Oilrig: controlServer/agent unreliable #7

Open
arty-hlr opened this issue Sep 19, 2024 · 2 comments

@arty-hlr

Hi,

We have been using the Oilrig scenario for a few months now, and have noticed that some of our runs fail because the controlServer/agent is unreliable. In the most recent example, the upload of plink did not go through:

Command: ./evalsC2client.py --set-task goMM '102 c:\users\public\downloads\plink.exe|plink.exe'

Log output:

+------+------------+----------+------+-----+-----+------+
| GUID | IP ADDRESS | HOSTNAME | USER | CWD | PID | PPID |
+------+------------+----------+------+-----+-----+------+
| goMM |            |          |      |     |   0 |    0 |
+------+------------+----------+------+-----+-----+------+
   [INFO] 2024/09/10 15:34:26 Received SetTask request
[SUCCESS] 2024/09/10 15:34:26 Successfully set task
   [INFO] 2024/09/10 15:36:26 Received SetTask request
[SUCCESS] 2024/09/10 15:36:26 Successfully set task

As you can see, it shows "Successfully set task" and "Received SetTask request", but no task output.

It is not the first time that this has happened; it also happened on the download of fsociety.dat: ./evalsC2client.py --set-task $implant_id '103 C:\Users\gosta\AppData\Roaming\fsociety.dat', which never worked for us for some reason.

We cannot reproduce it reliably either; it just sometimes happens, which is annoying on an automated run.

Could you look into this? Maybe there is a bug in the implementation of the control server or the agent?

@arty-hlr
Author

See this issue on the other repo: center-for-threat-informed-defense/adversary_emulation_library#159

@mchan143
Contributor

mchan143 commented Feb 6, 2025

Hi @arty-hlr, thank you for your patience with regard to this issue. When this error occurs, can you confirm that the SideTwist process is running on the victim machine? The unresponsive agent behavior seems indicative of the process not running despite initially registering.
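
For automated runs, the symptom reported in this thread (a task acknowledged with "Successfully set task" and then nothing) can be flagged directly from the control server log. The following is an added example, not part of the thread or the project's code; the function names, the 60-second timeout, and the rule that any non-SetTask log line counts as agent activity are assumptions.

```python
import re
from datetime import datetime, timedelta

# Line shape copied from the log in this issue: "[LEVEL] YYYY/MM/DD HH:MM:SS message"
LINE_RE = re.compile(r"^\s*\[([A-Z]+)\]\s+(\d{4}/\d\d/\d\d \d\d:\d\d:\d\d)\s+(.*)$")
TASK_SET = "Successfully set task"
SETTASK_ONLY = {"Received SetTask request", TASK_SET}

# Log lines quoted from the issue (table rows are skipped by the parser).
ISSUE_LOG = """\
| goMM |            |          |      |     |   0 |    0 |
+------+------------+----------+------+-----+-----+------+
   [INFO] 2024/09/10 15:34:26 Received SetTask request
[SUCCESS] 2024/09/10 15:34:26 Successfully set task
   [INFO] 2024/09/10 15:36:26 Received SetTask request
[SUCCESS] 2024/09/10 15:36:26 Successfully set task
"""

# Constructed sample: the third line is a placeholder, not real server output.
HEALTHY_LOG = """\
   [INFO] 2024/09/10 15:34:26 Received SetTask request
[SUCCESS] 2024/09/10 15:34:26 Successfully set task
   [INFO] 2024/09/10 15:34:41 (constructed placeholder for any agent activity)
"""

def parse(log_text):
    """Return [(timestamp, message)] for well-formed log lines only."""
    out = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            out.append((datetime.strptime(m.group(2), "%Y/%m/%d %H:%M:%S"), m.group(3).strip()))
    return out

def stalled_tasks(log_text, timeout_s=60, now=None):
    """Timestamps of tasks that were set but saw no other log activity
    within timeout_s. Assumption: any non-SetTask line counts as activity."""
    events = parse(log_text)
    if not events:
        return []
    end = now or events[-1][0]
    stalled = []
    for i, (ts, msg) in enumerate(events):
        deadline = ts + timedelta(seconds=timeout_s)
        if msg != TASK_SET or end < deadline:
            continue  # not a task, or its timeout has not elapsed yet
        if not any(t <= deadline and m not in SETTASK_ONLY for t, m in events[i + 1:]):
            stalled.append(ts)
    return stalled
```

A non-empty result is the point at which to check on the target host whether the agent process is still running, as asked above.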

mchan143 self-assigned this Feb 6, 2025