Introduction
CALDERA is a cyber security platform designed to easily automate adversary emulation, assist manual red teams, and automate incident response.
It is built on the MITRE ATT&CK framework and is an active research project at MITRE.
The framework consists of two components:
- The core system. This is the framework code in the main repository. It includes an asynchronous command-and-control (C2) server with a REST API and a web interface.
- Plugins. These are separate repositories that extend the core framework with additional functionality. Examples include proxies, reporting, collections of TTPs, and so on.
Official GitHub repository: https://github.com/mitre/caldera
Environment
- Kali Linux
- Miniconda
Download and install
- git clone https://github.com/mitre/caldera.git --recursive (the full checkout, including the plugin submodules, is about 300 MB; if the submodules do not download completely because of network problems, run git submodule update --init --recursive inside the repository until every plugin directory is populated)
- When the download is complete, cd caldera
- pip3 install -r requirements.txt (activate the conda environment first; installing Miniconda itself is not covered here)
- python3 server.py --insecure (--insecure starts the server with the default configuration and its default credentials, so use it only on an isolated lab network and never expose port 8888 to untrusted hosts)
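The clone step above pulls every plugin as a git submodule, and an interrupted download leaves empty plugin directories that make server.py fail at startup. The following check script is an added example, not part of the Caldera project: it parses .gitmodules and reports submodule paths that are missing or empty. The sample .gitmodules content embedded in it is constructed for illustration; run the script against the real checkout with the repository root as its argument.

```python
"""Report plugin submodules from .gitmodules that were not actually fetched.

Added example, not Caldera's own code.  A submodule that failed to download
shows up as an absent or empty directory, so both cases are reported.
"""
import os
import re
import sys

# Section header of a .gitmodules entry, e.g. [submodule "plugins/stockpile"]
_SECTION = re.compile(r'^\[submodule\s+"([^"]+)"\]\s*$')
# Path line inside a section, e.g. "\tpath = plugins/stockpile"
_PATH = re.compile(r'^\s*path\s*=\s*(\S+)\s*$')

# Constructed sample in the same format git writes; the real file lists
# many more plugins.
SAMPLE_GITMODULES = """\
[submodule "plugins/sandcat"]
\tpath = plugins/sandcat
\turl = https://github.com/mitre/sandcat.git
[submodule "plugins/stockpile"]
\tpath = plugins/stockpile
\turl = https://github.com/mitre/stockpile.git
"""


def parse_gitmodules(text):
    """Return {submodule name: relative path} parsed from .gitmodules content."""
    modules = {}
    name = None
    for line in text.splitlines():
        m = _SECTION.match(line)
        if m:
            name = m.group(1)
            continue
        m = _PATH.match(line)
        if m and name is not None:
            modules[name] = m.group(1)
    return modules


def missing_submodules(repo_root):
    """Return the sorted submodule paths whose directory is absent or empty.

    `git clone --recursive` creates the directory before fetching into it, so
    an empty directory is the signature of an interrupted submodule download.
    """
    with open(os.path.join(repo_root, ".gitmodules"), encoding="utf-8") as fh:
        modules = parse_gitmodules(fh.read())
    missing = []
    for path in modules.values():
        full = os.path.join(repo_root, path)
        if not os.path.isdir(full) or not os.listdir(full):
            missing.append(path)
    return sorted(missing)


if __name__ == "__main__":
    root = sys.argv[1] if len(sys.argv) > 1 else "."
    bad = missing_submodules(root)
    if bad:
        print("Incomplete submodules:", ", ".join(bad))
        print("Fix with: git submodule update --init --recursive")
        sys.exit(1)
    print("All submodules present")
```

Run it as `python3 check_submodules.py /path/to/caldera` before starting the server; a non-zero exit means at least one plugin directory is empty and the submodule update should be re-run.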
If the server starts successfully, the console output looks roughly like this:
Open a browser and go to http://<local IP>:8888 to reach the web interface. Log in with the default red-team account:
Username: red
Password: admin
The home page is as follows:
Bringing a host online
Next, bring a Windows host online (here, a Windows 10 virtual machine created in VMware). As shown in the figure, click the following in order:
Then select:
For the platform, select windows, change app.contact.http to the address of your own Caldera server (the Windows VM must be able to reach it on port 8888), and copy the PowerShell command shown in the red box:
On the Windows 10 VM, first turn off the firewall and virus & threat protection under Windows Security in Settings. The agent only needs outbound HTTP to the server, so the firewall change is rarely required; the real blocker is Defender, which otherwise quarantines the agent binary as a known red-team tool. Do this only on a disposable lab VM.
Then open PowerShell as administrator and run the command you just copied:
Back in the Caldera web interface, the Windows 10 host now shows up as an online agent:
Running an operation
Under adversaries you can see a number of preset adversary profiles, each a sequence of attack steps:
Click one, for example Collection. You can see the individual steps of the attack, change their execution order, and edit any step. Click a step to see the exact command it runs:
Next we run the Collection profile as an operation against the Windows 10 host that is online; click the buttons in the red boxes one by one:
The Collection commands have now been executed on the Windows 10 host we just brought online. We can view the output of each command:
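The same sequence of clicks (pick the online Windows agent, select the Collection profile, start an operation, read the results) can be scripted against the server's REST API. The script below is an added example, not Caldera's own code. It assumes a server started with `python3 server.py --insecure` on the local machine, the default red-team API key ADMIN123 from conf/default.yml, and the v2 endpoint paths and field names shown; confirm those against the Swagger UI the server serves at /api/docs before relying on them. The agent, adversary and link lists embedded in it are constructed sample responses used to exercise the selection logic offline.

```python
"""Run the Collection adversary profile against an online agent via the REST API.

Added example, not Caldera's own code.  SERVER, API_KEY and the /api/v2 paths
and fields are assumptions to verify against /api/docs on your server.
"""
import json
import sys
import time
import urllib.request

SERVER = "http://127.0.0.1:8888"   # assumption: server on the local machine
API_KEY = "ADMIN123"               # assumption: default api_key_red in conf/default.yml

# Constructed sample responses in the shape the UI shows for agents and profiles.
SAMPLE_AGENTS = [
    {"paw": "abc123", "host": "WIN10-LAB", "platform": "windows", "group": "red", "trusted": True},
    {"paw": "def456", "host": "kali", "platform": "linux", "group": "red", "trusted": True},
    {"paw": "old789", "host": "WIN10-OLD", "platform": "windows", "group": "red", "trusted": False},
]
SAMPLE_ADVERSARIES = [
    {"adversary_id": "id-discovery", "name": "Discovery"},
    {"adversary_id": "id-collection", "name": "Collection"},
]


def api(method, path, body=None):
    """Send one authenticated request and return the decoded JSON response."""
    data = json.dumps(body).encode() if body is not None else None
    req = urllib.request.Request(
        SERVER + path, data=data, method=method,
        headers={"KEY": API_KEY, "Content-Type": "application/json"})
    with urllib.request.urlopen(req, timeout=10) as resp:
        return json.loads(resp.read().decode())


def pick_agent(agents, platform="windows", group="red"):
    """Return the first agent matching platform and group, or None.

    Also requires the 'trusted' flag so an agent that stopped beaconing and
    was marked untrusted by the server is not chosen as the target.
    """
    for agent in agents:
        if (agent.get("platform") == platform and agent.get("group") == group
                and agent.get("trusted", True)):
            return agent
    return None


def find_adversary(adversaries, name):
    """Return the profile whose name matches case-insensitively, or None."""
    for adv in adversaries:
        if adv.get("name", "").lower() == name.lower():
            return adv
    return None


def build_operation(name, adversary, group="red"):
    """Body for POST /api/v2/operations: run the profile against the group now."""
    return {
        "name": name,
        "adversary": {"adversary_id": adversary["adversary_id"]},
        "group": group,
        "state": "running",
        "auto_close": True,
    }


def summarize_links(links):
    """Count executed steps in an operation's chain; link status 0 means success."""
    finished = [l for l in links if l.get("finish")]
    failed = sum(1 for l in finished if l.get("status") not in (0, None))
    return {"total": len(links), "finished": len(finished), "failed": failed}


if __name__ == "__main__":
    agent = pick_agent(api("GET", "/api/v2/agents"))
    if agent is None:
        sys.exit("no trusted Windows agent in group red; deploy the agent first")
    adversary = find_adversary(api("GET", "/api/v2/adversaries"), "Collection")
    if adversary is None:
        sys.exit("Collection profile not found; is the stockpile plugin enabled?")
    op = api("POST", "/api/v2/operations", build_operation("collection-win10", adversary))
    print(f"started operation {op['id']} against {agent['host']} ({agent['paw']})")
    while True:
        time.sleep(10)
        op = api("GET", f"/api/v2/operations/{op['id']}")
        print("state:", op["state"], summarize_links(op.get("chain", [])))
        if op["state"] == "finished":
            break
```

Because the operation targets a group rather than a single agent, every trusted agent in group red executes the profile, exactly as in the UI; to limit it to one host, put that agent in its own group when deploying it and pass that group name to build_operation.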