Closed: leegengyu closed this issue 3 years ago
> Thus, would it be right to say that since the SysInternalsSuite.zip file in CALDERA execution's case was never downloaded to the Downloads directory, the SDelete tool would thus always fail in Phase 8?
@leegengyu you are correct that if the SysInternalSuite.zip file does not get downloaded you will have an issue with SDelete and other steps going forward.
> On another note, I am not sure where the zip file is downloaded to during the downloading in line 15, but I am guessing that it is to the same directory which the Agent it is running under is located?

Can you check `C:\Users\Public`?
@jstroud-mitre Thank you for getting back to me!
SysInternalsSuite.zip does get downloaded - I had thought about `C:\Users\Public` too, since the first Agent (`splunkd.exe`) is found in that directory and if no absolute file path is specified, it should be relative to it.
I observed that particular directory prior to the start of `4.A - Planting Modified Sysinternals Utilities`, till after `4.B.2 - Artifact Cleanup - Delete Files` completed, and during this period of time, I never saw any addition or deletion of files in that directory. This means that I never observed anything on my end from line 15, but I did see the unzipped directory in the Downloads directory, as executed in line 16.
On another note, I can never get `?cod.3aka3.scr` deleted either. From that step, only Draft.Zip gets successfully deleted using SDelete, out of the 3 files.
Thanks for your help!
> On another note, I can never get `?cod.3aka3.scr` deleted either. From that step, only Draft.Zip gets successfully deleted using SDelete, out of the 3 files.
With regards to not being able to delete files, is there any process still running that has a handle to it?
Hello,
In Phase 8 of APT29 Day1.A of CALDERA, the last command executed is `.\sdelete64.exe /accepteula "$env:USERPROFILE\Downloads\SysInternalsSuite.zip"`. I have been unable to get a success response from that command, i.e. the output is always `No files/folders found that match C:\Users\...\Downloads\SysInternalsSuite.zip`. I understand that the SysInternalsSuite.zip file was originally uploaded to the Downloads directory in Step 4.A of the manual emulation (which is also why it is deleted using SDelete in Step 4.B). However, when running the CALDERA plugin, where SysInternalsSuite.zip is first involved in Phase 7, it is not actually downloaded to the Downloads directory like how it is done in the manual emulation (see line 15 of CALDERA phase 7). Nonetheless, the zip file's contents were unzipped to the Downloads directory during Phase 7's execution in line 16.
Thus, would it be right to say that since the SysInternalsSuite.zip file in CALDERA execution's case was never downloaded to the Downloads directory, the SDelete tool would thus always fail in Phase 8? (On another note, I am not sure where the zip file is downloaded to during the downloading in line 15, but I am guessing that it is to the same directory in which the Agent it is running under is located?)
Thank you!
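An added troubleshooting snippet for the two questions raised in this thread (where the zip actually landed, and whether an open handle is what stops SDelete); this is not CALDERA's or the APT29 plan's own code. It searches the candidate locations named above plus all of `C:\Users` for `SysInternalsSuite.zip`, so the path handed to `sdelete64.exe` can be confirmed before Phase 8 runs, and reports whether a given file is still held open by another process. The `$AgentDir` value is an assumption and should be replaced with the directory the CALDERA agent really runs from.

```powershell
# Assumed location of the running agent; the thread only guesses at it.
$AgentDir = 'C:\Users\Public'

# Directories the thread discusses as possible download targets.
$Candidates = @(
    (Join-Path $env:USERPROFILE 'Downloads'),
    $AgentDir
)

function Find-Artifact {
    # Report, for each candidate directory, whether $Name is present there,
    # then fall back to a recursive search of C:\Users to find where it went.
    param([string]$Name, [string[]]$Dirs)
    foreach ($d in $Dirs) {
        $p = Join-Path $d $Name
        [pscustomobject]@{ Path = $p; Exists = (Test-Path -LiteralPath $p) }
    }
    Get-ChildItem -Path 'C:\Users' -Filter $Name -Recurse -File -ErrorAction SilentlyContinue |
        ForEach-Object { [pscustomobject]@{ Path = $_.FullName; Exists = $true } }
}

function Test-FileLocked {
    # Try to open the file with no sharing; an IOException means another
    # process still has a handle on it, which is enough to make SDelete fail.
    # A missing file is reported as "not locked" because there is nothing to hold.
    param([string]$Path)
    if (-not (Test-Path -LiteralPath $Path)) { return $false }
    try {
        $fs = [System.IO.File]::Open($Path, 'Open', 'ReadWrite', 'None')
        $fs.Close()
        return $false
    } catch [System.IO.IOException] {
        return $true
    }
}

# Usage: confirm the zip's real location, then check the files Phase 8 tries to wipe.
Find-Artifact -Name 'SysInternalsSuite.zip' -Dirs $Candidates | Sort-Object Path -Unique | Format-Table -AutoSize

# -LiteralPath style strings keep odd characters in names (such as the .scr
# file from this thread) from being treated as wildcards.
$ToWipe = @(
    (Join-Path $env:USERPROFILE 'Downloads\SysInternalsSuite.zip'),
    (Join-Path $env:USERPROFILE 'Downloads\Draft.Zip')
)
foreach ($f in $ToWipe) {
    [pscustomobject]@{ Path = $f; Exists = (Test-Path -LiteralPath $f); Locked = (Test-FileLocked $f) }
}
```

If `Exists` is false for the Downloads path, the "No files/folders found" message from SDelete is expected; if `Locked` is true, find and stop the process holding the handle before re-running the cleanup step.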