fix: grant blue training flag when malicious file is removed (#167) #184

Merged
deacon-mp merged 2 commits into master from fix/issue-167-blue-training-flag
Mar 18, 2026
@deacon-mp
Contributor

Summary

  • Fixes Blue Training: Malicious File on System  #167 -- Blue team training flag "Malicious file on system" was never granted even when the malicious file was successfully removed
  • Root cause: the AutonomousBlue2 flag class file was missing from app/flags/autonomous/ (it only existed at the wrong path app/blue_2.py), and the flag entry was commented out in the Blue Certificate YAML
  • Added the flag class at the correct import path (app/flags/autonomous/blue_2.py)
  • Uncommented the flag in data/certifications/8da8f0b3-194a-4eed-95b0-43c1f1b64091.yml
  • Removed spurious visible = False attribute not present on any other flag

Test plan

  • Start Caldera with training plugin
  • Complete blue team training exercise (autonomous badge)
  • Verify the "Malicious file on system" flag appears in the autonomous badge
  • Verify flag is granted after removing malicious file from C:\Users\Public
  • Unit tests added for flag import, YAML registration, and verify logic

The AutonomousBlue2 ("Malicious file on system") flag was never granted
because of two issues:

1. The flag class file existed at app/blue_2.py but was missing from
   app/flags/autonomous/blue_2.py where the certification YAML expected
   to import it from.

2. The flag entry was commented out in the Blue Certificate YAML
   (8da8f0b3-194a-4eed-95b0-43c1f1b64091.yml), so it was never loaded
   into the training system.

Also removed the spurious visible=False attribute that no other flag has.
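
A check for the first root cause described above, written as an added example (not code from the PR or the training plugin): it flags any certification entry whose dotted path has no class at the matching file under `app/`. The dict shape of the parsed YAML and the stand-in flag source are constructed for the example, and the mapping of `flags.…` onto `app/flags/…` is an assumption taken from the paths named in the summary.

```python
import ast
import tempfile
from pathlib import Path


def defined_classes(py_file: Path) -> set:
    """Top-level class names in a module, read with ast so nothing is executed."""
    tree = ast.parse(py_file.read_text(encoding="utf-8"))
    return {node.name for node in tree.body if isinstance(node, ast.ClassDef)}


def unresolved_flags(cert: dict, app_dir: Path) -> dict:
    """Return {flag path: reason} for entries with no matching class under app_dir."""
    problems = {}
    for badge, flags in cert.get("badges", {}).items():
        for dotted in flags or []:
            module, _, cls = dotted.rpartition(".")
            # Assumption: 'flags.autonomous.blue_2' lives at app/flags/autonomous/blue_2.py
            py_file = app_dir.joinpath(*module.split(".")).with_suffix(".py")
            if not py_file.is_file():
                problems[dotted] = f"badge {badge!r}: no module file for {module!r}"
            elif cls not in defined_classes(py_file):
                problems[dotted] = f"badge {badge!r}: {py_file.name} defines no class {cls}"
    return problems


def demo() -> tuple:
    """Check the layout before and after the fix, using a constructed temp tree."""
    # Constructed stand-ins: a minimal flag class and the cert as yaml.safe_load would return it.
    flag_src = "class AutonomousBlue2:\n    name = 'Malicious file on system'\n"
    cert = {"badges": {"autonomous": ["flags.autonomous.blue_2.AutonomousBlue2"]}}
    with tempfile.TemporaryDirectory() as tmp:
        app = Path(tmp) / "app"
        (app / "flags" / "autonomous").mkdir(parents=True)
        (app / "blue_2.py").write_text(flag_src)  # class only at the wrong path
        before = unresolved_flags(cert, app)
        (app / "flags" / "autonomous" / "blue_2.py").write_text(flag_src)  # fixed layout
        after = unresolved_flags(cert, app)
    return before, after


if __name__ == "__main__":
    before, after = demo()
    print("wrong path only:", before)
    print("after the fix:  ", after)
```

A flag that is commented out in the YAML never reaches this check, so the second root cause still needs an assertion on the expected entry, like the one in the PR's own test.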

Copilot AI left a comment

Pull request overview

Fixes Blue autonomous training progression by properly registering and loading the “Malicious file on system” flag so it can be granted after the malicious file is removed.

Changes:

  • Add AutonomousBlue2 flag implementation at the expected import path (app/flags/autonomous/blue_2.py).
  • Register/uncomment the flag in the Blue Certificate certification YAML.
  • Add unit tests covering importability, YAML registration, and verify() behavior.

Reviewed changes

Copilot reviewed 3 out of 5 changed files in this pull request and generated 3 comments.

| File | Description |
| --- | --- |
| app/flags/autonomous/blue_2.py | Adds the AutonomousBlue2 flag at the correct module path used by the certification loader. |
| data/certifications/8da8f0b3-194a-4eed-95b0-43c1f1b64091.yml | Uncomments/registers the AutonomousBlue2 flag for the autonomous badge. |
| tests/app/flags/autonomous/test_blue_2.py | Adds tests for flag import path, YAML registration, and verify logic. |

Comment on lines +19 to +23
"""The flag must be uncommented and listed in the Blue Certificate YAML."""
with open('plugins/training/data/certifications/8da8f0b3-194a-4eed-95b0-43c1f1b64091.yml') as f:
cert = yaml.safe_load(f)
autonomous_flags = cert['badges']['autonomous']
assert 'flags.autonomous.blue_2.AutonomousBlue2' in autonomous_flags
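Review bot: The path passed to open() is relative ('plugins/training/data/certifications/...'), so this test only finds the YAML when pytest is started from the directory that contains plugins/; from any other working directory it fails with FileNotFoundError before the assertion runs. Build the path from Path(__file__) so the test locates the certification file relative to its own location.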
Comment on lines +5 to +10
class AutonomousBlue2(Flag):
name = 'Malicious file on system'
challenge = 'Write a file on the Windows machine under the C:\\Users\\Public directory. Get the SHA256 hash of ' \
'this file, and write it to C:\\Users\\Public\\malicious_files.txt. The autonomous defender should ' \
'automatically find and delete the file.'
extra_info = """"""
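Review bot: The class statement adds a second definition of AutonomousBlue2 alongside the copy at app/blue_2.py that the summary describes, and the two can drift apart; delete the old file or reduce it to a re-export of this class. In the same hunk, extra_info = """""" is an empty string and reads more clearly as ''.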
Comment on lines +1 to +2
import asyncio
from unittest.mock import AsyncMock, MagicMock, patch
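Review bot: The import lines bring in asyncio and patch, which the follow-up commit message below lists as unused in test_blue_2.py; drop them so the imports show only what the test mocks with (AsyncMock and MagicMock).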
- test_blue_2.py: replace hard-coded path with Path(__file__)-derived path,
  remove unused asyncio and patch imports
- app/blue_2.py: replace dead-code duplicate with a stub that re-exports
  the canonical class from app/flags/autonomous/blue_2.py
@deacon-mp
Contributor Author

@github-copilot review

@deacon-mp deacon-mp merged commit 0d7b6b1 into master Mar 18, 2026
2 checks passed
@deacon-mp deacon-mp deleted the fix/issue-167-blue-training-flag branch March 18, 2026 13:29