mitre / emu
This CALDERA Plugin converts Adversary Emulation Plans from the Center for Threat Informed Defense
Home Page: https://caldera.mitre.org/
License: Apache License 2.0
Describe the bug
When running the Operation for the FIN6/7 adversary, the commands being executed are wrong. In these commands the facts file is supposed to be used to replace the traits with the corresponding values, but that's not happening.
To Reproduce
Steps to reproduce the behavior:
Expected behavior
The traits are supposed to be replaced by the corresponding values in the commands.
Screenshots
The facts for FIN6:
The command that's being executed:
The facts for FIN7
The command that's being executed:
It appears that the executors defined in the emulation library aren't all being imported, and only the second one listed (pwsh) is being taken instead of both psh and pwsh. For example, coming from the apt29 yaml adversary:
Looks like after importing to CALDERA via emu it becomes just:
mvanopst@ubuntu:~/caldera$ cat plugins/emu/data/abilities/discovery/24ed020e-4730-4000-b6b4-6b5d3e95314f.yml
It's problematic since even with the 'shells' extension installed on the win10 sandcat agents, I'm only set to run ["cmd","psh"], so I'm missing a bunch of the abilities from an adversary profile.
The Day 1 part completes but then the Day 2 part never starts and it just stays hung up at that point. Basically, after the restart in Day 1 new bots are not created again, which leads to the apt29 plugin getting stuck at the Artifact cleanup phase after the scheduled task phase. Also, is there any documentation on what each of the facts means, so that I can verify that I have the correct things where they should be?
Also, when using the StealToken PowerShell script in the Access Token Manipulation stage I get these errors:
I think most of the errors that I am getting can be just due to misunderstanding of where which facts should go. Can you please help me understand this part?
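For the trait-substitution problem reported above, the check a user wants before running the operation is which #{trait} references in the abilities' commands have no value in the facts file. The script below is an added example, not CALDERA or emu plugin code: it uses CALDERA's #{trait} reference syntax, but the facts and abilities it runs on are constructed here and do not reproduce the plugin's FIN6/FIN7 facts files or their trait names.

```python
"""List the fact traits an ability's command still needs before an operation runs.

Added example for this issue thread, not CALDERA or emu plugin code. CALDERA
abilities reference facts as #{trait}; the facts and abilities below are
constructed for the example and do not reproduce the plugin's FIN6/FIN7
facts files.
"""
import re

# A fact reference inside a command, e.g. #{domain.user.name}
FACT_REF = re.compile(r'#\{([^}]+)\}')


def resolve_command(command, facts):
    """Substitute every #{trait} that has a value; return (command, unresolved traits)."""
    missing = []

    def substitute(match):
        trait = match.group(1)
        if trait in facts and facts[trait] not in (None, ''):
            return str(facts[trait])
        missing.append(trait)
        return match.group(0)   # leave the reference in place, which is what shows up in the executed command

    return FACT_REF.sub(substitute, command), missing


def check_abilities(abilities, facts):
    """Per ability name: the command after substitution and the traits no fact covers."""
    report = {}
    for ability in abilities:
        command, missing = resolve_command(ability['command'], facts)
        report[ability['name']] = {'command': command, 'missing': missing}
    return report


def unresolved_traits(report):
    """Every trait left unresolved across all abilities, to compare against the facts file."""
    return sorted({trait for entry in report.values() for trait in entry['missing']})


# Constructed facts in trait -> value form (an assumption about layout, not the plugin's file format).
SAMPLE_FACTS = {
    'domain.user.name': 'labuser',
    'domain.user.password': 'S3cret!',
    'target.host.fqdn': 'ws01.lab.local',
    'target.share.path': '',        # present but empty: still unresolved
}

# Constructed abilities in the shape of an emulation plan's 'command' fields.
SAMPLE_ABILITIES = [
    {'name': 'list-share',
     'command': 'net use \\\\#{target.host.fqdn}\\#{target.share.path} /user:#{domain.user.name} #{domain.user.password}'},
    {'name': 'lateral-exec',
     'command': 'psexec.exe \\\\#{target.host.fqdn} -u #{domain.user.name} -p #{domain.user.password} cmd.exe'},
    {'name': 'find-admins',
     'command': 'AdFind.exe -default -f "objectcategory=group" -s sub -b "#{domain.dn}"'},
]


if __name__ == '__main__':
    report = check_abilities(SAMPLE_ABILITIES, SAMPLE_FACTS)
    for name, entry in report.items():
        print(f'{name}: {entry["command"]}')
        if entry['missing']:
            print(f'  unresolved: {entry["missing"]}')
    print('traits to add to the facts file:', unresolved_traits(report))
```

Run it against your own facts file's contents and the commands of the adversary profile; every trait it lists is one the facts file does not supply. CALDERA also fills traits from facts learned during the operation (parsers on earlier abilities), so a trait listed here is a problem only if nothing earlier in the profile produces it.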
Describe the bug
I think this is the correct place to open this issue since it is related to the emu plugin's emu_svc.py.
When starting a CALDERA server with the emu plugin enabled and the information about APT29 from the adversary emulation library (see here), the wrong payloads are copied to plugins/emu/payloads.
I would expect emu_svc.py to copy the payloads in plugins/emu/data/adversary-emulation-plans/apt29/resources/ (here), but instead the payloads from the archived directory plugins/emu/data/adversary-emulation-plans/apt29/Archive/CALDERA_DIY/evals/payloads (here) are copied (see output with debug prints added below). For other emulation plans the correct directory was searched (probably because there is no "Archive" directory?) (tested with the carbanak emulation plan).
I know this does not belong here but rather in the adversary-emulation-library, but I still want to mention it here. Maybe I will open another issue over there as well about this.
The APT29 adversary emulation library information contains 3 payload directories in total. For example the stepFourteen_bypassUAC.ps1 payload is found 3 times in:
The payload that will be used by the emu plugin is number 3 in the above list.
It is also worth mentioning that the payloads' contents are not the same. This is really confusing when you want to edit the payloads (which is necessary for the attacks), because it is not clear which ones are really used by CALDERA.
To Reproduce
Steps to reproduce the behavior:
Expected behavior
I would expect the emu_svc to copy the payloads from the "not-archived" directory (plugins/emu/data/adversary-emulation-plans/apt29/resources/).
Screenshots
2023-03-08 05:36:04 - DEBUG (emu_svc.py:265 _store_required_payloads) Searching for and storing required payloads.
payload timestomp.ps1
path plugins/emu/data/adversary-emulation-plans/apt29/Archive/CALDERA_DIY/evals/payloads/timestomp.ps1
target_path plugins/emu/payloads/timestomp.ps1
payload stepSeventeen_zip.ps1
path plugins/emu/data/adversary-emulation-plans/apt29/Archive/CALDERA_DIY/evals/payloads/stepSeventeen_zip.ps1
target_path plugins/emu/payloads/stepSeventeen_zip.ps1
payload plink.exe
path plugins/emu/data/adversary-emulation-plans/carbanak/Resources/step5/plink.exe
target_path plugins/emu/payloads/plink.exe
payload Invoke-Mimikatz.ps1
path plugins/emu/data/adversary-emulation-plans/apt29/Archive/CALDERA_DIY/evals/payloads/Invoke-Mimikatz.ps1
target_path plugins/emu/payloads/Invoke-Mimikatz.ps1
payload stepSixteen_SID.ps1
path plugins/emu/data/adversary-emulation-plans/apt29/Archive/CALDERA_DIY/evals/payloads/stepSixteen_SID.ps1
target_path plugins/emu/payloads/stepSixteen_SID.ps1
payload stepFourteen_bypassUAC.ps1
path plugins/emu/data/adversary-emulation-plans/apt29/Archive/CALDERA_DIY/evals/payloads/stepFourteen_bypassUAC.ps1
target_path plugins/emu/payloads/stepFourteen_bypassUAC.ps1
Desktop (please complete the following information):
Additional context
...
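An added check for the situation the report above describes (not the emu plugin's own code): it lists every copy of a payload under a plan directory together with its SHA-256, so differing contents are visible, and picks the copy outside any Archive directory, which is the selection the reporter expects emu_svc.py to make. The directory tree it runs on is constructed in a temporary directory to mirror the apt29 layout named in the report; the location of the third copy is an assumption, since the report's list of the three paths did not survive on this page.

```python
"""Report every copy of an emulation-plan payload and pick the non-archived one.

Added example for this thread, not the emu plugin's own code. It builds a
constructed directory tree that mirrors the apt29 layout described above
(a copy under resources/ and copies under Archive/...), hashes each copy
so differing contents are visible, and resolves the name the way the
reporter expects emu_svc to: any path with an 'Archive' component is
ignored. The third copy's location below is an assumption.
"""
import glob
import hashlib
import os
import tempfile

PAYLOAD = 'stepFourteen_bypassUAC.ps1'

# Constructed layout relative to the plan directory; contents deliberately differ.
SAMPLE_TREE = {
    os.path.join('resources', PAYLOAD): '# live copy\nWrite-Host "resources"\n',
    os.path.join('Archive', 'CALDERA_DIY', 'evals', 'payloads', PAYLOAD): '# archived copy\nWrite-Host "archive"\n',
    os.path.join('Archive', 'old', PAYLOAD): '# older archived copy\n',   # assumed location of the third copy
}


def build_sample_tree(plan_dir, tree=SAMPLE_TREE):
    """Write the constructed payload copies below plan_dir."""
    for rel, text in tree.items():
        path = os.path.join(plan_dir, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, 'w') as f:
            f.write(text)


def sha256_file(path):
    with open(path, 'rb') as f:
        return hashlib.sha256(f.read()).hexdigest()


def is_archived(path, plan_dir):
    """True if any directory component between plan_dir and the file is 'Archive'."""
    rel = os.path.relpath(path, plan_dir)
    return 'Archive' in rel.split(os.sep)[:-1]


def payload_copies(plan_dir, payload):
    """All files named payload below plan_dir, each with its archived flag and digest."""
    pattern = os.path.join(glob.escape(plan_dir), '**', payload)
    return [(p, is_archived(p, plan_dir), sha256_file(p))
            for p in sorted(glob.glob(pattern, recursive=True))]


def resolve_payload(plan_dir, payload):
    """Pick the copy to stage: the non-archived one.

    Raises if there is none, or if several non-archived copies disagree,
    instead of silently taking whichever copy glob yields first.
    """
    copies = payload_copies(plan_dir, payload)
    live = [(p, digest) for p, archived, digest in copies if not archived]
    if not live:
        raise FileNotFoundError(f'no non-archived copy of {payload} under {plan_dir}')
    if len({digest for _, digest in live}) > 1:
        raise RuntimeError(f'conflicting non-archived copies of {payload}: {[p for p, _ in live]}')
    return live[0][0], copies


def demo():
    """Run against the constructed tree in a temp dir; returns a summary for checking."""
    with tempfile.TemporaryDirectory() as root:
        plan_dir = os.path.join(root, 'apt29')
        build_sample_tree(plan_dir)
        chosen, copies = resolve_payload(plan_dir, PAYLOAD)
        return {
            'chosen': os.path.relpath(chosen, plan_dir).replace(os.sep, '/'),
            'copies': len(copies),
            'archived': sum(1 for _, archived, _ in copies if archived),
            'distinct_contents': len({digest for _, _, digest in copies}),
        }


if __name__ == '__main__':
    for key, value in demo().items():
        print(f'{key}: {value}')
```

Point it at a real plan directory (plugins/emu/data/adversary-emulation-plans/apt29) to see which copies exist and whether the one in plugins/emu/payloads matches the digest of the copy you edited; the conflict check matters because the report notes that the copies' contents differ.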
The path of the yaml file in the Adversary Emulation Library will be changed.
Why don't you try to find the yaml file recursively?
diff --git a/app/emu_svc.py b/app/emu_svc.py
index d52d677..f2f014a 100644
--- a/app/emu_svc.py
+++ b/app/emu_svc.py
@@ -36,12 +36,12 @@ class EmuService(BaseService):
"""
if not path_yaml:
- path_yaml = os.path.join(self.repo_dir, '**', '**', '*.yaml')
+ path_yaml = os.path.join(self.repo_dir, '*', '**', '*.yaml')
at_total = 0
at_ingested = 0
errors = 0
- for filename in glob.iglob(path_yaml):
+ for filename in glob.iglob(path_yaml, recursive=True):
emulation_plan = self.strip_yml(filename)[0]
abilities = []
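Review bot: with `recursive=True`, the new `'*', '**', '*.yaml'` pattern matches at any depth below each plan directory, so `glob.iglob` will now also yield YAML files under archived subtrees such as the `apt29/Archive/CALDERA_DIY` copy discussed earlier in this thread, and the loop passes every match straight to `self.strip_yml(filename)[0]` as if it were an emulation plan. Suggest skipping paths that contain an `Archive` component before calling `strip_yml`, and counting a match that does not parse as a plan toward `errors` rather than ingesting it, so that a stray `.yaml` file under a plan directory cannot produce a bogus adversary.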
diff --git a/app/emu_svc.py b/app/emu_svc.py
index 460dcf6..bb670a8 100644
--- a/app/emu_svc.py
+++ b/app/emu_svc.py
@@ -144,7 +144,7 @@ class EmuService(BaseService):
{
'command': info['command'].strip(),
'payloads': info.get('payloads', []),
- 'cleanup': info['command'].strip()
+ 'cleanup': info.get('cleanup', '').strip()
}
}
})
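Review bot: `info.get('cleanup', '')` returns `None` rather than `''` when the plan YAML carries a `cleanup:` key with no value, and `None.strip()` then raises `AttributeError` and aborts ingestion of that ability; `(info.get('cleanup') or '').strip()` covers both the missing-key and the empty-value case. The replaced line made `cleanup` re-run the ability's own `command`, so the direction of the change is right; the empty-value case is the one still open.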
Describe the bug
The AdFind.zip that is downloaded for the emu plugin now requires a password.
To Reproduce
Steps to reproduce the behavior:
Expected behavior
All payloads are downloaded and unzipped.
Screenshots
See here at the bottom in red: the zip is now protected with a password that is included in the zip itself (NotMalware).
Desktop:
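The failure above is a payload archive whose entries can no longer be extracted without a password. The script below is an added example, not the emu plugin's own code: it shows how to detect password-protected entries from the zip's general-purpose flag bits before unzipping, and how extraction behaves with no password, a wrong password and the right one. Python's zipfile can read traditional PKWARE (ZipCrypto) encryption but cannot write it, so the sample archive is built by hand with a small ZipCrypto encryptor; the entry name, its content and the use of NotMalware as the password are constructed for the example.

```python
"""Detect password-protected entries in a payload zip and extract with the password.

Added example for this issue, not the emu plugin's own code. Python's zipfile
reads traditional PKWARE (ZipCrypto) encryption but cannot write it, so the
sample archive is built by hand below with a small ZipCrypto encryptor: one
stored entry, protected the way the reporter describes AdFind.zip. The entry
name, its content and the password are constructed for the example.
"""
import io
import struct
import zipfile
import zlib


def _crc_byte(crc, b):
    """Feed one byte into a reflected CRC-32 (poly 0xEDB88320), as ZipCrypto's key schedule does."""
    crc ^= b
    for _ in range(8):
        crc = (crc >> 1) ^ 0xEDB88320 if crc & 1 else crc >> 1
    return crc


def zipcrypto_encrypt(data, pwd):
    """Encrypt data with the traditional PKWARE stream cipher keyed by pwd."""
    keys = [0x12345678, 0x23456789, 0x34567890]

    def update(c):
        keys[0] = _crc_byte(keys[0], c)
        keys[1] = (keys[1] + (keys[0] & 0xFF)) & 0xFFFFFFFF
        keys[1] = (keys[1] * 134775813 + 1) & 0xFFFFFFFF
        keys[2] = _crc_byte(keys[2], keys[1] >> 24)

    for p in pwd:
        update(p)
    out = bytearray()
    for c in data:
        k = (keys[2] | 2) & 0xFFFF
        out.append(c ^ (((k * (k ^ 1)) >> 8) & 0xFF))
        update(c)            # the key stream is driven by the plaintext byte
    return bytes(out)


def build_encrypted_zip(name, content, pwd):
    """Bytes of a one-entry, stored (uncompressed) zip whose entry is ZipCrypto-protected."""
    crc = zlib.crc32(content) & 0xFFFFFFFF
    # 12-byte encryption header; its last byte is the CRC's high byte so a reader
    # can reject a wrong password before touching the body.
    header = bytes(11) + bytes([crc >> 24])
    body = zipcrypto_encrypt(header + content, pwd)
    fname = name.encode()
    flags, method = 0x1, zipfile.ZIP_STORED          # flag bit 0 = entry is encrypted
    dostime, dosdate = 0, ((2023 - 1980) << 9) | (3 << 5) | 8
    local = struct.pack('<4sHHHHHLLLHH', b'PK\x03\x04', 20, flags, method, dostime, dosdate,
                        crc, len(body), len(content), len(fname), 0) + fname
    central = struct.pack('<4sHHHHHHLLLHHHHHLL', b'PK\x01\x02', 20, 20, flags, method,
                          dostime, dosdate, crc, len(body), len(content),
                          len(fname), 0, 0, 0, 0, 0, 0) + fname
    cd_offset = len(local) + len(body)
    eocd = struct.pack('<4sHHHHLLH', b'PK\x05\x06', 0, 0, 1, 1, len(central), cd_offset, 0)
    return local + body + central + eocd


def encrypted_entries(zip_bytes):
    """Names of entries with general-purpose flag bit 0 (encryption) set."""
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        return [zi.filename for zi in zf.infolist() if zi.flag_bits & 0x1]


def extract_entry(zip_bytes, name, pwd=None):
    """Return the entry's bytes, or None when a missing or wrong password makes it unreadable."""
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        try:
            return zf.read(name, pwd=pwd)
        except (RuntimeError, zipfile.BadZipFile):
            # RuntimeError: password required, or wrong password caught by the check byte;
            # BadZipFile: a wrong password that slipped past the check byte fails the CRC.
            return None


def demo():
    content = b'MZ placeholder, not a real binary\n'      # constructed entry content
    archive = build_encrypted_zip('AdFind.exe', content, b'NotMalware')
    return {
        'encrypted': encrypted_entries(archive),
        'no_password': extract_entry(archive, 'AdFind.exe'),
        'wrong_password': extract_entry(archive, 'AdFind.exe', pwd=b'wrong'),
        'right_password': extract_entry(archive, 'AdFind.exe', pwd=b'NotMalware') == content,
    }


if __name__ == '__main__':
    for key, value in demo().items():
        print(f'{key}: {value}')
```

Run encrypted_entries over a downloaded archive before unzipping; if it returns any names, pass pwd= to the extraction call (ZipFile.extractall and ZipFile.read both accept it). Python's zipfile only handles ZipCrypto; an archive that uses WinZip AES (compression method 99) raises NotImplementedError instead and needs an external tool such as 7-Zip.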