We covered threat emulation using Caldera, a popular tool that can be used to emulate adversary and attacker behaviours as well as execute detection and response actions. Caldera works in an agent and server mode, in which the agent is installed on the target machine and pulls instructions from the Caldera server that either execute TTPs or blue team response actions. This was part of the TryHackMe Caldera room.

What is Caldera in Threat Emulation

CALDERA™ is an open-source framework designed to run autonomous adversary emulation exercises efficiently. It enables users to emulate real-world attack scenarios and assess the effectiveness of their security defences.

In addition, it provides a modular environment for red team engagements, supporting red team operators in the manual execution of TTPs and blue teamers in automated incident response actions.

Lastly, CALDERA is built on the MITRE ATT&CK framework and is an active research project at MITRE. All the credit goes to MITRE for creating this fantastic framework.

Caldera Use Cases

Security analysts can leverage the CALDERA framework in different cases, but the common usages of CALDERA are as follows:

  • Autonomous Red Team Engagements: The original CALDERA use case. The framework is built to emulate known adversary profiles to reveal gaps across your organisation’s infrastructure. This use case allows you to test your defences and train your team on detecting threats.
  • Manual Red Team Engagements: Aside from automating adversary profiles, CALDERA can be customised based on your red team engagement needs. It allows you to replace or extend the attack capabilities when a custom set of TTPs needs to be executed.
  • Autonomous Incident Response: As mentioned, blue teamers can also use CALDERA to perform automated incident response actions through deployed agents. This functionality aids in identifying TTPs that other security tools may not detect or prevent.

Caldera Red Team Components

  1. Agents are programs continuously connecting to the CALDERA server to pull and execute instructions.
  2. Abilities are TTP implementations, which the agents execute.
  3. Adversaries are groups of abilities that are attributed to a known threat group.
  4. Operations run abilities on agent groups.
  5. Plugins provide additional functionality over the core usage of the framework.

Running a Caldera Instance

ubuntu@tryhackme:~$ cd Rooms/caldera/caldera

ubuntu@tryhackme:~/Rooms/caldera/caldera$ source ../caldera_venv/bin/activate

(caldera_venv) ubuntu@tryhackme:~/Rooms/caldera/caldera$ python3 server.py --insecure

Caldera Blue Team Components

The Response Plugin

The Response plugin is the counterpart of the threat emulation plugins of CALDERA. It mainly contains abilities that focus on detection and response actions. You may view the summary of the response plugin by navigating to the response tab in the sidebar.

Response Plugin Abilities

Compared to the adversaries’ abilities, which are mapped to MITRE ATT&CK Tactics and Techniques, the Response Plugin abilities are classified into four tactics:

  • Setup – Abilities that prepare information, such as baselines, that assist other abilities in determining outliers.
  • Detect – Abilities that focus on finding suspicious behaviour by continuously acquiring information. Abilities under this tactic have the Repeatable field configured, meaning they will run and hunt as long as the operation runs.
  • Response – Abilities that act on behalf of the user to initiate actions, such as killing a process, modifying firewall rules, or deleting a file.
  • Hunt – Abilities that focus on searching for malicious Indicators of Compromise (IOCs) via logs or file hashes.
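The four Response tactics above fit together as a pipeline: Setup records a baseline, Detect compares live state against it and emits facts, Hunt matches indicators, and Response acts on the facts. The following is an added illustration of that flow and is not CALDERA's own code; the process list, file contents and bad hash are constructed, and the fact names host.pid.unauthorized and remote.port.unauthorized are borrowed from the room's Find unauthorized processes ability.

```python
import hashlib

# Constructed sample data (not from the room or from CALDERA itself).
BASELINE_PROCS = [
    {"pid": 4, "image": "svchost.exe", "remote_port": 443},
    {"pid": 612, "image": "explorer.exe", "remote_port": None},
]
CURRENT_PROCS = BASELINE_PROCS + [
    {"pid": 1337, "image": "C:\\Users\\Public\\chrome.exe", "remote_port": 4444},
]
SAMPLE_FILES = {"vmtool.log": b"tasklist output", "dropper.xlsm": b"constructed bad bytes"}
BAD_HASHES = {hashlib.sha256(b"constructed bad bytes").hexdigest()}  # constructed IOC

# Setup tactic: record what "normal" looks like so Detect can find outliers.
def setup_baseline(processes):
    images = {p["image"] for p in processes}
    ports = {p["remote_port"] for p in processes if p["remote_port"] is not None}
    return {"images": images, "ports": ports}

# Detect tactic: compare the live process list against the baseline and emit
# facts; a repeatable ability would run this on every loop of the operation.
def detect_outliers(baseline, processes):
    facts = []
    for p in processes:
        if p["image"] not in baseline["images"]:
            facts.append(("host.pid.unauthorized", p["pid"]))
        port = p["remote_port"]
        if port is not None and port not in baseline["ports"]:
            facts.append(("remote.port.unauthorized", port))
    return facts

# Hunt tactic: look for known-bad indicators (here SHA-256 file hashes).
def hunt_iocs(files, bad_hashes):
    return sorted(n for n, data in files.items()
                  if hashlib.sha256(data).hexdigest() in bad_hashes)

# Response tactic: turn facts into the actions a responder would run.
def respond(facts):
    actions = []
    for name, value in facts:
        if name == "host.pid.unauthorized":
            actions.append(f"Stop-Process -Id {value}")
        elif name == "remote.port.unauthorized":
            actions.append(f"add outbound firewall block for port {value}")
    return actions

# One pass of the whole Setup -> Detect -> Hunt -> Response chain.
def run_operation():
    facts = detect_outliers(setup_baseline(BASELINE_PROCS), CURRENT_PROCS)
    return {"facts": facts, "hunt": hunt_iocs(SAMPLE_FILES, BAD_HASHES),
            "actions": respond(facts)}
```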

Check out the video below for a detailed explanation.

Room Answers | TryHackMe CALDERA

What is the name of the agent that has the capability to communicate via HTTP, GitHub GIST, or DNS tunnelling?

Sandcat

What functionality determines the order of abilities’ execution? 

planner

What is the name of the plugin that allows the simulation of human activity?

Human

What is the default IP value shown during the configuration of an agent?

0.0.0.0

How many abilities are included in the Enumeration profile?

5

What is the command executed by the tasklist Process Enumeration ability?

tasklist /m >> $env:APPDATA\vmtool.log;cat $env:APPDATA\vmtool.log

Based on the executed operation, what is the name of the ability that did not provide an output?

SysInternals PSTool Process Discovery

What is the name of the file downloaded by the first ability?

PhishingAttachment.xlsm

What is the name of the new process spawned by the second ability?

notepad.exe

How many accounts were identified by the fourth ability?

4

What is the name of the directory archived by the fifth ability?

Downloads

How many HTTP requests were made by the sixth ability?

23

What is the value of the ParentImage from the first log generated by any ability?

C:\Users\Public\chrome.exe

What is the name of the ability that generated a Sysmon Event ID 13?

Winlogon HKLM Shell Key Persistence – PowerShell

During the execution of the first ability, what is the title of the Sigma rule that flagged the usage of Invoke-WebRequest?

PowerShell Web Download

During the execution of the fifth ability, what is the value of the Match Strings field in Zip A Folder With PowerShell For Staging In Temp detection?

‘Compress-Archive ‘ in CommandLine, ‘ -Path ‘ in CommandLine, ‘ -DestinationPath ‘ in CommandLine, $env:TEMP\ in CommandLine

During the execution of the sixth ability, what is the title of the Sigma rule that flagged the usage of the string ‘join \’\’; $split’?

Hacktool – CrackMapExec PowerShell Obfuscation

How many instances of the Find unauthorized processes ability have failed during its first batch of execution?

3

Upon checking the Find unauthorized processes ability results, what is the name of the fact that returned a value aside from remote.port.unauthorized?

host.pid.unauthorized

What is the group value of the new firewall rule created by Enable Outbound TCP/UDP firewall rule ability?

Caldira

Aside from Enable Outbound TCP/UDP firewall rule, what is the name of another response ability that was executed after detecting the suspicious process?

Kill rogue process

What is the name of the PowerShell cmdlet executed by the ability referred to in Q4?

Stop-Process

Aside from the ps1 file, what is the name of the file created by the execution of “Download Macro-Enabled Phishing Attachment”? (Provide the TargetFilename value.)

C:\Users\Administrator\AppData\Local\Temp\2\PhishingAttachment.xlsm

What is the MatchString value of the Sigma rule that flagged the execution of Create a Process using obfuscated Win32_Process?

\WmiPrvSE.exe in ParentImage

What is the name of the service created by Execute a Command as a Service?

ARTService

Aside from the ps1 file, what is the name of the file created by the execution of “Powershell Cmdlet Scheduled Task”? (Provide the TargetFilename value)

C:\Windows\System32\Tasks\AtomicTask

Aside from the PowerShell detections, what is the name of the Sigma rule that flagged the execution of Create a new user in a command prompt?

New User Created Via Net.EXE

What is the name of the Sigma rule that flagged the execution of Clear Logs?

Suspicious Eventlog Clear or Configuration Change

What command is used by File and Directory Discovery (PowerShell) during its execution?

ls -recurse; get-childitem -recurse; gci -recurse

How many times did the Find files ability execute?

3

Video Walkthrough | TryHackMe CALDERA

About the Author

Mastermind Study Notes is a group of talented authors and writers who are experienced and well-versed across different fields. The group is led by Motasem Hamdan, who is a cybersecurity content creator and YouTuber.
