caldera
Is there a way to execute multiple abilities (using the powershell executor) with one spawned powershell.exe?
Hi,
When I execute the adversary profile with all abilities using PowerShell as the executor, the "splunkd.exe" process on the target machine first spawns two processes: a conhost.exe and a powershell.exe. This powershell.exe executes the "Indicator Removal on Host: Clear Command History" ability consistently.
After this, multiple powershell.exe processes are spawned, each corresponding to an ability from the adversary profile. Is there a way to run all the abilities sequentially with one spawned powershell.exe process, assuming successful execution on the target machine? Alternatively, should I consider creating a custom ability that integrates all the necessary commands and payloads of these individual abilities?
Thank you
Looks like your first issue -- we aim to respond to issues as quickly as possible. In the meantime, check out our documentation here: http://caldera.readthedocs.io/
I don't think what you're asking is possible, since that's how the code seems to do things. You should probably check this if you want to delve deeper.
Thus, if using the same powershell process is important to you, having a single ability should be the simpler solution, compared to changing the agent's code.
This issue is stale because it has been open 30 days with no activity. Remove stale label or comment or this will be closed in 5 days.