Missing payloads in Caldera 5.0.0
I have followed the instructions and, as some people have reported, Caldera 5.0.0 is missing the payloads for m64, rubeus.exe, ryuk.exe and dumpWebBrowserCreds.exe.
I can't find any reference to these downloads in the download_payloads.sh script.
When Caldera is started it complains about the missing payloads:
```
2024-12-10 06:11:58 WARNING Payload referenced in data_svc.py:469 3de63509-4171-488f-8938-ce346677a5a6 but not found: rubeus.exe
2024-12-10 06:12:07 WARNING Payload referenced in data_svc.py:469 f96e8195-8b0f-4b87-bdce-748dfda2861f but not found: m64.exe
WARNING Payload referenced in data_svc.py:469 98279c81-d5a0-4ec4-9d40-a6e87d1f9bd2 but not found: m64.exe
WARNING Missing required field in data_svc.py:458 ability 690e889f-5844-473e-98c5-c90c9f1772dc: description
2024-12-10 06:12:08 WARNING Payload referenced in data_svc.py:469 b8ad9654-80a1-4fde-b2d4-c0de7648621c but not found: ryuk.exe
WARNING Payload referenced in data_svc.py:469 9a438a2a-c95b-4fd2-a29f-8b1250fc3adc but not found: dumpWebBrowserCreds.exe
```
I find many references in the GitHub issues to those missing payloads since 2021. I have tried to locate samples of those payloads on the Internet. I.e.: I have downloaded rubeus.exe from here https://github.com/r3motecontrol/Ghostpack-CompiledBinaries/blob/master/Rubeus.exe and it doesn't complain about that missing package. Where can I find the other 3 missing ones?
Anyone? Maybe @elegantmoose can give me an answer? This is between a question and a bug.
Hello! Thanks for posting the link for Rubeus. Isn't m64.exe another name for mimikatz.exe? After reading the OilRig adversary documentation, I think mimikatz is somehow renamed as m64.exe or m.exe, but I could be wrong. If so, then I am only left to cover these warnings:
```
2025-01-09 00:57:38 WARNING Could not find payload dumpWebBrowserCreds.exe within emu_svc.py:320 plugins/emu/data/adversary-emulation-plans.
WARNING Could not find payload ryuk.exe within emu_svc.py:320 plugins/emu/data/adversary-emulation-plans.
```
FYI, I submitted a PR to fix the m64.exe warning. To address the others, the following command should decrypt the other files you are having issues with:
```
python3 ./plugins/emu/data/adversary-emulation-plans/sandworm/Resources/utilities/crypt_executables.py -i ./ -p malware --decrypt
```
Run this after you run ./plugins/emu/download_payloads.sh.
I just merged @endiz's PR. Let me know if you are still having problems.
I have just installed Caldera 5.3.0 and the EMU plugin. Can't the code from @endiz be merged into download_payloads.sh? Otherwise it should be stated somewhere in the documentation that this script should be run after download_payloads.sh.
Thanks!