mitre-attack / attack-arsenal

A collection of red team and adversary emulation resources developed and released by MITRE.
Apache License 2.0

APT3 CALDERA: Full Profile #26

Open leegengyu opened 3 years ago

leegengyu commented 3 years ago

According to the Full profile of APT3 here, the 19 phases are executed in one shot.

When adding an Operation to run this particular profile, we start off with the initial red group: [screenshot]

However, it appears that we are unable to change the group that the Operation is based on mid-way through the Operation. This is required because 3.B should be executed with the diy_eval group, and 4 - 5.A should be executed with yet another group. Else, the entire Operation is running only on the initial medium-integrity Agent callback (as seen in the yml file and also as tested). This would mean that only around half of the Operation is executed correctly.

We can see that at the end of this Operation, there are only 2 Agents (the high-integrity one is spawned from 3.A, but none of the steps are carried out using it): [screenshot]

Is there something that I am doing wrong when running the Full profile, or is this a feature limitation in CALDERA in not being able to switch between Groups in a single Operation?

jcwilliamsATmitre commented 3 years ago

Hey @leegengyu!

Yeah I see what you are saying. I don't think you can change groups, but the solution could be similar to APT29 where the operation is split into more phases (https://github.com/mitre-attack/attack-arsenal/tree/master/adversary_emulation/APT29/CALDERA_DIY/evals#round-2-adversary). I will ask around and get back to you though.

leegengyu commented 3 years ago

Noted, thank you so much for getting back to me on this @jcwilliamsATmitre.

Hear from you soon!