Feb 20 2025

CALDERA is an open-source cybersecurity platform

Category: cyber security,Open Sourcedisc7 @ 4:58 pm

MITRE CALDERA is an open-source cybersecurity platform developed by MITRE for automated adversary emulation and security assessment. It enables organizations to simulate real-world cyberattacks based on MITRE ATT&CK techniques to test and improve their defenses.

Key Features:

  • Automated Red Teaming – Simulates adversary behaviors using predefined or custom attack chains.
  • Modular Design – Supports plugins for extensibility (e.g., agents, adversary profiles, reporting).
  • Purple Teaming – Helps both red and blue teams assess detection and response capabilities.
  • Customization – Users can create their own adversary profiles and test specific TTPs (Tactics, Techniques, and Procedures).
  • Agent-Based Execution – Deploys agents on endpoints to execute attack scenarios safely.

Use Cases:

  • Testing security controls against simulated attacks.
  • Validating incident detection and response processes.
  • Automating adversary emulation for continuous security assessment.

Details on setup or specific attack scenarios:

Setting Up CALDERA for Attack Simulations

1. Installation

  • Prerequisites: Python 3.8+, Git, and pip installed on your system.
  • Clone the Repository: git clone https://github.com/mitre/caldera.git --recursive cd caldera
  • Install Dependencies: pip install -r requirements.txt
  • Run CALDERA: python3 server.py --insecure Access the web UI at http://localhost:8888 (default credentials: admin:admin). This default may not work in ver 5.0 – check conf/default.yml

2. Deploying Agents

CALDERA uses lightweight agents to simulate adversarial actions on endpoints.

  • Default Agent: Sandcat (cross-platform, supports Windows, Linux, macOS).
  • Deploy an Agent:
    • From the CALDERA UI, navigate to Agents → Deploy.
    • Generate an execution command and run it on the target endpoint.

3. Running Attack Simulations

  • Select an Adversary Profile: Choose from prebuilt MITRE ATT&CK-based profiles or create a custom one.
  • Execute Operations:
    • Go to Operations → Create Operation
    • Assign an agent and adversary profile
    • Start the operation to simulate attack techniques.
  • Monitor Results: View attack execution logs, responses, and detection gaps.

4. Customizing Attack Scenarios

  • Modify Existing TTPs: Edit YAML-based adversary profiles to change attack techniques.
  • Create New Adversary Profiles: Define a new attack sequence with custom scripts or commands.
  • Use Plugins: Enhance CALDERA with plugins like Stockpile (TTP Library) and Manx (Remote Access Tool).

Use Case Examples

  1. Credential Dumping Simulation – Test if your security tools detect LSASS process memory access.
  2. Lateral Movement Testing – Simulate adversaries moving between hosts using SMB or RDP.
  3. Data Exfiltration Exercise – See if your DLP solutions flag unauthorized file transfers.

Creating Custom Attack Simulations in CALDERA

To build a tailored adversary emulation plan, you’ll need to create custom TTPs (Tactics, Techniques, and Procedures) and integrate them into an adversary profile.

1. Understanding CALDERA’s Structure

  • Abilities – Define individual attack techniques (e.g., command execution, lateral movement).
  • Adversary Profiles – Group multiple abilities into a structured attack sequence.
  • Agents – Execute attacks on endpoints.

2. Creating a Custom TTP (Ability)

Abilities are stored in YAML format under caldera/data/abilities/.
Each ability follows this structure:

yamlCopyEdit- id: a1b2c3d4e5f6
  name: Custom Recon Command
  description: Runs a system enumeration command
  tactic: discovery
  technique:
    attack_id: T1082
    name: System Information Discovery
  platforms:
    windows:
      psh:
        command: "Get-ComputerInfo"
  requirements: []
  • id – Unique identifier for the ability.
  • name – Descriptive title.
  • tactic – The MITRE ATT&CK tactic (e.g., discovery, execution).
  • technique – Associated ATT&CK technique ID.
  • platforms – Specifies OS and execution method (PowerShell, Bash, etc.).
  • command – The actual command executed on the target.

