APT-Emulation-Test_report.json
{"name":"APT-Emulation-Test","host_group":[{"paw":"heoubo","sleep_min":30,"sleep_max":60,"watchdog":0,"group":"red","architecture":"amd64","platform":"linux","server":"http://10.0.2.15:8888","upstream_dest":"http://10.0.2.15:8888","username":"root","location":"/root/caldera/splunkd","pid":186159,"ppid":100789,"trusted":true,"executors":["proc","sh"],"privilege":"Elevated","exe_name":"splunkd","host":"kali","contact":"HTTP","proxy_receivers":{},"proxy_chain":[],"origin_link_id":"","deadman_enabled":true,"available_contacts":["HTTP"],"host_ip_addrs":["10.0.2.15"],"display_name":"kali$root","created":"2025-08-05T13:30:32Z","last_seen":"2025-08-05T17:19:31Z","links":[{"id":"fb70bf3d-647e-4e26-b807-2bdc8e853cc2","paw":"heoubo","command":"PiAkSE9NRS8uYmFzaF9oaXN0b3J5ICYmIHVuc2V0IEhJU1RGSUxF","plaintext_command":"PiAkSE9NRS8uYmFzaF9oaXN0b3J5ICYmIHVuc2V0IEhJU1RGSUxF","status":0,"score":0,"jitter":0,"decide":"2025-08-05T13:30:32Z","pin":0,"pid":"359390","facts":[],"relationships":[],"used":[],"unique":"fb70bf3d-647e-4e26-b807-2bdc8e853cc2","collect":"2025-08-05T13:30:32Z","finish":"2025-08-05T13:30:32Z","ability":{"ability_id":"43b3754c-def4-4699-a673-1d85648fda6a","tactic":"defense-evasion","technique_name":"Indicator Removal on Host: Clear Command History","technique_id":"T1070.003","name":"Avoid logs","description":"Stop terminal from logging history","executors":[{"name":"sh","platform":"darwin","command":"> $HOME/.bash_history && unset HISTFILE","code":null,"language":null,"build_target":null,"payloads":[],"uploads":[],"timeout":60,"parsers":[],"cleanup":[],"variations":[],"additional_info":{}},{"name":"sh","platform":"linux","command":"> $HOME/.bash_history && unset 
HISTFILE","code":null,"language":null,"build_target":null,"payloads":[],"uploads":[],"timeout":60,"parsers":[],"cleanup":[],"variations":[],"additional_info":{}},{"name":"psh","platform":"windows","command":"Clear-History;Clear","code":null,"language":null,"build_target":null,"payloads":[],"uploads":[],"timeout":60,"parsers":[],"cleanup":[],"variations":[],"additional_info":{}}],"requirements":[],"privilege":null,"repeatable":false,"buckets":["defense-evasion"],"additional_info":{},"access":{},"singleton":false,"plugin":"stockpile","delete_payload":true},"executor":{"name":"sh","platform":"linux","command":"> $HOME/.bash_history && unset HISTFILE","code":null,"language":null,"build_target":null,"payloads":[],"uploads":[],"timeout":60,"parsers":[],"cleanup":[],"variations":[],"additional_info":{}},"cleanup":0,"visibility":{"score":50,"adjustments":[]},"host":"kali","output":"False","deadman":false,"agent_reported_time":"2025-08-05T13:30:32Z"}],"pending_contact":"HTTP"}],"start":"2025-08-05T14:24:01Z","steps":{"heoubo":{"steps":[{"link_id":"3c88f6d4-c2a6-4689-a534-1059141761c0","ability_id":"4d9b079c-9ede-4116-8b14-72ad3a5533af","command":"get-process >> $env:APPDATA\\vmtools.log;cat $env:APPDATA\\vmtools.log","plaintext_command":"get-process >> $env:APPDATA\\vmtools.log;cat $env:APPDATA\\vmtools.log","delegated":"2025-08-05T14:24:01Z","run":"2025-08-05T14:24:20Z","status":0,"platform":"linux","executor":"sh","pid":387267,"description":"Custom adversary profile simulating real-world threats","name":"APT-Emulation","attack":{"tactic":"discovery","technique_name":"Process Discovery","technique_id":"T1059.003"},"output":{"stdout":"","stderr":"sh: 1: get-process: not found","exit_code":"0"},"agent_reported_time":"2025-08-05T14:24:20Z"},{"link_id":"e4e4a95c-9e6a-4e52-9d90-c3d292979510","ability_id":"4d9b079c-9ede-4116-8b14-72ad3a5533af","command":"get-process >> $env:APPDATA\\vmtools.log;cat $env:APPDATA\\vmtools.log","plaintext_command":"get-process >> 
