
3.0.0

@wbooth wbooth released this 17 Feb 15:37
0cbac0c

Overview

Big improvements to usability, a new plugin called Emu that imports adversary emulation plans from CTID, P2P agent
communication, lateral movement tracking, and more!

Plugin Updates

NEW PLUGIN: Emu

This plugin imports adversary emulation plans from the Center for Threat Informed Defense (CTID).

Learn more about the supported emulation plans here:
https://github.com/center-for-threat-informed-defense/adversary_emulation_library

Debrief

Debrief is now tracking lateral movement through the new attack path graph in addition to some changes made to sandcat and core!

Learn more about the feature here:
https://caldera.readthedocs.io/en/latest/Lateral-Movement-Guide.html#displaying-lateral-movement-in-debrief

Builder

Allow for dynamic compilation of C#, C, C++, and Go binaries. Code will be built in Docker containers, requiring additional setup when CALDERA starts, but reducing dependencies on the server. Both C# and Go binaries can be built with libraries/modules.

New Features

Peer-to-Peer Communication

Peer-to-peer functionality allows agents within internal networks to chain together to enable beaconing and communications where a direct connection is not possible. The implementation in sandcat also allows for varied channels of communication, so that an agent can be configured for the environment it is being deployed in. CALDERA also provides peer discovery, so that an agent can be deployed from a generic binary and discover whether any peers are available to connect out through if a direct connection to the C2 server is not possible. The CALDERA server will display the proxy chain and the protocols used to facilitate the communications on the agents page.

Lateral Movement Tracking

Adds the capability for CALDERA to track lateral movement via the originLinkID, which is passed as an optional command-line argument when executing an agent.

Learn more about the feature here:
https://caldera.readthedocs.io/en/latest/Lateral-Movement-Guide.html#displaying-lateral-movement-in-debrief

Manual Links

Allow users to run arbitrary commands on agents. Previously, only commands in abilities could be run. Add manual links from the operation screen.

Uploads

Similar to payload downloads in abilities, you can now specify file uploads in an ability YAML file. Supporting agents will upload the specified file(s) after completing an ability. File paths can be local or absolute.
Before, file uploads and exfiltration were performed using hardcoded commands (curl, PowerShell WebClient, etc.) that required an HTTP(S) connection to the C2. In cases where the agent is using peer-to-peer and cannot directly access the server, the old file upload commands wouldn't work as intended. By adding the upload capability as a separate ability and instruction component, supporting agents will use their contact method's built-in upload functionality to send file bytes upstream, whether directly to the C2 server or to another agent proxy peer that will forward the bytes on their behalf.
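As an added illustration (not taken from the release or the CALDERA repository) of how an ability can declare an upload alongside the executor that produces the file, here is an ability YAML fragment. The `uploads` key name, its placement under the executor, and the ability id are assumptions based on the feature description above; the collected file is a constructed example.

```yaml
# Constructed example ability: collects a small host inventory file and
# asks the agent to upload it after the command finishes.
- id: 00000000-0000-0000-0000-000000000000   # placeholder ability id
  name: Collect host inventory (example)
  description: Writes basic host details to a file and uploads it via the agent's contact
  tactic: discovery
  technique:
    attack_id: T1082
    name: System Information Discovery
  platforms:
    linux:
      sh:
        command: |
          uname -a > /tmp/host_inventory.txt
        payloads: []          # nothing needs to be downloaded first
        uploads:              # assumed key: files sent upstream after the command completes
          - /tmp/host_inventory.txt
```

For detection engineering this matters because the upload rides the agent's existing contact channel (or a peer proxy chain), so there is no separate curl or WebClient process to alert on; monitoring should focus on the agent's beacon traffic and on file reads by the agent process.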

Deadman Abilities

Users can now specify deadman abilities in the agents.yml config or via the agent GUI modal to have supporting agents run them prior to termination. Whereas all agents will receive bootstrap abilities for immediate execution upon their first successful beacon, the CALDERA server will only send deadman abilities to agents who have indicated through their beacons that they support deadman abilities. An example use case for this functionality is to specify an ability that will remove the agent executable once the agent terminates, or other defense evasion abilities like clearing logs.

Other Updates

  • Many bugfixes and usability improvements