Adversary Simulation & Detection with Caldera: Red Teamers Guide

Red Teaming Part 1

This write-up focuses on setting Caldera and emulating the Adversary Simulation and detection.

Basic Terminologies before heading start towards the hands-on.

Understanding MITRE ATT&CK Framework in CALDERA:

Within the domain of Adversary Simulation and detection, the MITRE ATT&CK (Adversarial Tactics, Techniques, and Common Knowledge) framework serves as a foundational pillar. This framework methodically organizes the tactics and techniques employed by adversaries in the course of cyber operations.

CALDERA, a powerful tool for simulating real-world attacks, leverages the ATT&CK framework to emulate threat scenarios. By mapping its abilities to specific ATT&CK tactics and techniques, CALDERA provides a structured approach for red teaming and penetration testing.

The ATT&CK matrix encompasses various attack vectors, from initial access to impact, offering a comprehensive view of adversarial behaviors. CALDERA users can employ this framework to design and execute realistic attack simulations, ensuring a robust testing environment for security teams to evaluate and enhance their defenses.

Caldera’s Essential Terminology:

1. Ability: Specific implementation of a tactic/technique in ATT&CK, including commands, platforms, payloads, and output parsing references.
2. Adversary: Profiles representing threat actor groups, encompassing tactics, techniques, and procedures (TTPs).
3. Agents: Software on target hosts connecting to CALDERA for instructions at intervals.
4. Groups: Collections of agents based on criteria (OS/function) used to determine which agents execute specific abilities during operations.

Installing Caldera in Linux

git clone https://github.com/mitre/caldera.git — recursive
cd caldera
pip3 install -r requirements.txt
python3 server.py — insecure

Caldera Dashboard

Note: If you are working on virtual machines, ensure your network mode is Bridged.

The default Credentials for Caldera are for the red team [red: admin] and for the blue team [blue: admin].

For simulation and detection, we need to add agents. These agents are nothing but our target systems. For this instance, we are adding our VM as an agent which will be Linux-based.

Adding Agent

To initiate the deployment of an agent, go to the Agents tab and select the “deploy an agent” button, as indicated in the highlighted section of the accompanying screenshot.

Select an agent, such as Sandcat (recommended for beginners), and specify the platform (operating system) of your choice. Refer to the highlighted sections in the provided screenshots for guidance.

Note: Sandcat, also known as 54ndc47, stands out as a remote access agent crafted in GoLang, ensuring cross-platform compatibility. This agent will be deployed on the targeted endpoint(s) to execute our operations effectively.

Make sure the agent options are correct (ex: ensure app.contact.http matches the expected host and port for the CALDERA server).

The “agents.implant_name” field plays a crucial role in designating the base name for newly-spawned agents. In instances where needed, an extension will be appended during agent creation (e.g., transforming “splunkd” to “splunkd.exe” when spawning an agent on a Windows machine). Next, select a command to execute on the target machine, referring to the highlighted section in the provided screenshot for guidance.

Copy the Payload and Paste it to the terminal of the Targeted system. In Our case in Linux Machine.

Setting Agent -

1. Beacon Timers: Specify the minimum and maximum seconds for the agent’s beacon home interval. These timers apply universally to all newly created agents.
2. Watchdog Timer: Set the duration, in seconds, to wait after the target agent becomes unreachable before terminating the agent. This timer applies to all newly created agents.
3. Untrusted Timer: Define the wait time, in seconds, before marking a missing agent as untrusted. Untrusted agents won’t generate new links for operations. This timer is global, affecting all running and newly-created agents.
4. Implant Name: Set the base name for newly-spawned agents. An extension may be added during agent creation (e.g., “splunkd” becoming “splunkd.exe” on a Windows machine).
5. Bootstrap Abilities: Specify a comma-separated list of ability IDs to execute on a new agent beacon. The default is to run a command clearing command history.
6. Deadman Abilities: Define a comma-separated list of ability IDs to execute just before agent termination. Note that the agent must support deadman abilities for them to run effectively.

We Added and Setup the agent now the next part is Adversaries

Adversaries

Access adversary profiles by navigating to the Adversary tab. Click on the “Select an existing profile” drop-down menu, as illustrated in the highlighted section of the provided screenshot.

Upon selecting an adversary profile from the drop-down menu, the interface will present the adversary name, description, and the associated abilities linked to the chosen adversary profile. This provides a comprehensive overview of the tactics, techniques, and procedures (TTPs) encapsulated within the selected adversary profile.

Once you’ve assigned a name and description to your profile, augment its capabilities by clicking the “add ability” button, as emphasized in the earlier screenshot.

To incorporate abilities into your custom profile, you can either search for a specific ability or designate a particular tactic relevant to the functionality of the desired ability. This flexibility allows you to tailor the adversary profile to your specific simulation and detection needs.

Operations

Initiating an operation offers various optional configurations, as highlighted in the provided screenshot. These configurations allow for tailored settings to meet the specific requirements of the operation.

1. Group: Specify the collection of agents you want the operation to run against.
2. Adversary: Choose the adversary profile to be employed during the operation.
3. Auto-close: Decide whether to automatically close the operation when no further actions are required or keep it open indefinitely.
4. Run immediately: Opt to either run the operation immediately or start it in a paused state.
5. Autonomous: Choose between autonomous and manual modes. In manual mode, the operator approves or discards each command.
6. Planner: Select the logic library (planner) you want to use for the operation.

Output

As shown in the above screenshot caldera found the active user in our targeted system to view the result click on view output.

Overall Results —

Conclusion -

We have completed our first adversary emulation with Caldera. At this point, you ought should be able to use Caldera to add agents, add or modify profiles, and perform operations against agents.

Caldera documentation: https://caldera.readthedocs.io/en/latest/index.html