
How to handle Commando VM categories in the installer?

Open Ana06 opened this issue 8 months ago • 5 comments

Details

At the moment we order the categories in the installer alphabetically. This has the issue that some categories that are mainly for Commando VM (and likely never installed in a FLARE-VM installation) like Command and Control, Credential Access, Exploitation and Forensic appear at the top. I propose to remove the Commando VM categories completely from the installer, by keeping a list of hardcoded categories in the installer. The Commando VM packages could still be installed in the same way as community packages: https://github.com/mandiant/flare-vm/issues/669. We should also add a link to https://github.com/mandiant/VM-Packages/wiki/Packages in the installer (next to the textbox) to make it easier for users to look for packages.

@mandiant/vms opinions?

Ana06 avatar Apr 30 '25 09:04 Ana06

In my opinion, that would place Commando in a weird spot where it would sort of no longer be its own project and be in the background of FlareVM. There should be a way to sort that list without compromising CommandoVM's importance, unless this sorting only occurs in the Flare VM installer.

Some alternative solutions that would keep everyone happy in case this sorting occurs throughout all installers:

  1. Adding a "*" to the most frequently used categories
  2. Adding a tag of [CMD] and [FLR] ahead of each category, making it easy for the users to browse relevant categories
  3. Nesting categories in relevant root categories "Flare", "Commando" and "Default" -- placing "Command and Control" into "Commando > Command and Control", but the "Debloater" into "Default > Debloater".

geo-lit avatar May 07 '25 06:05 geo-lit

I have started with the implementation of #669, and here is the problem I see with removing hardcoded categories that belong to CommandoVM only: if there is a custom config that is used instead of the default config.xml and there are packages that belong to these categories, we wouldn't be displaying them in the installer.

sara-rn avatar May 07 '25 08:05 sara-rn

@geo-lit Commando-VM has its own installer where they use profiles where they add by default their tools based on the profile selection. Same as FLARE-VM before we implemented #672, where we display packages by category, in the Commando-VM installer you can add any tool from VM-Packages to be installed. So what @Ana06 proposes is to show only the list of tools that are relevant to the FLARE-VM user. The problem I see with this implementation is explained in my previous comment.

sara-rn avatar May 07 '25 09:05 sara-rn

@geo-lit we are discussing improving the UI of the FLARE-VM installer here only. This does not affect the Commando VM installer or its packages in any way. I meant to mention only @mandiant/flare-vm above when asking for opinions, sorry for the noise.

Ana06 avatar May 07 '25 10:05 Ana06

@sara-rn the CommandoVM packages should be displayed in the same way as the community packages that you are implementing in https://github.com/mandiant/flare-vm/issues/669. These two issues should be addressed together.

Ana06 avatar May 07 '25 10:05 Ana06