mitre / caldera

Automated Adversary Emulation Platform
https://caldera.mitre.org
Apache License 2.0
5.54k stars 1.06k forks

FIN6 ability reverts back to default even after changing the command and saving it #2250

Closed egg-mayo-sandwich closed 3 years ago

egg-mayo-sandwich commented 3 years ago

Describe the bug

To Reproduce

Steps to reproduce the behavior:

  1. Enable emu plugin. Restart CALDERA server
  2. Create new adversary > add adversary > choose a profile: FIN6
  3. Edit the 1st ability "Enumerate AD person objects": change "#{adfind_exe}" -f (objectcategory=person) > ad_users.txt to adfind.exe -f (objectcategory=person) > ad_users.txt [screenshot]
  4. Save ability
  5. Save adversary
  6. The command stays this way as adfind.exe, which is intended behaviour. However, after stopping the CALDERA server and restarting it, the changes are gone and the command reverts back to the original "#{adfind_exe}" [screenshot]

Expected behavior

Edited command in ability should remain as such since it has already been saved, i.e. "Enumerate AD person objects" should remain as adfind.exe -f (objectcategory=person) > ad_users.txt, not change back to "#{adfind_exe}" -f (objectcategory=person) > ad_users.txt

This issue also happens for other abilities of the FIN6 adversary profile, including "WCE credential access" and "Compress Files with 7zip":

  - "#{wce_exe}" -w -o "#{output_file}" instead of wce.exe -w -o wce.txt
  - "#{7zip_exe}" a -mx3 ad.7z ad_* instead of 7.exe a -mx3 ad.7z ad_*


uruwhy commented 3 years ago

Looking at the plugin, it seems that every time the plugin is enabled, it will re-convert the adversary emulation plans into the corresponding abilities and profiles. So any changes you make in the emu plugin abilities/profiles will be overwritten the next time you restart the server. We understand that this is definitely inconvenient - an immediate workaround would be to save the edited abilities and profiles in a separate plugin data folder so that they persist even when the emu plugin updates. I can also pass you an edited version of the plugins/emu/hook.py file so that the overwrite will only happen if the plugins/emu/data directory is missing adversaries/abilities/sources.

I can make a backlog ticket to prevent this sort of thing from happening automatically without the user knowing, but that change might not be available immediately, and it would require you to update the emu plugin version.

uruwhy commented 3 years ago

See if you can change your plugins/emu/hook.py to the following - I tested this in my local environment, and the emu plugin stopped overwriting my files during each server restart.

import os
import shutil

from app.utility.base_world import BaseWorld
from plugins.emu.app.emu_svc import EmuService

name = 'Emu'
description = 'The collection of abilities from the CTID Adversary Emulation Plans'
address = None
access = BaseWorld.Access.RED
data_dir = os.path.join('plugins', name.lower(), 'data')
# Sub-directories that populate_data_directory() generates from the emulation plans.
populated_dirs = ["abilities", "adversaries", "sources"]


async def enable(services):
    plugin_svc = EmuService()

    # Fetch the adversary emulation plans repo if it has not been cloned yet.
    if not os.path.isdir(plugin_svc.repo_dir):
        await plugin_svc.clone_repo()

    # Only regenerate abilities/adversaries/sources when one of those directories
    # is missing, so edits saved under plugins/emu/data survive a server restart.
    if _repopulate_needed():
        await plugin_svc.populate_data_directory()


def _repopulate_needed():
    for directory in populated_dirs:
        full_path = os.path.join(data_dir, directory)
        if not os.path.isdir(full_path):
            return True
    return False


def _clear_dirs():
    # Not called by enable(); removes the generated directories so the next
    # server restart performs a full regeneration.
    for directory in populated_dirs:
        full_path = os.path.join(data_dir, directory)
        if os.path.isdir(full_path):
            shutil.rmtree(full_path)

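
The hook above skips regeneration entirely whenever the three directories already exist. As an added example that is not part of the emu plugin or of this thread, the variant below regenerates every time but first snapshots a hash manifest and afterwards restores only the files whose hash changed since the last run, so a user edit such as adfind.exe survives a restart while untouched abilities are still refreshed. The manifest file name, the _fake_populate stand-in for EmuService.populate_data_directory() (constructed sample abilities) and the demo() scratch-directory walkthrough are assumptions.

```python
import hashlib
import json
import os
import tempfile

MANIFEST = ".emu_manifest.json"  # hypothetical; would live inside plugins/emu/data
POPULATED_DIRS = ("abilities", "adversaries", "sources")

def _hashes(data_dir):
    """Relative path -> sha256 for every file under the populated dirs."""
    out = {}
    for sub in POPULATED_DIRS:
        for root, _, files in os.walk(os.path.join(data_dir, sub)):
            for name in files:
                full = os.path.join(root, name)
                out[os.path.relpath(full, data_dir)] = hashlib.sha256(open(full, "rb").read()).hexdigest()
    return out

def repopulate_preserving_edits(data_dir, populate):
    """Run populate() (stand-in for EmuService.populate_data_directory), then write back
    every file whose hash drifted from the last manifest, i.e. a user edit; return those paths."""
    manifest = os.path.join(data_dir, MANIFEST)
    recorded = json.load(open(manifest)) if os.path.isfile(manifest) else {}
    edited = {rel: open(os.path.join(data_dir, rel), "rb").read()
              for rel, digest in _hashes(data_dir).items()
              if rel in recorded and recorded[rel] != digest}
    populate(data_dir)  # the step that clobbers edits in the stock hook
    for rel, content in edited.items():
        with open(os.path.join(data_dir, rel), "wb") as fh:
            fh.write(content)
    with open(manifest, "w") as fh:
        json.dump(_hashes(data_dir), fh)  # fresh baseline for the next restart
    return sorted(edited)

# Constructed stand-in for the plan conversion: always emits the stock templated commands.
STOCK = {"enum_ad.yml": 'command: "#{adfind_exe}" -f (objectcategory=person) > ad_users.txt\n',
         "wce.yml": 'command: "#{wce_exe}" -w -o "#{output_file}"\n'}

def _fake_populate(data_dir):
    os.makedirs(os.path.join(data_dir, "abilities"), exist_ok=True)
    for name, text in STOCK.items():
        open(os.path.join(data_dir, "abilities", name), "w").write(text)

def demo():
    tmp = tempfile.mkdtemp()
    first = repopulate_preserving_edits(tmp, _fake_populate)
    path = os.path.join(tmp, "abilities", "enum_ad.yml")
    open(path, "w").write("command: adfind.exe -f (objectcategory=person) > ad_users.txt\n")
    second = repopulate_preserving_edits(tmp, _fake_populate)
    return first, second, open(path).read()
```

demo() simulates two server restarts around one user edit: the first run restores nothing, the second restores only abilities/enum_ad.yml and leaves the untouched wce.yml at its regenerated content.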
egg-mayo-sandwich commented 3 years ago

Apologies for the late reply, haven't been working on CALDERA in a while. I'll try that out, thank you!