We covered threat emulation using Caldera which is a popular tool that can be used to emulate adversary and attacker’s behavious as well as execute detection and response actions. Caldera works as agent and server mode in which the agent is installed on the target machine and pulls instructions from the Caldera server that either execute TTPs or blue team response actions. This was part of TryHackMe Caldera room.
Blue Team Cyber Security & SOC Analyst Study Notes
Windows Active Directory Penetration Testing Study Notes
What is Caldera in Threat Emulation
CALDERA™ is an open-source framework designed to run autonomous adversary emulation exercises efficiently. It enables users to emulate real-world attack scenarios and assess the effectiveness of their security defences.
In addition, it provides a modular environment for red team engagements, supporting red team operators for the manual execution of TTPs and blue teamers for automated incident response actions.
Lastly, CALDERA is built on the MITRE ATT&CK framework and is an active research project at MITRE. All the credit goes to MITRE for creating this fantastic framework.
Caldera Use Cases
Security analysts can leverage the CALDERA framework in different cases, but the common usages of CALDERA are as follows:
- Autonomous Red Team Engagements: The original CALDERA use case. The framework is built to emulate known adversary profiles to see gaps across your organisation’s infrastructure. This use case allows you to test your defences and train your team on detecting threats.
- Manual Red Team Engagements: Aside from automating adversary profiles, CALDERA can be customised based on your red team engagement needs. It allows you to replace or extend the attack capabilities in case a custom set of TTPs are needed to be executed.
- Autonomous Incident Response: As mentioned, blue teamers can also use CALDERA to perform automated incident response actions through deployed agents. This functionality aids in identifying TTPs that other security tools may not detect or prevent.
Caldera Red Team Components
- Agents are programs continuously connecting to the CALDERA server to pull and execute instructions.
- Abilities are TTP implementations, which the agents execute.
- Adversaries are groups of abilities that are attributed to a known threat group.
- Operations run abilities on agent groups.
- Plugins provide additional functionality over the core usage of the framework.
Running Caldera Instance
ubuntu@tryhackme:~$ cd Rooms/caldera/caldera
ubuntu@tryhackme:~/Rooms/caldera/caldera$ source ../caldera_venv/bin/activate
(caldera_venv) ubuntu@tryhackme:~/Rooms/caldera/caldera$ python3 server.py --insecure
Caldera Blue Team Components
The Response Plugin
The Response plugin is the counterpart of the threat emulation plugins of CALDERA. It mainly contains abilities that focus on detection and response actions. You may view the summary of the response plugin by navigating to the response tab in the sidebar.
Response Plugin Abilities
Compared to the adversaries’ abilities that are mapped with MITRE ATT&CK Tactics and Techniques, the Response Plugin Abilities are classified by four different tactics, such as:
- Setup – Abilities that prepare information, such as baselines, that assists other abilities in determining outliers.
- Detect – Abilities that focus on finding suspicious behaviour by continuously acquiring information. Abilities under this tactic have the Repeatable field configured, meaning they will run and hunt as long as the operation runs.
- Response – Abilities that act on behalf of the user to initiate actions, such as killing a process, modifying firewall rules, or deleting a file.
- Hunt – Abilities that focus on searching for malicious Indicators of Compromise (IOCs) via logs or file hashes.
Check out the video below for detailed explanation.
Room Answers | TryHackMe CALDERA
What is the name of the agent that has the capability to communicate via HTTP, GitHub GIST, or DNS tunnelling?
Sandcat
What functionality determines the order of abilities’ execution?
planner
What is the name of the plugin that allows the simulation of human activity?
Human
What is the default IP value shown during the configuration of an agent?
0.0.0.0
How many abilities are included in the Enumeration profile?
5
What is the command executed by the tasklist Process Enumeration ability?
tasklist /m >> $env:APPDATA\vmtool.log;cat $env:APPDATA\vmtool.log
Based on the executed operation, what is the name of the ability that did not provide an output?
SysInternals PSTool Process Discovery
What is the name of the file downloaded by the first ability?
PhishingAttachment.xlsm
What is the name of the new process spawned by the second ability?
notepad.exe
How many accounts were identified by the fourth ability?
4
What is the name of the directory archived by the fifth ability?
Downloads
How many HTTP requests were made by the sixth ability?
23
What is the value of the ParentImage from the first log generated by any ability?
C:\Users\Public\chrome.exe
What is the name of the ability that generated a Sysmon Event ID 13?
Winlogon HKLM Shell Key Persistence – PowerShell
During the execution of the first ability, what is the title of the Sigma rule that flagged the usage of Invoke-WebRequest?
PowerShell Web Download
During the execution of the fifth ability, what is the value of the Match Strings field in Zip A Folder With PowerShell For Staging In Temp detection?
‘Compress-Archive ‘ in CommandLine, ‘ -Path ‘ in CommandLine, ‘ -DestinationPath ‘ in CommandLine, $env:TEMP\ in CommandLine
During the execution of the sixth ability, what is the title of the Sigma rule that flagged the usage of the string ‘join \’\’; $split’?
Hacktool – CrackMapExec PowerShell Obfuscation
How many instances of the Find unauthorized processes ability have failed during its first batch of execution?
3
Upon checking the Find unauthorized processes ability results, what is the name of the fact that returned a value aside from remote.port.unauthorized?
host.pid.unauthorized
What is the group value of the new firewall rule created by Enable Outbound TCP/UDP firewall rule ability?
Caldira
Aside from Enable Outbound TCP/UDP firewall rule, what is the name of another response ability that was executed after detecting the suspicious process?
Kill rogue process
What is the name of the PowerShell cmdlet executed by the ability referred to in Q4?
Stop-Process
Aside from the ps1 file, what is the name of the file created by the execution of “Download Macro-Enabled Phishing Attachment”? (Provide the TargetFilename value.)
C:\Users\Administrator\AppData\Local\Temp\2\PhishingAttachment.xlsm
What is the MatchString value of the Sigma rule that flagged the execution of Create a Process using obfuscated Win32_Process?
\WmiPrvSE.exe in ParentImage
What is the name of the service created by Execute a Command as a Service?
ARTService
Aside from the ps1 file, what is the name of the file created by the execution of “Powershell Cmdlet Scheduled Task”? (Provide the TargetFilename value)
C:\Windows\System32\Tasks\AtomicTask
Aside from the PowerShell detections, what is the name of the Sigma rule that flagged the execution of Create a new user in a command prompt?
New User Created Via Net.EXE
What is the name of the Sigma rule that flagged the execution of Clear Logs?
Suspicious Eventlog Clear or Configuration Change
What command is used by FIle and Directory Discovery (PowerShell) during its execution?
ls -recurse; get-childitem -recurse; gci -recurse
How many times did the Find files ability execute?
3
Video Walkthrough | TryHackMe CALDERA
Thats awesome content
Thank you !