I don't understand why my operation freezes/does not work. #2643
Replies: 6 comments
@clenk Sorry for the duplicate image, here is the correct one: I tried to edit the ability to remove the parser and requirement. It now no longer reports the need for the remote.host.fqdn. Ran the operation again, and I now get this error on this command. I do also see that caldera now tries to view the shares of every IP address found in the ARP table, including the already hacked Windows machine. This gets a little further, with a successful copying of the sandcat, but doesn't bother with the last command due to the agent becoming untrusted (I am not sure why this happens). I have attached the full report.
The "Access is denied" error suggests that maybe the agent needs to be run as administrator. One thing you could try for the agent going untrusted is to modify the agent settings (see documentation), like increasing the untrusted timer.
I have tried this and the result is still the same. Is there a step by step walkthrough of setting up a Windows Worm scenario?
No, not at this time. Are you able to run other adversary profiles, such as the
I have run the check advisory command and I get this output. Looks like it went to completion and failed the last task due to no executor.
Hello, I am trying to run a modified version of the default Windows worm operation. I am trying to use the worm to laterally move across my network of two Windows 10 Home VMs. The Windows VMs have no domain name, they just use IP addresses. This meant I could remove the nslookup part of the operation.
I tried to remove the requirement for the remote.host.fqdn on the Copy 54ndc7 (SMB) ability by editing the command run, but it still reports that it requires this var.
It is assumed that a caldera shell has started in the first Windows machine.
[Windows_Worm_IPAddress_only.txt](https://github.com/mitre/caldera/files/9353481/Windows_Worm_IPAddress_only.txt)
debrief_2022-08-16_19-20-11.txt
The adversary:
The view remote share command works/is successful, returns:
The fact sources:
The command that either does not get executed, or gets stuck:
Do note the change from remote.host.fqdn to remote.host.ip
The operation ends with no error message after the successful parsing of shares from the ARP table lookup
This is my first operation so please let me know what I've done wrong, I would love to learn.
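A small checker for the situation described in this post, added here as an illustration and not part of the original thread or of Caldera itself: it compares the `#{fact}` placeholders still used by an ability's executor commands against the facts its `requirements` entries demand, so a requirement left pointing at `remote.host.fqdn` after the command was switched to `remote.host.ip` shows up as stale. The ability layout (`platforms` -> executor -> `command`, requirement entries with `source`/`target` keys) is assumed from Caldera's stockpile format; the sample ability is constructed.

```python
import re
from typing import Dict, List, Set

# Caldera substitutes facts into commands using the #{fact.name} syntax.
FACT_REF = re.compile(r"#\{([A-Za-z0-9_.]+)\}")


def facts_in_command(command: str) -> Set[str]:
    """Return every #{fact.name} placeholder referenced by an executor command."""
    return set(FACT_REF.findall(command))


def facts_in_requirements(requirements: List[Dict]) -> Set[str]:
    """Collect fact names that requirement entries refer to.

    Assumed layout: each entry is {module_name: [ {source: ..., target: ...}, ... ]}.
    """
    found: Set[str] = set()
    for req in requirements:
        for entries in req.values():
            for entry in entries:
                for key in ("source", "target"):
                    if key in entry:
                        found.add(entry[key])
    return found


def stale_requirements(ability: Dict) -> Set[str]:
    """Facts a requirement still demands although no executor command uses them."""
    used: Set[str] = set()
    for executors in ability.get("platforms", {}).values():
        for executor in executors.values():
            used |= facts_in_command(executor.get("command", ""))
    return facts_in_requirements(ability.get("requirements", [])) - used


# Constructed sample: the command was edited to use remote.host.ip, but the
# requirement block still names remote.host.fqdn, so the planner keeps waiting.
EDITED_ABILITY = {
    "name": "Copy 54ndc7 (SMB) - hypothetical edited copy",
    "platforms": {"windows": {"psh": {
        "command": "Copy-Item sandcat.exe \\\\#{remote.host.ip}\\C$\\Users\\Public\\"
    }}},
    "requirements": [
        {"plugins.stockpile.app.requirements.paw_provenance": [
            {"source": "remote.host.fqdn"}]},
    ],
}
```

Running `stale_requirements(EDITED_ABILITY)` reports `remote.host.fqdn`; once the requirement's `source` is changed to `remote.host.ip` as well, the set is empty.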