mitre-attack / attack-arsenal

A collection of red team and adversary emulation resources developed and released by MITRE.
Apache License 2.0

Day 1.A CALDERA: Phase 8 (Delete Zip File) #18

Closed leegengyu closed 3 years ago

leegengyu commented 3 years ago

Hello,

In Phase 8 of APT29 Day1.A of CALDERA, the last command executed is .\sdelete64.exe /accepteula "$env:USERPROFILE\Downloads\SysInternalsSuite.zip";.

I have been unable to get a success response from that command, i.e. the output is always No files/folders found that match C:\Users\...\Downloads\SysInternalsSuite.zip.

I understand that the SysInternalsSuite.zip file was originally uploaded to the Downloads directory in Step 4.A of the manual emulation (which is also why it is deleted using SDelete in Step 4.B). However, when running the CALDERA plugin, where SysInternalsSuite.zip is first involved in Phase 7, it is not actually downloaded to the Downloads directory as it is in the manual emulation (see line 15 of CALDERA phase 7). Nonetheless, the zip file's contents were unzipped to the Downloads directory during Phase 7's execution in line 16.

Thus, would it be right to say that since the SysInternalsSuite.zip file in CALDERA execution's case was never downloaded to the Downloads directory, the SDelete tool would thus always fail in Phase 8? (On another note, I am not sure where the zip file is downloaded to during the download in line 15, but I am guessing that it is to the same directory in which the Agent it is running under is located?)

Thank you!

jstroud-mitre commented 3 years ago

> Thus, would it be right to say that since the SysInternalsSuite.zip file in CALDERA execution's case was never downloaded to the Downloads directory, the SDelete tool would thus always fail in Phase 8?

@leegengyu you are correct that if the SysInternalSuite.zip file does not get downloaded you will have an issue with SDelete and other steps going forward.

> On another note, I am not sure where the zip file is downloaded to during the download in line 15, but I am guessing that it is to the same directory in which the Agent it is running under is located?

Can you check C:\Users\Public?

leegengyu commented 3 years ago

@jstroud-mitre Thank you for getting back to me!

SysInternalsSuite.zip does get downloaded - I had thought about C:\Users\Public too, since the first Agent (splunkd.exe) is found in that directory and if no absolute file path is specified, it should be relative to it.

I observed that particular directory from before the start of 4.A - Planting Modified Sysinternals Utilities until after 4.B.2 - Artifact Cleanup - Delete Files completed, and during this period of time, I never saw any addition or deletion of files in that directory. This means that I never observed anything on my end from line 15, but I did see the unzipped directory in the Downloads directory, as executed in line 16.

On another note, I can never get ?cod.3aka3.scr deleted either. From that step, only Draft.Zip gets successfully deleted using SDelete, out of the 3 files.

Thanks for your help!

jstroud-mitre commented 3 years ago

> On another note, I can never get ?cod.3aka3.scr deleted either. From that step, only Draft.Zip gets successfully deleted using SDelete, out of the 3 files.

With regards to not being able to delete files, is there any process still running that has a handle to it?
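A pre-flight wrapper around the Phase 8 SDelete call, added here as an example; it is not code from the attack-arsenal repository or the CALDERA plugin. It separates the two failure modes the thread raises: the path never existed (SDelete reports "No files/folders found that match ...", as in the first comment), and the file exists but another process still holds a handle to it (the question in the last reply). It assumes sdelete64.exe, and optionally handle64.exe from the same Sysinternals suite, sit in the working directory, uses the target path quoted in the issue, and searches the three locations the thread mentions (the user's Downloads folder, C:\Users\Public, and the agent's working directory) when the expected path is missing.

```powershell
# Added example, not part of the attack-arsenal repo or the CALDERA plugin.
# Assumes sdelete64.exe (and optionally handle64.exe) are in the current
# directory, which is where the Phase 8 command ".\sdelete64.exe" expects it.

function Test-FileLocked {
    param([Parameter(Mandatory)][string]$Path)
    # Open with FileShare.None: if any other process holds a handle that
    # conflicts with exclusive access, the open throws an IOException.
    try {
        $fs = [System.IO.File]::Open(
            $Path,
            [System.IO.FileMode]::Open,
            [System.IO.FileAccess]::ReadWrite,
            [System.IO.FileShare]::None)
        $fs.Close()
        return $false
    } catch [System.IO.IOException] {
        return $true
    }
}

function Invoke-SecureDelete {
    param(
        [Parameter(Mandatory)][string]$Path,
        [string]$SDelete = '.\sdelete64.exe'
    )

    if (-not (Test-Path -LiteralPath $Path)) {
        # Case from the issue: the zip was never placed in Downloads, so
        # SDelete has nothing to match. Look where the thread suggests it
        # might actually have landed before giving up.
        $name = Split-Path -Leaf $Path
        $searchDirs = @("$env:USERPROFILE\Downloads", 'C:\Users\Public', (Get-Location).Path)
        $found = $searchDirs |
            ForEach-Object { Join-Path $_ $name } |
            Where-Object { Test-Path -LiteralPath $_ }
        if ($found) {
            Write-Warning "$Path not found; a file of that name exists at: $($found -join ', ')"
        } else {
            Write-Warning "$Path not found in any of: $($searchDirs -join ', '); SDelete would report no match."
        }
        return $false
    }

    if (Test-FileLocked -Path $Path) {
        # Case from the last reply: something still has a handle open.
        # handle64.exe (assumed alongside sdelete64.exe; needs an elevated
        # shell to see other processes' handles) names the owning process.
        Write-Warning "$Path is held open by another process; SDelete will not remove it."
        if (Test-Path -LiteralPath '.\handle64.exe') {
            & .\handle64.exe -accepteula $Path
        }
        return $false
    }

    & $SDelete /accepteula $Path
    return ($LASTEXITCODE -eq 0)
}

# Usage: the Phase 8 target quoted in the issue.
Invoke-SecureDelete -Path "$env:USERPROFILE\Downloads\SysInternalsSuite.zip"
```

The exclusive-open probe only tells you that a handle exists, not whose it is; handle64.exe, or Resource Monitor's "Associated Handles" search, answers that. If the agent process itself (or a child it spawned in an earlier phase) is the holder, stopping the process, or adding the cleanup to a later phase after it exits, is the fix, not retrying SDelete.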