Comments (2)
@moxilo Thanks! Several of the Steps depend on other Steps to work effectively. Persistence and lateral movement techniques both fall into this category. In general, most of the persistence techniques need the RAT to be running as elevated. The easiest way to achieve this is by setting "Starting User" as "System" when creating a new Operation. In practice I've seen processes start as elevated if the currently logged-in user is the Domain Admin. You could get this by logging into the starting computer as the Domain Admin and then setting "Starting User" to "Active User". It sounds like what you're doing is explicitly giving CALDERA the credentials ("Starting User" == "Logon User"). My memory is hazy, but I think this won't start the process as elevated (which is what it sounds like is happening to you).
A harder, but more realistic way of getting the RAT running as elevated would be to use a privilege escalation step, although most of those require special (mis)configurations to be done, so if you just want to test things out it's a hassle.
Lateral movement is a little different. For all of the lateral movement techniques we have, you need credentials or password hashes (which you'd get from enabling the "get_creds" step). You generally need a way to copy the (RAT) file. Any of the below Steps would work for that:
- "copy_file", (which in turn requires net_use)
- "xcopy file", (also requires net_use)
- "pass_the_hash_copy"
You also want a Step to execute the rat once copied. For that you could pick from one of the following:
- "remote_process(WMI)"
- "schtasks", (this one takes a minute or two to execute)
- "pass_the_hash_sc"
Note that you can mix and match one or more copy Steps with one or more remote execution Steps.
If you do pick multiple Steps, CALDERA will choose whichever one it thinks is best.
Another option is "psexec_move" which automatically does both the file copy and the remote execution in one go. (Although it still requires "get_creds", and you have to download the psexec binary manually from the Settings menu).
And finally, if you choose one of the built-in Adversaries that we have (Alice, Bob, Charlie, or Lazarus Group), the Steps should already be set up in a sane way. All of the adversaries will exhibit Lateral Movement, and Charlie and Lazarus Group will exhibit Persistence.
from caldera.
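The prerequisite chain described in the comment above (copy steps need "net_use", every lateral movement step needs "get_creds", persistence needs an elevated RAT, and a working move needs one copy Step plus one remote-execution Step) can be checked mechanically before an Operation is launched. The following is an added illustration, not CALDERA's own planner or ability metadata: the REQUIRES table is transcribed from the comment and assumed exact, the persistence step names are hypothetical placeholders, and the "Starting User" rule of thumb follows the comment's description rather than any documented project behaviour.

```python
"""Prerequisite checker for an adversary-emulation operation plan.

Added illustration, not CALDERA's own planner. It models the Step
dependencies described in the comment as a small directed graph,
reports what a chosen set of Steps is missing, and orders the Steps
so prerequisites run first (Kahn's topological sort).
"""

# Step -> Steps that must run first. Transcribed from the comment; assumed exact.
REQUIRES = {
    "net_use": set(),
    "get_creds": set(),
    "copy_file": {"net_use", "get_creds"},
    "xcopy_file": {"net_use", "get_creds"},
    "pass_the_hash_copy": {"get_creds"},
    "remote_process(WMI)": {"get_creds"},
    "schtasks": {"get_creds"},
    "pass_the_hash_sc": {"get_creds"},
    "psexec_move": {"get_creds"},  # copies and executes in one go
}
COPY_STEPS = {"copy_file", "xcopy_file", "pass_the_hash_copy", "psexec_move"}
EXEC_STEPS = {"remote_process(WMI)", "schtasks", "pass_the_hash_sc", "psexec_move"}
# Hypothetical persistence Step names; the comment only says such Steps need elevation.
PERSISTENCE_STEPS = {"persist_service", "persist_run_key"}


def starts_elevated(starting_user, logged_in_as_domain_admin=False):
    """Model the comment's rule of thumb: 'System' is elevated, 'Active User'
    is elevated only when the logged-in user is the Domain Admin, and
    'Logon User' (explicit credentials) is assumed not elevated."""
    if starting_user == "System":
        return True
    if starting_user == "Active User":
        return logged_in_as_domain_admin
    return False


def missing_prereqs(selected):
    """Transitive closure of REQUIRES over the selected Steps, minus the selection."""
    needed, stack = set(), list(selected)
    while stack:
        step = stack.pop()
        for dep in REQUIRES.get(step, set()):
            if dep not in needed:
                needed.add(dep)
                stack.append(dep)
    return needed - set(selected)


def order_steps(selected):
    """Kahn's algorithm over the selected Steps; prerequisites come first.
    Ties are broken alphabetically so the result is deterministic."""
    selected = set(selected)
    if missing_prereqs(selected):
        raise ValueError("plan has unmet prerequisites; call missing_prereqs first")
    indegree = {s: len(REQUIRES.get(s, set()) & selected) for s in selected}
    dependents = {s: {t for t in selected if s in REQUIRES.get(t, set())} for s in selected}
    ready = {s for s, d in indegree.items() if d == 0}
    order = []
    while ready:
        step = min(ready)
        ready.remove(step)
        order.append(step)
        for t in dependents[step]:
            indegree[t] -= 1
            if indegree[t] == 0:
                ready.add(t)
    if len(order) != len(selected):
        raise ValueError("cycle in REQUIRES")
    return order


def check_plan(selected, starting_user, logged_in_as_domain_admin=False):
    """Summarise why a plan would or would not move laterally / persist."""
    selected = set(selected)
    missing = missing_prereqs(selected)
    elevated = starts_elevated(starting_user, logged_in_as_domain_admin)
    return {
        "missing": sorted(missing),
        "elevated": elevated,
        # persistence Steps selected while the RAT is not elevated will not work
        "persistence_blocked": [] if elevated else sorted(selected & PERSISTENCE_STEPS),
        "lateral_movement_ready": not missing
        and bool(selected & COPY_STEPS)
        and bool(selected & EXEC_STEPS),
        "order": order_steps(selected) if not missing else [],
    }


if __name__ == "__main__":
    # The situation in the question: copy + execute chosen, but no net_use/get_creds.
    print(check_plan({"copy_file", "schtasks"}, "Logon User"))
    # A plan that satisfies every prerequisite.
    print(check_plan({"get_creds", "net_use", "copy_file", "schtasks"}, "System"))
```

Running the first call reports `net_use` and `get_creds` as missing and leaves `lateral_movement_ready` false, which is the failure mode the question describes; adding those two Steps (or switching to "psexec_move" plus "get_creds") yields a complete, ordered plan.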
Also leaving a note here for myself to update the docs with this information :)