
Blue Training: Malicious File on System #2739

Closed
jasonlmaynard opened this issue Mar 20, 2023 · 3 comments

Comments

@jasonlmaynard

In the training module - Blue team, Autonomous -- Malicious File on System:
Write a file on the Windows machine under the C:\Users\Public directory. Get the SHA256 hash of this file, and write it to C:\Users\Public\malicious_files.txt. The autonomous defender should automatically find and delete the file.


File is removed but flag is not granted and I cannot move on in the training.

@jasonlmaynard
Author

any thoughts?

nonalphanumeric commented Mar 22, 2023

The same thing happened to me two times, with this flag and the Blue Manual flag for malicious file.

Looking at the verify method for this flag in the Training plugin, we can see that Caldera validates this flag if the file was found and if the file has been deleted.

To check whether the file was found, Caldera uses the following checks:

  • Whether the operation ran the ability with id 'f9b3eff0-e11c-48de-9338-1578b351b14b' (Hunt for known suspicious files)
  • Whether there is a value in the file.malicious.hash and host.malicious.file facts

To check whether the file was deleted, the flag checks for:

  • Whether the operation ran the ability '5ec7ae3b-c909-41bb-9b6b-dadec409cd40' (Delete known suspicious files)

My suggestions:

  • Check whether the correct abilities ran.
  • Hunt for known suspicious files might not run because of requirements issues; most importantly, the issue could be with the fact source. (This one saved me for the Blue Manual malicious file flag: I switched from the Response Training fact source to the response fact source.)
  • Looking at the code, verify should return True if at least one of the operations called Blue Autonomous validates the conditions, but in my case cleaning up all operations actually helped for this flag. Still, I can't explain why.

If you're doing several attempts, mind that the Acquire known suspicious files ability removes the malicious_files.txt file. I deleted the line Remove-Item C:\Users\Public\malicious_files.txt; in the command section of this ability to make things less tedious.
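As an added illustration of the check described in the comment above (this is example code written for this page, not code from the Caldera Training plugin or from the commenter), the following Python models the flag's verify logic and adds a small diagnostic that reports which condition an operation fails, which is what "check whether the correct abilities ran" amounts to in practice. The two ability ids and the two fact traits are the ones quoted above; the shape of the operation and fact records, the operation name "Blue Autonomous", and the sample operations are assumptions constructed for the example.

```python
import hashlib

# Ability ids and fact traits quoted in the comment above.
HUNT_ABILITY = "f9b3eff0-e11c-48de-9338-1578b351b14b"    # Hunt for known suspicious files
DELETE_ABILITY = "5ec7ae3b-c909-41bb-9b6b-dadec409cd40"  # Delete known suspicious files
REQUIRED_FACTS = ("file.malicious.hash", "host.malicious.file")
# Assumption: the flag only considers operations with this name.
OPERATION_NAME = "Blue Autonomous"


def ran_ability(operation, ability_id):
    """True if any link in the operation's chain executed the given ability.
    Assumed record shape: operation["chain"] is a list of dicts with "ability_id"."""
    return any(link.get("ability_id") == ability_id for link in operation.get("chain", []))


def has_fact(operation, trait):
    """True if the operation collected a non-empty fact with this trait.
    Assumed record shape: operation["facts"] is a list of dicts with "trait" and "value"."""
    return any(f.get("trait") == trait and f.get("value") for f in operation.get("facts", []))


def file_found(operation):
    """'Found' condition: the hunt ability ran and both facts carry a value."""
    return ran_ability(operation, HUNT_ABILITY) and all(has_fact(operation, t) for t in REQUIRED_FACTS)


def file_deleted(operation):
    """'Deleted' condition: the delete ability ran."""
    return ran_ability(operation, DELETE_ABILITY)


def verify(operations):
    """Flag passes if at least one operation with the expected name satisfies both conditions."""
    return any(file_found(op) and file_deleted(op)
               for op in operations if op.get("name") == OPERATION_NAME)


def diagnose(operation):
    """List the conditions an operation fails, so a stuck trainee can see what to fix."""
    problems = []
    if operation.get("name") != OPERATION_NAME:
        problems.append(f"operation is named {operation.get('name')!r}, not {OPERATION_NAME!r}")
    if not ran_ability(operation, HUNT_ABILITY):
        problems.append("hunt ability did not run (check requirements / fact source)")
    for trait in REQUIRED_FACTS:
        if not has_fact(operation, trait):
            problems.append(f"fact {trait} missing or empty")
    if not ran_ability(operation, DELETE_ABILITY):
        problems.append("delete ability did not run")
    return problems


# Constructed sample operations (not real Caldera output).
SAMPLE_HASH = hashlib.sha256(b"constructed sample file contents").hexdigest()

GOOD_OPERATION = {
    "name": OPERATION_NAME,
    "chain": [{"ability_id": HUNT_ABILITY, "status": 0},
              {"ability_id": DELETE_ABILITY, "status": 0}],
    "facts": [{"trait": "file.malicious.hash", "value": SAMPLE_HASH},
              {"trait": "host.malicious.file", "value": r"C:\Users\Public\sample.bin"}],
}

# Hunt never ran (e.g. its requirements were not met because the wrong fact source was
# selected), so the delete step alone cannot satisfy the flag even though the file is gone.
NO_HUNT_OPERATION = {
    "name": OPERATION_NAME,
    "chain": [{"ability_id": DELETE_ABILITY, "status": 0}],
    "facts": [],
}

# Hunt ran but produced no usable facts: the file was never actually matched.
EMPTY_FACTS_OPERATION = {
    "name": OPERATION_NAME,
    "chain": [{"ability_id": HUNT_ABILITY, "status": 0},
              {"ability_id": DELETE_ABILITY, "status": 0}],
    "facts": [{"trait": "file.malicious.hash", "value": ""}],
}


if __name__ == "__main__":
    for label, op in [("good", GOOD_OPERATION), ("no hunt", NO_HUNT_OPERATION),
                      ("empty facts", EMPTY_FACTS_OPERATION)]:
        print(f"{label}: verify={verify([op])} problems={diagnose(op)}")
```

Run as a script it prints one line per sample operation; the "no hunt" case is the situation the commenter describes, where the file is removed but the flag stays unverified because the hunt ability never ran and so the two facts were never populated.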

github-actions bot commented May 1, 2023

This issue is stale because it has been open 20 days with no activity. Remove the stale label or comment, or this will be closed in 5 days.
