mitre / caldera

Automated Adversary Emulation Platform
https://caldera.mitre.org
Apache License 2.0

Problems with passing data between attacks #1555

Closed rcaroncd closed 4 years ago

rcaroncd commented 4 years ago

Hello, I'm doing tests to perform chained attacks, and I'm encountering problems in passing data from one attack to another. I will explain this using an example of the following combined attack "File Finder + Compressing + HTTP Exfiltration".

This adversary would use 3 phases, one attack in each phase, and they would be as follows:

  1. Search for files with interesting extensions in the file system (.bak, .sql, .yml, etc.)
  2. Compressing the files found using 7z
  3. Exfiltration of the compressed file via HTTP

The idea is that in the first attack a series of files are obtained (absolute paths); there is already an ability for this attack, but I've modified it so that it doesn't just show the first 5 files found. The idea is that I pass those paths to the next attack, which receives them and compresses them into a 7z file. After that, the resulting 7z file path is passed to the next attack, which exfiltrates it via HTTP to Caldera's server.

I have encountered several problems here:

  1. I create a parser to process the output of the File Finder, and I see that the results are saved in a fact; if I don't specify one in the ability, it creates one based on the operation. But if I specify it, it saves the values in a "source" variable that I passed to it in the ability. As each path is stored as a separate fact, the compression is executed for each file in the path, instead of compressing all of them together. As a side effect of this, all the compressed files have the same name, therefore only the last one is saved to disk.
  2. If I proceed to group the paths in a single fact to pass all the information together to the next attack, I get values with characters such as '`', which causes the compression process to fail. This happens even if in the parsing process the data is displayed correctly, as in the yaml file that is generated. I have not yet found a solution to this problem.
  3. When I perform a FileFinder ability with three agents, the files found on each of the machines pass through the parser and the paths are placed in the specified fact. The problem comes when that data is passed to the next ability (the compression ability), because if you find a file X on machine A and you pass it to the compression attack with the agent on machine B, it is not going to be found and that is going to generate an error, so... I don't know how I can pass the data obtained with an agent exclusively to that agent so it will not be used by the others.

I find problems like these for different multiphase attacks that I'm trying to implement (e.g. dump tickets + pass the ticket + lateral movement with WMI). And I'm having a hard time trying to reproduce the behavior of an attacker.

I'm probably doing something wrong, or I'm missing something, but I think the documentation is in process and there's not much detail about how to pass data between attacks, how to use facts, relationships, and parsers.

Is it possible to implement this sort of attack chain in CALDERA, as of today? How can it be done?

Thanks in advance and thank you very much for the great work you're doing.

khyberspache commented 4 years ago

  1. If I recall correctly, the compression ability needs a directory (not the file path). You need to add an ability to stage your files in the directory you want to exfiltrate - or write an ability to compress files together directly based upon facts.
  2. We don't currently support grouping/arrays for facts - it's something we are poking at implementing, but have not done.
  3. We have what are called "scoping variables" that allow you to constrain knowledge to specific hosts. Start a fact definition with `host.` and it will only be used on the host it was discovered on, `#{host.file.sensitive}` for example.

Regarding chain attacks, I'd recommend you take a look at how we've constructed some of our demonstration adversaries (hunter and the worm variants).
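As an added illustration of the staging approach and the `host.` scoping prefix described in this answer (example abilities written for this thread, not code from the Caldera repository or from either commenter): the first ability emits one path per line, the stockpile `basic` parser turns each line into a `host.file.sensitive` fact bound to the agent that produced it, the second ability runs once per fact on that host only, and the third compresses the staging directory so each host yields a single archive. The UUIDs, paths and ability names are placeholders; the ATT&CK IDs are assumed to match the described steps.

```yaml
# Added example abilities (placeholder ids/paths). Stockpile convention is
# one ability per YAML file; they are shown together here for readability.
- id: 00000000-0000-0000-0000-000000000001
  name: Find sensitive files (example)
  description: Emit one absolute path per line; each line becomes one fact
  tactic: discovery
  technique:
    attack_id: T1083
    name: File and Directory Discovery
  platforms:
    linux:
      sh:
        command: |
          find /home -type f \( -name '*.bak' -o -name '*.sql' -o -name '*.yml' \) 2>/dev/null
        parsers:
          plugins.stockpile.app.parsers.basic:
            # "host." prefix: the fact is only used on the agent that found it
            - source: host.file.sensitive

- id: 00000000-0000-0000-0000-000000000002
  name: Stage sensitive files (example)
  description: Runs once per host.file.sensitive fact, on the discovering host only
  tactic: collection
  technique:
    attack_id: T1074.001
    name: Local Data Staging
  platforms:
    linux:
      sh:
        command: |
          mkdir -p /tmp/staged && cp "#{host.file.sensitive}" /tmp/staged/

- id: 00000000-0000-0000-0000-000000000003
  name: Compress staged directory (example)
  description: One archive per host, built from the directory instead of per-file facts
  tactic: collection
  technique:
    attack_id: T1560.001
    name: Archive via Utility
  platforms:
    linux:
      sh:
        command: |
          7za a /tmp/staged.7z /tmp/staged > /dev/null
        cleanup: |
          rm -rf /tmp/staged /tmp/staged.7z
```

Because the fact trait starts with `host.`, an agent on machine B never receives paths discovered on machine A, which is the failure described in point 3 of the question.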

rcaroncd commented 4 years ago

Okay, I've reviewed your answer; I'll explain:

The file compression ability is one of my own that I created with 7za. I'll check the yaml, but with what you said about the 'scope variables' (which are limited to one machine) I think that solves my problem.

I'll review the existing adversaries and see if I can clear up my doubts. Thank you very much for the information provided.

Greetings

privateducky commented 4 years ago

@rcaroncd let us know if there's anything else on this topic you want to revisit