Install/Setup MITRE Caldera the automated cyber adversary emulation system

In this blog post I will be covering how to setup and utilize MITRE’s new tool called Caldera. Caldera is a cyber adversary emulation system that operates on a server/agent model. On the server you can create adversary campaigns that are deployed to your agents. Your agents will periodically call back with their results and progress. Let’s begin!

Install/Setup Caldera on Ubuntu 16.04

Deploy Caldera with Ansible – prod

  1. git clone https://github.com/Benster900/BlogProjects.git
  2. cd BlogProjects/CalderaMitre
  3. vim hosts and set [caldera]
  4. mv group_vars/all.example group_vars/all
  5. vim group_vars/all and set:
    1. base_domain
    2. caldera_pass
    3. cert info
  6. ansible-playbook -i hosts deploy_caldera.yml -u
  7. Browse to “https://<IP addr of Caldera server>” and login
    1. user: admin
    2. pass: {{ caldera_pass }}

Deploy Caldera with Docker – dev

  1. git clone https://github.com/Benster900/BlogProjects.git
  2. cd BlogProjects/CalderaMitre
  3. docker build -t caldera .
  4. docker run -d -p 8888:8888 –hostname=<FQDN> caldera
    1. A DNS entry MUST be made to point at the host running the Docker container. Caldera uses the hostname of the Docker container which is only accessible within the Docker network but “–hostname” flag corrects that.
    2. MongoDB is built into the docker container so this means the data will NOT persist.
  5. Browse to “https://127.0.0.1:8888” and login
    1. user: admin
    2. pass: caldera

Deploy Caldera agents to Windows clients

  1. vim hosts and set [win_agents]
  2. mv group_vars/windows.example group_vars/windows
  3. vim group_vars/windows and set:
    1. ansible_user: <Windows username>
    2. ansible_password: <Windows user password>
  4. ansible-playbook -i hosts deploy_windows_agents.yml
  5. Browse to “https://127.0.0.1:8888” and login
  6. Select “Debug” then “Connected agents”

Becoming the hunter

Creating an adversary

To perform an Operation, CALDERA needs an Adversary to emulate. In CALDERA, an Adversary represents a real adversary’s tactics and techniques. When we create our operation we will select an Adversary to use which will dictate what techniques CALDERA performs during the operation.

  1. Select “Threat” then “Create adversary”
    1. Enter “test_adversary” as the name
    2. Select different adversary tactics from the steps drop down menu
      1. get_computers
      2. get_domain
      3. get_local_profiles
    3. Select “http” for exfil method
    4. Leave exfil address as default
    5. Enter “8889” for exfil port
    6. Select “Submit”

Creating a network

Networks are just collections of host. They are a simple way for CALDERA to organize and group together computers.

  1. Select “Networks” then “Create network”
    1. Enter “test_network” for name
    2. If you connected to a domain select the domain but this computer is NOT part of a domain
    3. Select the hosts you want to participate in the simulation
    4. Select “Submit”

Creating an operation

  1. Select “Operations” then “Create operation”
    1. Enter “test_op” for name
    2. Select “test_adversay” for adversary
    3. Select “test_network” for network
    4. Select a starting host
      1. I only have one host for this demo
    5. Select “bootstrap rat” for start method
    6. Leave start path blank
    7. Select “active user” as the starting user
    8. Enter “explorer.exe” for parent process
    9. UNcheck “Auto-cleanup”
      1. I want to leave the artifacts behind for future posts 🙂
    10. Enter a desired command delay
    11. Enter a desired jitter
    12. Select “Submit”

Watch operation

In the Operation view, you can view the progress that CALDERA has made working on an operation. The operation’s status is displayed at the top of the screen next to the Operation’s name. Below the status, colored bubbles indicate the number of hosts and credentials that have been compromised during this operation.

 

 

Where to go from here?

MITRE has created a really awesome tool here for defenders. This tool can help you evaluate your security team’s effectiveness at detecting different red team tactics. Cyb3rWard0g provides a scoring system for tactics outlined in the MITRE ATT&CK framework. His scoring system starts at none(no detection) too excellent(automated detection).

In the coming months, I will be taking advantage of Cyb3rWardog’s scale and this tool for my threat hunting and incident response projects. A majority of my projects require an adversary and I want to quantify my progress at detecting various techniques. As my projects and skills progress, this tool provides the capability to reproduce an attack to accurately measure my effectiveness. Additionally, this tool provides the ability to extend the adversarial tactics and capabilities. Personally, I think it would be awesome to combine the Powershell Empire API and this tool :).

Resources/Sources

7 thoughts on “Install/Setup MITRE Caldera the automated cyber adversary emulation system

  1. D says:

    Are you running the Ubuntu host in a virtual machine or on hardware? I can’t seem to get any hosts to connect to the containerized deploy under a virtual machine. I see a connection from my Windows hosts over 8888, but they never show in the connection list.

    • spartan2194 says:

      Try running “docker run -d -p 8888:8888 –hostname=[FQDN] caldera”. A DNS entry MUST be made to point at the host running the Docker container. By default, Caldera uses the hostname of the Docker container which is only accessible by the docker network but the ‘–hostname’ flag corrects that. The README will be updated shortly. Thanks!

  2. Kyle Howson says:

    Hello, I tried to run both the installation and docker image but get the same error…

    Traceback (most recent call last):
    File “caldera.py”, line 16, in
    from app import server
    File “/opt/caldera/caldera/app/server.py”, line 13, in
    from aiohttp import web, WSCloseCode
    File “/usr/local/lib/python3.5/dist-packages/aiohttp/web.py”, line 15, in
    from . import (hdrs, web_exceptions, web_fileresponse, web_middlewares,
    File “/usr/local/lib/python3.5/dist-packages/aiohttp/web_middlewares.py”, line 5, in
    from aiohttp.web_urldispatcher import SystemRoute
    File “/usr/local/lib/python3.5/dist-packages/aiohttp/web_urldispatcher.py”, line 20, in
    from yarl import URL, unquote
    ImportError: cannot import name ‘unquote’

    Any Recommendations on how to get past this?

  3. justplay says:

    why the status is always pending?

    • spartan2194 says:

      Hey JustPlay,

      On your Windows host install Wireshark, start a Wireshark capture, and then start the CALDERA agent. Verify that the agent is calling back to the right port(8888 by default) and to the correct IP address. Next, verify the CALDERA config for the agent is correct, config can be viewed by browsing to https://:8888/conf.yml. Lastly, I would look at the CALDERA documentation to setup an agent.

Leave a Reply

Your email address will not be published. Required fields are marked *