Using the Shell

David French edited this page Dec 7, 2020 · 3 revisions

Dorothy provides a user-friendly shell interface for navigating between menus and using modules. Use the tab key within the shell while typing a command for auto-completion.

Global Commands

  • list-modules - List all of Dorothy's modules
  • whoami - Get the info for the user that's linked with the current API token
  • clear - Clear the terminal screen
  • manage-config - Manage Dorothy's configuration profiles

Module Commands

  • info - Show available options for the module and their current values
  • set - Set one or more options for the module
  • execute - Execute the module with the configured options
  • reset - Reset the options for the module

Navigation Commands

  • back - Go back to the previous menu
  • main - Go back to the main menu
  • help - Show the help menu for the shell's current context
  • exit - Exit Dorothy

Listing Modules

Dorothy has over 25 modules spanning various MITRE ATT&CK® tactics. Execute list-modules from the main menu to print all of Dorothy's modules.

dorothy > list-modules
+-------------------------+------------------------+---------------------------------------------------------------+
|         Tactics         |      Module Name       |                          Description                          |
+-------------------------+------------------------+---------------------------------------------------------------+
|        Discovery        |         whoami         |        Get info for user linked with current API token        |
|        Discovery        |       get-users        |             Harvest information on all Okta users             |
|        Discovery        |      find-admins       |         Identify Okta users with admin roles assigned         |
|        Discovery        |      get-policies      |   Harvest information on all Okta policies and policy rules   |
|        Discovery        |       get-groups       |            Harvest information on all Okta groups             |
|        Discovery        |        get-user        |     Get an Okta user's profile info and group memberships     |
|        Discovery        |       get-policy       |               Get an Okta policy and its rules                |
|        Discovery        |       get-zones        |         Harvest information on all Okta network zones         |
|        Discovery        |   find-admin-groups    |        Identify Okta groups with admin roles assigned         |
|        Discovery        | find-users-without-mfa |       Identify Okta users with no MFA factors enrolled        |
|        Discovery        |        get-apps        |         Harvest information on all Okta applications          |
| Defense Evasion, Impact |   change-rule-state    |        Deactivate or activate a rule in an Okta policy        |
| Defense Evasion, Impact |   modify-policy-rule   |      Make a temporary change to a rule in an Okta policy      |
| Defense Evasion, Impact |  change-policy-state   |             Deactivate or activate an Okta policy             |
| Defense Evasion, Impact |   change-zone-state    |          Deactivate or activate an Okta network zone          |
| Defense Evasion, Impact |     modify-policy      |           Make a temporary change to an Okta policy           |
| Defense Evasion, Impact |      modify-zone       |        Make a temporary change to an Okta network zone        |
| Defense Evasion, Impact |    change-app-state    |          Deactivate or activate an Okta application           |
|       Persistence       |      create-user       |  Create and activate an Okta user with an assigned password   |
|   Persistence, Impact   |   change-user-state    | Change an Okta user's state by executing lifecycle operations |
|       Persistence       |     reset-factors      |            Reset all MFA factors for an Okta user             |
|       Persistence       | set-recovery-question  |     Set the recovery question and answer for an Okta user     |
|       Persistence       |   create-admin-user    |             Assign an admin role to an Okta user              |
|       Persistence       |     delete-factor      |         Remove a MFA factor for a specified Okta user         |
|       Persistence       |   create-admin-group   |             Assign an admin role to an Okta group             |
|       Persistence       |     reset-password     |     Generate a one-time token to reset a user's password      |
|            -            |     manage-config      |            Manage Dorothy's configuration profiles            |
+-------------------------+------------------------+---------------------------------------------------------------+
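
An added example (not part of Dorothy or this wiki): parsing the list-modules table to group modules by tactic and to pick out the modules tagged with a tactic other than Discovery, for reviewing what a planned run would touch in a tenant. The function names are hypothetical, the sample rows are copied from the table above, and treating Discovery-only modules as read-only is an assumption based on their descriptions.

```python
from collections import defaultdict

# Excerpt of the list-modules output (rows copied from the table on this page).
SAMPLE = """\
dorothy > list-modules
+-------------------------+-------------------+---------------------------------------------------------------+
|         Tactics         |    Module Name    |                          Description                          |
+-------------------------+-------------------+---------------------------------------------------------------+
|        Discovery        |    find-admins    |         Identify Okta users with admin roles assigned         |
| Defense Evasion, Impact | change-zone-state |          Deactivate or activate an Okta network zone          |
|   Persistence, Impact   | change-user-state | Change an Okta user's state by executing lifecycle operations |
|       Persistence       | create-admin-user |             Assign an admin role to an Okta user              |
|            -            |   manage-config   |            Manage Dorothy's configuration profiles            |
+-------------------------+-------------------+---------------------------------------------------------------+
"""

def parse_modules(table):
    """Return one dict per table row: name, list of tactics, description."""
    header, rows = None, []
    for line in table.splitlines():
        line = line.strip()
        if not (line.startswith("|") and line.endswith("|")):
            continue  # skip the prompt line, +---+ borders and blank lines
        cells = [c.strip() for c in line[1:-1].split("|")]
        if header is None:
            header = cells  # first pipe-delimited row is the column header
            continue
        if len(cells) != len(header):
            raise ValueError(f"unexpected column count: {line!r}")
        tactics_cell, name, description = cells
        # A cell can hold several comma-separated tactics; "-" means none.
        tactics = [] if tactics_cell == "-" else [t.strip() for t in tactics_cell.split(",")]
        rows.append({"name": name, "tactics": tactics, "description": description})
    return rows

def by_tactic(modules):
    """Map each tactic to its module names; a module may appear under several."""
    grouped = defaultdict(list)
    for m in modules:
        for tactic in m["tactics"] or ["(none)"]:
            grouped[tactic].append(m["name"])
    return dict(grouped)

def state_changing(modules):
    """Assumption: any tactic other than Discovery implies a change in the tenant."""
    return [m["name"] for m in modules if any(t != "Discovery" for t in m["tactics"])]

if __name__ == "__main__":
    mods = parse_modules(SAMPLE)
    for tactic, names in sorted(by_tactic(mods).items()):
        print(f"{tactic}: {', '.join(names)}")
    print("changes tenant state:", ", ".join(state_changing(mods)))
```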

Using Modules

Loading a Module

To load a module, navigate to the relevant sub-menu (ATT&CK tactic) and enter the name of the module. For example, to use the create-admin-user module, navigate to the persistence menu and then enter create-admin-user.

Execute help to show the description and help menu for the module.

dorothy > persistence
dorothy > persistence > create-admin-user
dorothy > persistence > create-admin-user > help

create-admin-user
=================
Assign an Okta administrator role to a user.

Only the SUPER_ADMIN role can view, assign, or remove admin roles for administrators.

Module Commands
===============
execute  info  reset  set

Global Commands
===============
clear  list-modules  whoami

Navigation Commands
===================
back  exit  help  main  quit

Setting a Module's Options

Many of Dorothy's modules require that one or more options are set before the module can be executed. Some modules do not need any options set and can simply be run by typing execute.

Execute info to show the available options for the module and their current values. For example, the create-admin-user module needs the id value set, which is the unique ID of the Okta user that you want to assign an admin role to.

The id value has not been set in the example below.

dorothy > persistence > create-admin-user > info
+--------+-------+----------+----------------------------+
| Option | Value | Required |        Description         |
+--------+-------+----------+----------------------------+
|   id   |       |   True   | The unique ID for the user |
+--------+-------+----------+----------------------------+

Use the set command to set one or more values for the module.

dorothy > persistence > create-admin-user > set --id 0e3Dn7rnxyxx2x960v40
dorothy > persistence > create-admin-user > info
+--------+----------------------+----------+----------------------------+
| Option |        Value         | Required |        Description         |
+--------+----------------------+----------+----------------------------+
|   id   | 0e3Dn7rnxyxx2x960v40 |   True   | The unique ID for the user |
+--------+----------------------+----------+----------------------------+

Execute reset within a module to clear the value of all options.

Executing a Module

Use execute to run a module with its current options.

dorothy > persistence > create-admin-user > execute
[*] Available admin roles:
1. API_ACCESS_MANAGEMENT_ADMIN
2. APP_ADMIN
3. GROUP_MEMBERSHIP_ADMIN
4. HELP_DESK_ADMIN
5. MOBILE_ADMIN
6. ORG_ADMIN
7. READ_ONLY_ADMIN
8. REPORT_ADMIN
9. SUPER_ADMIN
10. USER_ADMIN
[*] Which admin role do you want to assign to the user?: 3
[*] Attempting to assign admin role, GROUP_MEMBERSHIP_ADMIN to user ID, 0e3Dn7rnxyxx2x960v40
[*] Admin role, GROUP_MEMBERSHIP_ADMIN assigned to user 0e3Dn7rnxyxx2x960v40