
MITRE CALDERA is an open-source cybersecurity platform developed by MITRE for automated adversary emulation and security assessment. It enables organizations to simulate real-world cyberattacks based on MITRE ATT&CK techniques to test and improve their defenses.
Key Features:
- Automated Red Teaming – Simulates adversary behaviors using predefined or custom attack chains.
- Modular Design – Supports plugins for extensibility (e.g., agents, adversary profiles, reporting).
- Purple Teaming – Helps both red and blue teams assess detection and response capabilities.
- Customization – Users can create their own adversary profiles and test specific TTPs (Tactics, Techniques, and Procedures).
- Agent-Based Execution – Deploys agents on endpoints to execute attack scenarios safely.
Use Cases:
- Testing security controls against simulated attacks.
- Validating incident detection and response processes.
- Automating adversary emulation for continuous security assessment.
Details on setup or specific attack scenarios:
Setting Up CALDERA for Attack Simulations
1. Installation
- Prerequisites: Python 3.8+, Git, and pip installed on your system.
- Clone the Repository:
git clone https://github.com/mitre/caldera.git --recursive cd caldera
- Install Dependencies:
pip install -r requirements.txt
- Run CALDERA:
python3 server.py --insecure
Access the web UI athttp://localhost:8888
(default credentials:admin:admin
). This default may not work in ver 5.0 – check conf/default.yml
2. Deploying Agents
CALDERA uses lightweight agents to simulate adversarial actions on endpoints.
- Default Agent: Sandcat (cross-platform, supports Windows, Linux, macOS).
- Deploy an Agent:
- From the CALDERA UI, navigate to Agents → Deploy.
- Generate an execution command and run it on the target endpoint.
3. Running Attack Simulations
- Select an Adversary Profile: Choose from prebuilt MITRE ATT&CK-based profiles or create a custom one.
- Execute Operations:
- Go to Operations → Create Operation
- Assign an agent and adversary profile
- Start the operation to simulate attack techniques.
- Monitor Results: View attack execution logs, responses, and detection gaps.
4. Customizing Attack Scenarios
- Modify Existing TTPs: Edit YAML-based adversary profiles to change attack techniques.
- Create New Adversary Profiles: Define a new attack sequence with custom scripts or commands.
- Use Plugins: Enhance CALDERA with plugins like Stockpile (TTP Library) and Manx (Remote Access Tool).
Use Case Examples
- Credential Dumping Simulation – Test if your security tools detect LSASS process memory access.
- Lateral Movement Testing – Simulate adversaries moving between hosts using SMB or RDP.
- Data Exfiltration Exercise – See if your DLP solutions flag unauthorized file transfers.
Creating Custom Attack Simulations in CALDERA
To build a tailored adversary emulation plan, you’ll need to create custom TTPs (Tactics, Techniques, and Procedures) and integrate them into an adversary profile.
1. Understanding CALDERA’s Structure
- Abilities – Define individual attack techniques (e.g., command execution, lateral movement).
- Adversary Profiles – Group multiple abilities into a structured attack sequence.
- Agents – Execute attacks on endpoints.
2. Creating a Custom TTP (Ability)
Abilities are stored in YAML format under caldera/data/abilities/
.
Each ability follows this structure:
yamlCopyEdit- id: a1b2c3d4e5f6
name: Custom Recon Command
description: Runs a system enumeration command
tactic: discovery
technique:
attack_id: T1082
name: System Information Discovery
platforms:
windows:
psh:
command: "Get-ComputerInfo"
requirements: []
id
– Unique identifier for the ability.name
– Descriptive title.tactic
– The MITRE ATT&CK tactic (e.g.,discovery
,execution
).technique
– Associated ATT&CK technique ID.platforms
– Specifies OS and execution method (PowerShell, Bash, etc.).command
– The actual command executed on the target.
Save this file in caldera/data/abilities/discovery/
as custom_recon.yml
.
3. Adding the TTP to an Adversary Profile
Adversary profiles define attack sequences. Create a new profile under caldera/data/adversaries/
yamlCopyEdit- id: f7g8h9i0j1k2
name: Custom Recon Attack
description: A simple discovery attack
atomic_ordering:
- a1b2c3d4e5f6
atomic_ordering
– Lists abilities in execution order.
Save ascustom_recon_profile.yml
.
4. Running the Custom Attack Simulation
- Restart CALDERA to load new configurations:bashCopyEdit
python server.py --insecure
- Deploy an Agent on the target machine.
- Launch the Custom Attack:
- Go to Operations → Create Operation
- Select Custom Recon Attack as the adversary profile
- Assign an agent and start the operation
- Analyze Results – View execution logs and detection gaps in the UI.
5. Expanding the Simulation
- Chaining Multiple TTPs – Add more techniques (e.g., privilege escalation, lateral movement).
