Simulating attacks and APT Groups with MITRE’s CALDERA

Thinking of good cybersecurity measures is a different ballgame than actually testing it. Often people think that having a good firewall, strong passwords, or anti-virus software is providing them with good protection. But only when you really test what happens during an attack, you can make sure you have the correct protection in place. This is where MITRE’s CALDERA makes your life a whole lot easier.

CALDERA cyber security framework for autonomous breach-and-simulation exercises.

CALDERA is developped by MITRE and available on GitHub. Yes, the same MITRE as that good old Att&ck map we often see in cybersecurity tools. It’s main purpose is to give you the possibility to simulated a real attack beyond just simply checking if there is antivirus running. This saves a whole lot of time in testing you cybersecurity measures.

In this blog I will tell you more about the way CALDERA works, and how you can set it up for yourself. At this time the last stable version of CALDERA is 2.8.1.

Using a simple to use web application, you can create all sort of attacks you wish to carry out. The MITRE Att&ck framework is used to create a lot of different attacks grouped into known categories as: Initial access, Privilege Escalation, Lateral Movement, and so on. This lets you choose a specific action like Automated Exfiltration, which is known as T1020 in the framework. Using these different actions you can set up your own operation to execute to a target, or even recreate a known Advanced Persistent Threat (APT) group mode of operations.

Installing MITRE CALDERA

At the base of all these operations and attacks are different agents you can deploy to your “victim”. You can preconfigure them from the CALDERA web application and deploy them in a way you see fit. After the agent has been installed it will dial back in to wait for any pending or new tasks.

There is some requirement for running CALDERA. The following is needed to make this all happen:

  • Any Linux or MacOS
  • Python 3.6.1+ (with Pip3)
  • Google Chrome is our only supported browser
  • Recommended hardware to run on is 8GB+ RAM and 2+ CPUs

First I go into my /opt folder and clone the CALDERA repositiory from GitHub.

cd /opt
git clone https://github.com/mitre/caldera.git --recursive --branch 2.8.1 

After cloning the repo, in my case with version 2.8.1, you need to install (or update) Python3-pip and install the PIP requirements.

cd caldera

sudo apt install -y python3-pip (if not present on your machine)

pip3 install -r requirements.txt

Just to make sure you have the most recent version of the programming language ‘go’ running, update it via apt.

sudo apt-get install golang -y

And last but not least, run the server from the console using Python3. The –insecure parameter disables the use of SSL. Just leave it out when you want to run it with a certificate.

python3 server.py --insecure

Deploying agents to your victims

Since we are simulating the attacks on known machines they are not really victims. But for the sake of the story, let’s keep calling them like this.

When the installation of Caldera is done, you can log in to the control panel by using the URL: http://0.0.0.0:8888. The default login is red/admin. At this time Google Chrome is the only supported browser for CALDERA and I did notice some weird behavior when using Firefox.

After you are logged in, you will have access to the control panel for the “red”-activities.

Before you can start and simulate attacks, you need to make sure the target machines have an agent running. There are different agents available for you to use. When choosing an agent and the Operating System it runs on, you immediately get the needed command for installation. If you want to deploy a remote agent, be sure to change the IP-address for Caldera on the configuration page, since the default IP is set to 0.0.0.0. You can do it centrally on the Configuration page, or manually when deploying an agent.

When an agent is successfully deployed and can communicate with the server, you will see the agent showing up on the agent page. The green pid lets you know that the agent is trusted. When it turns red there is something wrong with the agent, or you need to refresh the trust with the server.

When you select an agent you can see some additional information. It is also possible to add an agent to a group, for example: “Windows Agents”. This makes targeting a specific group of agents much easier.

Running the first attack operation on a target

With the agent deployed and ready for action, you can now start and run a so-called operation. An operation is a collection of specific actions you want to use on the victim machine. In this example, I will start with a predefined operation aimed at automatically exfiltrating data to the CALDERA server. This operation is called Thief and can be selected on the Operations page.

First I give the operation a name (Test Thief Operation) and set the scope to the group “red” which contains my Windows 10 virtual machine with the agent. Next, I choose the adversary Thief and set the operation to Auto close operation and run immediately. You can configure some extra parameters for autonomous action, stealth, and a specific moment to run the operation.

When the operation launches, either direct or scheduled, all tasks that are being executed are display on the right. The progress and state are displayed with a colored ring, and when there is information learned you will see a gold star behind the action.

When you click a gold star you see the output of that action. In this case, I chose the exfiltration action which clearly shows that it succeeded.

The content in the staged.zip archive on the victim’s machine is now exfiltrated to my local Kali machine running CALDERA.

Build custom operations

Now that the process for installing agents and running operations is clear, you can also start and make your own custom operations. IF you want to simulate attacks used by well-known APTs you can check out MITRE Groups to search the group you want and see which techniques are commonly used by this group.

Let’s take the Lazarus Group for example, which is linked to North Korea. The image below gives you a very short overview of the used techniques from this APT. If you visit the Lazarus Group on the MITRE Groups website there is way more about them.

I have created a custom adversary with the name G0032 – Lazarus Group – Persistence and added a few of the techniques which are used by this group. For example, The Tactic Persistence contains a technique for Account Manipulation also used in the Lazarus Group malware WhiskeyDelta-Two, which contains a function that attempts to rename the administrator’s account. Let’s add that to my custom adversary.

With the new adversary created, it is time to add some abilities related to this Hacker group. I picked T1098 – Account Manipulation from the list of known abilities and added it to my new adversary.

You can have more than one ability so that it fits the attack simulation you want. For this example, I also added Create or Modify System process: Windows Service, which contains an ability to take advantage of the Windows Fax Service to launch Powershell.

When you’re new adversary contains all the necessary abilities you want, just choose it in a new operation and launch it against your victim.

Modular expansion with plugins

CALDERA makes use of a system of plugins to expand the possibilities of the platform. There are a few plugins available by default and you can choose to add more to your installation. Here are some of the plugins for CALDERA you can enable:

  • Access (red team initial access tools and techniques)
  • Atomic (Atomic Read Team project TTPs)
  • Builder (dynamically compile payloads)
  • Compass (ATT&CK visualizations)
  • Debrief (operations insights)
  • Fieldmanual (documentation)
  • GameBoard (visualize joint red and blue operations)
  • Human (create simulated noise on an endpoint)
  • Manx (shell functionality and reverse shell payloads)
  • Mock (simulate agents in operations)
  • Response (incident response)
  • Sandcat (default agent)
  • SSL (enable https for caldera)
  • Stockpile (technique and profile storehouse)
  • Training (certification and training course)


[box type=”warning” align=”” class=”” width=””]All information in this post is for educational use only! Do not use it at others when you do not have explicit approval to do so. I am not responsible for your actions. Using this knowledge for illegal activities could land you in jail![/box]

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.