LISA is a system that simulates realistic user behavior within an isolated training infrastructure of a cyber range. The purpose of the system is to create a background of "peaceful" activity that enables conducting detection and incident analysis training in conditions close to real ones.
This section is crucial for customers as it ensures proper deployment and functionality of LISA within your cyber range environment. Understanding these requirements prevents compatibility issues and ensures optimal performance during security training exercises.
Before deploying LISA in your training infrastructure, ensure the following components are available:
- Linux: Ubuntu 18.04+, CentOS 7+, or equivalent distributions
- Windows: Windows 10/11, Windows Server 2016+
- Architecture: x86_64 (64-bit) required for both platforms
- RAM: Minimum 4GB, recommended 8GB+ for concurrent agent operations
- Storage: 2GB free space for droppers, agents, and temporary files
- Network: SSH access (port 22) and HTTP/HTTPS connectivity for remote deployment
```shell
sudo apt install openssh-server python3 python3-pip docker.io
pip3 install nuitka
```

This section is essential for customers to understand the security implications of LISA's memory injection techniques and ensure compliance with organizational security policies and legal requirements during training scenarios.
- No Disk Footprint: Agents operate entirely in memory to minimize detection
- Process Masquerading: Agents disguise themselves within legitimate processes
- Graceful Termination: All components clean up properly after execution
```shell
chmod +x dropper.bin
```
- Training Environment Only: LISA must only be used in isolated cyber range environments
- Written Authorization: Ensure proper documentation for all deployment activities
- Data Protection: No sensitive data should be processed during simulations
- Network Isolation: Deploy within segregated training networks
- Monitoring: Enable logging for all dropper and agent activities
- Time Limits: Set maximum execution times for training scenarios
```shell
tail -f /var/log/lisa/agent.log
```
- Sandboxing: Use containerized environments where possible
- Regular Updates: Keep all components updated to latest versions
- Incident Response: Have procedures ready for unexpected behavior
- Backup and Recovery: Maintain system backups before training exercises
Our project consists of multi-platform droppers that inject Linux and Windows agents into live processes using advanced techniques.
- GUI process example: `konsole`, `dolphin`.
- Debug files: Temporary debug files can be found under `/tmp`.
We use a GitHub Project Kanban board with the following columns:
- To Do: Issues are fully described and linked to a user story/bug/technical task template.
- In Progress: Issue is assigned to a developer and a dedicated branch is created.
- In Review: Pull Request (PR) is created and linked to the issue.
- Ready to Deploy: PR is reviewed and approved by at least one team member.
- User Testing: Feature deployed and available for internal/customer review.
- Done: Feedback is collected and integrated (if applicable).
We follow GitHub Flow:
- Issues created using predefined templates (User Story, Bug Report, Technical Task).
- Branches are named `feature/issue-number-description` or `bugfix/issue-number-description`.
- Commit messages follow `[#issue-number] <Short Description>`.
- PRs must reference the related issue and use the PR template.
- Reviews and approvals are mandatory before merging.
- Merging is done via "Squash and Merge" to keep history clean.
```mermaid
gitGraph
    commit id: "main"
    branch feature/agent-injection
    commit id: "Work in Progress"
    checkout main
    commit id: "Prepare CI"
    merge feature/agent-injection
```
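A hypothetical pre-merge check for the workflow conventions above, added here as an example and not part of the LISA project: it validates branch names and commit subjects against the stated patterns, and additionally requires every commit on a branch to reference that branch's issue number (that cross-check is this example's own assumption, not a rule stated on the page).

```python
# Hypothetical pre-merge check for the Git conventions above: branch names
# feature/<issue>-<description> or bugfix/<issue>-<description> and commit
# subjects "[#issue-number] <Short Description>". The cross-check that every
# commit references the branch's own issue is this example's addition.
import re

BRANCH_RE = re.compile(r"^(feature|bugfix)/(\d+)-[a-z0-9]+(?:-[a-z0-9]+)*$")
COMMIT_RE = re.compile(r"^\[#(\d+)\] (\S.{2,71})$")  # subject kept to 72 chars


def parse_branch(name):
    """Return (kind, issue_number) for a conforming branch name, else None."""
    m = BRANCH_RE.match(name)
    return (m.group(1), int(m.group(2))) if m else None


def parse_commit(message):
    """Return (issue_number, description) from the subject line, else None."""
    subject = message.splitlines()[0] if message.strip() else ""
    m = COMMIT_RE.match(subject)
    return (int(m.group(1)), m.group(2)) if m else None


def check_push(branch, commits):
    """Return a list of problems for a branch and its commit messages; an empty
    list means the push follows the workflow and may proceed to review."""
    problems = []
    branch_info = parse_branch(branch)
    if branch_info is None:
        problems.append(f"branch '{branch}' does not match feature/<issue>-<description> or bugfix/<issue>-<description>")
    for n, msg in enumerate(commits, 1):
        info = parse_commit(msg)
        if info is None:
            problems.append(f"commit {n}: subject must be '[#issue-number] <Short Description>'")
        elif branch_info is not None and info[0] != branch_info[1]:
            problems.append(f"commit {n}: references #{info[0]} but branch is for #{branch_info[1]}")
    return problems


if __name__ == "__main__":
    # Constructed sample push: one conforming commit, one that is not
    for p in check_push("feature/42-agent-injection", ["[#42] Add agent loader", "fix typo"]):
        print(p)
```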
We use:
- `.env` files for local development (excluded from version control).
- Secrets like database passwords, API keys, and SSH keys are passed via GitHub Actions Secrets in CI.
- Docker containerization is used to manage build-time secrets.
- `pytest` – Unit and integration testing.
- GitHub Actions – CI pipeline.
- `flake8` – Linter for static analysis.
- Unit tests cover core functionalities (minimum 5 tests per critical component).
- Integration tests cover dropper-agent interaction.
- CI workflow: GitHub Actions CI
- Tools: `flake8` for linting, `pytest` for unit and integration tests.
- CI ensures that all tests pass before merging.
- CD is not implemented yet. CI is fully functional.
The system consists of:
- Backend (configuration and control center).
- Frontend (admin panel).
- Multi-platform agents (Linux, Windows).
- Dropper (multi-platform, capable of memory injection).
Coupling between droppers and agents is minimal. Components are loosely coupled to enhance maintainability.
- Dropper downloads agent.
- Dropper locates a live process.
- Dropper injects agent into memory.
- Agent executes payload.
- Logs generated.
Execution time in production: ~3-5 seconds per injection.
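An added example (not LISA's own code) that turns the operational safeguards listed earlier (monitoring, time limits, graceful termination) and the execution flow above into an audit over the agent log. The line format, the event names (`inject`, `start`, `terminate`) and the sample lines are constructed for this example, since the page does not document the real log format; the 5 s injection threshold follows the stated ~3-5 s, and the 60 s scenario limit is an assumed value.

```python
# Hypothetical audit of the LISA agent log for the safeguards above (monitoring,
# time limits, graceful termination). Line format and sample are constructed.
import re
from datetime import datetime

LINE_RE = re.compile(r"^(\S+) (dropper|agent)\[(\d+)\] (\w+)(.*)$")

SAMPLE_LOG = """\
2024-05-01T10:00:01 dropper[1201] inject pid=4412 process=dolphin
2024-05-01T10:00:04 agent[4412] start
2024-05-01T10:00:09 agent[4412] terminate
2024-05-01T10:01:00 dropper[1201] inject pid=4450 process=konsole
2024-05-01T10:01:12 agent[4450] start
2024-05-01T10:02:00 dropper[1201] inject pid=4460 process=konsole
2024-05-01T10:02:03 agent[4460] start
2024-05-01T10:03:30 agent[4460] terminate
"""

def parse_log(text):
    """Yield (ts, source, event, injected_pid); pid= on inject lines names the target."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines that do not follow the constructed format
        ts, src, own_pid, event, rest = m.groups()
        target = re.search(r"pid=(\d+)", rest)
        yield datetime.fromisoformat(ts), src, event, int(target.group(1) if target else own_pid)

def audit(text, max_inject_s=5.0, max_runtime_s=60.0):
    """Return {pid: [issues]} for slow injection, overlong run, or no graceful termination."""
    events = {}  # (event, injected pid) -> timestamp of first occurrence
    for ts, _src, event, pid in parse_log(text):
        events.setdefault((event, pid), ts)
    findings = {}
    for (event, pid), t_inj in events.items():
        if event != "inject":
            continue
        issues, t_start, t_end = [], events.get(("start", pid)), events.get(("terminate", pid))
        if t_start is None:
            issues.append("agent never started")
        else:
            if (t_start - t_inj).total_seconds() > max_inject_s:
                issues.append("injection slower than expected")
            if t_end is None:
                issues.append("no graceful termination logged")
            elif (t_end - t_start).total_seconds() > max_runtime_s:
                issues.append("ran past time limit")
        if issues:
            findings[pid] = issues
    return findings
```

Running `audit(SAMPLE_LOG)` flags pid 4450 (slow injection, never terminated) and pid 4460 (ran past the limit), while the healthy injection into pid 4412 produces no finding.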
- Backend is deployed on a cloud server.
- Droppers are distributed to client machines.
- Agents operate inside injected processes.
- Docker is used to containerize services where applicable.
- Memory-only injection (no disk footprint).
- Process masquerading to minimize detection.
- Dropper terminates gracefully.
- Ensures proper process attachment and memory allocation.
- Modular components.
- Well-documented Git workflow.
- Clean branching and merging strategy.
The LISA source and documentation are released under the MIT License.