fix 'checked_flags' variable in Parser module #41
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Brief description
When running an Adversary Ability with a custom PowerShell command, the command runs successfully, but the Ability status is incorrectly set to "failed." This issue is caused by a logic problem in the atomic_powershell.py module.
Details:
Description in depth
Ability output.
The following is the Caldera output.
This problem is caused by the module atomic_powershell.py which, from what I understand, should check if the header FullyQualifiedErrorId is present.
It is declared a list called checked_flags that splits the 'FullyQualifiedErrorId' string letter by letter.
The function parse, in the same module, is meant to check the response headers.
The code checks every header (blob variable) against every single letter contained in the checked_flags list. If the letter is present in the header string, it throws the error showed upon. The following is the code snippet that causes the error.
Proposed Fix
The issue with the checked_flags variable is addressed by changing the line:
to: