Can not create new adversaries and import APT29 adversary

[dino-chiio]

I have just installed CALDERA version 4.1.0 using Docker environment. I followed this repo and config caldera to import APT29 adversary. I am struggling with some obstacles, please help me overcome these. Thanks so muck!

• After starting CALDERA server, I successfully deployed an agent on Windows victim and see imported APT29 abilities as Fig.1 and Fig.2
• But I can not create a new adversary when clicking CREATE button, nothing happened, or importing APT29 adversaries - It threw errors as Fig.3 And when I click in one profile in pre-defined list, there is no ability in this profile. However, when click to add adversary, it shows those abilities as Fig.4 and Fig.5
• In the Operations option, when creating and starting an operation, in docker terminal, it threw the error as Fig.6
• This is a sample of pre-defined APT29 adversary `id: 3af0e59b-0d2a-48cd-b934-c46d5d1621d6 name: ATT&CK Eval APT3 - 5.B-8.A description: Access Token Manipulation, Discovery for Lateral Movement, Persistence, and Discovery for Collection visible: 1 phases: 1:
  • 03afada1-1714-408f-bde5-f528b91dc89d`
• Figure 1 Figure 2

Figure 3 *Figure 4 Figure 5

Figure 6

[github-actions[bot]]

Looks like your first issue -- we aim to respond to issues as quickly as possible. In the meantime, check out our documentation here: http://caldera.readthedocs.io/

[L015H4CK]

Hi, unfortunately I cannot help you with this problem. For me, importing the APT29 adversary worked using a non-docker environment. Since I have no experience using CALDERA with docker I cannot tell if the error comes from docker or not. Actually, you should not have to import the APT29 adversary profiles manually but they should be loaded automatically to CALDERAs adversary profiles as long as they are in the plugin's respective data/adversaries directory and the plugin is enabled in the config/default.yml.

But, I have some information regarding the attack-arsenal/adversary-emulation-library and APT29 that might be interesting for you as well.

The attack-arsenal repo that you linked was moved to the adversary emulation library. You can find a note in the attack-arsenal repo as well (This content has been ported to https://github.com/center-for-threat-informed-defense/adversary_emulation_library as of January 2021. This format was preserved in [/Archive](https://github.com/center-for-threat-informed-defense/adversary_emulation_library/tree/master/apt29/Archive). - see here). The content of the original repo was moved here.

Another but: If you then intent to use the new adversary emulation library with the emu-plugin instead of the old evals-plugin, you will probably find that the generated APT29 adversary profile is faulty. More information on that can be seen in my pull request. Using the APT29 adversary emulation plan I also did not get the operation to work as expected - but I am still investigating this and it should not be a problem for you right now since you have other problems to fix first as it seems.

[dino-chiio]

Hi, unfortunately I cannot help you with this problem. For me, importing the APT29 adversary worked using a non-docker environment. Since I have no experience using CALDERA with docker I cannot tell if the error comes from docker or not. Actually, you should not have to import the APT29 adversary profiles manually but they should be loaded automatically to CALDERAs adversary profiles as long as they are in the plugin's respective data/adversaries directory and the plugin is enabled in the config/default.yml.

But, I have some information regarding the attack-arsenal/adversary-emulation-library and APT29 that might be interesting for you as well.

The attack-arsenal repo that you linked was moved to the adversary emulation library. You can find a note in the attack-arsenal repo as well (This content has been ported to https://github.com/center-for-threat-informed-defense/adversary_emulation_library as of January 2021. This format was preserved in [/Archive](https://github.com/center-for-threat-informed-defense/adversary_emulation_library/tree/master/apt29/Archive). - see here). The content of the original repo was moved here.

Another but: If you then intent to use the new adversary emulation library with the emu-plugin instead of the old evals-plugin, you will probably find that the generated APT29 adversary profile is faulty. More information on that can be seen in my pull request. Using the APT29 adversary emulation plan I also did not get the operation to work as expected - but I am still investigating this and it should not be a problem for you right now since you have other problems to fix first as it seems.

Hello. I tried to run CALDERA with non-docker option and configured the evals plugin but It still did not import adversary profiles automatically. I also tried your modification of emulation plan by importing .yaml file. It threw an error as the Fig.3.

• Abilities were automatically successful.
• My installation ran on Ubuntu 18.04 and CALDERA version is 4.1.0

[L015H4CK]

When using the new emulation plans you no longer need the evals plugin - instead you enable the emu plugin. It automatically generates adversary profiles, abilities, etc from the given YAML adversary emulation plan and puts them into plugins/emu/data/adversaries, plugins/emu/data/abilities, etc.

Some questions that might help finding the problem here:

• Does CALDERA work as expected when you disable the evals plugin? So, is every adversary profile loaded as expected and can you run operations with them?
• Does CALDERA correctly load adversary profiles from any other plugin?
• Also, are you using the tagged 4.1.0 version or the master branch? I did not have any problems with the tagged version in the past - but I do not have the time to try and recreate the issue at the moment.

[dino-chiio]

Thank you so much! I have just run successfully with emu plugin!