Agent communicates with base64 obfuscation despite different operation settings #2975
Comments
May be related to:
I haven't checked anything, but I think you might be confusing the base64 command obfuscation with the base64 payload encoding for network transport. Try to start the same operation with base64 obfuscation; you should see a difference in the
With plain-text, the command itself also gets base64 encoded (in network traffic). Will provide a screenshot as soon as I can.
Alright, so here are some results:

Summary

You are right in saying that the command itself gets b64 encoded, but that's not obfuscation. The obfuscation options are meant for host-level obfuscation, not network-level. And although it seems unnecessary to have a second layer of b64 encoding for the command when the whole payload already is b64-encoded, it doesn't matter, as the agent will decode it before executing it.

You can see in my first example that the command is indeed b64-encoded in the payload, but what's executed by powershell is a plain

On the contrary, for the second operation, there is a third level of b64 encoding (actually, obfuscation) that does not get peeled off before being given to powershell, which will execute

The third operation is the same: one level of b64 encoding in the payload, one in the command, but both are peeled off and powershell actually executes
Thanks for the clarification!
Kudos @guillaume-duong-bib for explanation. @l1ghts4ber good to close? |
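The three layers discussed above (base64 for the HTTP body, base64 for the command field inside it, and the optional base64 obfuscator that wraps the command for the host shell) are easy to confuse when you only look at a pcap. The following Python model is an added example, not Caldera's own code: it does not reproduce Caldera's real wire format or its obfuscator implementation, and the JSON field names, the `powershell -EncodedCommand` wrapper and the sample command are assumptions chosen to make the layering visible. It shows that the plaintext never appears on the wire in either case, while the string handed to the shell differs between the plain-text and base64 obfuscators.

```python
import base64
import json


def b64(s: str) -> str:
    """Standard base64 of a UTF-8 string (transport and command-field encoding)."""
    return base64.b64encode(s.encode()).decode()


def unb64(s: str) -> str:
    return base64.b64decode(s).decode()


# --- host-level obfuscators (assumed shapes, not Caldera's implementations) ---

def obfuscate_plaintext(command: str) -> str:
    """Plain-text obfuscator: the command is handed to the shell unchanged."""
    return command


def obfuscate_base64(command: str) -> str:
    """Base64 obfuscator: wrap the command so the *shell* decodes it.
    PowerShell's -EncodedCommand expects base64 of UTF-16LE text."""
    enc = base64.b64encode(command.encode("utf-16-le")).decode()
    return f"powershell -EncodedCommand {enc}"


# --- server side: what the HTTP 200 body looks like (assumed JSON layout) ---

def build_server_response(command: str, obfuscator) -> str:
    # Layer 2: the command field is itself base64-encoded inside the JSON.
    instruction = {"id": "example-link", "executor": "psh",
                   "command": b64(obfuscator(command))}
    body = {"instructions": json.dumps([instruction])}
    # Layer 1: the whole JSON body is base64-encoded for transport.
    return b64(json.dumps(body))


# --- agent side: peel transport and command-field layers, hand to the shell ---

def agent_extract_commands(wire: str) -> list[str]:
    body = json.loads(unb64(wire))            # peel layer 1
    instructions = json.loads(body["instructions"])
    return [unb64(i["command"]) for i in instructions]  # peel layer 2


def powershell_effective_script(handed: str) -> str:
    """Emulate what PowerShell ultimately runs: an -EncodedCommand wrapper
    (layer 3, the obfuscator) is decoded by the shell, not by the agent."""
    prefix = "powershell -EncodedCommand "
    if handed.startswith(prefix):
        return base64.b64decode(handed[len(prefix):]).decode("utf-16-le")
    return handed


def plaintext_visible_on_wire(wire: str, command: str) -> bool:
    """True only if the raw command text can be grepped out of the capture."""
    return command in wire


def trace(command: str, obfuscator) -> dict:
    """Return the command at each stage so the layers can be compared."""
    wire = build_server_response(command, obfuscator)
    handed = agent_extract_commands(wire)[0]
    return {
        "plaintext_on_wire": plaintext_visible_on_wire(wire, command),
        "handed_to_shell": handed,
        "effectively_executed": powershell_effective_script(handed),
    }


if __name__ == "__main__":
    cmd = "Get-Process | Select-Object -First 3"   # constructed sample command
    for name, obf in (("plain-text", obfuscate_plaintext),
                      ("base64", obfuscate_base64)):
        print(name, json.dumps(trace(cmd, obf), indent=2))
```

With the plain-text obfuscator the capture is still base64 (two layers), but the agent hands the shell the readable command; with the base64 obfuscator the agent hands the shell a `powershell -EncodedCommand ...` string, and only the shell recovers the original text. That is why changing the obfuscator changes what runs on the host but not whether the pcap is readable.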
Description
When starting an operation with the plain-text obfuscator, the agent nevertheless communicates with base64 encryption.
To Reproduce
Steps to reproduce the behavior:
Expected behavior
The agent's communication (beaconing/commands) should be readable in plain-text from captured network traffic.
Screenshots
Operation setup:
This is a sample http-data snippet of an HTTP 200 OK message from Caldera to the agent:
This is a sample decoded beacon POST request from a pcap file analyzed with Wireshark:
Additional context
Caldera v5.0.0 standard installation with git clone https://github.com/mitre/caldera.git --recursive