github.com/facebookincubator/ttpforge@v1.0.13-0.20240405153150-5ae801628835/docs/foundations/chaining.md

# Chaining TTPs Together

TTPForge provides users with the ability to chain multiple existing TTPs
together to form new composite TTPs. This is useful for two primary reasons:

1. Users can simulate complex multi-stage cyberattacks.
1. Duplication of code is avoided because steps that are shared across multiple
   TTPs can be combined together.

## Syntax for Chaining TTPs

To chain multiple TTPs together, use the `ttp:` action, as shown in the example
below:

https://github.com/facebookincubator/TTPForge/blob/7634dc65879ec43a108a4b2d44d7eb2105a2a4b1/example-ttps/chaining/basic.yaml#L1-L21

Run this example TTP by executing the following command:

```bash
ttpforge run examples//chaining/basic.yaml
```

Notice that the steps of each sub-TTP referenced via the `ttp:` action are
executed in sequence - our example has therefore combined two smaller TTPs into
a single larger one. TTP chains may consist of as many TTPs as desired.

The `ttp:` action accepts a
[TTP reference](repositories.md#listing-and-examining-ttps-in-repositories) as
its argument. The `//` prefix indicates that the provided TTP path is relative
to the root of the current repository's
[TTP Search Path](repositories.md#repository-configuration-files). Therefore, in
the case of this repository, the provided path is rooted in the `example-ttps`
directory. Consult the [TTP Repositories](repositories.md) documentation for
further details about how TTP references are resolved.

**Note**: for legacy reasons, TTPForge also supports omitting the `//` prefix in
`ttp:` actions. Paths provided without the `//` prefix are still resolved
relative to the TTP search path root, just as if the `//` was present. This
compatibility may be removed in a later version of TTPForge; therefore, new TTPs
should always use the `//`.

## Passing Arguments to Sub-TTPs

The example above also showcases the `args:` syntax that is used to pass
arguments to sub-TTPs. The specified argument values are mapped directly to the
[command-line arguments](args.md) that are declared in the YAML file of the
sub-TTP.

## Cleaning Up TTP Chains

The TTPForge [cleanup](cleanup.md) feature works somewhat differently than usual
for TTP chains. TTPForge automatically adds a special cleanup action to each
`ttp:` step. This cleanup action runs the cleanup actions defined in the
referenced sub-TTP file. If a step from the sub-TTP fails, this cleanup action
will begin sub-TTP cleanup execution from the last successful step of the
sub-TTP.
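
The following added example puts the `ttp:` action, the `args:` mapping, and sub-TTP cleanup side by side. It is not the repository's `basic.yaml` or any other file from the project. The file paths, UUIDs, argument names, and step names are hypothetical, and the two YAML documents stand for two separate files.

```yaml
# Hypothetical sub-TTP file: example-ttps/chaining/sub-ttps/write-marker.yaml
---
api_version: 2.0
uuid: 00000000-0000-0000-0000-000000000001  # placeholder, not a real TTP id
name: write_marker
description: Writes a harmless marker file and reads it back.
args:
  - name: marker_path          # filled in by the parent's `args:` block
steps:
  - name: create_marker
    inline: |
      echo "chained" > {{.Args.marker_path}}
    cleanup:
      inline: |
        rm -f {{.Args.marker_path}}
  - name: read_marker
    # If this step fails, sub-TTP cleanup begins from create_marker
    # (the last successful step), so the marker file is still removed.
    inline: |
      cat {{.Args.marker_path}}

# Hypothetical composite TTP file: example-ttps/chaining/composite.yaml
---
api_version: 2.0
uuid: 00000000-0000-0000-0000-000000000002  # placeholder, not a real TTP id
name: composite_marker_chain
description: Runs the same sub-TTP twice with different arguments.
args:
  - name: base_dir
    default: /tmp
steps:
  - name: first_marker
    ttp: //chaining/sub-ttps/write-marker.yaml   # `//` = search path root
    args:
      marker_path: "{{.Args.base_dir}}/ttpforge-chain-1.txt"
    # No `cleanup:` key here: TTPForge adds the cleanup action for a
    # `ttp:` step automatically and runs the sub-TTP's own cleanup.
  - name: second_marker
    ttp: //chaining/sub-ttps/write-marker.yaml
    args:
      marker_path: "{{.Args.base_dir}}/ttpforge-chain-2.txt"
```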