$env:APPDATA\\vmtools.log;cat $env:APPDATA\\vmtools.log","delegated":"2025-08-05T14:24:21Z","run":"2025-08-05T14:25:20Z","status":0,"platform":"linux","executor":"sh","pid":387823,"description":"Custom adversary profile simulating real-world threats","name":"APT-Emulation","attack":{"tactic":"discovery","technique_name":"Process Discovery","technique_id":"T1059.003"},"output":{"stdout":"","stderr":"sh: 1: get-process: not found","exit_code":"0"},"agent_reported_time":"2025-08-05T14:25:20Z"},{"link_id":"72d1139c-2052-4a4c-b575-b789b5053821","ability_id":"4d9b079c-9ede-4116-8b14-72ad3a5533af","command":"get-process >> $env:APPDATA\\vmtools.log;cat $env:APPDATA\\vmtools.log","plaintext_command":"get-process >> $env:APPDATA\\vmtools.log;cat $env:APPDATA\\vmtools.log","delegated":"2025-08-05T14:25:21Z","run":"2025-08-05T14:26:09Z","status":0,"platform":"linux","executor":"sh","pid":388221,"description":"Custom adversary profile simulating real-world threats","name":"APT-Emulation","attack":{"tactic":"discovery","technique_name":"Process Discovery","technique_id":"T1059.003"},"output":{"stdout":"","stderr":"sh: 1: get-process: not found","exit_code":"0"},"agent_reported_time":"2025-08-05T14:26:09Z"},{"link_id":"a9d0745b-135c-41f9-a4ea-28ea4f8f7efb","ability_id":"4d9b079c-9ede-4116-8b14-72ad3a5533af","command":"get-process >> $env:APPDATA\\vmtools.log;cat $env:APPDATA\\vmtools.log","plaintext_command":"get-process >> $env:APPDATA\\vmtools.log;cat $env:APPDATA\\vmtools.log","delegated":"2025-08-05T14:26:11Z","run":"2025-08-05T14:26:44Z","status":0,"platform":"linux","executor":"sh","pid":388540,"description":"Custom adversary profile simulating real-world threats","name":"APT-Emulation","attack":{"tactic":"discovery","technique_name":"Process Discovery","technique_id":"T1059.003"},"output":{"stdout":"","stderr":"sh: 1: get-process: not 
found","exit_code":"0"},"agent_reported_time":"2025-08-05T14:26:44Z"},{"link_id":"7deffd17-d67c-4e78-a12a-03974f568147","ability_id":"4d9b079c-9ede-4116-8b14-72ad3a5533af","command":"get-process >> $env:APPDATA\\vmtools.log;cat $env:APPDATA\\vmtools.log","plaintext_command":"get-process >> $env:APPDATA\\vmtools.log;cat $env:APPDATA\\vmtools.log","delegated":"2025-08-05T14:26:46Z","run":"2025-08-05T14:27:44Z","status":0,"platform":"linux","executor":"sh","pid":389069,"description":"Custom adversary profile simulating real-world threats","name":"APT-Emulation","attack":{"tactic":"discovery","technique_name":"Process Discovery","technique_id":"T1059.003"},"output":{"stdout":"","stderr":"sh: 1: get-process: not found","exit_code":"0"},"agent_reported_time":"2025-08-05T14:27:44Z"},{"link_id":"09857e82-774f-4611-a72c-1f7aef2a83ca","ability_id":"2ef6672fd5b1e94dab0f2af1c40a1d7c","command":"sudo cat /etc/master.passwd > /tmp/T1003.008.txt; cat /tmp/T1003.008.txt","plaintext_command":"sudo cat /etc/master.passwd > /tmp/T1003.008.txt; cat /tmp/T1003.008.txt","delegated":"2025-08-05T14:27:00Z","run":"2025-08-05T14:27:52Z","status":0,"platform":"linux","executor":"sh","pid":389128,"description":"/etc/master.passwd file is accessed in FreeBSD environments\n","name":"Access /etc/master.passwd (Local)","attack":{"tactic":"credential-access","technique_name":"OS Credential Dumping: /etc/passwd, /etc/master.passwd and /etc/shadow","technique_id":"T1003.008"},"output":{"stdout":"","stderr":"cat: /etc/master.passwd: No such file or directory","exit_code":"0"},"agent_reported_time":"2025-08-05T14:27:52Z"},{"link_id":"b34b1d06-ead4-475b-b321-171df48d48c1","ability_id":"4d9b079c-9ede-4116-8b14-72ad3a5533af","command":"get-process >> $env:APPDATA\\vmtools.log;cat $env:APPDATA\\vmtools.log","plaintext_command":"get-process >> $env:APPDATA\\vmtools.log;cat 
$env:APPDATA\\vmtools.log","delegated":"2025-08-05T14:27:46Z","run":"2025-08-05T14:28:38Z","status":0,"platform":"linux","executor":"sh","pid":389562,"description":"Custom adversary profile simulating real-world threats","name":"APT-Emulation","attack":{"tactic":"discovery","technique_name":"Process Discovery","technique_id":"T1059.003"},"output":{"stdout":"","stderr":"sh: 1: get-process: not found","exit_code":"0"},"agent_reported_time":"2025-08-05T14:28:38Z"},{"link_id":"0171fcb4-9d54-4709-b4af-74302ef6e4d1","ability_id":"5920727f-02dd-4cb6-bede-d74a7bbf0df8","command":"echo \"\" | sudo tee /var/log/syslog","plaintext_command":"echo \"\" | sudo tee /var/log/syslog","delegated":"2025-08-05T17:07:28Z","run":"2025-08-05T17:07:57Z","status":0,"platform":"linux","executor":"sh","pid":449657,"description":"Deletes system logs to evade detection.","name":"Clear Syslog Logs","attack":{"tactic":"defense-evasion","technique_name":"Clear Linux Logs","technique_id":"T1070.002"},"output":{"stdout":"","stderr":"","exit_code":"0"},"agent_reported_time":"2025-08-05T17:07:57Z"},{"link_id":"89bbf193-6fd1-49a3-a384-00f1f1da6e3e","ability_id":"4d9b079c-9ede-4116-8b14-72ad3a5533af","command":"get-process >> $env:APPDATA\\vmtools.log;cat $env:APPDATA\\vmtools.log","plaintext_command":"get-process >> $env:APPDATA\\vmtools.log;cat $env:APPDATA\\vmtools.log","delegated":"2025-08-05T14:28:41Z","run":"2025-08-05T17:07:57Z","status":0,"platform":"linux","executor":"sh","pid":449655,"description":"Custom adversary profile simulating real-world threats","name":"APT-Emulation","attack":{"tactic":"discovery","technique_name":"Process Discovery","technique_id":"T1059.003"},"output":{"stdout":"","stderr":"sh: 1: get-process: not found","exit_code":"0"},"agent_reported_time":"2025-08-05T17:07:57Z"},{"link_id":"0b71e8fc-aa5a-49aa-97a7-37e5fe0623a0","ability_id":"5920727f-02dd-4cb6-bede-d74a7bbf0df8","command":"echo \"\" | sudo tee /var/log/syslog","plaintext_command":"echo \"\" | sudo tee 
/var/log/syslog","delegated":"2025-08-05T17:07:23Z","run":"2025-08-05T17:08:00Z","status":0,"platform":"linux","executor":"sh","pid":449688,"description":"Deletes system logs to evade detection.","name":"Clear Syslog Logs","attack":{"tactic":"defense-evasion","technique_name":"Clear Linux Logs","technique_id":"T1070.002"},"output":{"stdout":"","stderr":"","exit_code":"0"},"agent_reported_time":"2025-08-05T17:08:00Z"},{"link_id":"c524e1a5-34e0-4cfc-8d6a-6bd6acc99454","ability_id":"4d9b079c-9ede-4116-8b14-72ad3a5533af","command":"get-process >> $env:APPDATA\\vmtools.log;cat $env:APPDATA\\vmtools.log","plaintext_command":"get-process >> $env:APPDATA\\vmtools.log;cat $env:APPDATA\\vmtools.log","delegated":"2025-08-05T17:08:00Z","run":"2025-08-05T17:08:34Z","status":0,"platform":"linux","executor":"sh","pid":449972,"description":"Custom adversary profile simulating real-world threats","name":"APT-Emulation","attack":{"tactic":"discovery","technique_name":"Process Discovery","technique_id":"T1059.003"},"output":{"stdout":"","stderr":"sh: 1: get-process: not found","exit_code":"0"},"agent_reported_time":"2025-08-05T17:08:34Z"},{"link_id":"7b60e4d2-6d29-4cb2-9033-56f03fb2ecfa","ability_id":"4d9b079c-9ede-4116-8b14-72ad3a5533af","command":"get-process >> $env:APPDATA\\vmtools.log;cat $env:APPDATA\\vmtools.log","plaintext_command":"get-process >> $env:APPDATA\\vmtools.log;cat $env:APPDATA\\vmtools.log","delegated":"2025-08-05T17:08:35Z","run":"2025-08-05T17:09:30Z","status":0,"platform":"linux","executor":"sh","pid":450481,"description":"Custom adversary profile simulating real-world threats","name":"APT-Emulation","attack":{"tactic":"discovery","technique_name":"Process Discovery","technique_id":"T1059.003"},"output":{"stdout":"","stderr":"sh: 1: get-process: not found","exit_code":"0"},"agent_reported_time":"2025-08-05T17:09:30Z"},{"link_id":"8d9587ad-072f-4c58-a72c-05a6f646d6e2","ability_id":"4d9b079c-9ede-4116-8b14-72ad3a5533af","command":"get-process >> 
$env:APPDATA\\vmtools.log;cat $env:APPDATA\\vmtools.log","plaintext_command":"get-process >> $env:APPDATA\\vmtools.log;cat $env:APPDATA\\vmtools.log","delegated":"2025-08-05T17:09:35Z","run":"2025-08-05T17:10:15Z","status":0,"platform":"linux","executor":"sh","pid":450847,"description":"Custom adversary profile simulating real-world threats","name":"APT-Emulation","attack":{"tactic":"discovery","technique_name":"Process Discovery","technique_id":"T1059.003"},"output":{"stdout":"","stderr":"sh: 1: get-process: not found","exit_code":"0"},"agent_reported_time":"2025-08-05T17:10:15Z"},{"link_id":"270cbf72-5354-4bde-a648-30a5b7f0c0ca","ability_id":"4d9b079c-9ede-4116-8b14-72ad3a5533af","command":"get-process >> $env:APPDATA\\vmtools.log;cat $env:APPDATA\\vmtools.log","plaintext_command":"get-process >> $env:APPDATA\\vmtools.log;cat $env:APPDATA\\vmtools.log","delegated":"2025-08-05T17:10:15Z","run":"2025-08-05T17:10:53Z","status":0,"platform":"linux","executor":"sh","pid":451159,"description":"Custom adversary profile simulating real-world threats","name":"APT-Emulation","attack":{"tactic":"discovery","technique_name":"Process Discovery","technique_id":"T1059.003"},"output":{"stdout":"","stderr":"sh: 1: get-process: not found","exit_code":"0"},"agent_reported_time":"2025-08-05T17:10:53Z"},{"link_id":"c3e18ee7-0032-4fb4-ba9d-72061375f499","ability_id":"4d9b079c-9ede-4116-8b14-72ad3a5533af","command":"get-process >> $env:APPDATA\\vmtools.log;cat $env:APPDATA\\vmtools.log","plaintext_command":"get-process >> $env:APPDATA\\vmtools.log;cat $env:APPDATA\\vmtools.log","delegated":"2025-08-05T17:10:55Z","run":"2025-08-05T17:11:46Z","status":0,"platform":"linux","executor":"sh","pid":451595,"description":"Custom adversary profile simulating real-world threats","name":"APT-Emulation","attack":{"tactic":"discovery","technique_name":"Process Discovery","technique_id":"T1059.003"},"output":{"stdout":"","stderr":"sh: 1: get-process: not 
