| Caldera (Core) | Sandcat | Mock | Terminal | SSL | Stockpile | Caltack |
|---|---|---|---|---|---|---|
 |
 |
 |
 |
 |
 |
 |
CALDERA is an automated adversary emulation system, built on the MITRE ATT&CK™ framework.
CALDERA works by attaching abilities to an adversary and running the adversary in an operation. Full documentation for this system can be found in the wiki.
- Python 3.5.3+
- Google Chrome is our only supported/tested browser
Additionally, this code (the C2 server) is intended to be run on Linux or MacOS. The agents - which connect to the C2 - can run on Windows, Linux and MacOS.
Start by cloning this repository recursively, passing the desired version/release in x.x.x format. This will pull all available plugins.
git clone https://github.com/mitre/caldera.git --recursive --branch x.x.x
Next, run the auto-installer.sh script to automatically configure CALDERA in our recommended way. Alternatively, you can install the basic requirements, which will allow you to run operations but not take full advantage of all features. Basic requirements can be installed by running:
pip install -r requirements.txt
Finally, start the server:
python server.py
To understand CALDERA, it helps to run an operation. Below are pre-built missions you can execute to understand the system. The missions assume CALDERA is running locally.
Perform reconnaissance on a compromised laptop. Your employer needs a list of the laptop user’s preferred WIFI networks. Grab this list, collecting anything else along the way, then knock the user offline. Finally, get out. Quickly. Leave no trace. There is one caveat: the laptop’s AV scans the machine in full every minute. You must complete this mission in less than 60 seconds.
Start a 54ndc47 agent on the same computer as CALDERA. Do this by opening a terminal and pasting in the correct delivery command for your operating system. You should be welcomed by a log message indicating the agent has sent a "beacon" to CALDERA.
Move to a browser, at 127.0.0.1:8888, logging in with the credentials admin:admin. Click into campaigns and use the "Operations" section to fire off an operation using the "nosy neighbor" adversary and the my_group group. Fill in an operation name but leave all other fields at their defaults.
Once the operation is complete, compare the execution time of the first and last commands. Was the mission a success? Did the adversary run without a trace? Can you figure out why the abilities are being run in the order they are?
A laptop containing secret, sensitive files has been compromised. Scan the computer for files which match the file extensions (.txt and .yml) the sensitive files are known to have. Then steal the files.
Similar to mission #1, start a 54ndc47 agent and confirm it "beacons" back to CALDERA.
Once confirmed, move to a browser at 127.0.0.1 and click into the campaigns -> operations section and start a new operation, choosing the hunter adversary and the group my_group.
Did the operation find the sensitive files? How many? Can you determine how it determines which files are sensitive? Hint- you may want to read about facts.
You need to navigate through a compromised host but you fear an autonomous agent may draw too much attention. You need to use a traditional reverse-shell to gain manual shell access.
Inside CALDERA, enable the terminal plugin by updating the conf/default.yml file. Restart the server and - similar to the above missions - start a 54ndc47 agent and confirm it "beacons" back to CALDERA.
Once confirmed, move to a browser at 127.0.0.1 and click into the campaigns -> operations section and start a new operation, choosing the terminal adversary and the group my_group. Then, inside the optional choices, select the terminal fact source. Run the operation and wait for it to complete.
Next, navigate to the plugins -> terminal GUI page. From here, check the sessions drop-down and you should see a new reverse-shell session. Select this session and use the UI to manually interact with the host.
Can you figure out how to deploy the reverse-shell without using 54ndc47?
We use the basic feature branch GIT flow. Create a feature branch off of master and when ready, submit a merge request. Make branch names and commits descriptive. A merge request should solve one problem, not many.
In addition to CALDERA's open source capabilities, MITRE maintains several in-house CALDERA plugins that offer more advanced functionality. For more information, or to discuss licensing opportunities, please reach out to [email protected] or directly to MITRE's Technology Transfer Office.
BRAWL Game - Data set created by the BRAWL project representing one CALDERA operation with data collected by Microsoft Sysmon and other sensors.
CASCADE - Prototype blue team analysis tool to automate investigative work.