Scribd Logo
Upload

Welcome to Scribd!

  • 16 views

    Debrief - 2023 04 25 - 14 38 17

    Uploaded by

    javier bernal
    This document summarizes analytics from a set of cyber operations. It includes statistics on the operations such as names, states, planners and objectives. It also lists the agents used along with their details. Finally, it provides graphical views of the attack path, steps, tactics, techniques and facts discovered during the operations.

    Copyright:

    © All Rights Reserved
    Download as PDF, TXT or read online from Scribd
    Flag for inappropriate content

    You might also like

    Debrief - 2023 04 25 - 14 38 17

    Uploaded by

    javier bernal
    16 views10 pages
    This document summarizes analytics from a set of cyber operations. It includes statistics on the operations such as names, states, planners and objectives. It also lists the agents used along with their details. Finally, it provides graphical views of the attack path, steps, tactics, techniques and facts discovered during the operations.

    Original Description:

    Original Title

    debrief_2023-04-25_14-38-17

    Copyright

    © © All Rights Reserved

    Available Formats

    PDF, TXT or read online from Scribd

    Did you find this document useful?

    Is this content inappropriate?

    Report this Document
    This document summarizes analytics from a set of cyber operations. It includes statistics on the operations such as names, states, planners and objectives. It also lists the agents used along with their details. Finally, it provides graphical views of the attack path, steps, tactics, techniques and facts discovered during the operations.

    Copyright:

    © All Rights Reserved
    Download as PDF, TXT or read online from Scribd
    Flag for inappropriate content
    Download as pdf or txt
    16 views10 pages

    Debrief - 2023 04 25 - 14 38 17

    Uploaded by

    javier bernal
    This document summarizes analytics from a set of cyber operations. It includes statistics on the operations such as names, states, planners and objectives. It also lists the agents used along with their details. Finally, it provides graphical views of the attack path, steps, tactics, techniques and facts discovered during the operations.

    Copyright:

    © All Rights Reserved
    Download as PDF, TXT or read online from Scribd
    Flag for inappropriate content
    Download as pdf or txt
    of 10

    OPERATIONS DEBRIEF

    Generated on 2023-04-25T14:38:17Z

    This document covers the overall campaign analytics made up of the selected set of operations. The
    below sections contain general metadata about the selected operations as well as graphical views of
    the operations, the techniques and tactics used, and the facts discovered by the operations. The
    following sections include a more in depth review of each specific operation ran.

    STATISTICS
    An operation's planner makes up the decision making process. It contains logic for how a running
    operation should make decisions about which abilities to use and in what order. An objective is a
    collection of fact targets, called goals, which can be tied to adversaries. During the course of an
    operation, every time the planner is evaluated, the current objective status is evaluated in light of the
    current knowledge of the operation, with the operation completing should all goals be met.

    Name State Planner Objective Time


    prueba finished atomic default 2023-04-25T14:36:01Z

    AGENTS
    The table below displays information about the agents used. An agent's paw is the unique identifier, or
    paw print, of an agent. Also included are the username of the user who executed the agent, the
    privilege level of the agent process, and the name of the agent executable.

    Paw Host Platform Username Privilege Executable


    uldkmv upa linux root Elevated sandcat.go-linux

    ecamvk upa linux root Elevated sandcat.go-linux

    xibwnb upa linux root Elevated red-ubuntu

    mkawkb WIN-1RE7BLRQC2T windows WIN-1RE7BLRQC2T\Administrado User wserver2008.exe


    r

    dnqiix upa linux root Elevated splunkd

    Page 1
    OPERATIONS DEBRIEF

    ATTACK PATH GRAPH


    This graph displays the attack path of hosts compromised by CALDERA. Source and target hosts are
    connected by the method of execution used to start the agent on the target host.
    Legend

    server

    linux

    upa$root

    C2 Server

    upa$root

    STEPS GRAPH
    This is a graphical display of the agents connected to the command and control (C2), the operations
    run, and the steps of each operation as they relate to the agents.

    C2 Server
    upa$root
    Legend

    server
    prueba
    linux

    operation

    discovery

    upa$root

    Page 2
    OPERATIONS DEBRIEF

    TACTIC GRAPH
    This graph displays the order of tactics executed by the operation. A tactic explains the general
    purpose or the "why" of a step.
    Legend

    operation

    discovery

    prueba

    discovery

    TECHNIQUE GRAPH
    This graph displays the order of techniques executed by the operation. A technique explains the
    technical method or the "how" of a step.
    Legend

    operation

    technique_name

    System Owner/User Discovery


    Account Discovery: Local Account

    Process Discovery
    prueba

    Page 3
    OPERATIONS DEBRIEF

    FACT GRAPH
    This graph displays the facts discovered by the operations run. Facts are attached to the operation
    where they were discovered. Facts are also attached to the facts that led to their discovery. For
    readability, only the first 15 facts discovered in an operation are included in the graph.
    Legend
    domain.user.name
    operation

    fact
    host.user.name

    3 file.sensitive.extension
    1 server.malicious.url
    51 host.user.name
    host.user.name
    1
    3 domain.user.name
    file.sensitive.extension
    4
    1 host.file.path
    server.malicious.url
    host.user.name
    server.malicious.url 51 host.user.name
    file.sensitive.extension
    1
    3 domain.user.name
    file.sensitive.extension
    prueba 4
    1 host.file.path
    server.malicious.url
    file.sensitive.extension host.user.name
    51 host.user.name
    1 domain.user.name
    host.user.name 4host.user.name
    host.file.path

    host.user.name host.user.name

    file.sensitive.extension

    host.user.name
    host.user.name

    TACTICS AND TECHNIQUES


    Tactics Techniques Abilities
    Discovery T1033: System Owner/User Discovery prueba
    T1087.001: Account Discovery: Local Account Identify active user
    T1057: Process Discovery Find local users
    Find user processes

    STEPS IN OPERATION PRUEBA


    The table below shows detailed information about the steps taken in an operation and whether the
    command run discovered any facts.

    Time Status Agent Name Command Facts


    2023-04-25 success xibwnb Identify active whoami Yes
    T14:19:08Z user

    2023-04-25 success dnqiix Identify active whoami Yes


    T14:19:18Z user

    2023-04-25 success xibwnb Find local cut -d: -f1 /etc/passwd | grep -v '_' | grep -v '#' Yes
    T14:19:58Z users

    2023-04-25 success dnqiix Find local cut -d: -f1 /etc/passwd | grep -v '_' | grep -v '#' Yes
    T14:19:54Z users

    Page 4
    OPERATIONS DEBRIEF

    Time Status Agent Name Command Facts


    2023-04-25 success xibwnb Find user ps aux | grep gdm Yes
    T14:20:36Z processes

    2023-04-25 success dnqiix Find user ps aux | grep gdm Yes


    T14:20:51Z processes

    2023-04-25 success xibwnb Find user ps aux | grep gnome-initial-setup No


    T14:21:27Z processes

    2023-04-25 success dnqiix Find user ps aux | grep gnome-initial-setup No


    T14:21:32Z processes

    2023-04-25 success xibwnb Find user ps aux | grep colord No


    T14:22:08Z processes

    2023-04-25 success dnqiix Find user ps aux | grep colord No


    T14:22:07Z processes

    2023-04-25 success xibwnb Find user ps aux | grep hplip No


    T14:23:00Z processes

    2023-04-25 success dnqiix Find user ps aux | grep hplip No


    T14:22:59Z processes

    2023-04-25 success xibwnb Find user ps aux | grep saned No


    T14:23:45Z processes

    2023-04-25 success dnqiix Find user ps aux | grep saned No


    T14:23:43Z processes

    2023-04-25 success xibwnb Find user ps aux | grep geoclue No


    T14:24:20Z processes

    2023-04-25 success dnqiix Find user ps aux | grep geoclue No


    T14:24:36Z processes

    2023-04-25 success xibwnb Find user ps aux | grep speech-dispatcher No


    T14:25:14Z processes

    2023-04-25 success dnqiix Find user ps aux | grep speech-dispatcher No


    T14:25:26Z processes

    2023-04-25 success xibwnb Find user ps aux | grep pulse No


    T14:26:10Z processes

    2023-04-25 success dnqiix Find user ps aux | grep pulse No


    T14:26:14Z processes

    2023-04-25 success xibwnb Find user ps aux | grep nm-openvpn No


    T14:27:05Z processes

    2023-04-25 success dnqiix Find user ps aux | grep nm-openvpn No


    T14:27:04Z processes

    2023-04-25 success xibwnb Find user ps aux | grep cups-pk-helper No


    T14:27:57Z processes

    Page 5
    OPERATIONS DEBRIEF

    Time Status Agent Name Command Facts


    2023-04-25 success dnqiix Find user ps aux | grep cups-pk-helper No
    T14:27:38Z processes

    2023-04-25 success xibwnb Find user ps aux | grep avahi No


    T14:29:02Z processes

    2023-04-25 success dnqiix Find user ps aux | grep avahi No


    T14:28:25Z processes

    2023-04-25 success xibwnb Find user ps aux | grep avahi-autoipd No


    T14:29:59Z processes

    2023-04-25 success dnqiix Find user ps aux | grep avahi-autoipd No


    T14:29:14Z processes

    2023-04-25 success xibwnb Find user ps aux | grep dnsmasq No


    T14:30:34Z processes

    2023-04-25 success dnqiix Find user ps aux | grep dnsmasq No


    T14:30:06Z processes

    2023-04-25 success xibwnb Find user ps aux | grep whoopsie No


    T14:31:29Z processes

    2023-04-25 success dnqiix Find user ps aux | grep whoopsie No


    T14:31:05Z processes

    2023-04-25 success xibwnb Find user ps aux | grep lightdm No


    T14:32:30Z processes

    2023-04-25 success dnqiix Find user ps aux | grep lightdm No


    T14:32:12Z processes

    2023-04-25 success xibwnb Find user ps aux | grep kernoops No


    T14:33:22Z processes

    2023-04-25 success dnqiix Find user ps aux | grep kernoops No


    T14:32:57Z processes

    2023-04-25 success xibwnb Find user ps aux | grep rtkit No


    T14:34:23Z processes

    2023-04-25 success dnqiix Find user ps aux | grep rtkit No


    T14:33:37Z processes

    2023-04-25 success xibwnb Find user ps aux | grep fwupd-refresh No


    T14:35:19Z processes

    2023-04-25 success dnqiix Find user ps aux | grep fwupd-refresh No


    T14:34:54Z processes

    2023-04-25 success xibwnb Find user ps aux | grep lxd No


    T14:35:59Z processes

    2023-04-25 success dnqiix Find user ps aux | grep lxd No


    T14:35:35Z processes

    Page 6
    OPERATIONS DEBRIEF

    FACTS FOUND IN OPERATION PRUEBA


    The table below displays the facts found in the operation, the command run and the agent that found
    the fact. Every fact, by default, gets a score of 1. If a host.user.password fact is important or has a high
    chance of success if used, you may assign it a score of 5. When an ability uses a fact to fill in a
    variable, it will use those with the highest scores first. A fact with a score of 0, is blacklisted - meaning it
    cannot be used in an operation.

    Trait Value Score Source Command Run


    file.sensitive.ext wav 1 ed3..96b No Command (SEEDED)
    ension

    file.sensitive.ext yml 1 ed3..96b No Command (SEEDED)


    ension

    file.sensitive.ext png 1 ed3..96b No Command (SEEDED)


    ension

    server.malicious keyloggedsite.com 1 ed3..96b No Command (SEEDED)


    .url

    host.user.name root 1 xibwnb, whoami


    dnqiix cut -d: -f1 /etc/passwd | grep -v '_' |
    grep -v '#'

    domain.user.na root 1 xibwnb, whoami


    me dnqiix

    host.user.name daemon 1 dnqiix, cut -d: -f1 /etc/passwd | grep -v '_' |


    xibwnb grep -v '#'

    host.user.name bin 1 dnqiix, cut -d: -f1 /etc/passwd | grep -v '_' |


    xibwnb grep -v '#'

    host.user.name sys 1 dnqiix, cut -d: -f1 /etc/passwd | grep -v '_' |


    xibwnb grep -v '#'

    host.user.name sync 1 dnqiix, cut -d: -f1 /etc/passwd | grep -v '_' |


    xibwnb grep -v '#'

    host.user.name games 1 dnqiix, cut -d: -f1 /etc/passwd | grep -v '_' |


    xibwnb grep -v '#'

    host.user.name man 1 dnqiix, cut -d: -f1 /etc/passwd | grep -v '_' |


    xibwnb grep -v '#'

    host.user.name lp 1 dnqiix, cut -d: -f1 /etc/passwd | grep -v '_' |


    xibwnb grep -v '#'

    host.user.name mail 1 dnqiix, cut -d: -f1 /etc/passwd | grep -v '_' |


    xibwnb grep -v '#'

    host.user.name news 1 dnqiix, cut -d: -f1 /etc/passwd | grep -v '_' |


    xibwnb grep -v '#'

    host.user.name uucp 1 dnqiix, cut -d: -f1 /etc/passwd | grep -v '_' |


    xibwnb grep -v '#'

    Page 7
    OPERATIONS DEBRIEF

    Trait Value Score Source Command Run


    host.user.name proxy 1 dnqiix, cut -d: -f1 /etc/passwd | grep -v '_' |
    xibwnb grep -v '#'

    host.user.name www-data 1 dnqiix, cut -d: -f1 /etc/passwd | grep -v '_' |


    xibwnb grep -v '#'

    host.user.name backup 1 dnqiix, cut -d: -f1 /etc/passwd | grep -v '_' |


    xibwnb grep -v '#'

    host.user.name list 1 dnqiix, cut -d: -f1 /etc/passwd | grep -v '_' |


    xibwnb grep -v '#'

    host.user.name irc 1 dnqiix, cut -d: -f1 /etc/passwd | grep -v '_' |


    xibwnb grep -v '#'

    host.user.name gnats 1 dnqiix, cut -d: -f1 /etc/passwd | grep -v '_' |


    xibwnb grep -v '#'

    host.user.name nobody 1 dnqiix, cut -d: -f1 /etc/passwd | grep -v '_' |


    xibwnb grep -v '#'

    host.user.name systemd-network 1 dnqiix, cut -d: -f1 /etc/passwd | grep -v '_' |


    xibwnb grep -v '#'

    host.user.name systemd-resolve 1 dnqiix, cut -d: -f1 /etc/passwd | grep -v '_' |


    xibwnb grep -v '#'

    host.user.name systemd-timesync 1 dnqiix, cut -d: -f1 /etc/passwd | grep -v '_' |


    xibwnb grep -v '#'

    host.user.name messagebus 1 dnqiix, cut -d: -f1 /etc/passwd | grep -v '_' |


    xibwnb grep -v '#'

    host.user.name syslog 1 dnqiix, cut -d: -f1 /etc/passwd | grep -v '_' |


    xibwnb grep -v '#'

    host.user.name tss 1 dnqiix, cut -d: -f1 /etc/passwd | grep -v '_' |


    xibwnb grep -v '#'

    host.user.name uuidd 1 dnqiix, cut -d: -f1 /etc/passwd | grep -v '_' |


    xibwnb grep -v '#'

    host.user.name tcpdump 1 dnqiix, cut -d: -f1 /etc/passwd | grep -v '_' |


    xibwnb grep -v '#'

    host.user.name landscape 1 dnqiix, cut -d: -f1 /etc/passwd | grep -v '_' |


    xibwnb grep -v '#'

    host.user.name pollinate 1 dnqiix, cut -d: -f1 /etc/passwd | grep -v '_' |


    xibwnb grep -v '#'

    host.user.name usbmux 1 dnqiix, cut -d: -f1 /etc/passwd | grep -v '_' |


    xibwnb grep -v '#'

    host.user.name sshd 1 dnqiix, cut -d: -f1 /etc/passwd | grep -v '_' |


    xibwnb grep -v '#'

