Open RomuDeuxfois opened 1 week ago
Analysis (so far)
Basic Permission Groups Discovery Windows (Domain)
I executed this Payload as an Atomic Testing twice and there seems to be no problem here (status MAYBE_PREVENTED):
https://testing.obas.staging.filigran.io/admin/atomic_testings/40c27754-5f86-49ea-a523-fd11c89db972
https://testing.obas.staging.filigran.io/admin/atomic_testings/05916618-b8c9-4574-a15e-0e5bf66dc7ba
I launched two simulations with this Payload and two other ones from the original simulation.
Execution1:
Execution2:
The attack command seems quite simple:
```
net localgroup
net group /domain
net group "enterprise admins" /domain
net group "domain admins" /domain
```
System Information Discovery
I executed this Payload as an Atomic Testing twice and both have the INJECT_EXECUTED status, so no problem here:
https://testing.obas.staging.filigran.io/admin/atomic_testings/e513d745-24d5-4ab5-b72b-65301f51e942
https://testing.obas.staging.filigran.io/admin/atomic_testings/0f468d53-53c0-4177-bb8f-475b73873d67
I launched two simulations with this Payload and two other ones from the original simulation.
Execution1:
Execution2:
The attack command seems simple:
```
systeminfo
reg query HKLM\SYSTEM\CurrentControlSet\Services\Disk\Enum
```
Can you create a simulation with these two injects which have the same trigger date? Maybe this is because the two injects are played at the same time.
I launched a simulation with these two payloads:
Both were processed:
Same result after both Injects were launched at the same time, two minutes later:
https://testing.obas.staging.filigran.io/admin/simulations/307ebde3-0d96-4777-8877-97ed12e5078c
Both were processed:
- Basic Permission Groups Discovery Windows (Domain) => Status MAYBE_PREVENTED
- System Information Discovery => Status INJECT_EXECUTED
Even when we have a Simulation with a few Injects, an Inject could still be pending or in draft.
For example, I created a Simulation with three Injects.
Execution 1: This Simulation is still ongoing since there is an Inject still in draft:
https://testing.obas.staging.filigran.io/admin/simulations/5bdb4a93-c61d-4025-986e-3ea561cf3824
Execution 2: The Simulation is now FINISHED. Note that the Inject "Windows - Delete Volume Shadow Copies via WMI with PowerShell" took 30 minutes longer to be executed compared with the other two Injects:
https://testing.obas.staging.filigran.io/admin/simulations/27e41da9-ee5f-4fca-b563-15d6a5ca4661
We may have an idempotence problem: even if we launch two Simulations with the same Injects, we are not sure that we are going to obtain the same results.
We need to analyse more deeply the issue we are seeing with these Injects.
For the pending inject, I think the problem comes from the implant. If the implant has failed to report the result, the inject status stays PENDING. We should have a garbage collector to handle this case (with a timeout).
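As an added illustration of the two points raised above (not OpenBAS code): a timeout sweep that moves injects stuck in PENDING to a terminal status once the implant has been silent too long, and a per-inject status comparison between two runs of the same simulation. The `InjectRun` model, the `TIMED_OUT` status and the sample data are assumptions made for this example.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional

# Statuses seen in this issue, plus one assumed terminal status for the sweep.
PENDING = "PENDING"
TIMED_OUT = "TIMED_OUT"  # hypothetical: not an existing OpenBAS status


@dataclass
class InjectRun:
    inject_id: str
    title: str
    status: str
    trigger_at: datetime
    last_implant_report: Optional[datetime]  # None: the implant never reported back


def sweep_pending(runs, now, timeout=timedelta(minutes=30)):
    """Garbage collector: a PENDING inject whose implant has been silent longer than
    `timeout` (since its last report, or since the trigger date if it never reported)
    becomes TIMED_OUT. Returns the ids that were changed, in input order."""
    changed = []
    for run in runs:
        if run.status != PENDING:
            continue
        last_seen = run.last_implant_report or run.trigger_at
        if now - last_seen > timeout:
            run.status = TIMED_OUT
            changed.append(run.inject_id)
    return changed


def compare_runs(first, second):
    """Idempotence check: the same inject (matched by title) played in two simulations
    should end in the same status. Returns {title: (status_first, status_second)}
    for the injects whose final status differs."""
    by_title = {r.title: r.status for r in second}
    return {r.title: (r.status, by_title[r.title])
            for r in first if r.title in by_title and r.status != by_title[r.title]}


# Constructed sample data mirroring the statuses reported in this issue.
T0 = datetime(2024, 1, 1, 12, 0, tzinfo=timezone.utc)
EARLY_AT = T0 + timedelta(minutes=20)   # inside the 30-minute timeout
SWEEP_AT = T0 + timedelta(minutes=45)   # past the timeout for both pending injects
SIM_A = [
    InjectRun("a1", "Basic Permission Groups Discovery Windows (Domain)", "MAYBE_PREVENTED", T0, T0 + timedelta(minutes=1)),
    InjectRun("a2", "System Information Discovery", "INJECT_EXECUTED", T0, T0 + timedelta(minutes=1)),
    InjectRun("a3", "Data Encrypt Using DiskCryptor", PENDING, T0, None),
]
SIM_B = [
    InjectRun("b1", "Basic Permission Groups Discovery Windows (Domain)", PENDING, T0, T0 + timedelta(minutes=5)),
    InjectRun("b2", "System Information Discovery", "INJECT_EXECUTED", T0, T0 + timedelta(minutes=1)),
]
```

Running `sweep_pending(SIM_A + SIM_B, SWEEP_AT)` times out `a3` and `b1`, after which `compare_runs(SIM_A, SIM_B)` reports the permission-groups inject as the one whose outcome differs between the two runs.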
Description
We still have some injects in pending state:
- Basic Permission Groups Discovery Windows (Domain): https://testing.obas.staging.filigran.io/admin/exercises/98272e68-f3bd-4bce-8e21-af9b0ad14942/injects/2c6f0b96-2c9b-4b9b-b33e-e72a7147e982
- System Information Discovery: https://testing.obas.staging.filigran.io/admin/exercises/e0ad8d49-0eea-481f-b6a2-604ef4bc0e94/injects/bc3924d9-7609-4544-8d84-60ada1f84f51
- Data Encrypt Using DiskCryptor