The folks at MITRE have created yet another awesome tool.  CALDERA uses the ATT&CK model to simulate adversary behavior. It’s a great way to generate logs for hunting, or see how your detection stacks up.  Here’s how I got it going.

I pretty much just followed along with the instructions on their github site.

  1. Installed a debian 9.2 VM as the Caldera server.
  2. Installed python 3.5, pip3, upgraded setuptools, did a git clone of the caldero repo, and did a pip -r requirements.txt.
  3. Installed mongodb 3.2 from source.
  4. Added ‘replSet = caldera’ to /etc/mongodb.conf and restarted mongodb
  5. Installed mono-develop with apt-get and compiled Crater with ‘buildall.bat’ on the Debian system. https://github.com/mitre/caldera-crater
  6. Renamed the Windows8 exe to ‘CraterMain.exe’ and dropped it in ‘caldera/dep/crater/crater’
  7. Started the caldera server. ‘python3 caldera/caldera/caldera.py’

Next, I configured a Windows victim.

I built a 2012R2 Domain Controller, and downloaded a free Windows10 VM from here. https://developer.microsoft.com/en-us/microsoft-edge/tools/vms/ Once one is setup, I can clone as many hosts as I want.

  1. Install python 3.5. I’m lazy so I set path in the installer
  2. Grab and install the Win64 Python 3.5 version pywin32 from here https://sourceforge.net/projects/pywin32/files/pywin32/Build%20220/
  3. Install VS 2015 C++ Build tools http://landinghub.visualstudio.com/visual-cpp-build-tools
  4. Clone the agent repo and do ‘pip install -r requirements.txt’ and ‘pip install –upgrade setuptools’ in the root of it.
  5. Clone MITREs py2exe repo https://github.com/mitre/caldera-py2exe
  6. Open the VS2015 x64 command prompt, CD into the custom py2exe and run ‘python setup.py bdist’ followed by ‘python setup.py bdist_egg’
  7. cd into caldera-py2exe-master\dist and run easy_install py2exe
  8. cd back into the agent directory\caldera_agent and run ‘make.bat’
  9. Copy ‘cagent.exe’ to c:\program files\cagent\
  10. Goto c:\program files\cagent\ and pull the config file from the caldera server https://whatever:8888/conf.yml
  11. Don’t forget to mod your hosts file.
  12. Install/start the agent with ‘cagent.exe –startup auto install’ followed by ‘cagent.exe start’

I then logged into the Caldera server with admin/caldera, created a network, and ran several test operations.  It comes with a few adversary tactics built in.

More to come on importing new TTPs, expanding on the ATT&CK model, and writing Sysmon configs.

Categories: Security

0 Comments

Leave a Reply

Your email address will not be published. Required fields are marked *