Save this file in caldera/data/abilities/discovery/ as custom_recon.yml.

3. Adding the TTP to an Adversary Profile

Adversary profiles define attack sequences. Create a new profile under caldera/data/adversaries/

yamlCopyEdit- id: f7g8h9i0j1k2
  name: Custom Recon Attack
  description: A simple discovery attack
  atomic_ordering:
    - a1b2c3d4e5f6
  • atomic_ordering – Lists abilities in execution order.
    Save as custom_recon_profile.yml.

4. Running the Custom Attack Simulation

  1. Restart CALDERA to load new configurations:bashCopyEditpython server.py --insecure
  2. Deploy an Agent on the target machine.
  3. Launch the Custom Attack:
    • Go to Operations → Create Operation
    • Select Custom Recon Attack as the adversary profile
    • Assign an agent and start the operation
  4. Analyze Results – View execution logs and detection gaps in the UI.

5. Expanding the Simulation

  • Chaining Multiple TTPs – Add more techniques (e.g., privilege escalation, lateral movement).
  • Evading Defenses – Modify scripts to bypass EDR detection (e.g., encoded PowerShell commands).
  • Automating Response Testing – Check if your SIEM or SOAR detects and mitigates the attack.

Example for a specific attack scenario, like lateral movement or credential dumping:

Example: Simulating Lateral Movement Using CALDERA

Lateral movement techniques help assess an organization’s ability to detect and respond to adversaries moving across systems. In this example, we’ll create a CALDERA attack simulation that uses SMB-based remote command execution (ATT&CK ID: T1021.002).

1. Creating the Lateral Movement TTP (Ability)

We’ll define an ability that uses psexec (a common SMB-based remote execution tool).

YAML File: caldera/data/abilities/lateral_movement/smb_exec.yml

yamlCopyEdit- id: 12345abcde
  name: SMB Lateral Movement
  description: Executes a command on a remote system using SMB
  tactic: lateral-movement
  technique:
    attack_id: T1021.002
    name: SMB Remote Execution
  platforms:
    windows:
      cmd:
        command: |
          psexec \\#{remote.host} -u #{remote.user} -p #{remote.pass} -s cmd.exe /c "whoami > C:\Users\Public\loot.txt"
  requirements:
    - name: host.user
      relation: present
    - name: host.pass
      relation: present

Explanation:

  • Uses PsExec to execute whoami on a remote host.
  • Saves the output to C:\Users\Public\loot.txt for verification.
  • Uses #{remote.host}, #{remote.user}, and #{remote.pass} as dynamic variables.

Save this file in caldera/data/abilities/lateral_movement/.

2. Creating an Adversary Profile

Now, we bundle this TTP into an adversary profile.

YAML File: caldera/data/adversaries/lateral_move.yml

yamlCopyEdit- id: 67890fghij
  name: Lateral Movement Test
  description: Simulates an adversary moving laterally using SMB
  atomic_ordering:
    - 12345abcde

Save this file in caldera/data/adversaries/.

3. Running the Lateral Movement Simulation

  1. Restart CALDERA to load new configurations:bashCopyEditpython server.py --insecure
  2. Deploy an Agent on an initial compromised system.
  3. Create a New Operation:
    • Go to: Operations → Create Operation
    • Adversary Profile: Select Lateral Movement Test
    • Assign an Agent
    • Start the Operation
  4. Monitor Execution:
    • If successful, the target machine will have a new file: C:\Users\Public\loot.txt.
    • Review the logs to check execution results.

4. Enhancing the Simulation

  • Use PowerShell Remoting instead of psexec:yamlCopyEditcommand: | Invoke-Command -ComputerName #{remote.host} -Credential (New-Object System.Management.Automation.PSCredential(#{remote.user}, (ConvertTo-SecureString #{remote.pass} -AsPlainText -Force))) -ScriptBlock {whoami > C:\Users\Public\loot.txt}
  • Test Defense Evasion: Modify commands to use encoded PowerShell payloads.
  • Check SIEM Logs: Verify if your security tools detected and logged the lateral movement attempt.

