Feb 20 2025

CALDERA is an open-source cybersecurity platform

Category: cyber security,Open Sourcedisc7 @ 4:58 pm

MITRE CALDERA is an open-source cybersecurity platform developed by MITRE for automated adversary emulation and security assessment. It enables organizations to simulate real-world cyberattacks based on MITRE ATT&CK techniques to test and improve their defenses.

Key Features:

  • Automated Red Teaming – Simulates adversary behaviors using predefined or custom attack chains.
  • Modular Design – Supports plugins for extensibility (e.g., agents, adversary profiles, reporting).
  • Purple Teaming – Helps both red and blue teams assess detection and response capabilities.
  • Customization – Users can create their own adversary profiles and test specific TTPs (Tactics, Techniques, and Procedures).
  • Agent-Based Execution – Deploys agents on endpoints to execute attack scenarios safely.

Use Cases:

  • Testing security controls against simulated attacks.
  • Validating incident detection and response processes.
  • Automating adversary emulation for continuous security assessment.

Details on setup or specific attack scenarios:

Setting Up CALDERA for Attack Simulations

1. Installation

  • Prerequisites: Python 3.8+, Git, and pip installed on your system.
  • Clone the Repository: git clone https://github.com/mitre/caldera.git --recursive cd caldera
  • Install Dependencies: pip install -r requirements.txt
  • Run CALDERA: python3 server.py --insecure Access the web UI at http://localhost:8888 (default credentials: admin:admin). This default may not work in ver 5.0 – check conf/default.yml

2. Deploying Agents

CALDERA uses lightweight agents to simulate adversarial actions on endpoints.

  • Default Agent: Sandcat (cross-platform, supports Windows, Linux, macOS).
  • Deploy an Agent:
    • From the CALDERA UI, navigate to Agents → Deploy.
    • Generate an execution command and run it on the target endpoint.

3. Running Attack Simulations

  • Select an Adversary Profile: Choose from prebuilt MITRE ATT&CK-based profiles or create a custom one.
  • Execute Operations:
    • Go to Operations → Create Operation
    • Assign an agent and adversary profile
    • Start the operation to simulate attack techniques.
  • Monitor Results: View attack execution logs, responses, and detection gaps.

4. Customizing Attack Scenarios

  • Modify Existing TTPs: Edit YAML-based adversary profiles to change attack techniques.
  • Create New Adversary Profiles: Define a new attack sequence with custom scripts or commands.
  • Use Plugins: Enhance CALDERA with plugins like Stockpile (TTP Library) and Manx (Remote Access Tool).

Use Case Examples

  1. Credential Dumping Simulation – Test if your security tools detect LSASS process memory access.
  2. Lateral Movement Testing – Simulate adversaries moving between hosts using SMB or RDP.
  3. Data Exfiltration Exercise – See if your DLP solutions flag unauthorized file transfers.

Creating Custom Attack Simulations in CALDERA

To build a tailored adversary emulation plan, you’ll need to create custom TTPs (Tactics, Techniques, and Procedures) and integrate them into an adversary profile.

1. Understanding CALDERA’s Structure

  • Abilities – Define individual attack techniques (e.g., command execution, lateral movement).
  • Adversary Profiles – Group multiple abilities into a structured attack sequence.
  • Agents – Execute attacks on endpoints.

2. Creating a Custom TTP (Ability)

Abilities are stored in YAML format under caldera/data/abilities/.
Each ability follows this structure:

yamlCopyEdit- id: a1b2c3d4e5f6
  name: Custom Recon Command
  description: Runs a system enumeration command
  tactic: discovery
  technique:
    attack_id: T1082
    name: System Information Discovery
  platforms:
    windows:
      psh:
        command: "Get-ComputerInfo"
  requirements: []
  • id – Unique identifier for the ability.
  • name – Descriptive title.
  • tactic – The MITRE ATT&CK tactic (e.g., discovery, execution).
  • technique – Associated ATT&CK technique ID.
  • platforms – Specifies OS and execution method (PowerShell, Bash, etc.).
  • command – The actual command executed on the target.

Save this file in caldera/data/abilities/discovery/ as custom_recon.yml.

3. Adding the TTP to an Adversary Profile

Adversary profiles define attack sequences. Create a new profile under caldera/data/adversaries/

yamlCopyEdit- id: f7g8h9i0j1k2
  name: Custom Recon Attack
  description: A simple discovery attack
  atomic_ordering:
    - a1b2c3d4e5f6
  • atomic_ordering – Lists abilities in execution order.
    Save as custom_recon_profile.yml.

4. Running the Custom Attack Simulation

  1. Restart CALDERA to load new configurations:bashCopyEditpython server.py --insecure
  2. Deploy an Agent on the target machine.
  3. Launch the Custom Attack:
    • Go to Operations → Create Operation
    • Select Custom Recon Attack as the adversary profile
    • Assign an agent and start the operation
  4. Analyze Results – View execution logs and detection gaps in the UI.

5. Expanding the Simulation

  • Chaining Multiple TTPs – Add more techniques (e.g., privilege escalation, lateral movement).
  • Evading Defenses – Modify scripts to bypass EDR detection (e.g., encoded PowerShell commands).
  • Automating Response Testing – Check if your SIEM or SOAR detects and mitigates the attack.

Example for a specific attack scenario, like lateral movement or credential dumping:

Example: Simulating Lateral Movement Using CALDERA

Lateral movement techniques help assess an organization’s ability to detect and respond to adversaries moving across systems. In this example, we’ll create a CALDERA attack simulation that uses SMB-based remote command execution (ATT&CK ID: T1021.002).

