elegantmoose
commented
4 years ago Hi @rcaroncd. So few things:
- First off, Caldera's planner service and design is going through complete overhaul at the moment. We are attempting to piece meal the changes but are also making changes on the fly, and hence the corresponding docs are not appropriately up to date. So we apologize for the current disconnect.
- Caldera's new planner design does NOT have have, they have been replaced with a 'buckets' concept. Essentially, it is a bucket state machine, where example buckets are "Enumeration", "Lateral Movement", "Goals" etc.. where the planner defines the inter and intra decisions of these buckets; i.e. when to move to another bucket, what abilities to execute within a bucket. Additionally, abilities will be in default buckets (corresponding to their ATT&CK tactic) when loaded in, but then also can be tagged with any custom bucket desired by the planner. Thus an implemented planner can grab abilities based on their bucket and apply them to agent/operation as desired.
- When running an operation, an operation can now be in 'atomic' or 'planner' mode. 'atomic' mode is just a default execution of the abilities for the specified adversary as they are defined in the adversary file. While 'planner' mode will load the specified planner, which will have been implemented using the bucket functionality, aforementioned.
- This has pushed more responsibility to planners, but has also given them a lot more power/flexibility as they completely control the logic to choose and execute abilities. Planners Implemented planners require:
- 'state_machine' - list variable detailing default order of buckets
- 'next_bucket' - str variable for setting initial/next bucket that planner will execute
- 'execute()' - entrypoint method -'()' - bucket methods for each bucket of planner, should correspond to buckets listed in 'state_machine'
See sequential.py for example: https://github.com/mitre/stockpile/blob/master/app/sequential.py
ghost
Hello,
Can you please explain how the planners and requirements work? Because I am looking at the documentation, and only with the explanation of the terminology, it is not clear how to implement them. I'm looking at Stockpile's but I also don't understand very well what can be done with them.
I have the following scenario: a lateral movement attack with kerberos tickets (pass the ticket).
In one phase, I collect the TGT tickets that exist in the machine, and I should pass them to the ability (of the next phase) using a variable like "host.dump.tickets" (this way in the next ability I could access them). The problem comes when the next ability runs the Pass The Ticket, and what it expects is a single TGT ticket, I have used a parser to be able to process the output of the Dump Tickets ability but I need to be able to apply some logic, based on other outputs from previous abilities, to be able to pass the right TGT ticket to the Pass The Ticket ability.
So I was going through the Stockpile Worm (among other adversaries) and, if I'm not wrong, there's no direct way to tell:
"Take the output of the Dump Ticket, and take the output of this other ability (which looks for the domain users and their characteristics) and be able to determine what data to pass to the next ability." (I don't want to have to do that logic from another ability in the agent)
That's why I saw the planners and thought that they could be the solution, but I don't see any clear example or explanation of use.
I hope you can clarify it.
Greetings and thank you very much