Example: Simulating Lateral Movement on Linux Using SSH

Lateral movement on Linux often involves SSH-based remote command execution (MITRE ATT&CK ID: T1021.004). This simulation will test whether security controls detect an attacker moving across Linux systems via SSH.

1. Creating a Custom SSH Lateral Movement TTP (Ability)

YAML File: caldera/data/abilities/lateral_movement/ssh_exec.yml

yamlCopyEdit- id: abcde12345
  name: SSH Lateral Movement
  description: Executes a command on a remote Linux system via SSH
  tactic: lateral-movement
  technique:
    attack_id: T1021.004
    name: SSH Remote Execution
  platforms:
    linux:
      sh:
        command: |
          sshpass -p '#{remote.pass}' ssh -o StrictHostKeyChecking=no #{remote.user}@#{remote.host} "whoami > /tmp/loot.txt"
  requirements:
    - name: remote.user
      relation: present
    - name: remote.pass
      relation: present
    - name: remote.host
      relation: present

Explanation:

  • Uses sshpass to authenticate with the target machine.
  • Runs whoami on the remote machine and saves the output in /tmp/loot.txt.
  • Disables strict host key checking to avoid SSH warnings.

Save this file in caldera/data/abilities/lateral_movement/.

2. Creating an Adversary Profile

YAML File: caldera/data/adversaries/linux_lateral_move.yml

yamlCopyEdit- id: fghij67890
  name: Linux Lateral Movement Test
  description: Simulates an adversary moving laterally via SSH on Linux
  atomic_ordering:
    - abcde12345

Save this file in caldera/data/adversaries/.

3. Running the Lateral Movement Simulation

  1. Restart CALDERA to load the new configurations:bashCopyEditpython server.py --insecure
  2. Deploy an Agent on an initial Linux system.
  3. Ensure SSH Credentials Are Available:
    • Modify the agent to include SSH credentials using CALDERA’s fact system:cssCopyEditfact: {remote.user: "testuser", remote.pass: "password123", remote.host: "192.168.1.100"}
  4. Create a New Operation:
    • Go to: Operations → Create Operation
    • Adversary Profile: Select Linux Lateral Movement Test
    • Assign an Agent
    • Start the Operation
  5. Monitor Execution:
    • If successful, the target machine will have a file /tmp/loot.txt containing the username.
    • Check logs to verify execution.

4. Enhancing the Simulation

  • Use Key-Based Authentication Instead of Passwords:yamlCopyEditcommand: | ssh -i /home/#{remote.user}/.ssh/id_rsa #{remote.user}@#{remote.host} "whoami > /tmp/loot.txt"
  • Simulate Data Exfiltration: Copy files from the remote system using scp.
  • Test SIEM Detection: Ensure logs capture unauthorized SSH connections.

MITRE/Caldera: Automated Adversary Emulation Platform Github.com/mitre/caldera

InfoSec services | InfoSec books | Follow our blog | DISC llc is listed on The vCISO Directory | ISO 27k Chat bot | Comprehensive vCISO Services | ISMS Services | Security Risk Assessment Services

Tags: Caldera, MITRE Caldera

Nov 28 2024

5 cybersecurity open-source tools 

Category: Open Sourcedisc7 @ 7:53 am

1. MISP (Malware Information Sharing Platform & Threat Sharing)

  • Purpose: Designed to facilitate sharing threat intelligence between organizations, MISP is invaluable for building a collaborative defense strategy against cyber threats.
  • Key Features:
    • Collects, stores, and shares indicators of compromise (IOCs) efficiently.
    • Supports STIX/TAXII for standardized threat intelligence sharing.
    • Offers real-time alerts, advanced tagging, and classification of incidents.
  • Use Case: Organizations use MISP to streamline incident response and threat intelligence management, making it a cornerstone of cybersecurity strategies.
  • Learn More: MISP Project

