(Pre-)compromise operations for MITRE CALDERA

Overview

(Pre-)compromise operations for CALDERA

Extend your CALDERA operations over the entire adversary killchain. In contrast to MITRE's access plugin, caldera-precomp attempts to traverse the first phases of the killchain (reconnaissance, initial access, command and control) in an autonomous manner.

Even more so than post-compromise operation, the (pre-)compromise domain is full of uncertainty and subject to constant change. For this reason and a multitude of other reasons, the scenarios implemented in the plugin are unlikely to be very effective in the real world - they have mainly been built as a proof-of-concept. However, the underlying architecture of the plugin forms a great platform for autonomous (pre-)compromise operation. Use the plugin as a learning resource, or a basis for developing your own AAE applications that traverse the entire killchain.

Usage

⚠️ Only use this against resources that you own and/or are authorised to attack
  • The plugin needs a target scope to start with - see fact sources.
  • The plugin has been built and tested against MITRE CALDERA 4.0.0-alpha.
  • The plugin assumes availability of tooling required to run abilities on initial agents - Docker and bundled payloads have been used where possible to limit setup complexity.

Plugin architecture

Agents and agent groups

  • initial agents are used as a vantage point for the operation - they are installed on hosts that are controlled by us. We recommend spawning multiple on a range of OS'es and architectures - it can be useful to have both Windows and Linux-based agents to maximise support for tooling used by abilities.
  • rce agents are used as a 'mask' for situations where remote code execution is possible. This is part of a workaround that is further documented here.
  • target agents are spawned on remote hosts. This plugin does not interact with target agents, but they can be used to transition towards post-compromise adversary emulation using other CALDERA plugins.

Adversaries

The plugin implements two types of adversaries - ones that follow predefined scenarios albeit in an autonomous manner, and one that works unrestricted and leverages all abilities the plugin implements.

Scenarios

  • precomp-scenario-vulnexp scans the IP range for public-facing Microsoft Exchange servers and checks whether they are vulnerable to ProxyShell (CVE-2021-34473, CVE-2021-34523, and CVE-2021-31207). If it finds any vulnerable hosts, it exploits the vulnerability, extracting all email addresses from the Exchange Server and dropping a webshell. The webshell is then used to spawn a Sandcat agent on the remote Exchange server.
  • precomp-scenario-spray scans public-facing websites for e-mail addresses and the target IP range for public-facing RDP servers. The resulting information is used to execute a password spray against RDP. If successful, the adversary logs in to RDP and spawns a Sandcat agent on the remote host.

Autonomous

  • precomp-unrestricted implements all abilities that are part of the plugin and thus traverses any path it can find within the boundaries of the plugin.

Fact sources

  • target.domain takes a domain name (example.com)
  • target.range takes an IP address or range of addresses in CIDR notation (10.0.0.0/28)

These fact traits can be instantiated multiple times.

Planning

The included precomp-planner ensures three conditions apply for the links it generates:

  • For agents in the initial group, a combination of an ability and facts is only executed by one of these agents (since initial agents are identical from a tactical perspective)
  • RCE agents only execute abilities in the command-and-control tactic (in our scenarios, we want to 'upgrade' to full C2 as soon as possible)
  • Target agents do not execute any abilities

While this behaviour is sufficient for our use case, it might not be for other scenarios. Modify the planner logic as you like.

Handling RCE

When designing abilities that are part of the tactical phases of inital access or lateral movement, procedures often yield the ability to execute code on a target host (remote code execution). In these situations, actually executing code on the remote host requires two separate actions: one that is run locally, to establish the 'pipe' through which commands can be executed, and the action that is run remotely.

Given CALDERA's current capability, it is not possible to separate these two actions - both will have to be combined into one ability. Doing this goes directly against the philosophy of the framework - to strive for atomicity in designing abilities, while letting the framework make decisions in how to use them.

To solve this without modifying the CALDERA framework itself, we forked and modified MITRE's Sandcat agent to essentially act as a 'mask' for remote code execution - it runs locally, but acts like a remote agent and ensures any commands sent to it are executed on the remote host. This 'workaround' can be used as an intermediate stage to gaining full C2 (by installing an agent on the remote host).

