
fix 'checked_flags' variable in Parser module #41

Open · wants to merge 1 commit into base: master

Conversation

@0xyy66 0xyy66 commented Oct 28, 2023

Brief description

When running an Adversary Ability with a custom PowerShell command, the command runs successfully, but the Ability status is incorrectly set to "failed." This issue is caused by a logic problem in the atomic_powershell.py module.

Details:

  • The module checks for the presence of the header FullyQualifiedErrorId in the response, but the logic is flawed.
  • The module's logic involves splitting the FullyQualifiedErrorId string into individual letters and checking each letter against the headers.

Description in depth

Ability output (screenshot, not reproduced in the page text).

The following is the Caldera output (screenshot, not reproduced in the page text).

This problem is caused by the module atomic_powershell.py which, from what I understand, should check if the header FullyQualifiedErrorId is present.

A list called checked_flags is declared that splits the 'FullyQualifiedErrorId' string letter by letter.

checked_flags = list('FullyQualifiedErrorId')

The function parse, in the same module, is meant to check the response headers.
The code checks every header (blob variable) against every single letter contained in the checked_flags list. If the letter is present in the header string, it throws the error shown above. The following is the code snippet that causes the error.

def parse(self, blob):
    # for every header (the blob string is split by newline)
    for ex_line in self.line(blob):
        # any() matches if ANY element of checked_flags is a substring of the line
        if any(x in ex_line for x in self.checked_flags):
            # ...
            log.warning('This ability failed for some reason. Manually updating the link to report a failed state.')

Proposed Fix

The issue with the checked_flags variable is addressed by changing the line:

checked_flags = list('FullyQualifiedErrorId')

to:

checked_flags = ['FullyQualifiedErrorId']
