attack-arsenal
What causes abilities to be skipped?
Hey there,
I'm currently integrating CALDERA (including this plugin) into another framework I'm working on, which basically simulates a small company network. Everything works out so far, but one question remains: What causes some abilities to be skipped every single time? I ran 20 separate simulations and in every single one of them the following abilities (from APT29) didn't execute:
- 1.B - PowerShell
- 8.B - Copy Sandcat File
- 18.A - Exfiltrate data to OneDrive
- 20.A.1 - Execute Invoke-Mimikatz
It's not directly a problem that these don't run, but I need to know for sure why that happens; I can't just guess it. Can you point me to any resource where I could find more information? The CALDERA docs sadly were of no help, neither are the respective ability files. Am I overlooking something?
Maybe you can take a look at the full report of those operations. In my experience, abilities not executed are mostly due to missing fact dependencies and wrong platform.
For example, in 8.B - Copy Sandcat File, you can notice that this ability relies on a payload named `sandcat.go-windows-upx`, and this file should exist for the ability to be executed.
Also in 18.A - Exfiltrate data to OneDrive, there are many facts used in the command (e.g. `#{onedrive.url}`, `#{onedrive.username}`); if one of these fact dependencies is not fulfilled, the ability won't execute either.
Thanks for the hint! When I looked at the report of my operations, I found this:

```json
"skipped_abilities": [
  {
    "jdcctr": [
      {
        "reason": "Executor not available",
        "reason_id": 1,
        "ability_id": "a5daa530-c640-49bc-aa54-6808789a684a",
        "ability_name": "1.B - PowerShell (1086)"
      },
      {
        "reason": "Fact dependency not fulfilled",
        "reason_id": 2,
        "ability_id": "bddc0abc-07a0-41b7-813f-e0c64d9226b3",
        "ability_name": "8.B Copy Sandcat File"
      }
    ]
  }
]
```

and

```json
"skipped_abilities": [
  {
    "pajtoa": [
      {
        "reason": "Agent untrusted",
        "reason_id": 5,
        "ability_id": "4840d6dd-da13-401a-be46-05db56f4e1e0",
        "ability_name": "18.A - Exfiltrate data to OneDrive"
      },
      {
        "reason": "Fact dependency not fulfilled",
        "reason_id": 2,
        "ability_id": "267bad86-3f06-49f1-9a3e-6522f2a61e7a",
        "ability_name": "20.A.1 - Execute Invoke-Mimikatz"
      }
    ]
  }
]
```

8.B and 20.A make sense to me, but I expected 18.A to be skipped for the same reason (instead of agent untrusted). What I also don't understand is why 1.B is skipped, since powershell is definitely available. Any idea for these two?
You have to take a look at what executor 1.B needs. It seems that this ability needs cmd to spawn a new powershell (please refer to the ability file).
I guess the executor you're using is psh, that's why this ability is not executed.
You can try to start a cmd executor and re-run to see if this ability is executed🙂
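To make the three skip reasons discussed in this thread (missing executor, missing facts, untrusted agent) easy to check before an operation, here is an added example that is my own code, not part of CALDERA or the attack-arsenal plugin: it flattens the `skipped_abilities` structure from the report excerpts above and runs a rough pre-check of an ability against an agent. The ability/agent dictionaries, the sample report and the check order are assumptions, not CALDERA's internal planner logic.

```python
import re

# Skip reasons exactly as they appear in the operation report excerpts above.
SKIP_REASONS = {1: "Executor not available", 2: "Fact dependency not fulfilled", 5: "Agent untrusted"}

# Matches fact references such as #{onedrive.url} inside an executor command.
FACT_RE = re.compile(r"#\{([A-Za-z0-9_.]+)\}")


def summarize_skipped(report):
    """Flatten report['skipped_abilities'] into (paw, ability_name, reason) rows."""
    rows = []
    for entry in report.get("skipped_abilities", []):
        for paw, skipped in entry.items():
            for item in skipped:
                rows.append((paw, item["ability_name"], item["reason"]))
    return rows


def predict_skip(ability, agent, facts, trusted=True):
    """Approximate pre-check (assumed order, not CALDERA's own planner): return
    (reason_id, reason) for why `agent` would skip `ability`, or None if it can run.
    Trust is checked first because 18.A above was reported as 'Agent untrusted'
    even though its fact dependencies were also missing."""
    if not trusted:
        return 5, SKIP_REASONS[5]
    # An executor is usable only if platform AND executor name match the agent.
    usable = [e for e in ability["executors"]
              if e["platform"] == agent["platform"] and e["name"] in agent["executors"]]
    if not usable:
        return 1, SKIP_REASONS[1]
    # The ability runs if any usable executor has all its #{facts} already collected.
    for ex in usable:
        if set(FACT_RE.findall(ex["command"])) <= facts:
            return None
    return 2, SKIP_REASONS[2]


# Constructed sample data; commands are placeholders, not the real APT29 ability files.
ABILITY_1B = {"executors": [{"platform": "windows", "name": "cmd",
                             "command": "powershell.exe -NoP -c whoami"}]}
ABILITY_18A = {"executors": [{"platform": "windows", "name": "psh",
                              "command": "Upload-File #{onedrive.url} #{onedrive.username}"}]}
PSH_AGENT = {"platform": "windows", "executors": ["psh"]}
CMD_AGENT = {"platform": "windows", "executors": ["cmd", "psh"]}
SAMPLE_REPORT = {"skipped_abilities": [{"jdcctr": [
    {"reason": "Executor not available", "reason_id": 1,
     "ability_id": "a5daa530-c640-49bc-aa54-6808789a684a", "ability_name": "1.B - PowerShell (1086)"}]}]}

if __name__ == "__main__":
    print(summarize_skipped(SAMPLE_REPORT))
    print(predict_skip(ABILITY_1B, PSH_AGENT, set()))   # executor mismatch, as in the thread
    print(predict_skip(ABILITY_1B, CMD_AGENT, set()))   # None once a cmd executor exists
```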