Skip to content

fix: Defense Evasion Adversary Abilities id#593

Open
HackedRico wants to merge 1 commit into
mitre:masterfrom
HackedRico:fix-adversary-abilities-uuid
Open

fix: Defense Evasion Adversary Abilities id#593
HackedRico wants to merge 1 commit into
mitre:masterfrom
HackedRico:fix-adversary-abilities-uuid

Conversation

@HackedRico

@HackedRico HackedRico commented Nov 10, 2025

Copy link
Copy Markdown

Description

  • Found correct uuids for adversary and its associated abilities based on commented ability names.

Warnings:

image

Disable iptables:

  • Correct ID should be 76f6af088510618953265cefe9bb54e0
image

Execute a process from a directory masquerading as the current parent directory:

  • Correct ID should be bef247bd0ac9b48f33f893fc937448cc
image

Type of change

  • Bug fix (non-breaking change which fixes an issue)

How Has This Been Tested?

  • Built Caldera with Stockpile plugin where abilities were found.
image

Checklist:

  • My code follows the style guidelines of this project
  • I have performed a self-review of my own code

@HackedRico
fix: Defense Evasion Adversary Abilities uuid
6624693 
* found correct uuids for adversary and its associated abilities
@uruwhy

uruwhy commented Jan 2, 2026

Copy link
Copy Markdown
Contributor

these abilities are coming from atomic, correct?

@HackedRico

HackedRico commented Jan 2, 2026

Copy link
Copy Markdown
Author

Yes, these abilities are from the Atomic Plugin

@uruwhy

uruwhy commented Jan 5, 2026

Copy link
Copy Markdown
Contributor

So this is actually related to this PR/issue: mitre/atomic#45 where it may be ideal to switch to using the UUIDs provided by the underlying atomic tests that the abilities are derived from. We still need to finish discussing how we want to handle the ability IDs to maintain backwards compatibility

@deacon-mp deacon-mp requested a review from Copilot March 16, 2026 04:07
Copilot AI reviewed Mar 16, 2026
View reviewed changes

Copilot AI left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

Updates the Defense Evasion adversary definition to reference the correct ability IDs, resolving missing/incorrect ability mappings during build/runtime validation.

Changes:

  • Replaced the (previously incorrect) ability ID for “Linux Disable iptables”.
  • Replaced the (previously incorrect) ability ID for “Linux/Mac Execute a process from a directory masquerading as the current parent directory.”

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

@github-actions

github-actions Bot commented May 16, 2026

Copy link
Copy Markdown

This pull request is stale because it has had no activity for 60 days. Remove the stale label or comment or this will be closed in 60 days

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

Copilot code review Copilot Copilot left review comments

At least 1 approving review is required to merge this pull request.

Assignees

No one assigned

Labels

no-pr-activity

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

3 participants

@HackedRico @uruwhy