Conversation

@byt3loss
Brief description

When running an Adversary Ability with a custom PowerShell command, the command runs successfully, but the Ability status is incorrectly set to "failed." This issue is caused by a logic problem in the atomic_powershell.py module.

Details:

  • The module checks for the presence of the header FullyQualifiedErrorId in the response, but the logic is flawed.
  • The module's logic involves splitting the FullyQualifiedErrorId string into individual letters and checking each letter against the headers.

Description in depth

Ability output.

[screenshot: Ability output]

The following is the Caldera output.

[screenshot: Caldera output]

This problem is caused by the module atomic_powershell.py which, from what I understand, should check if the header FullyQualifiedErrorId is present.

A list called checked_flags is declared that splits the 'FullyQualifiedErrorId' string letter by letter.

checked_flags = list('FullyQualifiedErrorId')

The function parse, in the same module, is meant to check the response headers.
The code checks every header (blob variable) against every single letter contained in the checked_flags list. If the letter is present in the header string, it throws the error shown above. The following is the code snippet that causes the error.

def parse(self, blob):
    # for every header (blob string is split by newline)
    for ex_line in self.line(blob):
        if any(x in ex_line for x in self.checked_flags):
            # ...
            log.warning('This ability failed for some reason. Manually updating the link to report a failed state.')

Proposed Fix

The issue with the checked_flags variable is addressed by changing the line:

checked_flags = list('FullyQualifiedErrorId')

to:

checked_flags = ['FullyQualifiedErrorId']
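The false positive described above, reproduced as an added example that is not part of this PR or of Caldera's atomic_powershell.py. It keeps the module's `any(x in ex_line for x in checked_flags)` test and only swaps the contents of checked_flags between the buggy and the fixed initialisation; the per-line split is assumed to behave like `str.splitlines()`, and both PowerShell outputs are constructed samples.

```python
# Added example, not Caldera's own code: shows why list('FullyQualifiedErrorId')
# flags ordinary PowerShell output as a failure and why the one-element list fixes it.

# Buggy initialisation: 21 single characters, so any line containing an
# 'F', 'u', 'l', 'y', 'Q', 'a', 'i', 'f', 'e', 'd', 'E', 'r', 'o' or 'I' matches.
CHECKED_FLAGS_BUGGY = list('FullyQualifiedErrorId')

# Proposed fix: a one-element list holding the complete header name.
CHECKED_FLAGS_FIXED = ['FullyQualifiedErrorId']


def lines(blob):
    """Assumed stand-in for the module's per-line split: one entry per non-empty line."""
    return [line for line in blob.splitlines() if line.strip()]


def reports_failure(blob, checked_flags):
    """True if any output line contains any entry of checked_flags.

    Same membership test the module applies per header line; only the
    contents of checked_flags differ between the buggy and fixed variants.
    """
    return any(any(flag in ex_line for flag in checked_flags) for ex_line in lines(blob))


# Constructed sample: output of a successful custom PowerShell command.
SUCCESS_OUTPUT = """\
Name        Status
----        ------
Spooler     Running
"""

# Constructed sample: the error record PowerShell prints for an unknown cmdlet.
# The FullyQualifiedErrorId line is the one the parser is meant to detect.
ERROR_OUTPUT = """\
Get-Foo : The term 'Get-Foo' is not recognized as the name of a cmdlet
    + CategoryInfo          : ObjectNotFound: (Get-Foo:String) [], CommandNotFoundException
    + FullyQualifiedErrorId : CommandNotFoundException
"""


def classify(blob):
    """Return (buggy_verdict, fixed_verdict): whether each variant reports a failure."""
    return (reports_failure(blob, CHECKED_FLAGS_BUGGY),
            reports_failure(blob, CHECKED_FLAGS_FIXED))


if __name__ == '__main__':
    for name, blob in (('success', SUCCESS_OUTPUT), ('error', ERROR_OUTPUT)):
        buggy, fixed = classify(blob)
        print(f'{name}: buggy reports failure={buggy}, fixed reports failure={fixed}')
```

Running it shows the success output is reported as failed only by the buggy variant (any line with a letter from the header name trips it), while the genuine error record is caught by both; a line made of only dashes and digits escapes even the buggy check, which is why the false positive depends on what the command happens to print.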

deacon-mp requested a review from Copilot on October 6, 2025 23:12

Copilot AI left a comment


Pull Request Overview

This PR fixes a critical bug in the PowerShell parser where custom PowerShell commands were incorrectly marked as failed due to a logic error in the checked_flags variable initialization.

  • Changed checked_flags from splitting 'FullyQualifiedErrorId' into individual characters to a proper list containing the complete string
  • This prevents false positive error detection when any single character from 'FullyQualifiedErrorId' appears in PowerShell output
