
Persistence and lateral movement techniques not working #11

Closed
moxilo opened this issue Jan 14, 2018 · 2 comments

Comments


moxilo commented Jan 14, 2018

First of all, thank you for this amazing project. I have a problem when I select an adversary with techniques such as persistence (like task or service) or lateral movement (WMI or PSExec). These techniques are not executed or shown during the operation in the "Steps" tab. Any other technique, like enum, systeminfo, etc., is shown in the "Steps" tab and is executed (successfully or not) during the operation (I know that it is executed because I have Sysmon with Splunk on each host).

Configuration:

  • I have an environment with 2 Windows 7 and 2 Windows 2012 (one DC) hosts, with CALDERA installed on both of them.
  • CALDERA is installed on Ubuntu 16.04 LTS with Mongo 3.6 from the official MongoDB repository.
  • The starting victim is always one of the Windows 7 hosts.
  • I have tried different types of credentials: local admin credentials, a domain controller admin user, and a non-admin domain user account.

As an example, I created an adversary with only the technique "schtasks_persist". Then I created a new Operation using domain controller admin credentials on the Windows 7 host. However, when I run the operation, no STEP is observed in the "Operation Details" information.

Sysmon:

date | host | user | parent | process | command line argument:
2018-01-14 01:11:22.649 | John-PC.test.local | NT AUTHORITY\SYSTEM | C:\Windows\System32\cmd.exe | takeown /F C:\commander.exe /A
2018-01-14 01:11:22.649 | John-PC.test.local | NT AUTHORITY\SYSTEM | C:\Program Files\cagent\cagent.exe | C:\Windows\system32\cmd.exe /c "takeown /F C:\commander.exe /A"

Thank you!

dm-mitre (Contributor) commented Jan 16, 2018

@moxilo Thanks! Several of the Steps depend on other Steps to work effectively; persistence and lateral movement techniques both fall into this category. In general, most of the persistence techniques need the RAT to be running elevated. The easiest way to achieve this is by setting "Starting User" to "System" when creating a new Operation. In practice I've seen processes start elevated if the currently logged-in user is the Domain Admin. You could get this by logging into the starting computer as the Domain Admin and then setting "Starting User" to "Active User". It sounds like what you're doing is explicitly giving CALDERA the credentials ("Starting User" == "Logon User"). My memory is hazy, but I think this won't start the process as elevated (which is what it sounds like is happening to you).

A harder but more realistic way of getting the RAT running elevated would be to use a privilege escalation Step, although most of those require special (mis)configurations to be in place, so if you just want to test things out it's a hassle.

Lateral movement is a little different. For all of the lateral movement techniques we have, you need credentials or password hashes (which you'd get from enabling the "get_creds" Step). You generally also need a way to copy the RAT file. Any of the Steps below would work for that:

  • "copy_file" (which in turn requires "net_use")
  • "xcopy file" (also requires "net_use")
  • "pass_the_hash_copy"

You also want a Step to execute the RAT once it is copied. For that you could pick one of the following:

  • "remote_process(WMI)"
  • "schtasks" (this one takes a minute or two to execute)
  • "pass_the_hash_sc"

Note that you can mix and match one or more copy Steps with one or more remote execution Steps.
If you do pick multiple Steps, CALDERA will choose whichever one it thinks is best.

Another option is "psexec_move", which automatically does both the file copy and the remote execution in one go (although it still requires "get_creds", and you have to download the psexec binary manually from the Settings menu).

And finally, if you choose one of the built-in Adversaries that we have (Alice, Bob, Charlie, or Lazarus Group), the Steps should already be set up in a sane way. All of the adversaries will exhibit Lateral Movement, and Charlie and Lazarus Group will exhibit Persistence.
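The Step-dependency behaviour described in this reply, as an added illustration that is not CALDERA's planner code. The Step names are the ones quoted in this thread; the requires/provides graph, the fact names (`elevated_rat`, `credentials`, `network_share`, `rat_copied`, `psexec_binary`), and the `plan`/`explain` functions are assumptions made for the example, to show why a Step whose prerequisites are never satisfied produces nothing in the "Steps" tab.

```python
"""Illustrative dependency checker for adversary Steps.

Added example, not CALDERA's own planner. Step names follow the thread above;
the prerequisite model (what each Step requires and provides) is an assumption
chosen to show why an unsatisfied Step is skipped rather than executed.
"""
from dataclasses import dataclass

# Facts a Step may need or produce (assumed vocabulary, not CALDERA terms).
ELEVATED = "elevated_rat"      # RAT running as SYSTEM / high integrity
CREDS = "credentials"          # passwords or hashes from get_creds
SHARE = "network_share"        # connection established by net_use
FILE_COPIED = "rat_copied"     # RAT binary present on the remote host
PSEXEC_BIN = "psexec_binary"   # psexec downloaded via the Settings menu
REMOTE_RAT = "remote_rat"      # RAT started on the remote host
PERSISTENCE = "persistence"


@dataclass(frozen=True)
class Step:
    name: str
    requires: frozenset
    provides: frozenset


def _s(name, requires=(), provides=()):
    return Step(name, frozenset(requires), frozenset(provides))


STEPS = {s.name: s for s in [
    _s("systeminfo"),                                   # no prerequisites
    _s("get_creds", provides=[CREDS]),
    _s("net_use", requires=[CREDS], provides=[SHARE]),
    _s("copy_file", requires=[SHARE], provides=[FILE_COPIED]),
    _s("xcopy file", requires=[SHARE], provides=[FILE_COPIED]),
    _s("pass_the_hash_copy", requires=[CREDS], provides=[FILE_COPIED]),
    _s("remote_process(WMI)", requires=[CREDS, FILE_COPIED], provides=[REMOTE_RAT]),
    _s("schtasks", requires=[CREDS, FILE_COPIED], provides=[REMOTE_RAT]),
    _s("pass_the_hash_sc", requires=[CREDS, FILE_COPIED], provides=[REMOTE_RAT]),
    _s("psexec_move", requires=[CREDS, PSEXEC_BIN], provides=[FILE_COPIED, REMOTE_RAT]),
    _s("schtasks_persist", requires=[ELEVATED], provides=[PERSISTENCE]),
]}


def plan(selected, initial_facts=()):
    """Greedy fixed point over the selected Steps.

    Each pass runs every pending Step whose requirements are already known
    facts and adds what it provides. Returns (order_run, blocked), where
    blocked maps each Step that never became runnable to its missing facts.
    """
    facts = set(initial_facts)
    pending = [STEPS[name] for name in selected]
    order = []
    progress = True
    while progress:
        progress = False
        for step in list(pending):          # copy: we mutate pending below
            if step.requires <= facts:
                facts |= step.provides
                order.append(step.name)
                pending.remove(step)
                progress = True
    blocked = {s.name: sorted(s.requires - facts) for s in pending}
    return order, blocked


def explain(selected, initial_facts=()):
    """Human-readable summary of a plan() result."""
    order, blocked = plan(selected, initial_facts)
    lines = ["would run: " + (", ".join(order) or "(nothing)")]
    for name, missing in blocked.items():
        lines.append(f"skipped {name}: needs {', '.join(missing)}")
    return "\n".join(lines)


if __name__ == "__main__":
    # The reported situation: only schtasks_persist, RAT not elevated.
    print(explain(["schtasks_persist"]))
    # Same adversary with "Starting User" set to System.
    print(explain(["schtasks_persist"], {ELEVATED}))
    # A lateral-movement chain from the reply's copy + execute lists.
    print(explain(["remote_process(WMI)", "copy_file", "get_creds", "net_use"]))
    # psexec_move without the manually downloaded binary.
    print(explain(["psexec_move", "get_creds"]))
```

The fixed-point loop is the point of the example: selection order does not matter, because a Step is retried on every pass until its facts exist, but a Step whose facts can never appear (no `get_creds` for lateral movement, no elevation for persistence) stays in `blocked` and is simply never run, which matches an Operation that shows no STEP at all.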

dm-mitre (Contributor) commented

Also leaving a note here for myself to update the docs with this information :)

@ghost ghost mentioned this issue Mar 3, 2019
bleepbop pushed a commit that referenced this issue Jun 2, 2023: "add version check to emulation plan"