Way to define if ability needs elevated privilege? #2743

Closed
L015H4CK opened this issue Apr 18, 2023 · 0 comments
L015H4CK commented Apr 18, 2023

Hello there,

I am currently working on a new planner that tries to automatically elevate privileges only when needed. The planner executes a selection of abilities using a user agent during the operation and the goal is that it detects that an ability needs elevated privileges and then tries to start a new elevated agent, e.g. using the UAC bypass used by APT29. So far everything is clear and kind of already works as proof of concept. But how to define that an ability needs elevated privileges?

Possible solutions might include:

  • Define a new ability field "need_elevated" and just check if this field is true before executing the ability and act accordingly
  • Use a fact "got_elevated_agent" during the operation that gets created by the privilege escalation abilities and is required by the abilities that need elevated privileges (I already implemented a planner that tries to gather required facts recursively during an operation..)

My question now is, is there a CALDERA way to define/detect that an ability needs elevated privileges?

Edit: Wow, as always I think I found the solution myself just a few minutes after opening this issue.. I do not know how I missed this the last few days.. I found the "privilege" field in c_ability.py and the usage in c_agent.py.

Looking into the tests in tests/objects/test_ability.py, the solution seems to be defining the privilege as "User" or "Elevated". One can find the following example usage:

```python
# From tests/objects/test_ability.py; `event_loop` and `data_svc` are pytest fixtures there
from app.objects.c_ability import Ability
from app.objects.c_agent import Agent

# an agent whose privilege is "Elevated"...
agent = event_loop.run_until_complete(data_svc.store(Agent(sleep_min=1, sleep_max=2, watchdog=0, privilege='Elevated')))
# ...and an ability that is also marked "Elevated"
ability = event_loop.run_until_complete(data_svc.store(
    Ability(ability_id='123', privilege='Elevated')
))
# the agent is allowed to run the ability because the privileges match
assert agent.privileged_to_run(ability)
```

The issue can be deleted or kept as an archived solution in case anyone might ask themselves the same question in the future..

Best regards,
L015
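The privilege gate the post describes, as an added stand-alone model (this is not CALDERA's own code and does not import it). The field values "User" and "Elevated" and the `privileged_to_run` name come from the post; the rule that an ability with no privilege set may run on any agent, the strict match otherwise, and the `plan` helper that sorts abilities into "run now" versus "needs an elevated agent first" are assumptions made for this example:

```python
"""Added example: minimal model of an agent/ability privilege check and the
planner triage built on top of it. Not CALDERA's code; see the lead-in for
which parts are assumptions."""
from dataclasses import dataclass
from typing import List, Optional, Tuple

USER = "User"
ELEVATED = "Elevated"


@dataclass
class Ability:
    ability_id: str
    privilege: Optional[str] = None  # None, "User" or "Elevated"


@dataclass
class Agent:
    paw: str
    privilege: str = USER

    def privileged_to_run(self, ability: Ability) -> bool:
        # Assumption: an ability that declares no privilege may run on any agent;
        # otherwise the agent's privilege must match the ability's exactly.
        if ability.privilege is None:
            return True
        return self.privilege == ability.privilege


def plan(agent: Agent, abilities: List[Ability]) -> Tuple[List[str], List[str]]:
    """Split abilities into those this agent can run now and those that
    require an elevated agent first. A non-empty second list is the signal
    for the planner to start its privilege-escalation step."""
    runnable: List[str] = []
    needs_elevation: List[str] = []
    for ab in abilities:
        target = runnable if agent.privileged_to_run(ab) else needs_elevation
        target.append(ab.ability_id)
    return runnable, needs_elevation


def run_operation(user_agent: Agent, abilities: List[Ability]) -> List[Tuple[str, str]]:
    """Simulate the described planner: run what the user agent can, and only
    if something is left over, 'spawn' an elevated agent (assumed to succeed
    here) and run the remainder on it. Returns (agent paw, ability id) pairs
    in execution order."""
    executed: List[Tuple[str, str]] = []
    now, later = plan(user_agent, abilities)
    executed.extend((user_agent.paw, ab_id) for ab_id in now)
    if later:
        # Constructed stand-in for the escalation step (e.g. a UAC bypass ability).
        elevated_agent = Agent(paw=user_agent.paw + "-elevated", privilege=ELEVATED)
        remaining = [ab for ab in abilities if ab.ability_id in later]
        now2, still_blocked = plan(elevated_agent, remaining)
        executed.extend((elevated_agent.paw, ab_id) for ab_id in now2)
        # Anything still blocked has a privilege neither agent satisfies.
        executed.extend(("unrunnable", ab_id) for ab_id in still_blocked)
    return executed


if __name__ == "__main__":
    # Constructed sample abilities, not real CALDERA ability ids.
    sample = [
        Ability("whoami"),                 # no privilege declared: runs anywhere
        Ability("dump-creds", ELEVATED),   # needs an elevated agent
        Ability("list-home", USER),        # explicitly user-level
    ]
    for paw, ab_id in run_operation(Agent("abc123"), sample):
        print(f"{paw}: {ab_id}")
```

The planner only pays for escalation when `plan` reports something left over, which is the behaviour the post is after; an ability field is all the metadata it needs, and no extra fact has to be threaded through the operation.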
