The folks at MITRE have created yet another awesome tool.  CALDERA uses the ATT&CK model to simulate adversary behavior. It’s a great way to generate logs for hunting, or see how your detection stacks up.  Here’s how I got it going.

I pretty much just followed along with the instructions on their GitHub site.

  1. Installed a Debian 9.2 VM as the Caldera server.
  2. Installed Python 3.5 and pip3, upgraded setuptools, did a git clone of the caldera repo, and ran `pip install -r requirements.txt`.
  3. Installed MongoDB 3.2 from source.
  4. Added `replSet = caldera` to /etc/mongodb.conf and restarted MongoDB.
  5. Installed mono-develop with apt-get and compiled Crater with `buildall.bat` on the Debian system.
  6. Renamed the Windows8 exe to `CraterMain.exe` and dropped it in `caldera/dep/crater/crater`.
  7. Started the Caldera server: `python3 caldera/caldera/`
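Steps 4, 6 and 7 are the ones that silently go wrong on a second attempt (a duplicate replSet line, a Crater binary in the wrong place, a server that starts but never serves the agent config). The helpers below are an added example, not MITRE's code; they assume Debian 9, the ini-style /etc/mongodb.conf from step 4, a clone of the repo in $CALDERA_DIR, an init script named `mongodb`, and curl on the server.

```shell
#!/bin/sh
# Idempotent helpers for steps 4, 6 and 7 of the server setup above.
# Added example, not MITRE's code. Assumptions: Debian 9, the ini-style
# /etc/mongodb.conf from step 4, a clone of the caldera repo in $CALDERA_DIR,
# a MongoDB init script named "mongodb", and curl on the server.
set -eu

CALDERA_DIR="${CALDERA_DIR:-./caldera}"        # assumed clone location
MONGO_CONF="${MONGO_CONF:-/etc/mongodb.conf}"  # path used in step 4

# Step 4: make sure "replSet = <name>" is present exactly once. Safe to re-run.
# Returns 0 when the file ends up with a single replSet line, 1 otherwise.
ensure_replset() {
    conf="$1"; name="${2:-caldera}"
    if ! grep -Eq '^[[:space:]]*replSet[[:space:]]*=' "$conf"; then
        printf 'replSet = %s\n' "$name" >> "$conf"
    fi
    # Two replSet lines (a leftover from an earlier attempt) would stop mongod
    # from starting, so report that rather than silently appending a third.
    [ "$(grep -Ec '^[[:space:]]*replSet[[:space:]]*=' "$conf")" -eq 1 ]
}

# Step 6: the renamed Crater build must sit at dep/crater/crater/CraterMain.exe.
# Returns 0 only if the file exists and is non-empty.
crater_in_place() {
    [ -s "$1/dep/crater/crater/CraterMain.exe" ]
}

# Step 7 check: the server should answer on 8888 and serve the agent config
# that step 10 of the Windows setup downloads. -k is there because the
# server's certificate is assumed to be self-signed.
caldera_serving_conf() {
    curl -ksf "https://${1:-localhost}:8888/conf.yml" -o /dev/null
}

# Wire the checks together; not run automatically so the functions can be
# sourced and tested on their own.
main() {
    ensure_replset "$MONGO_CONF" caldera
    sudo service mongodb restart
    crater_in_place "$CALDERA_DIR" || { echo "CraterMain.exe missing" >&2; exit 1; }
    nohup python3 "$CALDERA_DIR/caldera/" >/tmp/caldera.log 2>&1 &
    sleep 5
    caldera_serving_conf localhost && echo "CALDERA is up and serving conf.yml"
}
```

Source the file and call `main` on the server; if the last check fails, /tmp/caldera.log will show why the server did not come up.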

Next, I configured a Windows victim.

I built a 2012R2 Domain Controller, and downloaded a free Windows 10 VM from here. Once one is set up, I can clone as many hosts as I want.

  1. Install Python 3.5. I'm lazy, so I set PATH in the installer.
  2. Grab and install the Win64 pywin32 build for Python 3.5 from here.
  3. Install the VS 2015 C++ Build Tools.
  4. Clone the agent repo and run `pip install -r requirements.txt` and `pip install --upgrade setuptools` in the root of it.
  5. Clone MITRE's py2exe repo.
  6. Open the VS2015 x64 command prompt, cd into the custom py2exe and run `python bdist` followed by `python bdist_egg`.
  7. cd into caldera-py2exe-master\dist and run `easy_install py2exe`.
  8. cd back into the agent directory\caldera_agent and run `make.bat`.
  9. Copy `cagent.exe` to c:\program files\cagent\
  10. Go to c:\program files\cagent\ and pull the config file from the Caldera server: https://whatever:8888/conf.yml
  11. Don't forget to mod your hosts file.
  12. Install and start the agent with `cagent.exe --startup auto install` followed by `cagent.exe start`.

I then logged into the Caldera server with admin/caldera, created a network, and ran several test operations.  It comes with a few adversary tactics built in.

More to come on importing new TTPs, expanding on the ATT&CK model, and writing Sysmon configs.

Categories: Security
