How to Create Endpoint Host CLI Custom Actions

This post is a short explanation of some of the parameters in the MSV Custom Actions Editor. For an advanced use case, please refer to this excellent post by @TomAtGoogle: https://www.googlecloudcommunity.com/gc/Security-Validation/Advanced-Host-CLI-Usage/m-p/770623#M118

The simplest way is to pick a similar endpoint action from Library > Actions > Filter by Endpoint and click Clone on the far right side.

We will pick this action, Host CLI - Workstation User Enumeration - VIDA104-205, as an example. In the "HOST CLI" section of the action details you will see:
dir C:\Users
Attack successful if zero exit

Cloning this action starts the custom actions wizard and creates a placeholder for a custom action. Custom action VIDs start with VID200. The options available are:

  • Action User Profile: Selects the user account this action will run as.
  • Require Interactive Session: Always No for Host-CLI actions. Check https://docs.mandiant.com/home/msv-supported-actions-for-run-as-user for reference.
  • Monitor Outbound Connections: Set this option to "Yes" for intrusive actions, as this limits the action execution to Protected Actors. It should be set to "No" for benign actions, as in our case here.

The next screen shows the shell (cmd or powershell for Windows actors, bash for Linux, and a Python interpreter) action syntax in the MSV Action Editor. The help for the syntax is available at https://app.validation.mandiant.com/manage_sims/actions/host_cli_help_info . The action edited here is a single-command action, but in general an action can consist of multiple commands.

dir C:\Users
  auto,4,true,60
  success_zero

This is the command syntax template:

<command>
    <prompt_regex>,<sleep_seconds>,<check_logs_boolean>,<max_timeout_seconds>
    <condition>:<conditional_value>

Before we go through the different parameters, we clarify the difference between two key concepts:

  • Action Exit Code: This is the OS return value when you execute an action. For example, if an action is executed without any syntax errors, the return code is 0, indicating success. Commands with syntax errors could return any generic non-zero exit code. Windows Access Denied execution will return exit code 2.
  • Action MSV Status: Could be one of Timeout, Success, Block, Incompatible or Error. These are the conditions defined in the MSV context to determine whether an action is "Blocked", "Allowed" (i.e. "Success") or any of the other values. This is a separate concept from the OS exit code and depends on your action definition.
  • The Action Exit Code could be 0 for a successful command execution, for example a ping command, but the Action MSV Status could be "Blocked" if the ping does not return any reply because of a transparent host firewall. So a successful OS action execution (Exit Code = 0) does not necessarily mean the action is "Allowed" in the MSV context.

Here is a brief description of the action parameters:

  • Command: The cmd command to be executed by the shell, "dir C:\Users".
  • Prompt Regex: Defaults to "auto", meaning match anything. The prompt shown after executing the command is checked against this regex to decide whether the command completed and the next command should be executed. This matters when a command switches to a different prompt. For example, Mimikatz, once run, changes the prompt to "Mimikatz #", and similarly Metasploit turns the prompt into "msf6", so in these cases the prompt regex should be set to "Mimikatz #" and "msf6" respectively.
  • Sleep Seconds: How long the engine waits before executing any follow-up actions or checking the local endpoint logs (such as Windows Security logs, or CrowdStrike endpoint logs in the local Windows event channels).
  • Check Logs Boolean: Usually set to "true" if you need the engine to check the local logs.
  • Max Timeout Seconds: The maximum time the engine waits for command output. Some actions, like user enumeration in large organizations, can take up to a few minutes before the command line returns any results. If the time needed to get the command results is greater than the max timeout, the action fails with a timeout.
  • Condition: Sets the condition the engine evaluates to determine whether the action is blocked or allowed.
    • success_zero: Action is "Allowed" if the OS return value (exit code) = 0, indicating successful execution (the action was executed successfully by the OS, regardless of the returned results). For example, a reboot action usually won't return any strings if executed successfully, and the OS return value = 0.
    • success_match: Action is "Allowed" if the returned results match a regex. For example, a "disable host firewall" action, if executed successfully, can return either a message like "Firewall disabled" or "Access Denied". Both have OS return value = 0, but only the returned message indicates the outcome of the event.
    • blocked_nonzero: Action is "Blocked" if the OS return value is non-zero.
    • error_match: Similar to success_match, but this changes the action status to "Error" if the results regex matches.
    • Cleanup: A follow-up action that cleans up the execution results of the previous actions. For example, if an action created files, changed registry keys or modified a configuration, cleanup actions are required to undo all of these changes. Cleanup actions are the last series of commands in a custom Host CLI action.
  • Conditional Value: The regex checked against the command results. Used only for the "*_match" condition types.

In the example above, the actor executes "dir C:\Users" in the Windows CMD shell. The actor engine proceeds directly to run any subsequent actions (none in this example) because of the "auto" prompt regex. It then waits 4 seconds and checks for any Windows local OS logs and sends them to the director, because of the "4,true" values. It waits at most 60 seconds for the OS to return the results, otherwise the action returns a "Timeout". The action is considered "Success" if the OS exit code is 0 (i.e. the OS did not return any syntax or permission errors). The engine does not check for any values in C:\Users; simply executing the action successfully, even with no results returned, marks it as "Success".
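To make the exit code vs. MSV status distinction concrete, here is an added example (not MSV's own code) that parses the three-line syntax template above and evaluates the condition types described in this post. The evaluate() logic is a simplified, assumed model of the engine: the non-matching branches of success_match/error_match and the non-zero branch of success_zero are labelled assumptions, and the firewall command string is a constructed placeholder.

```python
import re
from dataclasses import dataclass

# Model of the Host CLI template from the post:
#   <command>
#       <prompt_regex>,<sleep_seconds>,<check_logs_boolean>,<max_timeout_seconds>
#       <condition>:<conditional_value>
@dataclass
class HostCliStep:
    command: str
    prompt_regex: str
    sleep_seconds: int
    check_logs: bool
    max_timeout: int
    condition: str
    conditional_value: str = ""

def parse_step(text: str) -> HostCliStep:
    """Parse one single-command action block into its parameters."""
    lines = [ln.strip() for ln in text.strip().splitlines() if ln.strip()]
    if len(lines) != 3:
        raise ValueError("expected command, parameter line and condition line")
    prompt, sleep, logs, timeout = (p.strip() for p in lines[1].split(","))
    cond, _, value = lines[2].partition(":")  # value is empty for success_zero
    return HostCliStep(lines[0], prompt, int(sleep), logs.lower() == "true",
                       int(timeout), cond.strip(), value.strip())

def evaluate(step: HostCliStep, exit_code: int, output: str, elapsed: int) -> str:
    """Assumed, simplified engine: map OS result to an MSV status string."""
    if elapsed > step.max_timeout:            # post: exceeding max timeout -> Timeout
        return "Timeout"
    if step.condition == "success_zero":      # exit code decides, output ignored
        return "Success" if exit_code == 0 else "Blocked"   # non-zero -> assumed Blocked
    if step.condition == "blocked_nonzero":
        return "Blocked" if exit_code != 0 else "Success"
    if step.condition == "success_match":     # output decides, exit code ignored
        return "Success" if re.search(step.conditional_value, output) else "Blocked"
    if step.condition == "error_match":
        return "Error" if re.search(step.conditional_value, output) else "Success"
    raise ValueError(f"unknown condition {step.condition!r}")

# Constructed inputs: the post's example and a success_match firewall action.
DIR_ACTION = "dir C:\\Users\n  auto,4,true,60\n  success_zero"
FW_ACTION = "disable-firewall-placeholder\n  auto,2,true,30\n  success_match:Firewall disabled"

if __name__ == "__main__":
    step = parse_step(DIR_ACTION)
    print(evaluate(step, 0, "", 1))                      # Success
    fw = parse_step(FW_ACTION)
    print(evaluate(fw, 0, "Access Denied", 1))           # Blocked despite exit 0
```

The last call is the point of the post: the firewall command exits 0 either way, so only a success_match on the returned message tells "Firewall disabled" apart from "Access Denied".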
