Skip to content

APT3 CALDERA: Phase 9 - 3.A.1 Bypass User Account Control #25

Description

@leegengyu

First off, probably not the most appropriate place to post this question: I understand that this repository is targeted at APT29 (which is also pointed out at #24).

However,

  1. the mitre-attack/evals_caldera repository that originally catered just for APT3 is no longer active,
  2. I was informed at Plugin (Evals) - Pending Issues apache/caldera#1843 that that repository was superseded by this one, and that
  3. an email to evals@mitre-engenuity.org told me that "most, if not all issues are actually a result of CALDERA versioning" when I asked about where I should direct queries relating to APT3 portions of CALDERA to.

If someone can point me to the right channel/person, that would be great!


This phase is not working out for me - I am getting a new Agent at the end of this particular phase, but it is one with medium-integrity only:

image

The output shows a successful one:

image

To temporarily get around this, I had swapped it out with Invoke-EnvBypass.ps1 - which gives me a high-integrity Agent at the end of this phase. However, with this new way of doing Phase 9, running the high-integrity Agent against 3.B-3.C did not work out as it always resulted in a timeout:
image

This was executed in a Windows v1803 machine (not v1903 like what was mentioned in mitre-attack/evals_caldera#1), with anti-virus disabled.

Anyway that I should debug this? Thank you!

Metadata

Metadata

Assignees

No one assigned

    Labels

    No labels
    No labels

    Type

    No type

    Fields

    No fields configured for issues without a type.

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions