Hi there
Can someone please explain how the dependencies for an ability are resolved before an ability is run by Caldera? (As discussed in mitre/atomic#33)
For example,...
Dump LSASS.exe Memory using ProcDump
Has a dependency that ProcDump is installed in PathToAtomicsFolder\T1003.001\bin\procdump.exe, does the ability check to see if the dependency is met before running (which it doesn't look like it is) and if it isn't and you are required to run the dependency PowerShell to download the script externally, which directory should this be run from so it is in the path of the SANDCAT agent?
Since SANDCAT looks like it is installing in C:\Users\Public, is that where you should be running the prerequisite script from? It doesn't appear to be the case, and the relative path issue is really throwing me getting this ability to work.