mitre / caldera

Automated Adversary Emulation Platform
https://caldera.mitre.org
Apache License 2.0

Confusion between obfuscated command and edited command in manual operations #2970

Open guillaume-duong-bib opened 4 months ago

guillaume-duong-bib commented 4 months ago

Describe the bug

I was unsure about categorizing this as a bug, but this does feel like an abnormal behavior.

In a manual operation, editing a link's command before approving the link will display the edited command as obfuscated command. In other words, Caldera does not differentiate between an obfuscated command and a command that has been edited by the user before approving it. Actually, they seem to use the same variable.

This also means that when using any kind of obfuscation, the edition window provides the obfuscated command, and this is what we can edit, even though the result may be that the obfuscated command does not correspond to the plaintext command.

To Reproduce

Steps to reproduce the behavior:

NB: this uses mitre/magma#48 and mitre/magma#49 to make manual approvals work.

First case

  1. Start a manual operation with any adversary, no obfuscation.
  2. Edit the command before approving a link.
  3. The edited command appears as "obfuscated command" (and is the one that's actually executed)

Second case

  1. Start a manual operation with any adversary and b64 obfuscation.
  2. Edit the (obfuscated) command before approving a link.
  3. The edited (obfuscated) command appears as "obfuscated command" (which makes sense), but it may not correspond to the plaintext command anymore.

Expected behavior

In a case with no obfuscation, I would expect the edited command to replace the "plaintext command" and not appear as "obfuscated command".

In a case with obfuscation, I am not sure:

Screenshots

Here I changed the string in the command (no obfuscation), which marks the new command as "obfuscated" even though it's really not.

Here I set up obfuscation and then messed up the obfuscated command. It still shows up as obfuscated command, which makes sense, but it's rubbish. I could also have changed it to echo zxcvbn.

@elegantmoose any insight on this? I might be able to submit a fix as I've spent a while looking around to understand how this happens, but I don't know what the ideal working scenario would be.

Plus, although the first case (no obfuscation) looks like a bug, I'm not sure whether the second case (obfuscation) is one.
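To make the reporter's expected behaviour concrete, here is an added sketch (not Caldera's or magma's code) of a link model that keeps the plaintext command, the obfuscated command and the "edited by operator" state as separate fields. The `Link` class, the `base64` stand-in obfuscator and the sample `echo` commands are all constructed for this illustration; an operator edit replaces the plaintext and re-derives the obfuscated form, and `is_consistent()` flags an obfuscated command that no longer decodes to its plaintext (the second case above).

```python
import base64
from dataclasses import dataclass

# Constructed stand-in obfuscators (not Caldera's own): each has an inverse,
# so a link can check that its obfuscated form still matches its plaintext.
def b64_obfuscate(plaintext: str) -> str:
    return base64.b64encode(plaintext.encode()).decode()
def b64_deobfuscate(obfuscated: str) -> str:
    return base64.b64decode(obfuscated.encode()).decode()

OBFUSCATORS = {
    "plain-text": (lambda s: s, lambda s: s),
    "base64": (b64_obfuscate, b64_deobfuscate),
}

@dataclass
class Link:
    """Hypothetical link model keeping plaintext, obfuscated and edited state apart."""
    command: str                     # plaintext command as planned
    obfuscator: str = "plain-text"
    edited: bool = False             # set when an operator changes the command
    obfuscated_command: str = ""     # derived from command in __post_init__

    def __post_init__(self) -> None:
        self.obfuscated_command = self._obfuscate(self.command)

    def _obfuscate(self, plaintext: str) -> str:
        encode, _ = OBFUSCATORS[self.obfuscator]
        return encode(plaintext)

    def edit_command(self, new_plaintext: str) -> None:
        # An operator edit replaces the plaintext and re-derives the obfuscated
        # form, so the two cannot diverge (what the first case asks for).
        self.command = new_plaintext
        self.edited = True
        self.obfuscated_command = self._obfuscate(new_plaintext)

    def is_consistent(self) -> bool:
        # Detects the second case: an obfuscated command that no longer
        # decodes to the plaintext it is supposed to represent.
        _, decode = OBFUSCATORS[self.obfuscator]
        try:
            return decode(self.obfuscated_command) == self.command
        except Exception:
            return False

    def display(self) -> dict:
        # What a UI would show: a command is labelled "obfuscated" only when
        # an obfuscator is actually active, never merely because it was edited.
        obfuscated = self.obfuscated_command if self.obfuscator != "plain-text" else None
        return {"plaintext command": self.command, "obfuscated command": obfuscated,
                "edited by operator": self.edited}
```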

elegantmoose commented 4 months ago

I merged the quick fix in magma plugin, I'll have to circle back to this one next time to think through the total desired functionality.

github-actions[bot] commented 2 months ago

This issue is stale because it has been open 30 days with no activity. Remove stale label or comment or this will be closed in 5 days

github-actions[bot] commented 3 weeks ago

This issue is stale because it has been open 30 days with no activity. Remove stale label or comment or this will be closed in 5 days