An example of this agent being used in an ability can be found here. The modified agent can be found here. Compiled versions of this agent (for Linux and Windows) can be found in the payloads of this plugin.

Arguments

  • rcePlatform: the platform of the remote host (e.g. windows, darwin).
  • rceExecutor: the executor to use for remotely executed commands (e.g. psh, sh).
  • rceCommand: the command to use to 'instantiate' RCE (e.g. ssh root@remote-host COMMAND). This command needs to include a substitution marker (COMMAND), allowing the RCE agent to inject actions that need to be executed on the remote system.
  • rcePayloadname: if necessary, the payload to download from the CALDERA server that is a prerequisite to executing the rceCommand.
You might also like...
Cross-platform .NET Core pre-commit hooks

dotnet-core-pre-commit Cross-platform .NET Core pre-commit hooks How to use Add this to your .pre-commit-config.yaml - repo: https://github.com/juan

Pre-1.0 door/chest sound injector for Minecraft
Pre-1.0 door/chest sound injector for Minecraft

doorjector Pre-1.0 door/chest sound injector for Minecraft. While the game is running, doorjector hotswaps the new sounds for the old right before the

Provides guideline on how to configure pre-commit hooks in your own python project
Provides guideline on how to configure pre-commit hooks in your own python project

Pre-commit Configuration Guide The main aim of this repository is to act as a guide on how to configure the pre-commit hooks in your existing python p

Template for pre-commit hooks

Pre-commit hook template This repo is a template for a pre-commit hook. Try it out by running: pre-commit try-repo https://github.com/stefsmeets/pre-c

Some out-of-the-box hooks for pre-commit

pre-commit-hooks Some out-of-the-box hooks for pre-commit. See also: https://github.com/pre-commit/pre-commit Using pre-commit-hooks with pre-commit A

Cairo hooks for pre-commit
Cairo hooks for pre-commit

pre-commit-cairo Cairo hooks for pre-commit. See pre-commit for more details Using pre-commit-cairo with pre-commit Add this to your .pre-commit-confi

Incident Response Process and Playbooks | Goal: Playbooks to be Mapped to MITRE Attack Techniques
Incident Response Process and Playbooks | Goal: Playbooks to be Mapped to MITRE Attack Techniques

PURPOSE OF PROJECT That this project will be created by the SOC/Incident Response Community Develop a Catalog of Incident Response Playbook for every

A lightweight Python module to interact with the Mitre Att&ck Enterprise dataset.

enterpriseattack - Mitre's Enterprise Att&ck A lightweight Python module to interact with the Mitre Att&ck Enterprise dataset. Built to be used in pro

MITRE ATT&CK Lookup Tool

MITRE ATT&CK Lookup Tool attack-lookup is a tool that lets you easily check what Tactic, Technique, or Sub-technique ID maps to what name, and vice ve

PyTorch implementation of the Transformer in Post-LN (Post-LayerNorm) and Pre-LN (Pre-LayerNorm).
PyTorch implementation of the Transformer in Post-LN (Post-LayerNorm) and Pre-LN (Pre-LayerNorm).

Transformer-PyTorch A PyTorch implementation of the Transformer from the paper Attention is All You Need in both Post-LN (Post-LayerNorm) and Pre-LN (

Codes to pre-train T5 (Text-to-Text Transfer Transformer) models pre-trained on Japanese web texts

t5-japanese Codes to pre-train T5 (Text-to-Text Transfer Transformer) models pre-trained on Japanese web texts. The following is a list of models that

Code for our SIGIR 2022 accepted paper : P3 Ranker: Mitigating the Gaps between Pre-training and Ranking Fine-tuning with Prompt-based Learning and Pre-finetuning

P3 Ranker Implementation for our SIGIR2022 accepted paper: P3 Ranker: Mitigating the Gaps between Pre-training and Ranking Fine-tuning with Prompt-bas

SCOOP (Scalable COncurrent Operations in Python)
SCOOP (Scalable COncurrent Operations in Python)

SCOOP (Scalable COncurrent Operations in Python) is a distributed task module allowing concurrent parallel programming on various environments, from h

An object-oriented approach to Python file/directory operations.

