Type pentestit
Reporter Black
Modified 2019-04-27T18:42:02



I read a tweet about two days ago and today, MITRE CALDERA 2.0 is out already! If you remember, I wrote briefly about this automated adversary emulation system in my post titled - List of Adversary Emulation Tools. This is a major update and the current version supports Windows, Linux, Mac OSX & Raspberry Pi platforms! A couple of new features include BYOR (Bring Your Own RAT), BYOP (Bring Your Own Planner) and BYOT (Bring Your Own Technique)!

Caldera 2.0


> CALDERA is an automated adversary emulation system, built on the ATT&CK framework, that performs post-compromise adversarial behavior inside computer networks. It is intended for both red and blue teams.

Changes in CALDERA 2.0:

As I said earlier, this is a major update. This release changes a few things. For example, in the earlier version CALDERA consisted of three separate pieces of software:

  • CALDERA server: The server controls the execution of CALDERA and contains a web interface for administration
  • CALDERA agent: A Windows service that communicates to the CALDERA server, the CALDERA Agent is installed on every computer partaking in adversary emulation activities.
  • Crater: A Windows executable that is used as an implant for Adversary Emulation exercises

Though this has not changed much, the components now go by different names and there is a concept of plugins! To be precise, CALDERA works by attaching abilities to an adversary and running that adversary in an operation.

  • Ability: A specific task or set of commands, written in any language
  • Adversary: A threat profile that contains a set of abilities, making it easy to form repeatable operations
  • Agent: An individual computer running a CALDERA agent, such as the 54ndc47 (Sandcat) plugin
  • Group: A collection of agents
  • Operation: A start-to-finish execution of an adversary profile against a group

As of now, CALDERA 2.0 supports the following plugins:

  • Stockpile: This plugin is a stockpile of abilities, adversaries and files: it contains a collection of abilities, a few pre-built adversary profiles, a filestore and a basic planner. There are two adversary profiles as of now:
    1. Bash discovery on a single machine
    2. PowerShell discovery on a single machine
  • Chain: Adds a REST API for chain mode, along with a GUI for configuration that is accessible at the same location from a browser.
  • Adversary: Adds the full Adversary mode, including REST and GUI components. This is what was called Crater earlier, and it still ships the relevant files such as mimikatz in addition to PowerShell scripts such as PowerView.ps1, PowerUp.ps1 and timestomper.ps1.
  • GUI: As the name suggests, this is a basic web application structure, including style-sheets and login/logout functionality. The home page displays details about all loaded plugins.
  • 54ndc47/Sandcat: This plugin contains a custom in-memory agent, with variants for PowerShell and Bash. It also contains API endpoints for the agent to communicate to CALDERA over HTTPS. It can run on Linux, Mac or Microsoft Windows.

Stockpile currently ships abilities to exercise the following MITRE ATT&CK technique IDs (TIDs):

  • Collection:
    1. T1005: Data from Local System
    2. Search for valid SSH commands in the config file
    3. Search the file system for all word documents
  • Command and Control:
    1. T1105: Remote File Copy - Create a text file for the user to find
  • Defense Evasion:
    1. T1108: Redundant Access - Pause all operations to avoid making noise
    2. T1107: File Deletion - Clears out the bash history
  • Discovery:
    1. T1018: Remote System Discovery - Identify the remote domain controllers
    2. T1063: Security Software Discovery - Identify antivirus programs using WMIC
    3. T1139: Bash History - Get contents of bash history
    4. T1057: Process Discovery - Identify system processes
    5. T1018: Remote System Discovery - View the SSH known_hosts file
    6. T1018: Remote System Discovery - Locate all active IPs and FQDNs on the network via ARP
    7. T1016: System Network Configuration Discovery - View all potential WIFI networks on host
    8. T1016: System Network Configuration Discovery - Determine the most used WIFI networks of a machine
    9. T1135: Network Share Discovery - Local Network Share Discovery using Net Share
    10. T1016: System Network Configuration Discovery - Capture the local network broadcast IP address via ipconfig
    11. T1005: Data from Local System - Locate text files for a given user using the find command
    12. T1033: System Owner/User Discovery - Platform agnostic way to find the active user using whoami
    13. T1007: System Service Discovery - Identify system services via PowerShell
    14. T1016: System Network Configuration Discovery - Download a set of commands for manipulating WIFI
    15. T1069: Permission Groups Discovery - Identify all local users using the dscl command
  • Execution:
    1. T1059: Command-Line Interface - Turn a computer's WIFI off

A small snapshot of currently supported CALDERA 2.0 commands:

MITRE CALDERA 2.0 commands

All in all, this is a very good release, and it can definitely be customized for your use with simple .yml files and different plugins. You can also perform cleanup operations after the script execution is done!
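To make the ability/adversary/agent/group/operation model described above concrete, including the cleanup step just mentioned, here is a small planner in Python. It is an added example, not CALDERA's own code: the ability field names (tactic, technique, platforms, command, cleanup) and the Agent/Adversary records are assumptions that only mirror the general shape of a stockpile .yml entry, and the three ability definitions are constructed for this example.

```python
from collections import namedtuple
# Constructed ability definitions mirroring the shape of a stockpile .yml entry;
# the field names are an assumption for this example, not CALDERA's real schema.
ABILITIES = {
    "find-user": {"tactic": "discovery",
                  "technique": {"attack_id": "T1033", "name": "System Owner/User Discovery"},
                  "platforms": {"linux": {"sh": {"command": "whoami"}},
                                "windows": {"psh": {"command": "whoami"}}}},
    "known-hosts": {"tactic": "discovery",
                    "technique": {"attack_id": "T1018", "name": "Remote System Discovery"},
                    "platforms": {"linux": {"sh": {"command": "cat ~/.ssh/known_hosts"}}}},
    "drop-note": {"tactic": "command-and-control",
                  "technique": {"attack_id": "T1105", "name": "Remote File Copy"},
                  "platforms": {"linux": {"sh": {"command": "echo hello > /tmp/note.txt",
                                                 "cleanup": "rm -f /tmp/note.txt"}}}},
}

# Agent: a host plus its available executors (shells). Adversary: an ordered profile of ability ids.
Agent = namedtuple("Agent", "name platform executors")
Adversary = namedtuple("Adversary", "name abilities")

def plan_operation(adversary, group):
    """Resolve each ability to one command per agent; agents lacking a matching executor skip it."""
    plan = {}
    for agent in group:
        steps = []
        for ability_id in adversary.abilities:
            per_platform = ABILITIES[ability_id]["platforms"].get(agent.platform, {})
            executor = next((e for e in agent.executors if e in per_platform), None)
            if executor:
                steps.append((ability_id, executor, per_platform[executor]["command"]))
        plan[agent.name] = steps
    return plan

def cleanup_commands(agent, steps):
    """Cleanup commands for the steps an agent ran, in reverse execution order."""
    cmds = []
    for ability_id, executor, _ in reversed(steps):
        spec = ABILITIES[ability_id]["platforms"][agent.platform][executor]
        if "cleanup" in spec:
            cmds.append(spec["cleanup"])
    return cmds

def technique_coverage(adversary):
    """ATT&CK technique ids the profile exercises, grouped by tactic (blue-team view)."""
    cov = {}
    for ability_id in adversary.abilities:
        ability = ABILITIES[ability_id]
        cov.setdefault(ability["tactic"], set()).add(ability["technique"]["attack_id"])
    return cov
```

technique_coverage gives the list of TIDs an adversary profile will exercise, which a blue team can compare against the detections it expects to fire during the operation.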


Clone the MITRE CALDERA 2.0 repository recursively from its GitHub page here and off you go! All you need is a system that supports Python 3.6+; CALDERA itself is designed on top of the asyncio library.

The post UPDATE: MITRE CALDERA 2.0 appeared first on PenTestIT.