mitre / caldera

Automated Adversary Emulation Platform
https://caldera.mitre.org
Apache License 2.0

Agent communicates with base64 obfuscation despite different operation settings #2975

Open l1ghts4ber opened 1 month ago

l1ghts4ber commented 1 month ago

Description: When starting an operation with the plain-text obfuscator, the agent nevertheless communicates with base64 encryption.

To Reproduce: Steps to reproduce the behavior:

  1. Start a new operation with the plain-text obfuscator (different settings for Adversary, Fact Source etc. not tested yet)
  2. Run links while capturing network traffic

Expected behavior: The agent's communication (beaconing/commands) should be readable in plain text from the captured network traffic.

Screenshots: Operation setup (image)

This is a sample http-data snippet of an HTTP 200 OK message from Caldera to the agent (image)

This is a sample decoded beacon POST request from a pcap file analyzed with Wireshark (image)

Additional context: Caldera v5.0.0 standard installation with git clone https://github.com/mitre/caldera.git --recursive

l1ghts4ber commented 1 month ago

May be related to: https://github.com/mitre/caldera/issues/2970

guillaume-duong-bib commented 1 month ago

I haven't checked anything, but I think you might be confusing the base64 command obfuscation with the base64 payload encoding for network transport. Try starting the same operation with base64 obfuscation; you should see a difference in the command field.

l1ghts4ber commented 1 month ago

With plain-text, the command itself also gets base64 encoded (in network traffic). Will provide a screenshot as soon as I can.

guillaume-duong-bib commented 1 month ago

Alright, so here are some results:

  1. Operation with no obfuscation

     Payload from the server to the agent:

     eyJwYXciOiAidWRqd2JtIiwgInNsZWVwIjogMzgsICJ3YXRjaGRvZyI6IDAsICJpbnN0cnVjdGlvbnMiOiAiW1wie1xcXCJpZFxcXCI6IFxcXCJjZDY3MTM5NC1hMGY3LTRlNWUtOWEyNy0yNTA2NGIyNGE0YmRcXFwiLCBcXFwic2xlZXBcXFwiOiAzLCBcXFwiY29tbWFuZFxcXCI6IFxcXCJaV05vYnlCb1pXeHNidz09XFxcIiwgXFxcImV4ZWN1dG9yXFxcIjogXFxcInBzaFxcXCIsIFxcXCJ0aW1lb3V0XFxcIjogNjAsIFxcXCJwYXlsb2Fkc1xcXCI6IFtdLCBcXFwidXBsb2Fkc1xcXCI6IFtdLCBcXFwiZGVhZG1hblxcXCI6IGZhbHNlLCBcXFwiZGVsZXRlX3BheWxvYWRcXFwiOiB0cnVlfVwiXSJ9

     Translates into:

     {"paw": "udjwbm", "sleep": 38, "watchdog": 0, "instructions": "[\"{\\\"id\\\": \\\"cd671394-a0f7-4e5e-9a27-25064b24a4bd\\\", \\\"sleep\\\": 3, \\\"command\\\": \\\"ZWNobyBoZWxsbw==\\\", \\\"executor\\\": \\\"psh\\\", \\\"timeout\\\": 60, \\\"payloads\\\": [], \\\"uploads\\\": [], \\\"deadman\\\": false, \\\"delete_payload\\\": true}\"]"}

     Command translates into:

echo hello

  2. Operation with base64 obfuscation

     Payload from the server to the agent: [...]

     Translates into:

     {"paw": "udjwbm", "sleep": 42, "watchdog": 0, "instructions": "[\"{\\\"id\\\": \\\"c96d559b-a60c-48b2-bb8a-f192a45cf042\\\", \\\"sleep\\\": 3, \\\"command\\\": \\\"cG93ZXJzaGVsbCAtRW5jIFpRQmpBR2dBYndBZ0FHZ0FaUUJzQUd3QWJ3QT0=\\\", \\\"executor\\\": \\\"psh\\\", \\\"timeout\\\": 60, \\\"payloads\\\": [], \\\"uploads\\\": [], \\\"deadman\\\": false, \\\"delete_payload\\\": true}\"]"}

     Command translates into:

powershell -Enc ZQBjAGgAbwAgAGgAZQBsAGwAbwA=

  3. Operation with caesar obfuscation

     Payload from the server to the agent:

     eyJwYXciOiAidWRqd2JtIiwgInNsZWVwIjogNDUsICJ3YXRjaGRvZyI6IDAsICJpbnN0cnVjdGlvbnMiOiAiW1wie1xcXCJpZFxcXCI6IFxcXCIyOTdkMjdiZi1iNTVkLTRlMzQtYmE0Mi1mMjMzY2E3NzVmN2RcXFwiLCBcXFwic2xlZXBcXFwiOiA0LCBcXFwiY29tbWFuZFxcXCI6IFxcXCJKR1Z1WTNKNWNIUmxaQ0E5SUNKeGIzUjdJSFJ4ZUhoN0lqc2dKR050WkNBOUlDSWlPeUFrWlc1amNubHdkR1ZrSUQwZ0pHVnVZM0o1Y0hSbFpDNTBiME5vWVhKQmNuSmhlU2dwT3lCbWIzSmxZV05vSUNna2JHVjBkR1Z5SUdsdUlDUmxibU55ZVhCMFpXUXBJSHNrYkdWMGRHVnlJRDBnVzJOb1lYSmRLQ2hiYVc1MFhWdGphR0Z5WFNSc1pYUjBaWElwSUMwZ01USXBPeUFrWTIxa0lDczlJQ1JzWlhSMFpYSTdmU0IzY21sMFpTMXZkWFJ3ZFhRZ0pHTnRaRHM9XFxcIiwgXFxcImV4ZWN1dG9yXFxcIjogXFxcInBzaFxcXCIsIFxcXCJ0aW1lb3V0XFxcIjogNjAsIFxcXCJwYXlsb2Fkc1xcXCI6IFtdLCBcXFwidXBsb2Fkc1xcXCI6IFtdLCBcXFwiZGVhZG1hblxcXCI6IGZhbHNlLCBcXFwiZGVsZXRlX3BheWxvYWRcXFwiOiB0cnVlfVwiXSJ9

     Translates into:

     {"paw": "udjwbm", "sleep": 45, "watchdog": 0, "instructions": "[\"{\\\"id\\\": \\\"297d27bf-b55d-4e34-ba42-f233ca775f7d\\\", \\\"sleep\\\": 4, \\\"command\\\": \\\"JGVuY3J5cHRlZCA9ICJxb3R7IHRxeHh7IjsgJGNtZCA9ICIiOyAkZW5jcnlwdGVkID0gJGVuY3J5cHRlZC50b0NoYXJBcnJheSgpOyBmb3JlYWNoICgkbGV0dGVyIGluICRlbmNyeXB0ZWQpIHskbGV0dGVyID0gW2NoYXJdKChbaW50XVtjaGFyXSRsZXR0ZXIpIC0gMTIpOyAkY21kICs9ICRsZXR0ZXI7fSB3cml0ZS1vdXRwdXQgJGNtZDs=\\\", \\\"executor\\\": \\\"psh\\\", \\\"timeout\\\": 60, \\\"payloads\\\": [], \\\"uploads\\\": [], \\\"deadman\\\": false, \\\"delete_payload\\\": true}\"]"}

     Command translates into:

$encrypted = "qot{ tqxx{"; $cmd = ""; $encrypted = $encrypted.toCharArray(); foreach ($letter in $encrypted) {$letter = [char](([int][char]$letter) - 12); $cmd += $letter;} write-output $cmd;

Summary

You are right in saying that the command itself gets b64 encoded, but that's not obfuscation. The obfuscation options are meant for host-level obfuscation, not network-level. And although it seems unnecessary to have a second layer of b64 encoding for the command when the whole payload already is b64-encoded, it doesn't matter as the agent will decode it before executing it.

You can see on my first example that the command is indeed b64-encoded in the payload, but what's executed by powershell is a plain echo hello.

On the contrary, for the second operation, there is a third level of b64 encoding (actually, obfuscation) that does not get peeled off before being given to powershell, which will execute powershell -Enc ZQBjAGgAbwAgAGgAZQBsAGwAbwA=. So in that case we have 2 levels of b64 encoding, and one level of b64 obfuscation.

Third operation is the same: one level of b64 encoding in the payload, one in the command, but both are peeled off and powershell actually executes $encrypted = "qot{ tqxx{"; $cmd = ""; $encrypted = $encrypted.toCharArray(); foreach ($letter in $encrypted) {$letter = [char](([int][char]$letter) - 12); $cmd += $letter;} write-output $cmd;
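The layering described in the comment above (transport base64 around the beacon JSON, a second base64 around each instruction's command, and, with the base64 obfuscator, a third layer that is handed to powershell -Enc) is what a defender sees when decoding captured Caldera traffic. The following is an added example, not code from the Caldera project or from anyone in this thread: it peels those layers in order and, when the command is a powershell -Enc invocation, decodes the UTF-16LE script that actually runs. The beacon shape follows the decoded payloads quoted above; the function names (peel_beacon, reveal_executed, build_beacon) and the instruction ids are this example's own, and the two constant strings are the values quoted in the thread.

```python
"""Peel the nested base64 layers of a Caldera beacon reply (added example)."""
import base64
import json
import re


def peel_beacon(transport_b64: str) -> dict:
    """Layers 1 and 2: transport base64 -> beacon JSON, then each command's base64."""
    beacon = json.loads(base64.b64decode(transport_b64).decode())
    # "instructions" is itself a JSON string holding a list of JSON strings,
    # exactly as in the decoded payloads quoted in the thread.
    instructions = [json.loads(item) for item in json.loads(beacon["instructions"])]
    for ins in instructions:
        ins["command"] = base64.b64decode(ins["command"]).decode()
    beacon["instructions"] = instructions
    return beacon


# powershell -Enc / -EncodedCommand takes base64 of the UTF-16LE script text.
_ENC_RE = re.compile(r"^powershell\s+-(?:enc|encodedcommand)\s+(\S+)\s*$", re.IGNORECASE)


def reveal_executed(command: str) -> str:
    """Layer 3 (present only with the base64 obfuscator): return the script
    PowerShell will actually run; any other command is returned unchanged."""
    match = _ENC_RE.match(command)
    if not match:
        return command
    return base64.b64decode(match.group(1)).decode("utf-16-le")


def build_beacon(commands, sleep=38) -> str:
    """Constructed sample beacon in the same shape as the thread's decoded payloads
    (assumed field set; ids are placeholders, not real Caldera link ids)."""
    instructions = [
        json.dumps({"id": f"constructed-{n}", "sleep": 3,
                    "command": base64.b64encode(cmd.encode()).decode(),
                    "executor": "psh", "timeout": 60, "payloads": [],
                    "uploads": [], "deadman": False, "delete_payload": True})
        for n, cmd in enumerate(commands)
    ]
    beacon = {"paw": "udjwbm", "sleep": sleep, "watchdog": 0,
              "instructions": json.dumps(instructions)}
    return base64.b64encode(json.dumps(beacon).encode()).decode()


# Values quoted in the thread: base64 of "echo hello", and the command the
# base64 obfuscator produces for it (UTF-16LE base64 behind powershell -Enc).
PLAIN_COMMAND_B64 = "ZWNobyBoZWxsbw=="
OBFUSCATED_COMMAND = "powershell -Enc ZQBjAGgAbwAgAGgAZQBsAGwAbwA="


def decode_plain_command() -> str:
    """Layer 2 alone, applied to the thread's quoted command field."""
    return base64.b64decode(PLAIN_COMMAND_B64).decode()


if __name__ == "__main__":
    samples = [("plain-text", build_beacon(["echo hello"])),
               ("base64 obfuscator", build_beacon([OBFUSCATED_COMMAND], sleep=42))]
    for label, transport in samples:
        for ins in peel_beacon(transport)["instructions"]:
            print(f"{label}: on the wire={ins['command']!r} "
                  f"-> executed={reveal_executed(ins['command'])!r}")
```

Run stand-alone it prints, for both samples, the command as it sits in the beacon and the script the executor ends up running; only the base64-obfuscator sample differs between the two, which is the distinction the comment draws between transport encoding and host-level obfuscation.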

l1ghts4ber commented 1 month ago

Thanks for the clarification!

elegantmoose commented 1 month ago

Kudos @guillaume-duong-bib for the explanation.

@l1ghts4ber good to close?