2. OSForensics

  • Purpose: A digital forensics tool enabling investigators to uncover critical evidence from digital devices.
  • Key Features:
    • Recovers deleted files, emails, and passwords from devices.
    • Tracks USB interactions and recently accessed websites.
    • Supports memory forensics with tools like Volatility Workbench.
    • Generates detailed forensic reports.
  • Use Case: Widely used in legal investigations, incident response, and by forensic professionals to analyze compromised systems.
  • Learn More: OSForensics

3. ELK Stack (Elasticsearch, Logstash, Kibana)

  • Purpose: A highly adaptable SIEM solution for monitoring, detecting, and analyzing security threats.
  • Key Features:
    • Elasticsearch indexes and searches log data.
    • Logstash processes and enriches the log data from multiple sources.
    • Kibana visualizes security metrics and logs with interactive dashboards.
    • Provides seamless scaling for growing datasets and integration with third-party tools.
  • Use Case: Ideal for enterprises needing real-time log analysis and monitoring to proactively address threats.
  • Learn More: Elastic.co

4. AlienVault OSSIM

  • Purpose: Combines open-source tools into a cohesive SIEM platform for comprehensive security monitoring.
  • Key Features:
    • Asset discovery and vulnerability assessment.
    • Intrusion detection (IDS/HIDS) and behavioral anomaly detection.
    • Incident response with robust reporting tools.
  • Use Case: Suitable for small to medium businesses looking for affordable yet powerful threat detection capabilities.
  • Learn More: AlienVault OSSIM

5. FreeIPA

  • Purpose: An IAM tool tailored for centralized authentication, authorization, and account management in Linux/UNIX environments.
  • Key Features:
    • Built-in SSO via Kerberos.
    • Integration with DNS and certificate management.
    • Offers both CLI and GUI options for flexibility.
  • Use Case: Enterprises needing streamlined IAM solutions for securing access across Linux-based systems.
  • Learn More: FreeIPA

Here are some implementation tips for the highlighted tools:

1. MISP

  • Initial Setup:
    • Deploy MISP on a Linux server (CentOS, Ubuntu, or Debian). Prebuilt virtual machines are also available.
    • Use Docker containers for easier installation and maintenance.
    • Configure database settings and enable HTTPS for secure communication.
  • Best Practices:
    • Regularly update the taxonomy and tags for organizing IOCs.
    • Leverage the API to integrate MISP with SIEMs or ticketing systems.
    • Use its sharing groups feature to limit access to sensitive threat intelligence.
  • Resources:

2. OSForensics

  • Deployment:
    • Install on a forensic workstation or USB stick for portable use.
    • Combine with additional forensic tools like FTK or EnCase for broader capabilities.
  • Tips:
    • Use OSFClone to create disk images for analysis without modifying evidence.
    • Regularly train staff on the Volatility Workbench module for memory forensics.
    • Automate reporting templates for quicker investigations.
  • Resources:

3. ELK Stack

  • Installation:
    • Set up Elasticsearch, Logstash, and Kibana on Linux. Docker and Helm charts for Kubernetes simplify deployment.
    • Use Filebeat to collect logs from endpoints and forward them to Logstash.
  • Optimization:
    • Configure indices carefully to handle high-volume logs.
    • Implement role-based access control (RBAC) for Kibana to secure dashboards.
    • Enable alerts and anomaly detection using Kibana’s machine learning features.
  • Resources:

4. AlienVault OSSIM

  • Setup:
    • Install on-premises or use its hosted version. The installation ISO is available on its website.
    • Configure plugins for data collection from firewalls, IDS/IPS, and endpoint devices.
  • Usage Tips:
    • Regularly update correlation rules for detecting modern threats.
    • Use its vulnerability scanner to complement other risk assessment tools.
    • Train analysts to leverage its HIDS/IDS for actionable insights.
  • Resources:

5. FreeIPA

  • Installation:
    • Deploy FreeIPA on a Linux-based system. Red Hat-based distributions offer built-in packages.
    • Integrate with Active Directory for hybrid environments.
  • Best Practices:
    • Configure Kerberos for single sign-on and enable password policies.
    • Regularly monitor and audit access logs using built-in features.
    • Secure FreeIPA with SELinux and periodic updates.
  • Resources:

