In the training module - blue team
autonomous
-- Malicious File on System
Write a file on the Windows machine under the C:\Users\Public directory. Get the SHA256 hash of this file, and write it to C:\Users\Public\malicious_files.txt. The autonomous defender should automatically find and delete the file.
File is removed but flag is not granted and I cannot move on in the training.
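The exercise step quoted above, carried out as a PowerShell script on the Windows host. This is an added example, not code from the issue author or from the Caldera project: the marker file name and its contents are constructed, the hash is recorded in the format `Get-FileHash` returns, and the polling loop simply reports whether the defender removed the file so the "file removed" observation can be confirmed from the host side.

```powershell
# Added example (not from the issue or the Caldera project).
# Creates a benign marker file under C:\Users\Public, records its SHA256 in
# malicious_files.txt, then waits to see whether the autonomous defender deletes it.
# The marker file name and contents are constructed for this example.
$publicDir = 'C:\Users\Public'
$marker    = Join-Path $publicDir 'training_marker.txt'
$hashList  = Join-Path $publicDir 'malicious_files.txt'

# A harmless text file stands in for the "malicious" file the exercise asks for.
Set-Content -Path $marker -Value 'caldera training marker' -Encoding ASCII

# SHA256 of the marker, exactly as Get-FileHash reports it, appended to the hash list.
$hash = (Get-FileHash -Path $marker -Algorithm SHA256).Hash
Add-Content -Path $hashList -Value $hash
Write-Output "Recorded $hash for $marker in $hashList"

# Poll for up to five minutes so the defender's hunt/delete abilities have time to run.
$deadline = (Get-Date).AddMinutes(5)
while ((Test-Path $marker) -and ((Get-Date) -lt $deadline)) {
    Start-Sleep -Seconds 15
}

if (Test-Path $marker) {
    Write-Output "Marker still present: the defender did not remove $marker"
} else {
    Write-Output "Marker removed by the defender; recorded hash was $hash"
}
```

The script only confirms the file-system side of the exercise (file created, hash recorded, file gone); whether the flag is granted still depends on the training plugin's own verification of the operation.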
The same thing happened to me two times, with this flag and the Blue Manual flag for malicious file.
Looking at the verify method for this flag in the Training plugin, we can see that Caldera validates this flag if the file was found and the file has been deleted.
To check whether the file was found, Caldera uses the following checks:
If the operation ran the ability with id 'f9b3eff0-e11c-48de-9338-1578b351b14b' Hunt for known suspicious files
If there is value in file.malicious.hash and host.malicious.file facts
To check whether the file was deleted, the flag checks for:
If the operation ran the ability '5ec7ae3b-c909-41bb-9b6b-dadec409cd40' Delete known suspicious files
My suggestions:
Look if the correct abilities ran.
Hunt for known suspicious files might not run because of requirements issues, most importantly, the issue could be with the facts source. (This one saved me for the Blue Manual malicious file by switching from Response Training facts source to response facts source).
Looking at the code, verify should return True if at least one of the operation called Blue Autonomous validate the conditions but in my case, cleaning up all operations actually helped for this flag. Still I can't explain why.
If you're doing several attempts, mind that Acquire known suspicious files ability removes the malicious_files.txt file. I deleted the line Remove-Item C:\Users\Public\malicious_files.txt; in the command section of this ability to make things less tedious.