Multiple issues with Atomic Red Team plugin #2721
Comments
Looks like your first issue -- we aim to respond to issues as quickly as possible. In the meantime, check out our documentation here: http://caldera.readthedocs.io/
This issue is stale because it has been open 20 days with no activity. Remove stale label or comment or this will be closed in 5 days
@PSR009 RE Issue 1 - The error status is coming from this general post-ability parser (https://github.com/mitre/atomic/blob/master/app/parsers/atomic_powershell.py#L6). Currently, I'm not sure why the simple error check (for all atomic powershell abilities) is to check for the line 'FullyQualifiedErrorId' in the ability output, and I don't have a test Windows box where I can test this ability. Let's ping the former team member who created the parser a few years ago. @ArtificialErmine - any chance you're active and can remember why we created the parser this way? @PSR009 - If you want to get hacky, try removing the check for 'FullyQualifiedErrorId' from that parser in the source code and see what happens.
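To make concrete what a marker-based check does, and why it can report a successful run as failed, here is an added illustration. It is not Caldera's atomic_powershell.py parser, and the function names and both sample outputs are constructed for this example: a naive "is 'FullyQualifiedErrorId' anywhere in the output" check sits next to a parser that pulls the actual PowerShell error record fields out of the output, so the log can say which error id was seen instead of "failed for some reason".

```python
from __future__ import annotations
import re

# The marker the thread says the parser keys on.
FAIL_MARKER = "FullyQualifiedErrorId"

# Constructed sample: the RDP-port ability succeeded (New-NetFirewallRule echoes
# the created rule object) and nothing else was printed.
CLEAN_OUTPUT = """\
Name                  : {3b2c8f4e-0000-4000-8000-000000000001}
DisplayName           : RDPPORTLatest-TCP-In
Enabled               : True
Profile               : Public
Direction             : Inbound
Action                : Allow
"""

# Constructed sample: same ability, but a non-terminating error from an
# unrelated cmdlet was written to the output first. The firewall rule still
# got created, yet the marker is present, so a substring check says "failed".
OUTPUT_WITH_ERROR_RECORD = """\
Get-ItemProperty : Cannot find path 'HKLM:\\SOFTWARE\\Missing' because it does not exist.
At line:1 char:1
+ Get-ItemProperty -Path 'HKLM:\\SOFTWARE\\Missing'
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : ObjectNotFound: (HKLM:\\SOFTWARE\\Missing:String) [Get-ItemProperty], ItemNotFoundException
    + FullyQualifiedErrorId : PathNotFound,Microsoft.PowerShell.Commands.GetItemPropertyCommand

Name                  : {3b2c8f4e-0000-4000-8000-000000000002}
DisplayName           : RDPPORTLatest-TCP-In
Enabled               : True
"""


def naive_status(output: str) -> int:
    """Marker-only verdict: 0 = success, 1 = failed. Any error record anywhere flips it."""
    return 1 if FAIL_MARKER in output else 0


# PowerShell prints each error record's summary as '+ Key : Value' lines.
_RECORD_FIELD = re.compile(
    r"^\s*\+\s*(CategoryInfo|FullyQualifiedErrorId)\s*:\s*(.+?)\s*$", re.M
)


def error_records(output: str) -> list[dict]:
    """Collect the CategoryInfo / FullyQualifiedErrorId pairs of every error
    record in the output, so the reason for a 'failed' verdict can be logged."""
    records, current = [], {}
    for key, value in _RECORD_FIELD.findall(output):
        if key in current:          # a repeated key means a new record started
            records.append(current)
            current = {}
        current[key] = value
    if current:
        records.append(current)
    return records


def explained_status(output: str) -> tuple[int, list[str]]:
    """Same verdict as the marker check, plus the error ids that caused it."""
    recs = error_records(output)
    reasons = [r.get("FullyQualifiedErrorId", "?") for r in recs]
    return (1 if recs else 0), reasons


if __name__ == "__main__":
    for name, out in (("clean", CLEAN_OUTPUT), ("with error record", OUTPUT_WITH_ERROR_RECORD)):
        print(name, "naive:", naive_status(out), "explained:", explained_status(out))
```

The extracted ids are what a practitioner would want printed at the "This ability failed for some reason" warning. The verdict itself is still a judgement call: an error record proves some command in the session raised an error, not that the ability's own command did, which is exactly the ambiguity in Issue 1.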
@PSR009 RE Issue 2 - These are Atomic Red Team's abilities (as opposed to Caldera's) so we don't maintain those. However, if you wanted to fix it, you can just create a Caldera ability that does the needed actions before this ability.
Yep, @elegantmoose, I'm still around. Let's see what I can pull out here.
For Issue 1 - I believe we were using
For Issue 2 - As @elegantmoose pointed out, we don't maintain the Atomic Red Team techniques per se, just load them and provide a platform to interact with. As a result, while we make a best effort to load Pre-Requisites (Atomic Red Team style) and handle them, we can't make a guarantee that it works for every case, and it looks like this is one that slips through the current system.
For Issue 3 - My guess is that some Pre-Requisites (Caldera style) for the ability aren't being met. I'd need to look into the actual ability files to be sure of that, but that's my initial guess as to why they wouldn't be executed.
@PSR009 RE Issue 3 - yes, exactly what @ArtificialErmine said
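What an Atomic Red Team style pre-requisite looks like, and the "do the needed actions before this ability" workaround from the comments above, as an added example. This is not Caldera's or Atomic Red Team's loader code: the test dict is constructed (it uses the public ART field names `input_arguments`, `dependency_executor_name` and `dependencies[].prereq_command` / `get_prereq_command`, but is not the real PsExec test definition), and the rendering function and its script layout are this example's own assumptions. It renders a PowerShell pre-flight script that checks each dependency, runs its `get_prereq_command` only when the check fails, re-checks, and exits non-zero if anything is still unmet, so the script can be pasted into a `psh` ability placed before the ART ability in the adversary profile.

```python
import base64
import re

# Constructed ART-style test (the dict shape the ART yaml loads into).
# Values are invented for this example; they are not the upstream PsExec test.
ATOMIC_TEST = {
    "name": "PsExec to localhost (constructed)",
    "executor": {
        "name": "command_prompt",
        "command": "#{psexec_path} \\\\localhost -accepteula -c C:\\Windows\\System32\\cmd.exe",
    },
    "input_arguments": {
        "psexec_path": {"description": "Path to PsExec", "type": "path",
                        "default": "C:\\PSTools\\PsExec.exe"},
    },
    "dependency_executor_name": "powershell",
    "dependencies": [
        {
            "description": "PsExec must exist on disk at #{psexec_path}",
            "prereq_command": 'if (Test-Path "#{psexec_path}") {exit 0} else {exit 1}',
            "get_prereq_command": 'Write-Output "Put PsExec.exe at #{psexec_path}"; exit 1',
        }
    ],
}

_PLACEHOLDER = re.compile(r"#\{(\w+)\}")


def substitute(text, input_arguments, overrides=None):
    """Fill #{name} placeholders from overrides, else from argument defaults.
    An unknown placeholder raises instead of silently reaching the target."""
    values = {k: v["default"] for k, v in input_arguments.items()}
    values.update(overrides or {})

    def repl(match):
        name = match.group(1)
        if name not in values:
            raise KeyError(f"no value for #{{{name}}}")
        return values[name]

    return _PLACEHOLDER.sub(repl, text)


def encode_ps(command):
    """powershell.exe -EncodedCommand takes base64 of the UTF-16LE command text."""
    return base64.b64encode(command.encode("utf-16-le")).decode("ascii")


def decode_ps(b64):
    return base64.b64decode(b64).decode("utf-16-le")


def render_prereq_script(test, overrides=None):
    """Build a PowerShell pre-flight script for a preceding ability.

    Each dependency runs in a child powershell process, because ART prereq
    commands end with `exit 0/1` and would terminate an in-process script.
    get_prereq_command runs only when the check fails; the check is then
    repeated, and any still-unmet dependency makes the whole script exit 1."""
    if test.get("dependency_executor_name", "powershell") != "powershell":
        raise ValueError("only powershell dependency_executor_name is rendered here")
    args = test.get("input_arguments", {})
    run = "powershell -NoProfile -NonInteractive -EncodedCommand "
    lines = []
    for dep in test.get("dependencies", []):
        desc = substitute(dep["description"], args, overrides)
        safe = desc.replace("'", "''")          # PowerShell single-quote escaping
        check = run + encode_ps(substitute(dep["prereq_command"], args, overrides))
        fetch = run + encode_ps(substitute(dep["get_prereq_command"], args, overrides))
        lines += [
            f"# {desc}",
            check,
            "if ($LASTEXITCODE -ne 0) {",
            f"    {fetch}",
            f"    {check}",
            f"    if ($LASTEXITCODE -ne 0) {{ Write-Output 'PREREQ NOT MET: {safe}'; exit 1 }}",
            "}",
        ]
    lines.append("exit 0")
    return "\n".join(lines)


if __name__ == "__main__":
    print(render_prereq_script(ATOMIC_TEST))
    print(substitute(ATOMIC_TEST["executor"]["command"], ATOMIC_TEST["input_arguments"]))
```

Two practical notes. The failure path deliberately uses Write-Output rather than Write-Error, because Write-Error emits an error record containing FullyQualifiedErrorId, which is the very string the parser discussed in Issue 1 treats as failure. And a pre-flight built from `-EncodedCommand` invocations looks, in Sysmon or PowerShell script-block logs, exactly like the encoded-command activity many detections key on, so expect the prerequisite step itself to show up in the blue team's alerts during an operation.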
Issue description
Issue#1 : Though the test case (ability) has passed with the given output, the status is shown as failed.
Set-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp' -name "PortNumber" -Value 4489; New-NetFirewallRule -DisplayName 'RDPPORTLatest-TCP-In' -Profile 'Public' -Direction Inbound -Action Allow -Protocol TCP -LocalPort 4489
WARNING (atomic_powershell.py:12 parse) This ability failed for some reason. Manually updating the link to report a failed state.
But is there a way to know this reason or debug and resolve it?
New-PSDrive -name g -psprovider filesystem -root \\Target\C$
Issue#2 : Prerequisite commands are not executed in the ability, leading to multiple failures.
C:\PSTools\PsExec.exe \\localhost -accepteula -c C:\Windows\System32\cmd.exe
The system cannot find the path specified.
Requires column in the adversary profile.
evil-winrm -i Target -u Domain\Administrator -p P@ssw0rd1
Issue#3 : Some abilities are not executed during an operation; they are not shown as failed or error.
Screenshots for all 3 issues mentioned above