Description
Describe the bug
I think this is the correct place to open this issue since it is related to the emu plugin's emu_svc.py.
When starting a CALDERA server with the emu plugin enabled and the APT29 information from the adversary emulation library (see here), the wrong payloads are copied to plugins/emu/payloads.
I would expect emu_svc.py to copy the payloads in plugins/emu/data/adversary-emulation-plans/apt29/resources/ (here), but instead the payloads from the archived directory plugins/emu/data/adversary-emulation-plans/apt29/Archive/CALDERA_DIY/evals/payloads (here) are copied (see the output with added debug prints below). For other emulation plans the correct directory was searched (probably because there is no "Archive" directory?) (tested with the carbanak emulation plan).
I know this does not belong here but rather in the adversary-emulation-library, but I still want to mention it here. Maybe I will open another issue over there about this as well.
The APT29 adversary emulation library information contains 3 payload directories in total. For example, the stepFourteen_bypassUAC.ps1 payload is found 3 times in:
- adversary-emulation-plans/apt29/resources/scenario_2/stepFourteen_bypassUAC.ps1
- adversary-emulation-plans/apt29/Archive/Emulation_Plan/Day 2/payloads/stepFourteen_bypassUAC.ps1
- adversary-emulation-plans/apt29/Archive/CALDERA_DIY/evals/payloads/stepFourteen_bypassUAC.ps1
The payload that will be used by the emu plugin is number 3 in the above list.
It is also worth mentioning that the payloads' contents are not the same. This is also really confusing when you want to edit the payloads (which is necessary for the attacks), because it is not clear which ones are really used by CALDERA.
To Reproduce
Steps to reproduce the behavior:
- Enable emu plugin
- Start server
Expected behavior
I would expect the emu_svc to copy the payloads from the "not-archived" directory (plugins/emu/data/adversary-emulation-plans/apt29/resources/).
Screenshots
2023-03-08 05:36:04 - DEBUG (emu_svc.py:265 _store_required_payloads) Searching for and storing required payloads.
payload timestomp.ps1
path plugins/emu/data/adversary-emulation-plans/apt29/Archive/CALDERA_DIY/evals/payloads/timestomp.ps1
target_path plugins/emu/payloads/timestomp.ps1
payload stepSeventeen_zip.ps1
path plugins/emu/data/adversary-emulation-plans/apt29/Archive/CALDERA_DIY/evals/payloads/stepSeventeen_zip.ps1
target_path plugins/emu/payloads/stepSeventeen_zip.ps1
payload plink.exe
path plugins/emu/data/adversary-emulation-plans/carbanak/Resources/step5/plink.exe
target_path plugins/emu/payloads/plink.exe
payload Invoke-Mimikatz.ps1
path plugins/emu/data/adversary-emulation-plans/apt29/Archive/CALDERA_DIY/evals/payloads/Invoke-Mimikatz.ps1
target_path plugins/emu/payloads/Invoke-Mimikatz.ps1
payload stepSixteen_SID.ps1
path plugins/emu/data/adversary-emulation-plans/apt29/Archive/CALDERA_DIY/evals/payloads/stepSixteen_SID.ps1
target_path plugins/emu/payloads/stepSixteen_SID.ps1
payload stepFourteen_bypassUAC.ps1
path plugins/emu/data/adversary-emulation-plans/apt29/Archive/CALDERA_DIY/evals/payloads/stepFourteen_bypassUAC.ps1
target_path plugins/emu/payloads/stepFourteen_bypassUAC.ps1
Desktop (please complete the following information):
- OS: Kali
- Browser: -
- Version: 4.1.0
Additional context
...
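As an added illustration (not the reporter's code and not emu_svc.py's own logic), the following lookup shows why a plain recursive search picks the archived copy and how a search that skips any "Archive" path component selects the live resources copy instead. It builds a constructed temporary tree mirroring the three apt29 locations listed above, with deliberately differing contents, and reports a digest per copy so duplicates that differ are visible; the ARCHIVE_DIR name is an assumption taken from the paths in the report.

```python
import hashlib
import tempfile
from pathlib import Path
from typing import Dict, List, Optional

ARCHIVE_DIR = "Archive"  # assumption: archived plan material lives under a directory with this name


def find_payload_copies(plan_root: Path, payload_name: str) -> List[Path]:
    """Every file named payload_name below plan_root, sorted. Note that 'Archive/...'
    sorts before 'resources/...', so taking the first hit would return an archived copy."""
    return sorted(p for p in plan_root.rglob(payload_name) if p.is_file())


def is_archived(path: Path, plan_root: Path) -> bool:
    """True when any directory between plan_root and the file is named ARCHIVE_DIR."""
    return ARCHIVE_DIR in path.relative_to(plan_root).parts


def pick_payload(plan_root: Path, payload_name: str) -> Optional[Path]:
    """Prefer a live (non-archived) copy; fall back to an archived one only if no live copy exists."""
    copies = find_payload_copies(plan_root, payload_name)
    live = [p for p in copies if not is_archived(p, plan_root)]
    if live:
        return live[0]
    return copies[0] if copies else None


def content_digests(paths: List[Path]) -> Dict[str, str]:
    """SHA-256 per copy, so copies with the same name but different contents stand out."""
    return {str(p): hashlib.sha256(p.read_bytes()).hexdigest() for p in paths}


def build_demo_plan() -> Path:
    """Constructed sample tree with the three apt29 locations from the report; contents differ on purpose."""
    root = Path(tempfile.mkdtemp()) / "apt29"
    copies = {
        "resources/scenario_2/stepFourteen_bypassUAC.ps1": "# live copy\n",
        "Archive/Emulation_Plan/Day 2/payloads/stepFourteen_bypassUAC.ps1": "# archived copy A\n",
        "Archive/CALDERA_DIY/evals/payloads/stepFourteen_bypassUAC.ps1": "# archived copy B\n",
    }
    for rel, text in copies.items():
        target = root / rel
        target.parent.mkdir(parents=True, exist_ok=True)
        target.write_text(text)
    return root


if __name__ == "__main__":
    root = build_demo_plan()
    name = "stepFourteen_bypassUAC.ps1"
    print("chosen:", pick_payload(root, name).relative_to(root))
    for path, digest in content_digests(find_payload_copies(root, name)).items():
        print(digest[:12], path)
```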