    Page 8
    OPERATIONS DEBRIEF

    Trait Value Score Source Command Run


    host.user.name systemd-coredump 1 dnqiix, cut -d: -f1 /etc/passwd | grep -v '_' |
    xibwnb grep -v '#'

    host.user.name upa 1 dnqiix, cut -d: -f1 /etc/passwd | grep -v '_' |


    xibwnb grep -v '#'

    host.user.name lxd 1 dnqiix, cut -d: -f1 /etc/passwd | grep -v '_' |


    xibwnb grep -v '#'

    host.user.name fwupd-refresh 1 dnqiix, cut -d: -f1 /etc/passwd | grep -v '_' |


    xibwnb grep -v '#'

    host.user.name rtkit 1 dnqiix, cut -d: -f1 /etc/passwd | grep -v '_' |


    xibwnb grep -v '#'

    host.user.name kernoops 1 dnqiix, cut -d: -f1 /etc/passwd | grep -v '_' |


    xibwnb grep -v '#'

    host.user.name lightdm 1 dnqiix, cut -d: -f1 /etc/passwd | grep -v '_' |


    xibwnb grep -v '#'

    host.user.name whoopsie 1 dnqiix, cut -d: -f1 /etc/passwd | grep -v '_' |


    xibwnb grep -v '#'

    host.user.name dnsmasq 1 dnqiix, cut -d: -f1 /etc/passwd | grep -v '_' |


    xibwnb grep -v '#'

    host.user.name avahi-autoipd 1 dnqiix, cut -d: -f1 /etc/passwd | grep -v '_' |


    xibwnb grep -v '#'

    host.user.name avahi 1 dnqiix, cut -d: -f1 /etc/passwd | grep -v '_' |


    xibwnb grep -v '#'

    host.user.name cups-pk-helper 1 dnqiix, cut -d: -f1 /etc/passwd | grep -v '_' |


    xibwnb grep -v '#'

    host.user.name nm-openvpn 1 dnqiix, cut -d: -f1 /etc/passwd | grep -v '_' |


    xibwnb grep -v '#'

    host.user.name pulse 1 dnqiix, cut -d: -f1 /etc/passwd | grep -v '_' |


    xibwnb grep -v '#'

    host.user.name speech-dispatcher 1 dnqiix, cut -d: -f1 /etc/passwd | grep -v '_' |


    xibwnb grep -v '#'

    host.user.name geoclue 1 dnqiix, cut -d: -f1 /etc/passwd | grep -v '_' |


    xibwnb grep -v '#'

    host.user.name saned 1 dnqiix, cut -d: -f1 /etc/passwd | grep -v '_' |


    xibwnb grep -v '#'

    host.user.name hplip 1 dnqiix, cut -d: -f1 /etc/passwd | grep -v '_' |


    xibwnb grep -v '#'

    host.user.name colord 1 dnqiix, cut -d: -f1 /etc/passwd | grep -v '_' |


    xibwnb grep -v '#'

    Page 9
    OPERATIONS DEBRIEF

    Trait Value Score Source Command Run


    host.user.name gnome-initial-setup 1 dnqiix, cut -d: -f1 /etc/passwd | grep -v '_' |
    xibwnb grep -v '#'

    host.user.name gdm 1 dnqiix, cut -d: -f1 /etc/passwd | grep -v '_' |


    xibwnb grep -v '#'

    host.file.path /usr/bin/dbus-daemon --config-file=/usr 1 xibwnb, ps aux | grep gdm


    /share/defaults/at-spi2/accessibility.con dnqiix
    f

    host.file.path /usr/bin/Xwayland :1024 -rootless 1 xibwnb ps aux | grep gdm


    -noreset -accessx -core -auth /run/user
    /130/.mutter-Xwaylandauth.VG0Z31

    host.file.path /usr/bin/gjs /usr/share/gnome-shell/org. 1 xibwnb, ps aux | grep gdm


    gnome.Shell.Notifications dnqiix

    host.file.path /usr/bin/Xwayland :1024 -rootless 1 dnqiix ps aux | grep gdm


    -noreset -accessx -core -auth /run/user
    /130/.mutter-Xwaylandauth.P26W31

    Page 10

    You might also like