mitre / caldera

Automated Adversary Emulation Platform
https://caldera.mitre.org
Apache License 2.0

How to handle Atomic or adversary_emulation_library "dependencies" #2363

Closed mirek186 closed 2 years ago

mirek186 commented 2 years ago

Some Atomic and adversary_emulation_library YAML files have dependencies sections, mainly used to prep the env, e.g. download or install files, etc. At the moment I can't see this section in Caldera; I've checked the code and it looks like it's not parsed from the file when loading data. Is there a plan to do it, or maybe it's there but I can't find it? E.g. in https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1040/T1040.yaml there is a section to install tshark:

```yaml
dependency_executor_name: bash
dependencies:
  - description: |
      Check if at least one of tcpdump or tshark is installed.
    prereq_command: |
      if [ ! -x "$(command -v tcpdump)" ] && [ ! -x "$(command -v tshark)" ]; then exit 1; else exit 0; fi;
    get_prereq_command: |
      (which yum && yum -y install epel-release tcpdump tshark)||(which apt-get && DEBIAN_FRONTEND=noninteractive apt-get install -y tcpdump tshark)
```

or in https://github.com/center-for-threat-informed-defense/adversary_emulation_library/blob/44f6edebb53b130e23efaf256d4491bd32eb18d7/fin6/Emulation_Plan/yaml/FIN6.yaml, where emulation plans have dependencies sections to download payloads:

```yaml
dependency_executor_name: powershell
dependencies:
  - description: Adfind.exe must exist on disk at specified location (#{adfind_exe})
    prereq_command: |
      if (Test-Path "#{adfind_exe}") {exit 0} else {exit 1}
    get_prereq_command: |
      $parentpath = Split-Path "#{adfind_exe}"; $zippath = "$parentpath\adfind.zip"
      IEX(IWR "https://raw.githubusercontent.com/redcanaryco/invoke-atomicredteam/master/Public/Invoke-WebRequestVerifyHash.ps1")
      if(Invoke-WebRequestVerifyHash "#{adfind_url}" $zippath "#{adfind_zip_hash}") {
        Expand-Archive $zippath $parentpath\adfind -Force
        Move-Item $parentpath\adfind\adfind.exe "#{adfind_exe}"
        Remove-Item $zippath, $parentpath\adfind -Recurse
      }
```

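
The prereq_command / get_prereq_command contract the two snippets above share (check first, fetch only if the check fails, then re-check) is small enough to show in code. The block below is an added illustration, not Caldera's code nor the fix later merged in mitre/atomic; it assumes the dependency entries are already loaded from YAML into dicts, uses the `#{name}` placeholder convention from the snippets, and makes get_prereq_command opt-in (`allow_fetch`) because those commands install packages or pull payloads from the network. `FakeHost`, `ADFIND_DEP` and the `check`/`fetch` verbs are constructed stand-ins so it runs offline.

```python
import subprocess

# Maps the YAML's dependency_executor_name to an interpreter invocation.
EXECUTORS = {"bash": ["bash", "-c"],
             "powershell": ["powershell", "-NoProfile", "-Command"]}

def render(text, facts):
    """Fill #{name} placeholders (the Atomic / emulation-plan input convention)."""
    for name, value in facts.items():
        text = text.replace("#{" + name + "}", value)
    return text

def run_with_executor(executor, script):
    """Default runner: hand the script to the named interpreter, return its exit code."""
    return subprocess.run(EXECUTORS[executor] + [script], check=False).returncode

def resolve_dependencies(deps, executor, facts, runner=run_with_executor, allow_fetch=False):
    """Run each prereq_command; when it fails and fetching is allowed, run
    get_prereq_command once and re-check. Returns the descriptions still unmet,
    so an empty list means the technique's test can be executed."""
    unmet = []
    for dep in deps:
        check = render(dep["prereq_command"], facts)
        if runner(executor, check) == 0:
            continue
        if allow_fetch and dep.get("get_prereq_command"):
            runner(executor, render(dep["get_prereq_command"], facts))
            if runner(executor, check) == 0:
                continue
        unmet.append(render(dep["description"], facts).strip())
    return unmet

class FakeHost:
    """Constructed stand-in for an agent host: records scripts, fakes file state."""
    def __init__(self):
        self.files, self.scripts = set(), []
    def __call__(self, executor, script):
        self.scripts.append(script)
        verb, _, path = script.strip().partition(" ")
        if verb == "fetch":            # fake get_prereq_command: "downloads" the file
            self.files.add(path)
            return 0
        return 0 if path in self.files else 1   # fake prereq_command: is the file present?

# Constructed dependency entry modelled on the FIN6 plan's AdFind dependency above.
ADFIND_DEP = [{"description": "AdFind.exe must exist on disk at #{adfind_exe}",
               "prereq_command": "check #{adfind_exe}",
               "get_prereq_command": "fetch #{adfind_exe}"}]
```

With a real host, `runner` is left at its default so the check and fetch scripts go to the executor named in the YAML; passing `FakeHost()` instead lets you see exactly which commands would be run and in what order.
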
ArtificialErmine commented 2 years ago

@mirek186 - Thanks for pointing this out! As you surmised, we don't currently have any support for these kinds of dependencies, nor do we have any concrete plans to add that support at the moment. However, since you've brought this up, we're going to take a look and see if developing some support may be possible, since providing the functionality definitely seems beneficial.

ArtificialErmine commented 2 years ago

@mirek186 We've addressed this dependency processing gap in https://github.com/mitre/atomic/pull/33. If the problem persists after this update, please feel free to reach out again and we'll see how we can help!