Open Source Intelligence Methods and Tools: A Practical Guide to Online Intelligence

Checkout previous posts on Open Source here

InfoSec services | InfoSec books | Follow our blog | DISC llc is listed on The vCISO Directory | ISO 27k Chat bot | Comprehensive vCISO Services | ISMS Services | Security Risk Assessment Services

Tags: open source tools

Apr 30 2024

Tracecat: Open-source SOAR

Category: Open Source,Security Toolsdisc7 @ 7:11 am
Tracecat: Open-source SOAR

Tracecat is an open-source automation platform for security teams. The developers believe security automation should be accessible to everyone, especially understaffed small- to mid-sized teams. Core features, user interfaces, and day-to-day workflows are based on existing best practices from best-in-class security teams.

Use specialized AI models to label, summarize, and enrich alerts. Contextualize alerts with internal evidence and external threat intel:

  • Find cases using semantic search
  • MITRE ATT&CK labels
  • Whitelist / blacklist identities
  • Categorize related cases
  • MITRE D3FEND suggestions
  • Upload evidence and threat intel

Tracecat is not a 1-to-1 mapping of Tines / Splunk SOAR. The developers aim to give technical teams a Tines-like experience but with a focus on open-source and AI features.

While Tracecat is designed for security, its workflow automation and case management system are also suitable for various alerting environments, such as site reliability engineering, DevOps, and physical systems monitoring.

Turn security alerts into solvable cases:

  • Click-and-drag workflow builder â€“ Automate SecOps using pre-built actions (API calls, webhooks, data transforms, AI tasks, and more) combined into workflows. No code required.
  • Built-in case management system â€“ Open cases direct from workflows. Track and manage security incidents all-in-one platform.

Tracecat is cloud-agnostic and deploys anywhere that supports Docker. It’s available for free on GitHub.

Practical Threat Intelligence and Data-Driven Threat Hunting: A hands-on guide to threat hunting with the ATT&CK(TM) Framework and open source tools

InfoSec services | InfoSec books | Follow our blog | DISC llc is listed on The vCISO Directory | ISO 27k Chat bot

Tags: Tracecat

Apr 04 2024

Mantis: Open-source framework that automates asset discovery, reconnaissance, scanning

Category: Open Network,Open Source,OSINTdisc7 @ 7:53 am
Mantis: Open-source framework that automates asset discovery, reconnaissance, scanning

Mantis features

The framework conducts reconnaissance on active assets and completes its operation with a scan for vulnerabilities, secrets, misconfigurations, and potential phishing domains, utilizing open-source and proprietary tools.

Some of the features that make Mantis stand out are:

  • Automated discovery, recon, and scan
  • Distributed scanning (split a single scan across multiple machines)
  • Scan customization
  • Dashboard support
  • Vulnerability management
  • Advanced alerting
  • DNS service integration
  • Integrate new tools (existing and custom) in minutes

“Last year, we explored open-source frameworks our organization can use to monitor assets. We wanted to set up an asset discovery framework that allows us to add custom scripts, enable or disable tools to run based on configs, scale, and deploy the framework across a cluster of VMs. We also wanted to find a way to ingest domains from DNS services into our databases. This led us to create Mantis, an asset discovery framework that could help bug bounty hunters as well as security teams,” Prateek Thakare, lead developer of Mantis, told Help Net Security.

System requirements

  • Supported OS: Ubuntu, macOS
  • 4GB RAM
  • 2 cores
  • 16GB of storage

Mantis is CPU intensive, so it’s advisable to run it on a dedicated virtual machine.

Future plans and download

“We are planning to have our dashboard making it easier to view and monitor the assets. We will also work on improvising the discovery, recon, and scan process by adding new tools and custom scripts,” Thakare concluded.

Mantis is available for free on GitHub.

The OSINT Handbook: A practical guide to gathering and analyzing online information

InfoSec services | InfoSec books | Follow our blog | DISC llc is listed on The vCISO Directory | ISO 27k Chat bot

Tags: Mantis, Open-source framework