SecurityRiskAdvisors / VECTR

VECTR is a tool that facilitates tracking of your red and blue team testing activities to measure detection and prevention capabilities across different attack scenarios

Test Case createTemplate GraphQL mutation not populating AttackAutomation #168

Closed ForrestYockey closed 2 years ago

ForrestYockey commented 2 years ago

Describe the bug

As far as I can tell, successful Test Case createTemplate GraphQL mutation requests with AttackAutomation input populated do not result in the creation of Test Cases with the Automation Configuration populated.

To Reproduce

Steps to reproduce the behavior:

  1. Make a GraphQL request to the Vectr GraphQL endpoint to create a Test Case template:

```json
{
    "query": "mutation ($input: CreateTestCaseTemplateInput!) { testCase { createTemplate(input: $input) { testCases {id, name} } } }",
    "variables": {
        "input": {
            "overwrite": true,
            "testCaseTemplateData": [
                {
                    "attackAutomation": {
                        "attackVariables": [
                            {
                                "inputName": "dump_path",
                                "inputValue": "$ENV:temp",
                                "type": "STRING"
                            },
                            {
                                "inputName": "target_hive",
                                "inputValue": "SAM",
                                "type": "STRING"
                            },
                            {
                                "inputName": "dumped_hive",
                                "inputValue": "myhive",
                                "type": "STRING"
                            }
                        ],
                        "cleanupCommand": "$toremove = #{dump_path} + \"\\\" + '#{dumped_hive}'\nrm $toremove -ErrorAction Ignore",
                        "cleanupExecutor": "INLINE_POWERSHELL",
                        "command": "write-host \"\"\n$shadowlist = get-wmiobject win32_shadowcopy\n$volumenumbers = foreach($shadowcopy in $shadowlist){$shadowcopy.DeviceObject[-1]}\n$maxvolume = ($volumenumbers | Sort-Object -Descending)[0]\n$shadowpath = \"\\\\?\\GLOBALROOT\\Device\\HarddiskVolumeShadowCopy\" + $maxvolume + \"\\Windows\\System32\\config\\#{target_hive}\"\n$mydump = #{dump_path} + '\\' + '#{dumped_hive}'\n[System.IO.File]::Copy($shadowpath , $mydump)\n",
                        "executor": "INLINE_POWERSHELL"
                    },
                    "description": "Dump hives from volume shadow copies with System.IO.File\n",
                    "detectionSteps": [
                        "Hash dumpers open the Security Accounts Manager (SAM) on the local file system (<code>%SystemRoot%/system32/config/SAM</code>) or create a dump of the Registry SAM key to access stored account password hashes. Some hash dumpers will open the local file system as a device and parse to the SAM table to avoid file access defenses. Others will make an in-memory copy of the SAM table before reading hashes. Detection of compromised [Valid Accounts](https://attack.mitre.org/techniques/T1078) in-use by adversaries may help as well."
                    ],
                    "name": "T1003.002 - Dump Volume Shadow Copy Hives With System.Io.File",
                    "operatorGuidance": "Supported Platforms:\n\twindows\n\nInput Arguments:\n  [Path] dump_path\n    Description: Path where the hive will be dumped\n    (default value: \"$ENV:temp\")\n\n  [String] target_hive\n    Description: Hive you wish to dump\n    (default value: \"SAM\")\n\n  [String] dumped_hive\n    Description: Name of the dumped hive\n    (default value: \"myhive\")\n\nExecutor:\n\tpowershell\n\nElevation Required:\n\tFalse\n\nCommand:\n\nwrite-host \"\"\n$shadowlist = get-wmiobject win32_shadowcopy\n$volumenumbers = foreach($shadowcopy in $shadowlist){$shadowcopy.DeviceObject[-1]}\n$maxvolume = ($volumenumbers | Sort-Object -Descending)[0]\n$shadowpath = \"\\\\?\\GLOBALROOT\\Device\\HarddiskVolumeShadowCopy\" + $maxvolume + \"\\Windows\\System32\\config\\#{target_hive}\"\n$mydump = #{dump_path} + '\\' + '#{dumped_hive}'\n[System.IO.File]::Copy($shadowpath , $mydump)\n\n\nCleanup:\n\n$toremove = #{dump_path} + \"\\\" + '#{dumped_hive}'\nrm $toremove -ErrorAction Ignore\n\n",
                    "organization": "ART",
                    "phase": "Credential Access",
                    "preventionSteps": [],
                    "references": [
                        "https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1003.002/T1003.002.md",
                        "https://attack.mitre.org/versions/v10/techniques/T1003/",
                        "https://attack.mitre.org/versions/v10/techniques/T1003/002/"
                    ],
                    "technique": "Security Account Manager - T1003.002"
                }
            ]
        }
    }
}
```

Expected behavior

After receiving a 200 response from the GraphQL request to create a Test Case template and successfully finding the newly created Test Case template within the Vectr web interface, it is expected that the Automation Configuration would be populated with the supplied variables.

Screenshots

(Screenshot: examining the created Test Case in the Vectr web interface)

(Screenshot: the empty Automation Configuration)

Additional context

The provided attackVariables do not appear under any of the executor types within the web interface. I am not sure why this is not working, and my query could be malformed; however, I would expect to receive a GraphQL formatting error and Test Case creation failure over partial success. I work for Red Canary and am interested in this project.
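Because the mutation returned 200 while silently dropping the automation block, a client-side consistency check on the `CreateTestCaseTemplateInput` before sending it is a cheap way to rule out a malformed payload on your own side. The following is an added example, not VECTR's code; it only checks that every `#{name}` placeholder in `command`/`cleanupCommand` has a matching `attackVariables` entry (and vice versa) and that each command has an executor, using a trimmed, constructed copy of the payload above.

```python
import re

# Constructed sample, trimmed from the createTemplate input quoted in the report above;
# only the fields the check inspects are kept.
SAMPLE_INPUT = {
    "overwrite": True,
    "testCaseTemplateData": [{
        "name": "T1003.002 - Dump Volume Shadow Copy Hives With System.Io.File",
        "attackAutomation": {
            "executor": "INLINE_POWERSHELL",
            "cleanupExecutor": "INLINE_POWERSHELL",
            "attackVariables": [
                {"inputName": "dump_path", "inputValue": "$ENV:temp", "type": "STRING"},
                {"inputName": "target_hive", "inputValue": "SAM", "type": "STRING"},
                {"inputName": "dumped_hive", "inputValue": "myhive", "type": "STRING"},
            ],
            "command": "$shadowpath = $base + \"\\Windows\\System32\\config\\#{target_hive}\"\n"
                       "$mydump = #{dump_path} + '\\' + '#{dumped_hive}'\n",
            "cleanupCommand": "$toremove = #{dump_path} + \"\\\" + '#{dumped_hive}'\n"
                              "rm $toremove -ErrorAction Ignore",
        },
    }],
}

# VECTR substitutes #{inputName} placeholders from attackVariables into the commands.
PLACEHOLDER = re.compile(r"#\{([A-Za-z_][A-Za-z0-9_]*)\}")

def check_template(template: dict) -> list[str]:
    """Return problems found in one testCaseTemplateData entry; empty list means consistent."""
    name = template.get("name", "<unnamed>")
    auto = template.get("attackAutomation")
    if not auto:
        return [f"{name}: no attackAutomation block"]
    declared = {v["inputName"] for v in auto.get("attackVariables", []) if "inputName" in v}
    problems, used_anywhere = [], set()
    for cmd_field, exec_field in (("command", "executor"), ("cleanupCommand", "cleanupExecutor")):
        text = auto.get(cmd_field) or ""
        if text and not auto.get(exec_field):
            problems.append(f"{name}: {cmd_field} is set but {exec_field} is missing")
        used = set(PLACEHOLDER.findall(text))
        used_anywhere |= used
        for var in sorted(used - declared):
            problems.append(f"{name}: {cmd_field} uses #{{{var}}} with no attackVariables entry")
    for var in sorted(declared - used_anywhere):
        problems.append(f"{name}: attackVariables declares {var} but no command references it")
    return problems

def check_input(create_input: dict) -> list[str]:
    """Run check_template over every entry of a CreateTestCaseTemplateInput."""
    return [p for t in create_input.get("testCaseTemplateData", []) for p in check_template(t)]
```

A clean result for the payload above means the input itself is consistent, which points the missing Automation Configuration back at the server-side template path rather than the request.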

thebleucheese commented 2 years ago

Confirmed this is a bug: attackAutomation population logic is presently only applied to test case data created from the non-template operations.

We'll fix as part of upcoming GraphQL API improvements and fixes.

thebleucheese commented 2 years ago

Fixed underlying bugs in 8.3.1