Merge pull request #151 from kaylakraines/master
Turla - Check Implant Registered Requirement
mchan143 authored Oct 25, 2023
2 parents 3ae11bd + 1b99390 commit 4a57b3d
Showing 4 changed files with 339 additions and 81 deletions.
6 changes: 6 additions & 0 deletions turla/Emulation_Plan/yaml/Carbon_Scenario.md
@@ -29,7 +29,13 @@ Before running the operation, you will need to make sure that the Turla fact sou
- `third.target.ntlm`: The NTLM hash for the third target user.
- `apache.server.ip`: The IP address of the Apache server.
- `attacker.host.ip`: The IP address of the attacker's host.
- `first.epic.id`: The first EPIC implant ID.
- `second.epic.id`: The second EPIC implant ID.
- `first.carbon.id`: The first Carbon implant ID.
- `second.carbon.id`: The second Carbon implant ID.
- `third.carbon.id`: The third Carbon implant ID.

Generally, it’s only possible to task a Caldera agent which is alive and actively checking in with the Caldera server. However, due to the integration between the `evalsc2client.py` and the Caldera Emu plugin in this port, the user is effectively tasking the Sandcat agent to task `evalsc2client.py` to task an implant through the Control Server, which makes it possible to task an implant that is not active. Therefore, a Caldera requirement was implemented to prevent an ability from executing if the implant tasked in that ability was not actively beaconing in. This requirement uses the facts for the EPIC and Carbon implant IDs, which are listed above.

# RUNNING THE OPERATION

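Review bot: the new paragraph states that "a Caldera requirement was implemented" to stop an ability from running when its target implant is not beaconing, but nowhere in this hunk is the requirement named or is it said which abilities reference it, so a reader of Carbon_Scenario.md cannot tell which steps of the scenario are actually guarded; name the requirement and the ability field it is attached to in this paragraph. Two smaller points in the same hunk: the five new fact entries (`first.epic.id` through `third.carbon.id`) say what each value is but not where the operator obtains an implant ID before that implant has registered with the Control Server, which matters because the check compares these facts against what the server reports; and `evalsc2client.py` is plain backticked text here while the equivalent paragraph in Snake_Scenario.md links it to the repository file, so use the same link in both scenario documents.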
9 changes: 9 additions & 0 deletions turla/Emulation_Plan/yaml/Snake_Scenario.md
@@ -38,6 +38,15 @@ Before running the operation, you will need to make sure that the Turla fact sou
- `domain.admin.user`: The username of a domain admin.
- `new.domain.user`: The username of the new domain user.
- `new.domain.password`: The password of the new domain user.
- `first.epic.id`: The first EPIC implant ID.
- `first.snake.id`: The first Snake implant ID.
- `second.snake.id`: The second Snake implant ID.
- `third.snake.id`: The third Snake implant ID.
- `lightneuron.implant.id`: The Lightneuron implant ID.

Generally, it’s only possible to task a Caldera agent which is alive and actively checking in with the Caldera server. However, due to the integration between the [`evalsc2client.py`](https://github.com/center-for-threat-informed-defense/adversary_emulation_library/blob/master/turla/Resources/control_server/evalsC2client.py) and the Caldera Emu plugin in this port, the user is effectively tasking the Sandcat agent to task `evalsc2client.py` to task an implant through the Control Server, which makes it possible to task an implant that is not active. Therefore, a Caldera requirement was implemented to prevent an ability from executing if the implant tasked in that ability was not actively beaconing in. This requirement uses the facts for the EPIC and Snake implant IDs, which are listed above.

Additionally, a separate Caldera requirement was implemented for the Lightneuron implant. This requirement will allow an ability to execute if the Lightneuron implant ID is listed in the agents tab of the Caldera Server GUI, even if the agent is dead and untrusted. The Lightneuron agent only sends one initial beacon to the Server, and is then considered a dead agent. This custom requirement will allow Lightneuron to be tasked despite that fact that it appears dead in the Caldera GUI.

# RUNNING THE OPERATION

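Review bot: the link text `evalsc2client.py` does not match the path it points to, `.../control_server/evalsC2client.py` (capital C); repository paths are case-sensitive, so make the displayed name match the actual file name, here and in the corresponding Carbon_Scenario.md paragraph. Separately, the Lightneuron paragraph relaxes the check introduced just above it (an ability is allowed to run while the agent is "dead and untrusted"), but it does not say what happens when `lightneuron.implant.id` is not listed in the agents tab at all, i.e. when the single initial beacon never arrived; state whether the ability is skipped in that case, since that is the failure mode an operator is most likely to hit, and spell out that "listed in the agents tab" is what the requirement keys on rather than the agent's trusted or alive status.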