1. Creating the Lateral Movement TTP (Ability)

We’ll define an ability that uses psexec (a common SMB-based remote execution tool).

YAML File: caldera/data/abilities/lateral_movement/smb_exec.yml

yamlCopyEdit- id: 12345abcde
  name: SMB Lateral Movement
  description: Executes a command on a remote system using SMB
  tactic: lateral-movement
  technique:
    attack_id: T1021.002
    name: SMB Remote Execution
  platforms:
    windows:
      cmd:
        command: |
          psexec \\#{remote.host} -u #{remote.user} -p #{remote.pass} -s cmd.exe /c "whoami > C:\Users\Public\loot.txt"
  requirements:
    - name: host.user
      relation: present
    - name: host.pass
      relation: present

Explanation:

  • Uses PsExec to execute whoami on a remote host.
  • Saves the output to C:\Users\Public\loot.txt for verification.
  • Uses #{remote.host}, #{remote.user}, and #{remote.pass} as dynamic variables.

Save this file in caldera/data/abilities/lateral_movement/.

2. Creating an Adversary Profile

Now, we bundle this TTP into an adversary profile.

YAML File: caldera/data/adversaries/lateral_move.yml

yamlCopyEdit- id: 67890fghij
  name: Lateral Movement Test
  description: Simulates an adversary moving laterally using SMB
  atomic_ordering:
    - 12345abcde

Save this file in caldera/data/adversaries/.

3. Running the Lateral Movement Simulation

  1. Restart CALDERA to load new configurations:bashCopyEditpython server.py --insecure
  2. Deploy an Agent on an initial compromised system.
  3. Create a New Operation:
    • Go to: Operations → Create Operation
    • Adversary Profile: Select Lateral Movement Test
    • Assign an Agent
    • Start the Operation
  4. Monitor Execution:
    • If successful, the target machine will have a new file: C:\Users\Public\loot.txt.
    • Review the logs to check execution results.

4. Enhancing the Simulation

  • Use PowerShell Remoting instead of psexec:yamlCopyEditcommand: | Invoke-Command -ComputerName #{remote.host} -Credential (New-Object System.Management.Automation.PSCredential(#{remote.user}, (ConvertTo-SecureString #{remote.pass} -AsPlainText -Force))) -ScriptBlock {whoami > C:\Users\Public\loot.txt}
  • Test Defense Evasion: Modify commands to use encoded PowerShell payloads.
  • Check SIEM Logs: Verify if your security tools detected and logged the lateral movement attempt.

Example: Simulating Lateral Movement on Linux Using SSH

Lateral movement on Linux often involves SSH-based remote command execution (MITRE ATT&CK ID: T1021.004). This simulation will test whether security controls detect an attacker moving across Linux systems via SSH.

1. Creating a Custom SSH Lateral Movement TTP (Ability)

YAML File: caldera/data/abilities/lateral_movement/ssh_exec.yml

yamlCopyEdit- id: abcde12345
  name: SSH Lateral Movement
  description: Executes a command on a remote Linux system via SSH
  tactic: lateral-movement
  technique:
    attack_id: T1021.004
    name: SSH Remote Execution
  platforms:
    linux:
      sh:
        command: |
          sshpass -p '#{remote.pass}' ssh -o StrictHostKeyChecking=no #{remote.user}@#{remote.host} "whoami > /tmp/loot.txt"
  requirements:
    - name: remote.user
      relation: present
    - name: remote.pass
      relation: present
    - name: remote.host
      relation: present

Explanation:

  • Uses sshpass to authenticate with the target machine.
  • Runs whoami on the remote machine and saves the output in /tmp/loot.txt.
  • Disables strict host key checking to avoid SSH warnings.

Save this file in caldera/data/abilities/lateral_movement/.

2. Creating an Adversary Profile

YAML File: caldera/data/adversaries/linux_lateral_move.yml

yamlCopyEdit- id: fghij67890
  name: Linux Lateral Movement Test
  description: Simulates an adversary moving laterally via SSH on Linux
  atomic_ordering:
    - abcde12345

Save this file in caldera/data/adversaries/.

3. Running the Lateral Movement Simulation

  1. Restart CALDERA to load the new configurations:bashCopyEditpython server.py --insecure
  2. Deploy an Agent on an initial Linux system.
  3. Ensure SSH Credentials Are Available:
    • Modify the agent to include SSH credentials using CALDERA’s fact system:cssCopyEditfact: {remote.user: "testuser", remote.pass: "password123", remote.host: "192.168.1.100"}
  4. Create a New Operation:
    • Go to: Operations → Create Operation
    • Adversary Profile: Select Linux Lateral Movement Test
    • Assign an Agent
    • Start the Operation
  5. Monitor Execution:
    • If successful, the target machine will have a file /tmp/loot.txt containing the username.
    • Check logs to verify execution.

4. Enhancing the Simulation

  • Use Key-Based Authentication Instead of Passwords:yamlCopyEditcommand: | ssh -i /home/#{remote.user}/.ssh/id_rsa #{remote.user}@#{remote.host} "whoami > /tmp/loot.txt"
  • Simulate Data Exfiltration: Copy files from the remote system using scp.
  • Test SIEM Detection: Ensure logs capture unauthorized SSH connections.

MITRE/Caldera: Automated Adversary Emulation Platform Github.com/mitre/caldera

InfoSec services | InfoSec books | Follow our blog | DISC llc is listed on The vCISO Directory | ISO 27k Chat bot | Comprehensive vCISO Services | ISMS Services | Security Risk Assessment Services

Tags: Caldera, MITRE Caldera

Leave a Reply

You must be logged in to post a comment. Login now.