caldera
Current command is "obfuscated" by previous ability's command
Describe the bug
The ability's command is sometimes randomly obfuscated by the command of the previous ability. For example, the first ability was - Office Generic Payload Download, with a command visible on screenshot num. 1. Ability was successfully completed. The next ability is File and Directory Discovery (cmd.exe), which fails because it is somehow, IDK why, obfuscated by the command from the previous ability. See screenshots.
To Reproduce
Steps to reproduce the behavior:
- Create some adversary with some of the abilities from the Atomic Red Team plugin
- Run the operation multiple times; the previous ability's command randomly obfuscates the next command.
Expected behavior
Ability should not be obfuscated by anything if it is not defined in .yml.
Screenshots
First ability -
Second ability -
Desktop (please complete the following information):
- OS: Kali
- Browser: Firefox
- Version: 122.0.1 (64-bit)
Additional information
EDIT: It looks like it happens only when the Autonomous flag on the operation is set to Require manual approval.
Looks like your first issue -- we aim to respond to issues as quickly as possible. In the meantime, check out our documentation here: http://caldera.readthedocs.io/
@kacvinsky-tom a couple questions.
Which version of Caldera are you using?
Do you have the obfuscation drop-down set to anything other than plain-text? See image below
I am using Caldera 4.2.0. No, I have not changed the default obfuscation to anything other than the plain text.
It happened to me only when the Autonomous flag on the operation was set to Require manual approval. When I clicked on the review command, it showed only the correct command in Plain-text, but about 2 seconds later, the Obfuscated command from another ability was added to the window as shown on the screenshot.
I also found out that it does not explicitly use the previous ability, because in the same run from which I made the screenshots, 5-6 abilities after the second one, an ability was again obfuscated by the same command from the first ability (same as the second ability on the screenshot).
This issue is stale because it has been open 30 days with no activity. Remove stale label or comment or this will be closed in 5 days