Inject in pending state

[RomuDeuxfois]

Description

We still have some inject in pending state:

• Basic Permission Groups Discovery Windows (Domain)
  https://testing.obas.staging.filigran.io/admin/exercises/98272e68-f3bd-4bce-8e21-af9b0ad14942/injects/2c6f0b96-2c9b-4b9b-b33e-e72a7147e982

• System Information Discovery
  https://testing.obas.staging.filigran.io/admin/exercises/e0ad8d49-0eea-481f-b6a2-604ef4bc0e94/injects/bc3924d9-7609-4544-8d84-60ada1f84f51

• Data Encrypt Using DiskCryptor

[isselparra]

Analysis (so far)

Basic Permission Groups Discovery Windows (Domain)
I executed this Payload as an Atomic Testing twice and there seems no problem here (status MAYBE_PREVENTED)
https://testing.obas.staging.filigran.io/admin/atomic_testings/40c27754-5f86-49ea-a523-fd11c89db972
https://testing.obas.staging.filigran.io/admin/atomic_testings/05916618-b8c9-4574-a15e-0e5bf66dc7ba

I lanched two simulations with this Payload and two other ones from the original simulation

• Execution1:

  • https://testing.obas.staging.filigran.io/admin/simulations/5bdb4a93-c61d-4025-986e-3ea561cf3824
  • Payload executed with MAYBE_PREVENTED status
  • Simulation not yet finished since a payload is still in DRAFT (Windows - Delete Volume Shadow Copies via WMI with PowerShell)

• Execution2:

  • https://testing.obas.staging.filigran.io/admin/simulations/27e41da9-ee5f-4fca-b563-15d6a5ca4661
  • Payload executed with MAYBE_PREVENTED status
  • Same problem as with the Execution1, simulation not yet finished since a payload is still in DRAFT (Windows - Delete Volume Shadow Copies via WMI with PowerShell)

The attack command seems quite simple

net localgroup
net group /domain
net group "enterprise admins" /domain
net group "domain admins" /domain

System Information Discovery
I executed this Payload as an Atomic Testing twice and both have the INJECT_EXECUTED status so no problem here
https://testing.obas.staging.filigran.io/admin/atomic_testings/e513d745-24d5-4ab5-b72b-65301f51e942
https://testing.obas.staging.filigran.io/admin/atomic_testings/0f468d53-53c0-4177-bb8f-475b73873d67

I lanched two simulations with this Payload and two other ones from the original simulation

• Execution1:

  • https://testing.obas.staging.filigran.io/admin/simulations/b4fcd749-e180-4421-8aee-4c5c63bc346f
  • Payload executed with INJECT_EXECUTED status
  • The Simulation was FINISHED

• Execution2:

  • https://testing.obas.staging.filigran.io/admin/simulations/5164ad3c-f4f0-41dc-aed3-ec671bf7c51
  • Payload executed with INJECT_EXECUTED status
  • The Simulation was FINISHED

The attack command seems simple

systeminfo
reg query HKLM\SYSTEM\CurrentControlSet\Services\Disk\Enum

[RomuDeuxfois]

Can you create a simulation with these two injects which have the same trigger date?
Maybe this is because the two injects are played at the same time.

[isselparra]

I launched a simulation with these two payloads:

• Basic Permission Groups Discovery Windows (Domain)
• System Information Discovery
• https://testing.obas.staging.filigran.io/admin/simulations/c0427db1-b93a-4f13-acd4-f44715894211
• The simulation is now FINISHED

Both were processed:

• Basic Permission Groups Discovery Windows (Domain) => Status MAYBE_PREVENTED
• System Information Discovery => Status INJECT_EXECUTED

[isselparra]

Same result after both Injects launched at the same time, two minutes later

https://testing.obas.staging.filigran.io/admin/simulations/307ebde3-0d96-4777-8877-97ed12e5078c

Both were processed:
Basic Permission Groups Discovery Windows (Domain) => Status MAYBE_PREVENTED
System Information Discovery => Status INJECT_EXECUTED

[isselparra]

Even when we have a Simulation with a few Injects, an Inject could still be on pending or on draft

For example:
I created a Simulation with three Injects

• Basic Permission Groups Discovery Windows (Domain)
• Basic Permission Groups Discovery Windows (Local)
• Windows - Delete Volume Shadow Copies via WMI with PowerShell

Execution 1:
This Simulation is still on going since there is an Inject still on draft
https://testing.obas.staging.filigran.io/admin/simulations/5bdb4a93-c61d-4025-986e-3ea561cf3824

• Basic Permission Groups Discovery Windows (Domain) => Status MAYBE_PREVENTED
• Basic Permission Groups Discovery Windows (Local) => Status INJECT_EXECUTED
• Windows - Delete Volume Shadow Copies via WMI with PowerShell => Status DRAFT

Execution 2:
The Simulation is now FINISHED
Note that the Inject Windows - Delete Volume Shadow Copies via WMI with PowerShell took 30 minutes longer to be executed compared with the other two Injects
https://testing.obas.staging.filigran.io/admin/simulations/27e41da9-ee5f-4fca-b563-15d6a5ca4661

• Basic Permission Groups Discovery Windows (Domain) => Status MAYBE_PREVENTED
• Basic Permission Groups Discovery Windows (Local) => Status INJECT_EXECUTED
• Windows - Delete Volume Shadow Copies via WMI with PowerShell => Status INJECT_EXECUTED

---

We may have an idempotence problem: even if we launch two Simulations with the same Injects, we are not sure that we are going to obtain the same results.

We need to analyse more deeply the issue we are seeing with these Injects.

[RomuDeuxfois]

For the pending inject, I think the problem come from the implant.
If the implant has fail to report result, the inject status still in PENDING.
We should have a garbage collector to handle this case (with a timeout).

[EllynBsc]

Hello @RomuDeuxfois @isselparra 👋

What's the status of this issue ? Is it on pause ?

[RomuDeuxfois]

We were waiting for developments on the implant side.
Now that they have been done, we can resume investigating this bug.

[damgouj]

The 2 first payloads work thanks to other issues (the "MAYBE_PREVENTED" one is because we have some restrictions when we try to discover the domain)

The last payload "Data Encrypt Using DiskCryptor" is "PARTIAL" because it executes a background process and has no response. It will be fixed with the issue #1860

[EllynBsc]

Thank you @damgouj for the follow up! 🚀