Persistence and lateral movement techniques not working #11
Comments
@moxilo Thanks! Several of the Steps depend on other Steps to work effectively. Persistence and lateral movement techniques both fall into this category. In general, most of the persistence techniques need the RAT to be running as elevated. The easiest way to achieve this is by setting "Starting User" as "System" when creating a new Operation. In practice I've seen processes start as elevated if the currently logged-in user is the Domain Admin. You could get this by logging into the starting computer as the Domain Admin and then setting "Starting User" to "Active User". It sounds like what you're doing is explicitly giving CALDERA the credentials ("Starting User" == "Logon User"). My memory is hazy, but I think this won't start the process as elevated (which is what it sounds like is happening to you). A harder, but more realistic, way of getting the RAT running as elevated would be to use a privilege escalation step, although most of those require special (mis)configurations to be done, so if you just want to test things out it's a hassle. Lateral movement is a little different. For all of the lateral movement techniques we have, you need credentials or password hashes (which you'd get from enabling the "get_creds" step). You generally need a way to copy the (RAT) file. Any of the below Steps would work for that:
You also want a Step to execute the rat once copied. For that you could pick from one of the following:
Note that you can mix and match one or more copy Steps with one or more remote execution Steps. Another option is "psexec_move", which automatically does both the file copy and the remote execution in one go. (Although it still requires "get_creds", and you have to download the psexec binary manually from the Settings menu.) And finally, if you choose one of the built-in Adversaries that we have (Alice, Bob, Charlie, or Lazarus Group), the Steps should already be set up in a sane way. All of the adversaries will exhibit Lateral Movement, and Charlie and Lazarus Group will exhibit Persistence.
Also leaving a note here for myself to update the docs with this information :)
First of all, thank you for this amazing project. I have a problem when I select an adversary with techniques such as persistence (like task or service) or lateral movement (WMI or PSExec). These techniques are not executed or shown during the operation in the "Steps" tab. Any other technique like enum, systeminfo, etc. is shown in the "Steps" tab and is executed (successfully or not) during the operation (I know that it is executed as I have Sysmon with Splunk on each host).
Configuration:
As an example, I created an adversary with only the technique "schtasks_persist". Then I created a new Operation using domain controller admin credentials on Windows 7. However, when I run the operation no STEP is observed in the "Operation Details" information.
Sysmon:
date | host | user | parent | process | command line argument:
2018-01-14 01:11:22.649 | John-PC.test.local | NT AUTHORITY\SYSTEM | C:\Windows\System32\cmd.exe | takeown /F C:\commander.exe /A
2018-01-14 01:11:22.649 | John-PC.test.local | NT AUTHORITY\SYSTEM | C:\Program Files\cagent\cagent.exe | C:\Windows\system32\cmd.exe /c "takeown /F C:\commander.exe /A"
Thank you!
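The Sysmon excerpt above is the one piece of ground truth in this thread: even though the Steps tab showed nothing, the host did record the agent (`cagent.exe`) spawning `cmd.exe`, which ran `takeown` as SYSTEM. The following is an added example, not code from the CALDERA project or from either poster, showing how a defender could parse the pipe-delimited lines in the format quoted in the issue and flag that parent/child chain. The agent image name, the rule names, and the third (benign) sample line are assumptions constructed for the example; the first two sample rows are copied from the issue.

```python
"""Parse 'date | host | user | parent | command line' Sysmon rows like the
ones quoted in the issue and flag the agent -> cmd.exe -> takeown chain.

Added example for this thread, not part of CALDERA. AGENT_IMAGE and the
rule names are assumptions; the rows in SAMPLE_LINES marked 'constructed'
were made up to exercise the rules."""
from __future__ import annotations

import ntpath
from dataclasses import dataclass

AGENT_IMAGE = "cagent.exe"            # assumed: the CALDERA RAT image seen as parent
SYSTEM_USER = r"NT AUTHORITY\SYSTEM"


@dataclass
class ProcEvent:
    ts: str
    host: str
    user: str
    parent: str
    cmdline: str


def parse_line(line: str) -> ProcEvent:
    """Split one row. The issue's header lists six columns but each row
    carries five values, so accept either shape and always treat the last
    field as the command line."""
    parts = [p.strip() for p in line.split("|")]
    if len(parts) not in (5, 6):
        raise ValueError(f"unexpected field count {len(parts)}: {line!r}")
    return ProcEvent(ts=parts[0], host=parts[1], user=parts[2],
                     parent=parts[3], cmdline=parts[-1])


def rules(ev: ProcEvent) -> list[str]:
    """Return the names of the detection rules that match this event."""
    hits: list[str] = []
    parent_name = ntpath.basename(ev.parent).lower()
    cmd = ev.cmdline.lower()
    # Rule 1: the agent process launched a command shell with /c.
    if parent_name == AGENT_IMAGE and "cmd.exe /c" in cmd:
        hits.append("agent_spawned_shell")
    # Rule 2: file ownership was taken while running as SYSTEM.
    if "takeown " in cmd and ev.user.upper() == SYSTEM_USER:
        hits.append("takeown_as_system")
    return hits


def detect(lines: list[str]) -> list[tuple[str, str, str]]:
    """Run every rule over every row; header rows are skipped."""
    findings = []
    for line in lines:
        if line.lower().startswith("date"):
            continue
        ev = parse_line(line)
        for rule in rules(ev):
            findings.append((ev.ts, ev.host, rule))
    return findings


SAMPLE_LINES = [
    "date | host | user | parent | process | command line argument:",
    # Next two rows are copied from the issue text above.
    r"2018-01-14 01:11:22.649 | John-PC.test.local | NT AUTHORITY\SYSTEM | C:\Windows\System32\cmd.exe | takeown /F C:\commander.exe /A",
    r'2018-01-14 01:11:22.649 | John-PC.test.local | NT AUTHORITY\SYSTEM | C:\Program Files\cagent\cagent.exe | C:\Windows\system32\cmd.exe /c "takeown /F C:\commander.exe /A"',
    # Constructed benign row: a user opening Notepad from Explorer.
    r"2018-01-14 01:12:00.000 | John-PC.test.local | TEST\john | C:\Windows\explorer.exe | C:\Windows\system32\notepad.exe",
]

if __name__ == "__main__":
    for ts, host, rule in detect(SAMPLE_LINES):
        print(f"{ts} | {host} | {rule}")
```

Run as-is it reports three findings: the first row matches only `takeown_as_system`, the second matches both rules because the shell was spawned directly by the agent, and the constructed Explorer/Notepad row matches nothing. The two rules are deliberately narrow; in a real pipeline the agent image name would come from the deployment rather than a constant.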