Closed alexgumo7 closed 4 years ago
I've detected the problem. The issue was not that the agent is untrusted. In function _check_reason_skipped() of caldera/app/objects/c_operation.py, if it doesn't know why the ability was skipped, then it goes to the last else and assigns the reason to agent untrusted, when the agent is actually trusted.
The problem has been detected in the definition of buckets of abilities: in the generation of links, when there are buckets involved, it tries to compare the planner's buckets with the buckets of the abilities, and there is no hit because the buckets of the abilities are treated as a list of chars and the bucket from the planner as a single string:
caldera_1 | 2020-07-08 16:04:14 - DEBUG (planning_svc.py:107 get_links) b: d, bucket: defense-evasion
caldera_1 | 2020-07-08 16:04:14 - DEBUG (planning_svc.py:107 get_links) b: e, bucket: defense-evasion
caldera_1 | 2020-07-08 16:04:14 - DEBUG (planning_svc.py:107 get_links) b: f, bucket: defense-evasion
caldera_1 | 2020-07-08 16:04:14 - DEBUG (planning_svc.py:107 get_links) b: e, bucket: defense-evasion
caldera_1 | 2020-07-08 16:04:14 - DEBUG (planning_svc.py:107 get_links) b: n, bucket: defense-evasion
caldera_1 | 2020-07-08 16:04:14 - DEBUG (planning_svc.py:107 get_links) b: s, bucket: defense-evasion
caldera_1 | 2020-07-08 16:04:14 - DEBUG (planning_svc.py:107 get_links) b: e, bucket: defense-evasion
caldera_1 | 2020-07-08 16:04:14 - DEBUG (planning_svc.py:107 get_links) b: -, bucket: defense-evasion
caldera_1 | 2020-07-08 16:04:14 - DEBUG (planning_svc.py:107 get_links) b: e, bucket: defense-evasion
caldera_1 | 2020-07-08 16:04:14 - DEBUG (planning_svc.py:107 get_links) b: v, bucket: defense-evasion
caldera_1 | 2020-07-08 16:04:14 - DEBUG (planning_svc.py:107 get_links) b: a, bucket: defense-evasion
caldera_1 | 2020-07-08 16:04:14 - DEBUG (planning_svc.py:107 get_links) b: s, bucket: defense-evasion
caldera_1 | 2020-07-08 16:04:14 - DEBUG (planning_svc.py:107 get_links) b: i, bucket: defense-evasion
caldera_1 | 2020-07-08 16:04:14 - DEBUG (planning_svc.py:107 get_links) b: o, bucket: defense-evasion
caldera_1 | 2020-07-08 16:04:14 - DEBUG (planning_svc.py:107 get_links) b: n, bucket: defense-evasion
The problem has been corrected in the following master commit: https://github.com/mitre/caldera/commit/4e243fcc943eb21c2148c0b1b5fb0e5ca208e574
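The mismatch described in the comment above, reproduced as an added example that is not part of the original thread and is not Caldera's code or the linked commit's fix. The `Ability` model, the function names, and the sample abilities are hypothetical stand-ins; the example also shows a skip reason that defaults to "unknown" instead of "agent untrusted".

```python
# Added illustration with simplified stand-ins; not Caldera's implementation.
from dataclasses import dataclass
from typing import Iterable, List, Optional, Union


@dataclass
class Ability:  # hypothetical minimal model of an ability
    name: str
    buckets: Union[str, List[str]]


def normalize_buckets(value: Union[str, Iterable[str], None]) -> List[str]:
    """Always return a list of bucket names; a bare string becomes one item."""
    if value is None:
        return []
    if isinstance(value, str):
        return [value]
    return [str(b) for b in value]


def match_naive(abilities: List[Ability], planner_bucket: str) -> List[str]:
    """Mirrors the logged behaviour: iterating a str yields single characters."""
    return [a.name for a in abilities
            if any(b == planner_bucket for b in a.buckets)]


def match_normalized(abilities: List[Ability], planner_bucket: str) -> List[str]:
    """Compare the planner bucket against whole bucket names only."""
    return [a.name for a in abilities
            if planner_bucket in normalize_buckets(a.buckets)]


def skip_reason(agent_trusted: bool, matched: bool) -> Optional[str]:
    """Name each known cause; the fallback does not blame agent trust."""
    if matched:
        return None
    if not agent_trusted:
        return "agent untrusted"
    return "unknown (no bucket matched)"


# Constructed sample data: one bucket stored as a bare string, one as a list.
ABILITIES = [
    Ability("ability-a", "defense-evasion"),
    Ability("ability-b", ["discovery"]),
]

if __name__ == "__main__":
    print(match_naive(ABILITIES, "defense-evasion"))       # []
    print(match_normalized(ABILITIES, "defense-evasion"))  # ['ability-a']
```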
This issue is stale because it has been open 20 days with no activity. Remove stale label or comment or this will be closed in 5 days
Hi,
I am testing release 2.7.0 of Caldera, specifically the different planners. The current tests are focused on creating an operation concerning one Windows agent and using the discovery profile. When using the atomic and batch planners everything works as expected. However, when using the bucket planner the operation is finished without executing any ability as all abilities are skipped. The following is extracted from the report:
Then, why are there skipped abilities because of "Agent untrusted" if the agents are in fact active and if the same operation with the other planners is working fine?