` | `$HOME/.local/openaev-agent-session/runtimes` | `launchctl remove openaev-agent-session & rm -rf $HOME/.local/openaev-agent-session` | | **Advanced installation as User (service)** | Terminal with sudo privileges, replace params [USER] and [GROUP] in the
bash snippet and in the following commands by the username and group wanted | Service: `launchctl user` (as agent, with user and group in service plist) | Background, as soon as the machine powers on, with the user privilege and environment | `launchctl enable gui/[USER-ID]/[USER]-openaev-agent`
`launchctl bootstrap gui/[USER-ID] /Library/LaunchAgents/[USER]-openaev-agent.plist`
`launchctl bootout gui/[USER-ID] ~/Library/LaunchAgents/[USER]-openaev-agent.plist` | `$HOME/.local/openaev-agent-service-[USER]` | `$HOME/.local/openaev-agent-service-[USER]/runtimes` | `sudo launchctl remove [USER]-openaev-agent & sudo rm -rf $HOME/.local/openaev-agent-service-[USER]` | @@ -201,7 +201,7 @@ If any of these requirements are not met, installation **will fail or behave unp !!! note - To allow command payload execution without sudo password prompts, see: + To allow command threat arsenal action execution without sudo password prompts, see: [this tutorial](https://gcore.com/learning/how-to-disable-password-for-sudo-command/) --- diff --git a/docs/usage/payloads/assets/finding-port-scan.png b/docs/usage/payloads/assets/finding-port-scan.png deleted file mode 100644 index 52a1df5d..00000000 Binary files a/docs/usage/payloads/assets/finding-port-scan.png and /dev/null differ diff --git a/docs/usage/payloads/assets/outputparser-inject-detail.png b/docs/usage/payloads/assets/outputparser-inject-detail.png deleted file mode 100644 index f83714f4..00000000 Binary files a/docs/usage/payloads/assets/outputparser-inject-detail.png and /dev/null differ diff --git a/docs/usage/payloads/assets/outputparser-inject-findings.png b/docs/usage/payloads/assets/outputparser-inject-findings.png deleted file mode 100644 index a4508bce..00000000 Binary files a/docs/usage/payloads/assets/outputparser-inject-findings.png and /dev/null differ diff --git a/docs/usage/payloads/assets/payload-command-view.png b/docs/usage/payloads/assets/payload-command-view.png deleted file mode 100644 index 85ce538c..00000000 Binary files a/docs/usage/payloads/assets/payload-command-view.png and /dev/null differ diff --git a/docs/usage/payloads/assets/payload-creation-dns.png b/docs/usage/payloads/assets/payload-creation-dns.png deleted file mode 100644 index 577630d2..00000000 Binary files a/docs/usage/payloads/assets/payload-creation-dns.png and /dev/null differ 
diff --git a/docs/usage/payloads/assets/payload-detection-remediation-view.png b/docs/usage/payloads/assets/payload-detection-remediation-view.png deleted file mode 100644 index 487730d8..00000000 Binary files a/docs/usage/payloads/assets/payload-detection-remediation-view.png and /dev/null differ diff --git a/docs/usage/payloads/assets/payload-general-view.png b/docs/usage/payloads/assets/payload-general-view.png deleted file mode 100644 index 2922f671..00000000 Binary files a/docs/usage/payloads/assets/payload-general-view.png and /dev/null differ diff --git a/docs/usage/payloads/assets/payload-output-parser-view.png b/docs/usage/payloads/assets/payload-output-parser-view.png deleted file mode 100644 index 660695b5..00000000 Binary files a/docs/usage/payloads/assets/payload-output-parser-view.png and /dev/null differ diff --git a/docs/usage/scenario.md b/docs/usage/scenario.md index 211eb648..d198a161 100644 --- a/docs/usage/scenario.md +++ b/docs/usage/scenario.md @@ -70,7 +70,7 @@ Instead of manually creating each inject, the Scenario Assistant automates the p !!! warning - To use the Scenario Assistant, you must have attack patterns with associated payloads. + To use the Scenario Assistant, you must have attack patterns with associated threat arsenal actions. ### How to Use the Scenario Assistant - Open the Scenario Assistant 
@@ -97,11 +97,11 @@ The Scenario Assistant generates injects based on your selected TTPs, ensuring c When you select multiple assets with different architectures (for example, Linux x86_64 and Windows x86_64) along with a specific TTP (such as TTP 1072), the Scenario Assistant will: -- Attempt to find a universal payload that supports the chosen TTP and is compatible with all selected architectures. -- If no universal payload is available, it will look for individual payloads that match each asset’s specific platform architecture. -- For asset groups, the Scenario Assistant will try to find a payload that covers all asset platforms architectures within the group. -- If a perfect match cannot be found, it will prioritize payloads that are compatible with the largest subset of assets in the group. -- If no suitable payloads are found, the assistant will create an inject with a placeholder for the TTP and targets. +- Attempt to find a universal threat arsenal action that supports the chosen TTP and is compatible with all selected architectures. +- If no universal threat arsenal action is available, it will look for individual threat arsenal actions that match each asset’s specific platform architecture. +- For asset groups, the Scenario Assistant will try to find a threat arsenal action that covers all asset platforms architectures within the group. +- If a perfect match cannot be found, it will prioritize threat arsenal actions that are compatible with the largest subset of assets in the group. +- If no suitable threat arsenal actions are found, the assistant will create an inject with a placeholder for the TTP and targets. ![scenario-assistant-injects](./scenario/assets/scenario-assistant-injects.png) diff --git a/docs/usage/scenario/security-coverage.md b/docs/usage/scenario/security-coverage.md index ee415186..40f8d7e0 100644 --- a/docs/usage/scenario/security-coverage.md +++ b/docs/usage/scenario/security-coverage.md 
@@ -33,7 +33,7 @@ OpenAEV then: > Attack Patterns 3. Extracts relevant **Attack Patterns references** -4. Resolves Asset Groups using **Custom Tag Rule** labeled `opencti`, extracting the associated **platforms and architectures** to match compatible payloads. +4. Resolves Asset Groups using **Custom Tag Rule** labeled `opencti`, extracting the associated **platforms and architectures** to match compatible threat arsenal actions. 5. Generates injects for each extracted entity 6. Schedules the scenario for execution @@ -71,12 +71,12 @@ After parsing and validating the **Security Coverage STIX** object, OpenAEV foll - For each **Object Reference** identified: - If the referenced **Attack Pattern**, **DNS** or **Artifact** exists in OpenAEV - (matched by **External ID** or **Name**) **and** a related [Payload](../payloads/payloads.md) exists that + (matched by **External ID** or **Name**) **and** a related [Threat Arsenal](../threat-arsenals/threat-arsenals.md) exists that matches the **platforms and architectures** derived from the Asset groups resolved via **Custom Tag Rule labeled `opencti`**. => **Concrete Inject** is created. - - If the Attack Pattern does **not** exist in OpenAEV, or no compatible payload exists for the resolved + - If the Attack Pattern does **not** exist in OpenAEV, or no compatible threat arsenal action exists for the resolved platforms/architectures. => **Placeholder Inject** is created to highlight missing coverage. 
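Review bot: the link text in the `@@ -71,12 +71,12 @@` hunk of `docs/usage/scenario/security-coverage.md` introduces a different noun from the rest of the patch: `a related [Threat Arsenal](../threat-arsenals/threat-arsenals.md) exists that matches the **platforms and architectures**` versus `no compatible threat arsenal action exists for the resolved platforms/architectures` two lines below, in the other branch of the same rule. If a threat arsenal and a threat arsenal action are distinct entities in the new model, the first branch should say which one is being matched; if they are the same thing here, suggest `a related [threat arsenal action](../threat-arsenals/threat-arsenals.md) exists that ...` so both branches read alike.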
@@ -87,22 +87,22 @@ After parsing and validating the **Security Coverage STIX** object, OpenAEV foll **. > - Targets are resolved via **Custom Tag Rule labeled `opencti`**, and the corresponding **platforms and architectures ** are extracted from these Asset groups. -> - Payloads are matched against the Attack Patterns **and** must be compatible with the extracted platforms and +> - threat arsenal actions are matched against the Attack Patterns **and** must be compatible with the extracted platforms and architectures. > > In other words, inject creation only occurs when: > 1. The Attack Pattern exists in OpenAEV, and -> 2. A payload exists that matches both the Attack Pattern **and** the platforms/architectures derived from the Asset groups +> 2. A threat arsenal action exists that matches both the Attack Pattern **and** the platforms/architectures derived from the Asset groups defined in the Custom Tag Rules. > > If either condition is not met, a **Placeholder Inject** is created to highlight missing coverage. Inject creation depends on matching the **Object Reference** values between OpenCTI and OpenAEV, example: -| OpenCTI Attack Pattern
(External ID or Name) | Matching Payload in OpenAEV
(Attack Pattern + Platform + Architecture) | Result | -|----------------------------------------------------|------------------------------------------------------------------------------|-------------------------| -| T1059.001 | Yes | Concrete inject created | -| T1059.001 | No | Placeholder inject | +| OpenCTI Attack Pattern
(External ID or Name) | Matching Threat Arsenal Action in OpenAEV
(Attack Pattern + Platform + Architecture) | Result | +|----------------------------------------------------|--------------------------------------------------------------------------------------------|-------------------------| +| T1059.001 | Yes | Concrete inject created | +| T1059.001 | No | Placeholder inject | ![Inject Scenario](assets/inject-scenario-openaev.png) ![Inject Placeholder Scenario](assets/inject-placeholder.png) diff --git a/docs/usage/security-control-validation.md b/docs/usage/security-control-validation.md index 4855d4c8..4d8ddaff 100644 --- a/docs/usage/security-control-validation.md +++ b/docs/usage/security-control-validation.md 
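Review bot: the replaced note bullet starts a sentence in lowercase, `> - threat arsenal actions are matched against the Attack Patterns`, while the sibling bullet and the new table header use the capitalised form; change to `> - Threat arsenal actions are matched against the Attack Patterns`. While in this block, the context line `**platforms and architectures **` has a space before the closing `**`, so it does not render as bold; it is pre-existing but visible here and worth fixing in the same commit.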
@@ -1,15 +1,15 @@ # Overview -Domains provide a classification layer that describes the type of security control involved during the execution of a scenario in OpenAEV. This classification identifies the defensive capability being evaluated and allows scenarios and payloads to be interpreted with clearer operational intent. +Domains provide a classification layer that describes the type of security control involved during the execution of a scenario in OpenAEV. This classification identifies the defensive capability being evaluated and allows scenarios and threat arsenal actions to be interpreted with clearer operational intent. ## Domains -A Domain represents the security control category targeted by a payload or injector execution. This classification helps to: +A Domain represents the security control category targeted by a threat arsenal actions or injector execution. This classification helps to: - Clarify the objective and security angle of each execution - Improve visibility when reviewing results based on security control categories - Align test coverage with the organization's security capabilities (endpoint, network, cloud, email, etc.) -Domains are currently predefined by the platform and cannot be created or modified by users. They are assigned automatically based on the Payload (and in certain cases the Injector Contract). User-defined management of Domains may be introduced in future releases. +Domains are currently predefined by the platform and cannot be created or modified by users. They are assigned automatically based on the Threat Arsenal Action (and in certain cases the Injector Contract). User-defined management of Domains may be introduced in future releases. ## Available Domains 
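Review bot: number agreement in the rewritten Domains sentence: `A Domain represents the security control category targeted by a threat arsenal actions or injector execution.` should be `targeted by a threat arsenal action or injector execution`. The first and last lines of the hunk use the singular/plural correctly; only this one slipped.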
@@ -28,12 +28,12 @@ The following Domains are currently supported in OpenAEV: ## How Domains Are Applied -### Payloads define the Domain -Domains are primarily defined at the Payload level. Each payload declares one or more Domains that describe the security control category involved in its execution. This ensures consistent and predictable classification across the platform. +### threat arsenal actions define the Domain +Domains are primarily defined at the Threat Arsenal Action level. Each threat arsenal action declares one or more Domains that describe the security control category involved in its execution. This ensures consistent and predictable classification across the platform. ### Injector Contracts In some cases, an Injector Contract may also carry a Domain. -However, when an injector uses a Payload, the Payload’s Domain always takes precedence. This ensures that the Domain reflects the actual technical behavior of the executed action. +However, when an injector uses a Threat Arsenal Action, the Threat Arsenal Action’s Domain always takes precedence. This ensures that the Domain reflects the actual technical behavior of the executed action. ## Usage 
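Review bot: the new heading `### threat arsenal actions define the Domain` is lowercase while every other heading in this file is title-cased (`### Injector Contracts`, `## Usage`); suggest `### Threat Arsenal Actions define the Domain`, which also matches `Threat Arsenal Action level` in the paragraph directly under it.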
@@ -48,8 +48,8 @@ Some Injectors and Collectors can define and **manage their own Domains**. In these cases: -- The Injectors/Collectors declares the Domain associated with the Injector Contracts/Payloads it produces -- The Domain attached by the Injector or Collector is then applied to the corresponding Injector Contracts/Payload executions +- The Injectors/Collectors declares the Domain associated with the Injector Contracts/Threat Arsenal Actions it produces +- The Domain attached by the Injector or Collector is then applied to the corresponding Injector Contracts/Threat Arsenal Action executions - This mechanism allows certain integrations to carry a Domain that is closest to their technical and operational behavior, without requiring manual configuration on the platform ## Automatic weekly updates of Domains @@ -57,7 +57,7 @@ Injectors and Collectors are **updated on a weekly basis**. During these updates: -- The list of Domains associated with their Payloads is synchronized with the platform +- The list of Domains associated with their threat arsenal actions is synchronized with the platform - If a Domain that should be present, according to the latest Injector or Collector definition, has been removed or modified on the platform, it will be restored to its expected value during the next update - Domains that have been manually added by the user, in addition to those defined by the Injector or Collector, are preserved. Only missing Domains are re-added; no user-added Domains are removed diff --git a/docs/usage/threat-arsenals/assets/finding-port-scan.png b/docs/usage/threat-arsenals/assets/finding-port-scan.png new file mode 100644 index 00000000..800f3d15 Binary files /dev/null and b/docs/usage/threat-arsenals/assets/finding-port-scan.png differ 
diff --git a/docs/usage/payloads/assets/outputparser-detail.png b/docs/usage/threat-arsenals/assets/outputparser-detail.png similarity index 100% rename from docs/usage/payloads/assets/outputparser-detail.png rename to docs/usage/threat-arsenals/assets/outputparser-detail.png diff --git a/docs/usage/threat-arsenals/assets/outputparser-inject-detail.png b/docs/usage/threat-arsenals/assets/outputparser-inject-detail.png new file mode 100644 index 00000000..86d9ca9a Binary files /dev/null and b/docs/usage/threat-arsenals/assets/outputparser-inject-detail.png differ diff --git a/docs/usage/threat-arsenals/assets/outputparser-inject-findings.png b/docs/usage/threat-arsenals/assets/outputparser-inject-findings.png new file mode 100644 index 00000000..b80d089a Binary files /dev/null and b/docs/usage/threat-arsenals/assets/outputparser-inject-findings.png differ diff --git a/docs/usage/threat-arsenals/assets/payload-creation-dns.png b/docs/usage/threat-arsenals/assets/payload-creation-dns.png new file mode 100644 index 00000000..408f83f6 Binary files /dev/null and b/docs/usage/threat-arsenals/assets/payload-creation-dns.png differ diff --git a/docs/usage/payloads/assets/payload-execution-workflow.png b/docs/usage/threat-arsenals/assets/payload-execution-workflow.png similarity index 100% rename from docs/usage/payloads/assets/payload-execution-workflow.png rename to docs/usage/threat-arsenals/assets/payload-execution-workflow.png diff --git a/docs/usage/payloads/assets/payload-to-inject.png b/docs/usage/threat-arsenals/assets/payload-to-inject.png similarity index 100% rename from docs/usage/payloads/assets/payload-to-inject.png rename to docs/usage/threat-arsenals/assets/payload-to-inject.png 
diff --git a/docs/usage/payloads/assets/targeted-asset-argument.png b/docs/usage/threat-arsenals/assets/targeted-asset-argument.png similarity index 100% rename from docs/usage/payloads/assets/targeted-asset-argument.png rename to docs/usage/threat-arsenals/assets/targeted-asset-argument.png diff --git a/docs/usage/payloads/assets/targeted-asset-inject-form.png b/docs/usage/threat-arsenals/assets/targeted-asset-inject-form.png similarity index 100% rename from docs/usage/payloads/assets/targeted-asset-inject-form.png rename to docs/usage/threat-arsenals/assets/targeted-asset-inject-form.png diff --git a/docs/usage/payloads/assets/text-argument-payload.png b/docs/usage/threat-arsenals/assets/text-argument-payload.png similarity index 100% rename from docs/usage/payloads/assets/text-argument-payload.png rename to docs/usage/threat-arsenals/assets/text-argument-payload.png diff --git a/docs/usage/threat-arsenals/assets/threat-arsenal-command-view.png b/docs/usage/threat-arsenals/assets/threat-arsenal-command-view.png new file mode 100644 index 00000000..b5b43b8a Binary files /dev/null and b/docs/usage/threat-arsenals/assets/threat-arsenal-command-view.png differ diff --git a/docs/usage/threat-arsenals/assets/threat-arsenal-detection-remediation-view.png b/docs/usage/threat-arsenals/assets/threat-arsenal-detection-remediation-view.png new file mode 100644 index 00000000..dd062ac7 Binary files /dev/null and b/docs/usage/threat-arsenals/assets/threat-arsenal-detection-remediation-view.png differ diff --git a/docs/usage/threat-arsenals/assets/threat-arsenal-general-view.png b/docs/usage/threat-arsenals/assets/threat-arsenal-general-view.png new file mode 100644 index 00000000..b4119e06 Binary files /dev/null and b/docs/usage/threat-arsenals/assets/threat-arsenal-general-view.png differ 
diff --git a/docs/usage/threat-arsenals/assets/threat-arsenal-output-parser-view.png b/docs/usage/threat-arsenals/assets/threat-arsenal-output-parser-view.png new file mode 100644 index 00000000..09bb0696 Binary files /dev/null and b/docs/usage/threat-arsenals/assets/threat-arsenal-output-parser-view.png differ diff --git a/docs/usage/payloads/payloads.md b/docs/usage/threat-arsenals/threat-arsenals.md similarity index 63% rename from docs/usage/payloads/payloads.md rename to docs/usage/threat-arsenals/threat-arsenals.md index f706fc55..406618b9 100644 --- a/docs/usage/payloads/payloads.md +++ b/docs/usage/threat-arsenals/threat-arsenals.md 
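Review bot: the asset move is incomplete. This patch adds threat-arsenal-general-view.png, threat-arsenal-command-view.png, threat-arsenal-output-parser-view.png and threat-arsenal-detection-remediation-view.png as new binaries and renames the other payload assets into docs/usage/threat-arsenals/assets/, but the old payload-general-view.png, payload-command-view.png, payload-output-parser-view.png and payload-detection-remediation-view.png are neither renamed nor deleted here. If they still sit under docs/usage/payloads/assets/ they become orphans once payloads.md is gone; delete them or confirm another page still references them. Also, finding-port-scan.png and outputparser-inject-detail.png are added but no visible hunk references them.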
@@ -1,63 +1,50 @@ -# Payloads +# Threat Arsenals -In **OpenAEV**, payloads are key components used to build and customize injects. +In **OpenAEV**, threat arsenal actions are key components used to build and customize injects. They allow you to enrich your scenarios with dynamic, reusable content tailored to various attack simulations. -## Payloads List View +## Threat Arsenal actions — List View -The **Payloads** view displays a list of all available payloads in the platform. Each entry includes the following -columns: +The **Threat Arsenal** view displays all actions available in the platform. +Actions can either be created by users or inserted through injectors. -| Column | Description | -|-----------------|------------------------------------------------------------------------------------------------------------| -| **Type** | The kind of payload (e.g., Command Line, Executable, File Drop, DNS Resolution). | -| **Name** | The name assigned to the payload. | -| **Platforms** | The platforms the payload supports (e.g., Windows, Linux, macOS). | -| **Description** | A brief explanation of what the payload does. | -| **Tags** | Tags to help categorize and search for payloads. | -| **Source** | The origin of the payload (see [**Payload Sources**](#payload-sources)). | -| **Status** | The reliability or lifecycle state of the payload (see [**Payload Status Logic**](#payload-status-logic)). | -| **Updated** | The last modification date. | +Each entry in the list includes the following columns: -### Payload Status Logic +| Column | Description | +|-----------------|------------------------------------------------------------------------------------------------------------------| +| **Type** | The injector type that supports the action. (User-created actions are supported by the OpenAEV Implant Injector) | +| **Name** | The name assigned to the action. 
| +| **Domains** | The domains on which the action operates (e.g., Endpoint, Network, Web App, E-mail infiltration...). | +| **Platform** | The platforms of the action supports (e.g., Windows, Linux, macOS) | +| **Tags** | Tags to help categorize and search for actions. | +| **Status** | The reliability or lifecycle state of the action (see [**Action Status Logic**](#action-status-logic)). | +| **Updated** | The last modification date. | -Payloads can have one of the following statuses: +### Action Status Logic + +threat arsenal actions can have one of the following statuses: - **Verified** ✅ - OpenAEV has tested the payload and confirmed it works as expected. + OpenAEV has tested the action and confirmed it works as expected. - **Unverified** ⚠️ - The payload has not been tested by OpenAEV. It may or may not work. + The action has not been tested by OpenAEV. It may or may not work. - **Deprecated** ❌ - The original source has marked the payload as deprecated. It’s kept for reference, but functionality is not + The original source has marked the action as deprecated. It’s kept for reference, but functionality is not guaranteed. -### Payload Sources - -Each payload has a source indicating its origin: - -- **Community** 🌍 - Submitted by external users. May vary in quality or coverage. - -- **Manual** ✍️ - Custom payload created within your OpenAEV instance. +## Create a Threat Arsenal action -- **Filigran** 📦 - From the [official Filigran payload library](https://github.com/OpenAEV-Platform/payloads), curated and maintained by - Filigran. - -## Create a Payload - -To create a new payload, follow these steps: +To create a new action, follow these steps: 1. Click the **"+"** button in the bottom right corner of the screen. -2. In the **General Information** tab, fill in the required details about the payload. - 2.1. Assign a name to your new payload and provide additional general details such as description, attack patterns +2. 
In the **General Information** tab, fill in the required details about the action. + 2.1. Assign a name to your new action and provide additional general details such as description, attack patterns and tags. - ![Payload general view](assets/payload-general-view.png) + ![Threat Arsenal Actiongeneral view](assets/threat-arsenal-general-view.png) 3. In the **Commands** tab: - 3.1. Choose a **payload type** based on your needs: + 3.1. Choose a **threat arsenal actiontype** based on your needs: - **Command Line**: Executes a command using an executor (e.g., PowerShell, Bash, etc.). - **Executable**: Runs an executable file on an asset. - **File Drop**: Drops a file onto an asset. 
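Review bot: removing the `Source` column and the whole "Payload Sources" section leaves a dangling concept: the Deprecated status still says `The original source has marked the action as deprecated`, but "source" is no longer defined anywhere on the page. Either keep a short Source note (user-created / injector / collector) or reword the status to say which component marked it deprecated. Two smaller points in the same hunk: the sentence `threat arsenal actions can have one of the following statuses:` starts in lowercase, and the Platform row reads `The platforms of the action supports`, which should be `The platforms the action supports`. The alt text `![Threat Arsenal Actiongeneral view]` and the list item `Choose a **threat arsenal actiontype**` have lost the space after "Action", which looks like a search-and-replace on "Payload " that swallowed the trailing space; worth grepping the whole file for `action[a-z]` before merging.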
@@ -65,21 +52,21 @@ To create a new payload, follow these steps: 3.2. Specify the platform and provide additional command details, such as arguments and prerequisites. 3.3. Specify a **cleanup executor and cleanup command** to remove any remnants from execution on the asset. - ![Payload command view](assets/payload-command-view.png) + ![Threat Arsenal Actioncommand view](assets/threat-arsenal-command-view.png) 4. In the **Output Parsers** tab (optional): 4.1. Add **[Output Parsers](#output-parsers)** to process the raw output of your execution. 4.2. Specify whether to generate **[Findings](../findings.md)** from the output. - ![Payload output parser view](assets/payload-output-parser-view.png) + ![Threat Arsenal Actionoutput parser view](assets/threat-arsenal-output-parser-view.png) 5. In the **Remediation** tab (optional and EE): - This section allows payload creators to define detection rules to identify payloads that were not + This section allows threat arsenal actioncreators to define detection rules to identify threat arsenal actions that were not blocked or detected by existing security systems (such as EDRs, SIEMs, etc.). A dedicated Remediation tab is available for each collector integrated into the platform. - 5.1 Use Ariane, allows payload creators to generate rules using AI, for payload of type Command or DnsResolution and for the collector Splunk or Crowdstrike + 5.1 Use Ariane, allows threat arsenal actioncreators to generate rules using AI, for threat arsenal actionof type Command or DnsResolution and for the collector Splunk or Crowdstrike -![Payload remediation view](assets/payload-detection-remediation-view.png) +![Threat Arsenal Actionremediation view](assets/threat-arsenal-detection-remediation-view.png) ### Status of detection remediation rules 
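Review bot: the same missing-space artefact appears throughout this hunk: `![Threat Arsenal Actioncommand view]`, `![Threat Arsenal Actionoutput parser view]`, `allows threat arsenal actioncreators to define`, `for threat arsenal actionof type Command or DnsResolution`, and `![Threat Arsenal Actionremediation view]`. Each needs a space after "Action"/"action". The image paths themselves do point at the new threat-arsenal-*.png files, so only the alt text and prose are affected.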
@@ -87,7 +74,7 @@ To create a new payload, follow these steps: |----------------------------------------------------------------------------|--------------------------------------------------------------------------------------------------------------------------| | Rules written by Human | The rules have been written by a human | | Rules generated by AI | The rules have been generated by AI | -| Payload changed since rule was edited | The payload has been edited since last AI rules generation **[(relevant fields)](#fields-used-for-ai-rules-generation)** | +| Threat Arsenal Actionchanged since rule was edited | The threat arsenal actionhas been edited since last AI rules generation **[(relevant fields)](#fields-used-for-ai-rules-generation)** | ### Fields used for AI rules generation 
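Review bot: both cells of the rewritten table row have the missing space: `| Threat Arsenal Actionchanged since rule was edited |` and `The threat arsenal actionhas been edited since last AI rules generation`. Suggest `| Threat Arsenal Action changed since rule was edited | The threat arsenal action has been edited since the last AI rules generation ... |`.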
@@ -105,22 +92,22 @@ To create a new payload, follow these steps: | Hostname (DnsResolution) | Commands | -Once completed, your new payload will appear in the payload list. +Once completed, your new threat arsenal actionwill appear in the threat arsenal actionlist. -### General Payload properties +### General Threat Arsenal Actionproperties | Property | Description | |-----------------|---------------------------------| -| Name | Payload name | -| Description | Payload description | +| Name | Threat Arsenal Actionname | +| Description | Threat Arsenal Actiondescription | | Attack patterns | Command-related attack patterns | | Tags | Tags | -### Commands Common Payload properties +### Commands Common Threat Arsenal Actionproperties | Property | Description | |------------------|--------------------------------------------------------------------------------------| -| Type | Type of payload such as Command Line, Executable, File Drop or Dns Resolution | +| Type | Type of threat arsenal actionsuch as Command Line, Executable, File Drop or Dns Resolution | | Architecture | Architecture in which the command can be executed (x86_64, arm64, all architectures) | | Platforms | Compatible platforms (ex. Windows, Linux, MacOS) | | Prerequisites | Prerequisites required to execute the command | 
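Review bot: two things in this hunk. First, the `Type` property row still says `Type of threat arsenal actionsuch as Command Line, Executable, File Drop or Dns Resolution`, while the list-view `Type` column introduced earlier in this same file now means "the injector type that supports the action". Two different meanings under one label will confuse readers; consider naming this one "Command type" (or similar) in the properties table. Second, the missing-space artefact again: `actionwill appear in the threat arsenal actionlist`, `### General Threat Arsenal Actionproperties`, `Threat Arsenal Actionname`, `Threat Arsenal Actiondescription`, `### Commands Common Threat Arsenal Actionproperties`, and `actionsuch as`.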
@@ -141,9 +128,9 @@ For text arguments, you can specify - Default Value: During execution, this placeholder is replaced with the argument's value. This default value can be overridden when creating an inject. -![Text argument payload](assets/text-argument-payload.png) +![Text argument action](assets/text-argument-payload.png) -For targeted asset arguments, you can specify several attributes within the payload: +For targeted asset arguments, you can specify several attributes within the action: - Key: This is how you reference the argument in your command using a placeholder. - Targeted Property: This determines which attribute of each targeted asset to use in the command, such as local IP, @@ -151,11 +138,11 @@ For targeted asset arguments, you can specify several attributes within the payl - Separator: This is used to separate multiple values when the command is executed, allowing you to format the arguments correctly in your script (e.g., using a comma to separate values). -Let's consider a practical example: If I want to create a payload using 'nuclei' for scanning, I would create a payload +Let's consider a practical example: If I want to create a threat arsenal action using 'nuclei' for scanning, I would create it with a command like nuclei -t #{asset-key}. I'd set up a targeted asset argument with the key "asset-key". ![Targeted asset argument](assets/targeted-asset-argument.png) -Next, I would create an inject based on this payload. In this inject, I'd designate a source asset, which is where the +Next, I would create an inject based on this threat arsenal action. In this inject, I'd designate a source asset, which is where the command will execute (such as the asset where 'nuclei' is installed), and define the targeted assets that will serve as the scan targets. ![Targeted asset argument](assets/text-argument-payload.png) 
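Review bot: the practical example ends with `![Targeted asset argument](assets/text-argument-payload.png)` right after the sentence about creating the inject and choosing the source and targeted assets, yet it points at the text-argument screenshot that is already shown a few lines above. This patch renames targeted-asset-inject-form.png into the new assets folder but nothing in the visible text references it, so it is very likely the intended image here; the line is unchanged context, but since the page is being reworked this is the place to fix it.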
@@ -168,14 +155,14 @@ the scan targets. | Check command | Verifies if specific condition are met | | | Get command | Run command if check command failed | | -### Additional Payload properties by type +### Additional Threat Arsenal Actionproperties by type #### Command Line -This payload type executes commands directly on the command line interface (CLI) of the target system +This threat arsenal actiontype executes commands directly on the command line interface (CLI) of the target system (e.g., Windows Command Prompt, PowerShell, Linux Shell). -Command Line payloads are used for remote command execution to simulate common attacker actions like privilege +Command Line threat arsenal actions are used for remote command execution to simulate common attacker actions like privilege escalation or data exfiltration. | Property | Description | @@ -185,7 +172,7 @@ escalation or data exfiltration. #### Executable -An Executable payload involves delivering a binary file (such as .exe on Windows or ELF on Linux) that the system runs +An Executable threat arsenal actioninvolves delivering a binary file (such as .exe on Windows or ELF on Linux) that the system runs as an independent process. Executables can perform a variety of functions, from establishing a backdoor to running complex scripts (mimic malware). @@ -196,7 +183,7 @@ Executables can perform a variety of functions, from establishing a backdoor to #### File Drop -File Drop payloads are designed to deliver files (e.g., scripts, documents, binaries) to the target system without +File Drop threat arsenal actions are designed to deliver files (e.g., scripts, documents, binaries) to the target system without immediately executing them. The goal is typically to simulate scenarios where attackers place files in specific locations for later use, either 
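Review bot: same search-and-replace artefact across all three hunks: `### Additional Threat Arsenal Actionproperties by type`, `This threat arsenal actiontype executes commands`, and `An Executable threat arsenal actioninvolves delivering a binary file`. Each needs a space after "Action"/"action".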
@@ -208,7 +195,7 @@ manually or by another process. #### DNS Resolution -DNS resolution payloads attempts to resolve hostnames to associated IP address(es). +DNS resolution threat arsenal actions attempts to resolve hostnames to associated IP address(es). The goal of DNS resolution is to test if specific hostnames resolve to IP addresses correctly, helping assess network accessibility, detect issues, and simulate potential attacker behavior. @@ -232,7 +219,7 @@ Currently, Output Parsers support: If the extracted data is compatible with a [Finding](../findings.md), you can enable **"Show in Findings"** option. -The findings results and the details of the output parser will also be available in the Findings and Payload Info tabs +The findings results and the details of the output parser will also be available in the Findings and Threat Arsenal ActionInfo tabs of the [Atomic Testing Detail View](../atomic.md). ![Output Parser](assets/outputparser-inject-findings.png) 
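Review bot: subject-verb agreement in the DNS hunk: `DNS resolution threat arsenal actions attempts to resolve hostnames` should be `attempt to resolve` (the removed line had the same error with "payloads attempts"). In the Output Parsers hunk, `the Findings and Threat Arsenal ActionInfo tabs of the [Atomic Testing Detail View](../atomic.md)` is missing a space, and since atomic.md is not touched in this patch, please confirm the tab in the Atomic Testing detail view is actually renamed from "Payload Info"; otherwise the doc will describe a tab the UI does not have.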
@@ -287,26 +274,52 @@ The finding generated would be: If you want to combine multiple groups in a field, you have to concatenate them like `$n$m` (placing the group references next to each other). The final value of the field will be a composition of these groups. -### Payload execution workflow +### Threat Arsenal Action execution workflow -![payload execution workflow](assets/payload-execution-workflow.png) +![threat arsenal actionexecution workflow](assets/payload-execution-workflow.png) -## Use a Payload +## Use a Threat Arsenal Action After creation, a new inject type will automatically appear in the inject types list if the implant you're using supports it (the OpenAEV Implant does). -![Payload creation dns](assets/payload-creation-dns.png) -![Payload to inject](assets/payload-to-inject.png) +![Threat Arsenal Actioncreation dns](assets/payload-creation-dns.png) +![Threat Arsenal Actionto inject](assets/payload-to-inject.png) + +## Update Threat Arsenal Action + +As described in the [Threat Arsenal actions — List View](#threat-arsenal-actions-list-view) section, +threat arsenal actions can be created by users, inserted through injectors, or inserted through collectors. -## Import / Export Payloads +Depending on the source of the action, the update process may differ: + +- **User-created actions** — You can update them directly from the Threat Arsenal view by clicking on the action and modifying all its properties. +- **Actions inserted through injectors** — You can only update the domains, attack patterns, and tags linked to the action. +- **Actions inserted through collectors** (e.g. Atomic Red Team) — You cannot update them from the platform, as they are managed by the collector. + +## Delete Threat Arsenal Action + +The deletion process of a threat arsenal action depends on its source: + +- **User-created actions** — You can delete them directly from the Threat Arsenal view by clicking on the action and selecting the delete option. 
+- **Actions inserted through injectors or collectors** — These actions cannot be deleted from the platform. + +## Import / Export Threat Arsenal Actions ### Overview -OpenAEV supports importing and exporting payloads using the [JSON:API](https://jsonapi.org/) specification. This enables -seamless sharing of payloads across instances or within the community. +There are two ways to export Threat Arsenal actions: + +- **CSV Export** + You can filter or search your Threat Arsenal action list and export the current view as a CSV file. The exported file contains the same information displayed in the Threat Arsenal page. This export is available for all types of actions. + +- **JSON ZIP Export** — [JSON:API](https://jsonapi.org/) + The JSON export is designed to be paired with the import feature — you export to reimport elsewhere. This export is only available for user-created actions, as it contains all the details of the action (including the command, arguments, output parsers, etc.) that are not editable for actions coming from injectors or collectors. + +OpenAEV supports importing and exporting threat arsenal actions using the [JSON:API](https://jsonapi.org/) specification. +This enables seamless sharing of threat arsenal actions across instances or within the community. ### Use Cases -* Share complex payloads with teammates or the community. -* Use payloads across dev, test, and production environments. +- Share complex threat arsenal actions with teammates or the community. +- Use threat arsenal actions across dev, test, and production environments. diff --git a/mkdocs.yml b/mkdocs.yml index f641307a..8d75508e 100644 --- a/mkdocs.yml +++ b/mkdocs.yml 
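Review bot: the new Update section says `As described in the [Threat Arsenal actions — List View] section, threat arsenal actions can be created by users, inserted through injectors, or inserted through collectors`, but the List View paragraph added earlier in this same patch only says `Actions can either be created by users or inserted through injectors`; add collectors there so the cross-reference holds. In the Import / Export overview, the sentence `OpenAEV supports importing and exporting threat arsenal actions using the [JSON:API](https://jsonapi.org/) specification.` now duplicates the JSON ZIP Export bullet directly above it, which already links JSON:API; fold it into the bullet, and since the heading is Import / Export, say where the import lives and that it accepts the ZIP produced by the JSON export. Finally, the alt texts `threat arsenal actionexecution workflow`, `Threat Arsenal Actioncreation dns` and `Threat Arsenal Actionto inject` carry the missing-space artefact.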
@@ -184,7 +184,7 @@ nav: - Media pressure: usage/components/media-pressure.md - Challenges: usage/components/challenges.md - Lessons: usage/components/lessons.md - - Payloads: usage/payloads/payloads.md + - Threat Arsenal: usage/threat-arsenals/threat-arsenals.md - Share and export: - Simulations: usage/simulation-reports.md - Notifications: usage/notifications.md
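Review bot: the nav entry moves the page from usage/payloads/payloads.md to usage/threat-arsenals/threat-arsenals.md, and no redirect from the old URL appears anywhere in this diff, so existing bookmarks, support links and in-product help pointing at the old path will 404 after the next publish. If the site already uses a redirect plugin, add a mapping from the old page to the new one in the same commit; otherwise keep a stub page at the old path that links forward.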