found","exit_code":"0"},"agent_reported_time":"2025-08-05T17:11:46Z"},{"link_id":"a93eb440-f34c-47d7-ae93-9c43c0df04c9","ability_id":"4d9b079c-9ede-4116-8b14-72ad3a5533af","command":"get-process >> $env:APPDATA\\vmtools.log;cat $env:APPDATA\\vmtools.log","plaintext_command":"get-process >> $env:APPDATA\\vmtools.log;cat $env:APPDATA\\vmtools.log","delegated":"2025-08-05T17:11:50Z","run":"2025-08-05T17:12:29Z","status":0,"platform":"linux","executor":"sh","pid":451950,"description":"Custom adversary profile simulating real-world threats","name":"APT-Emulation","attack":{"tactic":"discovery","technique_name":"Process Discovery","technique_id":"T1059.003"},"output":{"stdout":"","stderr":"sh: 1: get-process: not found","exit_code":"0"},"agent_reported_time":"2025-08-05T17:12:29Z"},{"link_id":"b02a6c51-b063-441d-b6c4-f5538b8f0396","ability_id":"4d9b079c-9ede-4116-8b14-72ad3a5533af","command":"get-process >> $env:APPDATA\\vmtools.log;cat $env:APPDATA\\vmtools.log","plaintext_command":"get-process >> $env:APPDATA\\vmtools.log;cat $env:APPDATA\\vmtools.log","delegated":"2025-08-05T17:12:30Z","run":"2025-08-05T17:13:08Z","status":0,"platform":"linux","executor":"sh","pid":452277,"description":"Custom adversary profile simulating real-world threats","name":"APT-Emulation","attack":{"tactic":"discovery","technique_name":"Process Discovery","technique_id":"T1059.003"},"output":{"stdout":"","stderr":"sh: 1: get-process: not found","exit_code":"0"},"agent_reported_time":"2025-08-05T17:13:08Z"},{"link_id":"e53c8292-e98c-46d1-bc32-5910a4ea1186","ability_id":"4d9b079c-9ede-4116-8b14-72ad3a5533af","command":"get-process >> $env:APPDATA\\vmtools.log;cat $env:APPDATA\\vmtools.log","plaintext_command":"get-process >> $env:APPDATA\\vmtools.log;cat $env:APPDATA\\vmtools.log","delegated":"2025-08-05T17:13:10Z","run":"2025-08-05T17:13:51Z","status":0,"platform":"linux","executor":"sh","pid":452629,"description":"Custom adversary profile simulating real-world 
threats","name":"APT-Emulation","attack":{"tactic":"discovery","technique_name":"Process Discovery","technique_id":"T1059.003"},"output":{"stdout":"","stderr":"sh: 1: get-process: not found","exit_code":"0"},"agent_reported_time":"2025-08-05T17:13:51Z"},{"link_id":"fa306db3-4318-4409-9b29-17b5af9528e6","ability_id":"4d9b079c-9ede-4116-8b14-72ad3a5533af","command":"get-process >> $env:APPDATA\\vmtools.log;cat $env:APPDATA\\vmtools.log","plaintext_command":"get-process >> $env:APPDATA\\vmtools.log;cat $env:APPDATA\\vmtools.log","delegated":"2025-08-05T17:13:55Z","run":"2025-08-05T17:14:47Z","status":0,"platform":"linux","executor":"sh","pid":453092,"description":"Custom adversary profile simulating real-world threats","name":"APT-Emulation","attack":{"tactic":"discovery","technique_name":"Process Discovery","technique_id":"T1059.003"},"output":{"stdout":"","stderr":"sh: 1: get-process: not found","exit_code":"0"},"agent_reported_time":"2025-08-05T17:14:47Z"},{"link_id":"317a8802-4c15-4af7-a2b9-2285417f294f","ability_id":"4d9b079c-9ede-4116-8b14-72ad3a5533af","command":"get-process >> $env:APPDATA\\vmtools.log;cat $env:APPDATA\\vmtools.log","plaintext_command":"get-process >> $env:APPDATA\\vmtools.log;cat $env:APPDATA\\vmtools.log","delegated":"2025-08-05T17:14:50Z","run":"2025-08-05T17:15:48Z","status":0,"platform":"linux","executor":"sh","pid":453653,"description":"Custom