CALDERA

Published by Matt Clemons on

The folks at MITRE have created yet another awesome tool.  CALDERA uses the ATT&CK model to simulate adversary behavior. It’s a great way to generate logs for hunting, or see how your detection stacks up.  Here’s how I got it going.

I pretty much just followed along with the instructions on their github site.

  1. Installed a debian 9.2 VM as the Caldera server.
  2. Installed python 3.5, pip3, upgraded setuptools, did a git clone of the caldero repo, and did a pip -r requirements.txt.
  3. Installed mongodb 3.2 from source.
  4. Added ‘replSet = caldera’ to /etc/mongodb.conf and restarted mongodb
  5. Installed mono-develop with apt-get and compiled Crater with ‘buildall.bat’ on the Debian system. https://github.com/mitre/caldera-crater
  6. Renamed the Windows8 exe to ‘CraterMain.exe’ and dropped it in ‘caldera/dep/crater/crater’
  7. Started the caldera server. ‘python3 caldera/caldera/caldera.py’

Next, I configured a Windows victim.

I built a 2012R2 Domain Controller, and downloaded a free Windows10 VM from here. https://developer.microsoft.com/en-us/microsoft-edge/tools/vms/ Once one is setup, I can clone as many hosts as I want.

  1. Install python 3.5. I’m lazy so I set path in the installer
  2. Grab and install the Win64 Python 3.5 version pywin32 from here https://sourceforge.net/projects/pywin32/files/pywin32/Build%20220/
  3. Install VS 2015 C++ Build tools http://landinghub.visualstudio.com/visual-cpp-build-tools
  4. Clone the agent repo and do ‘pip install -r requirements.txt’ and ‘pip install –upgrade setuptools’ in the root of it.
  5. Clone MITREs py2exe repo https://github.com/mitre/caldera-py2exe
  6. Open the VS2015 x64 command prompt, CD into the custom py2exe and run ‘python setup.py bdist’ followed by ‘python setup.py bdist_egg’
  7. cd into caldera-py2exe-master\dist and run easy_install py2exe
  8. cd back into the agent directory\caldera_agent and run ‘make.bat’
  9. Copy ‘cagent.exe’ to c:\program files\cagent\
  10. Goto c:\program files\cagent\ and pull the config file from the caldera server https://whatever:8888/conf.yml
  11. Don’t forget to mod your hosts file.
  12. Install/start the agent with ‘cagent.exe –startup auto install’ followed by ‘cagent.exe start’

I then logged into the Caldera server with admin/caldera, created a network, and ran several test operations.  It comes with a few adversary tactics built in.

More to come on importing new TTPs, expanding on the ATT&CK model, and writing Sysmon configs.

Categories: Security

0 Comments

Leave a Reply

Avatar placeholder

Your email address will not be published. Required fields are marked *

Related Posts

Security

Threathunting with Elasticsearch

All kinds of interesting information can be found using the Elasticsearch API. https://www.elastic.co/guide/en/elasticsearch/reference/current/search-search.html I find it easier than using Kibana, but Kibana was necessary to figure out the query language. Using the same queries, you Read more…

Hardware

Cisco router CA server

Easy way to create a CA server for testing purposes.

Linux

Cleared SAA-C02

I started with acloud.guru AWS Certified Solutions Architect Associate course. https://acloudguru.com/course/aws-certified-solutions-architect-associate-saa-c02 If you get the pro subscription, you get access to labs without having to create your own AWS accounts. I think it’s 50 bucks Read more…