Install/Setup MITRE Caldera the automated cyber adversary emulation system

In this blog post I will be covering how to set up and use MITRE’s new tool called Caldera. Caldera is a cyber adversary emulation system that operates on a server/agent model. On the server you create adversary campaigns that are deployed to your agents. The agents periodically call back with their results and progress. Let’s begin!

Install/Setup Caldera on Ubuntu 16.04

Deploy Caldera with Ansible – prod

  1. git clone https://github.com/Benster900/BlogProjects.git
  2. cd BlogProjects/CalderaMitre
  3. vim hosts and set [caldera]
  4. mv group_vars/all.example group_vars/all
  5. vim group_vars/all and set:
    1. base_domain
    2. caldera_pass
    3. cert info
  6. ansible-playbook -i hosts deploy_caldera.yml -u <SSH user for the Caldera host>
  7. Browse to “https://<IP addr of Caldera server>” and login
    1. user: admin
    2. pass: {{ caldera_pass }}

Deploy Caldera with Docker – dev

  1. git clone https://github.com/Benster900/BlogProjects.git
  2. cd BlogProjects/CalderaMitre
  3. docker build -t caldera .
  4. docker run -d -p 8888:8888 --hostname=<FQDN> caldera
    1. A DNS entry for <FQDN> MUST point at the host running the Docker container. Agents call back to the container’s hostname, which by default is only resolvable inside the Docker network; the “--hostname” flag makes the container advertise a name the agents can actually reach.
    2. MongoDB runs inside the Docker container, so the data will NOT persist once the container is removed.
  5. Browse to “https://127.0.0.1:8888” and login
    1. user: admin
    2. pass: caldera
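The one thing that goes wrong with the Docker deploy is the hostname: if the name passed to --hostname does not resolve to the Docker host, agents connect nowhere and never show up under “Connected agents”. The script below is an added example (mine, not from the original post or the Caldera project) that checks the name before starting the container and then waits for port 8888 to come up. It assumes getent, nc and either ip or hostname -I are available on the Docker host; the FQDN is whatever you pass as the first argument.

```shell
#!/bin/sh
# Added example (not from the original post or the Caldera project): pre-flight
# checks for the Docker "dev" deploy, run on the Docker host before
#   docker run -d -p 8888:8888 --hostname=<FQDN> caldera
# The FQDN given to --hostname is what agents use to call back, so it must
# resolve to an address configured on this host.

# Resolve FQDN to its first IPv4 address with the system resolver.
resolve_fqdn() {
    getent ahostsv4 "$1" 2>/dev/null | awk 'NR == 1 { print $1 }'
}

# Print this host's configured IPv4 addresses, one per line.
local_ipv4_addrs() {
    if command -v ip >/dev/null 2>&1; then
        ip -o -4 addr show | awk '{ split($4, a, "/"); print a[1] }'
    else
        hostname -I 2>/dev/null | tr ' ' '\n' | grep -E '^[0-9]+(\.[0-9]+){3}$'
    fi
}

# Succeed (exit 0) if ADDR is exactly one of the newline-separated addresses in LIST.
addr_in_list() {
    printf '%s\n' "$2" | grep -qxF -- "$1"
}

# Succeed if FQDN resolves to an address configured on this host.
fqdn_points_here() {
    resolved=$(resolve_fqdn "$1")
    if [ -z "$resolved" ]; then
        echo "ERROR: $1 does not resolve; add a DNS (or /etc/hosts) entry first" >&2
        return 1
    fi
    if ! addr_in_list "$resolved" "$(local_ipv4_addrs)"; then
        echo "ERROR: $1 resolves to $resolved, which is not an address of this host" >&2
        return 1
    fi
    echo "OK: $1 -> $resolved (this host)"
}

# Succeed once HOST:PORT accepts a TCP connection, retrying up to TRIES times.
wait_for_port() {
    host=$1; port=$2; tries=${3:-30}
    while [ "$tries" -gt 0 ]; do
        if nc -z -w 2 "$host" "$port" 2>/dev/null; then
            return 0
        fi
        tries=$((tries - 1)); sleep 1
    done
    echo "ERROR: nothing listening on $host:$port" >&2
    return 1
}

# Start the dev container only after the hostname check passes, then wait for
# the server port. The default admin password in this image is "caldera";
# change it before anything outside your lab can reach port 8888.
deploy_dev() {
    fqdn=$1
    fqdn_points_here "$fqdn" || return 1
    docker run -d -p 8888:8888 --hostname="$fqdn" caldera || return 1
    wait_for_port "$fqdn" 8888
}

# Usage: sh deploy_caldera_dev.sh caldera.example.lab
if [ $# -gt 0 ]; then
    deploy_dev "$1"
fi
```

The resolution check uses the Docker host’s own resolver, so it only proves the name is correct from the server side; the Windows agents must resolve the same FQDN to the same address, which is why the post insists on a real DNS entry rather than an entry in the Docker host’s /etc/hosts.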

Deploy Caldera agents to Windows clients

  1. vim hosts and set [win_agents]
  2. mv group_vars/windows.example group_vars/windows
  3. vim group_vars/windows and set:
    1. ansible_user: <Windows username>
    2. ansible_password: <Windows user password>
  4. ansible-playbook -i hosts deploy_windows_agents.yml
  5. Browse to “https://127.0.0.1:8888” and login
  6. Select “Debug” then “Connected agents”
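The post tells you to set [caldera] and [win_agents] in hosts without showing the file. Below is an added example inventory (mine, not from the post or the BlogProjects repo) with one server and two Windows agents. The hostnames are placeholders, and the WinRM connection variables are standard Ansible variables that I assume the playbook relies on; the post keeps ansible_user and ansible_password in group_vars/windows instead of in the inventory.

```ini
; Added example inventory (not from the post or the BlogProjects repo).
; Hostnames are placeholders; replace them with your lab machines.
[caldera]
caldera.example.lab

[win_agents]
win10-01.example.lab
win10-02.example.lab

; Connection settings for the Windows group (assumed; the post sets only
; ansible_user and ansible_password, in group_vars/windows).
[win_agents:vars]
ansible_connection=winrm
ansible_port=5986
ansible_winrm_transport=ntlm
; "ignore" skips TLS certificate checks on the WinRM listener. Acceptable for a
; lab with self-signed certificates; for anything else use "validate" and
; issue the listeners certificates from a CA the Ansible host trusts.
ansible_winrm_server_cert_validation=ignore
```

Because the agents’ credentials end up in group_vars/windows in clear text, keep that file out of version control (the repo ships only a .example copy for this reason) or move the password into an Ansible Vault.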

Becoming the hunter

Creating an adversary

To perform an Operation, CALDERA needs an Adversary to emulate. In CALDERA, an Adversary represents a real adversary’s tactics and techniques. When we create our operation we will select an Adversary to use which will dictate what techniques CALDERA performs during the operation.

  1. Select “Threat” then “Create adversary”
    1. Enter “test_adversary” as the name
    2. Select the adversary steps to run from the steps drop-down menu
      1. get_computers
      2. get_domain
      3. get_local_profiles
    3. Select “http” for exfil method
    4. Leave exfil address as default
    5. Enter “8889” for exfil port
    6. Select “Submit”

Creating a network

Networks are just collections of hosts. They are a simple way for CALDERA to organize and group together computers.

  1. Select “Networks” then “Create network”
    1. Enter “test_network” for name
    2. If your hosts are joined to a domain, select that domain; the host in this demo is NOT part of a domain
    3. Select the hosts you want to participate in the simulation
    4. Select “Submit”

Creating an operation

  1. Select “Operations” then “Create operation”
    1. Enter “test_op” for name
    2. Select “test_adversary” for adversary
    3. Select “test_network” for network
    4. Select a starting host
      1. I only have one host for this demo
    5. Select “bootstrap rat” for start method
    6. Leave start path blank
    7. Select “active user” as the starting user
    8. Enter “explorer.exe” for parent process
    9. UNcheck “Auto-cleanup”
      1. I want to leave the artifacts behind for future posts 🙂
    10. Enter a desired command delay
    11. Enter a desired jitter
    12. Select “Submit”

Watch operation

In the Operation view, you can view the progress that CALDERA has made working on an operation. The operation’s status is displayed at the top of the screen next to the Operation’s name. Below the status, colored bubbles indicate the number of hosts and credentials that have been compromised during this operation.

Where to go from here?

MITRE has created a really awesome tool here for defenders. This tool can help you evaluate your security team’s effectiveness at detecting different red team tactics. Cyb3rWard0g provides a scoring system for the techniques outlined in the MITRE ATT&CK framework. His scoring system ranges from none (no detection) to excellent (automated detection).

In the coming months, I will be taking advantage of Cyb3rWard0g’s scale and this tool for my threat hunting and incident response projects. A majority of my projects require an adversary and I want to quantify my progress at detecting various techniques. As my projects and skills progress, this tool provides the capability to reproduce an attack to accurately measure my effectiveness. Additionally, this tool provides the ability to extend the adversarial tactics and capabilities. Personally, I think it would be awesome to combine the PowerShell Empire API and this tool :).

7 thoughts on “Install/Setup MITRE Caldera the automated cyber adversary emulation system”

  1. D says:

    Are you running the Ubuntu host in a virtual machine or on hardware? I can’t seem to get any hosts to connect to the containerized deploy under a virtual machine. I see a connection from my Windows hosts over 8888, but they never show in the connection list.

    • spartan2194 says:

      Try running “docker run -d -p 8888:8888 --hostname=[FQDN] caldera”. A DNS entry MUST be made to point at the host running the Docker container. By default, Caldera uses the hostname of the Docker container which is only accessible by the docker network but the ‘--hostname’ flag corrects that. The README will be updated shortly. Thanks!

  2. Kyle Howson says:

    Hello, I tried to run both the installation and docker image but get the same error…

    Traceback (most recent call last):
    File “caldera.py”, line 16, in
    from app import server
    File “/opt/caldera/caldera/app/server.py”, line 13, in
    from aiohttp import web, WSCloseCode
    File “/usr/local/lib/python3.5/dist-packages/aiohttp/web.py”, line 15, in
    from . import (hdrs, web_exceptions, web_fileresponse, web_middlewares,
    File “/usr/local/lib/python3.5/dist-packages/aiohttp/web_middlewares.py”, line 5, in
    from aiohttp.web_urldispatcher import SystemRoute
    File “/usr/local/lib/python3.5/dist-packages/aiohttp/web_urldispatcher.py”, line 20, in
    from yarl import URL, unquote
    ImportError: cannot import name ‘unquote’

    Any Recommendations on how to get past this?

  3. justplay says:

    why the status is always pending?

    • spartan2194 says:

      Hey JustPlay,

      On your Windows host install Wireshark, start a Wireshark capture, and then start the CALDERA agent. Verify that the agent is calling back to the right port (8888 by default) and to the correct IP address. Next, verify the CALDERA config for the agent is correct; the config can be viewed by browsing to https://:8888/conf.yml. Lastly, I would look at the CALDERA documentation to set up an agent.