adversary profile simulating real-world threats","name":"APT-Emulation","attack":{"tactic":"discovery","technique_name":"Process Discovery","technique_id":"T1059.003"},"output":{"stdout":"","stderr":"sh: 1: get-process: not found","exit_code":"0"},"agent_reported_time":"2025-08-05T17:15:48Z"}]}},"finish":null,"planner":"atomic","adversary":{"adversary_id":"d6ea4c1e-7959-4eb1-a292-b6fd2b06c73e","name":"Enumerator","description":"Enumerate Processes in all the 
ways","atomic_ordering":["94f21386-9547-43c4-99df-938ab05d45ce","8adf02e8-6e71-4244-886c-98c402857404","4d9b079c-9ede-4116-8b14-72ad3a5533af","7c42a30c-c8c7-44c5-80a8-862d364ac1e4","cc191baa-7472-4386-a2f4-42f203f1acfd","e037b87a48373a76106c0e4a164bcdf7"],"objective":"495a9828-cab1-44dd-a0ca-66e58177d8cc","tags":[],"has_repeatable_abilities":false,"plugin":"stockpile"},"jitter":"2/8","objectives":{"id":"495a9828-cab1-44dd-a0ca-66e58177d8cc","name":"default","description":"This is a default objective that runs forever.","goals":[{"target":"exhaustion","value":"complete","count":1048576,"operator":"==","achieved":false}],"percentage":0},"facts":[{"unique":"file.sensitive.extensionwav","trait":"file.sensitive.extension","name":"file.sensitive.extension","value":"wav","created":"2025-08-05T13:30:22Z","score":1,"source":"ed32b9c3-9593-4c33-b0db-e2007315096b","origin_type":"IMPORTED","links":[],"relationships":[],"limit_count":-1,"collected_by":[],"technique_id":""},{"unique":"file.sensitive.extensionyml","trait":"file.sensitive.extension","name":"file.sensitive.extension","value":"yml","created":"2025-08-05T13:30:22Z","score":1,"source":"ed32b9c3-9593-4c33-b0db-e2007315096b","origin_type":"IMPORTED","links":[],"relationships":[],"limit_count":-1,"collected_by":[],"technique_id":""},{"unique":"file.sensitive.extensionpng","trait":"file.sensitive.extension","name":"file.sensitive.extension","value":"png","created":"2025-08-05T13:30:22Z","score":1,"source":"ed32b9c3-9593-4c33-b0db-e2007315096b","origin_type":"IMPORTED","links":[],"relationships":[],"limit_count":-1,"collected_by":[],"technique_id":""},{"unique":"server.malicious.urlkeyloggedsite.com","trait":"server.malicious.url","name":"server.malicious.url","value":"keyloggedsite.com","created":"2025-08-05T13:30:22Z","score":1,"source":"ed32b9c3-9593-4c33-b0db-e2007315096b","origin_type":"IMPORTED","links":[],"relationships":[],"limit_count":-1,"collected_by":[],"technique_id":""}],"skipped_abilities":[{"heoubo":[{"reaso
n":"Mismatched ability platform and executor","reason_id":1,"ability_id":"94f21386-9547-43c4-99df-938ab05d45ce","ability_name":"Log Running Processes"},{"reason":"Mismatched ability platform and executor","reason_id":1,"ability_id":"8adf02e8-6e71-4244-886c-98c402857404","ability_name":"tasklist Process Enumeration"},{"reason":"Mismatched ability platform and executor","reason_id":1,"ability_id":"7c42a30c-c8c7-44c5-80a8-862d364ac1e4","ability_name":"UAC Status"},{"reason":"Mismatched ability platform and executor","reason_id":1,"ability_id":"cc191baa-7472-4386-a2f4-42f203f1acfd","ability_name":"SysInternals PSTool Process Discovery"},{"reason":"Operation not completed","reason_id":6,"ability_id":"e037b87a48373a76106c0e4a164bcdf7","ability_name":"System Network Configuration Discovery"}]}]}