Unipath An object-oriented approach to file/directory operations Version: 1.1 Home page: https://github.com/mikeorr/Unipath Docs: https://github.com/m

A series of convenience functions to make basic image processing operations such as translation, rotation, resizing, skeletonization, and displaying Matplotlib images easier with OpenCV and Python.
A series of convenience functions to make basic image processing operations such as translation, rotation, resizing, skeletonization, and displaying Matplotlib images easier with OpenCV and Python.

imutils A series of convenience functions to make basic image processing functions such as translation, rotation, resizing, skeletonization, and displ

A collection of over 5.1 million sub-domains and assets belonging to public bug bounty programs, compiled into a repo, for performing bulk operations.
A collection of over 5.1 million sub-domains and assets belonging to public bug bounty programs, compiled into a repo, for performing bulk operations.

📂 Public Bug Bounty Targets Data By BugBountyResources A collection of over 5.1M sub-domains and assets belonging to bug bounty targets, all put in a

A cross platform package to do curses-like operations, plus higher level APIs and widgets to create text UIs and ASCII art animations
A cross platform package to do curses-like operations, plus higher level APIs and widgets to create text UIs and ASCII art animations

ASCIIMATICS Asciimatics is a package to help people create full-screen text UIs (from interactive forms to ASCII animations) on any platform. It is li

Deep learning operations reinvented (for pytorch, tensorflow, jax and others)
Deep learning operations reinvented (for pytorch, tensorflow, jax and others)

This video in better quality. einops Flexible and powerful tensor operations for readable and reliable code. Supports numpy, pytorch, tensorflow, and

The goal of pandas-log is to provide feedback about basic pandas operations. It provides simple wrapper functions for the most common functions that add additional logs

pandas-log The goal of pandas-log is to provide feedback about basic pandas operations. It provides simple wrapper functions for the most common funct

Owner
Diederik Bakker
MSc Cyber Security @ University of Twente
Diederik Bakker
A lightweight Python module to interact with the Mitre Att&ck Enterprise dataset.

enterpriseattack - Mitre's Enterprise Att&ck A lightweight Python module to interact with the Mitre Att&ck Enterprise dataset. Built to be used in pro

xakepnz 7 Jan 1, 2023
Reference python implementation of Chia pool operations for pool operators

This repository provides a sample server written in python, which is meant to server as a basis for a Chia Pool. While this is a fully functional implementation, it requires some work in scalability and security to run in production.

Chia Network 451 Dec 13, 2022
Additional useful operations for Python

Pyteal Extensions Additional useful operations for Python Available Operations MulDiv64: calculate m1*m2/d with no overflow on multiplication (TEAL 3+

Ulam Labs 11 Dec 14, 2022
This repository contains various tools useful for offensive operations (reversing, etc) regarding the PE (Portable Executable) format

PE-Tools This repository contains various tools useful for offensive operations (reversing, etc) regarding the PE (Portable Executable) format Install

stark0de 4 Oct 13, 2022
Cisco IOS-XE Operations Program. Shows operational data using restconf and yang

XE-Ops View operational and config data from devices running Cisco IOS-XE software. NoteS The build folder is the latest build. All other files are fo

null 18 Jul 23, 2022
A simple but fully functional calculator that will take multiple operations.

Functional-Calculator A simple but fully functional calculator that will take multiple operations. Usage Run the following command through terminal: p

Uzziel Ariel 1 Dec 22, 2022
:fishing_pole_and_fish: List of `pre-commit` hooks to ensure the quality of your `dbt` projects.

pre-commit-dbt List of pre-commit hooks to ensure the quality of your dbt projects. BETA NOTICE: This tool is still BETA and may have some bugs, so pl

Offbi 262 Nov 25, 2022
Pre-commit hook for upgrading type hints

This is a pre-commit hook configured to automatically upgrade your type hints to the new native types implemented in PEP 585.

snok 54 Nov 14, 2022
validation for pre-commit.ci configuration

pre-commit-ci-config validation for pre-commit.ci configuration installation pip install pre-commit-ci-config api pre_commit_ci_config.SCHEMA a cfgv s

pre-commit.ci 17 Jul 11, 2022
Simple dotfile pre-processor with a per-file configuration

ix (eeks) Simple dotfile pre-processor with a per-file configuration Summary (TL;DR) ix.py is all you need config is an ini file. files to be processe

Poly 12 Dec 16, 2021