- Evading Defenses – Modify scripts to bypass EDR detection (e.g., encoded PowerShell commands).
- Automating Response Testing – Check if your SIEM or SOAR detects and mitigates the attack.
Example for a specific attack scenario, like lateral movement or credential dumping:
Example: Simulating Lateral Movement Using CALDERA
Lateral movement techniques help assess an organization’s ability to detect and respond to adversaries moving across systems. In this example, we’ll create a CALDERA attack simulation that uses SMB-based remote command execution (ATT&CK ID: T1021.002).
1. Creating the Lateral Movement TTP (Ability)
We’ll define an ability that uses psexec
(a common SMB-based remote execution tool).
YAML File: caldera/data/abilities/lateral_movement/smb_exec.yml
yamlCopyEdit- id: 12345abcde
name: SMB Lateral Movement
description: Executes a command on a remote system using SMB
tactic: lateral-movement
technique:
attack_id: T1021.002
name: SMB Remote Execution
platforms:
windows:
cmd:
command: |
psexec \\#{remote.host} -u #{remote.user} -p #{remote.pass} -s cmd.exe /c "whoami > C:\Users\Public\loot.txt"
requirements:
- name: host.user
relation: present
- name: host.pass
relation: present
Explanation:
- Uses PsExec to execute
whoami
on a remote host. - Saves the output to
C:\Users\Public\loot.txt
for verification. - Uses
#{remote.host}
,#{remote.user}
, and#{remote.pass}
as dynamic variables.
Save this file in caldera/data/abilities/lateral_movement/
.
2. Creating an Adversary Profile
Now, we bundle this TTP into an adversary profile.
YAML File: caldera/data/adversaries/lateral_move.yml
yamlCopyEdit- id: 67890fghij
name: Lateral Movement Test
description: Simulates an adversary moving laterally using SMB
atomic_ordering:
- 12345abcde
Save this file in caldera/data/adversaries/
.
3. Running the Lateral Movement Simulation
- Restart CALDERA to load new configurations:bashCopyEdit
python server.py --insecure
- Deploy an Agent on an initial compromised system.
- Create a New Operation:
- Go to: Operations → Create Operation
- Adversary Profile: Select Lateral Movement Test
- Assign an Agent
- Start the Operation
- Monitor Execution:
- If successful, the target machine will have a new file:
C:\Users\Public\loot.txt
. - Review the logs to check execution results.
- If successful, the target machine will have a new file:
4. Enhancing the Simulation
- Use PowerShell Remoting instead of
psexec
:yamlCopyEditcommand: | Invoke-Command -ComputerName #{remote.host} -Credential (New-Object System.Management.Automation.PSCredential(#{remote.user}, (ConvertTo-SecureString #{remote.pass} -AsPlainText -Force))) -ScriptBlock {whoami > C:\Users\Public\loot.txt}
- Test Defense Evasion: Modify commands to use encoded PowerShell payloads.
- Check SIEM Logs: Verify if your security tools detected and logged the lateral movement attempt.
Example: Simulating Lateral Movement on Linux Using SSH
Lateral movement on Linux often involves SSH-based remote command execution (MITRE ATT&CK ID: T1021.004). This simulation will test whether security controls detect an attacker moving across Linux systems via SSH.
1. Creating a Custom SSH Lateral Movement TTP (Ability)
YAML File: caldera/data/abilities/lateral_movement/ssh_exec.yml
yamlCopyEdit- id: abcde12345
name: SSH Lateral Movement
description: Executes a command on a remote Linux system via SSH
tactic: lateral-movement
technique:
attack_id: T1021.004
name: SSH Remote Execution
platforms:
linux:
sh:
command: |
sshpass -p '#{remote.pass}' ssh -o StrictHostKeyChecking=no #{remote.user}@#{remote.host} "whoami > /tmp/loot.txt"
requirements:
- name: remote.user
relation: present
- name: remote.pass
relation: present
- name: remote.host
relation: present
Explanation:
- Uses
sshpass
to authenticate with the target machine. - Runs
whoami
on the remote machine and saves the output in/tmp/loot.txt
. - Disables strict host key checking to avoid SSH warnings.
Save this file in caldera/data/abilities/lateral_movement/
.
2. Creating an Adversary Profile
YAML File: caldera/data/adversaries/linux_lateral_move.yml
yamlCopyEdit- id: fghij67890
name: Linux Lateral Movement Test
description: Simulates an adversary moving laterally via SSH on Linux
atomic_ordering:
- abcde12345
Save this file in caldera/data/adversaries/
.
3. Running the Lateral Movement Simulation
- Restart CALDERA to load the new configurations:bashCopyEdit
python server.py --insecure
- Deploy an Agent on an initial Linux system.
- Ensure SSH Credentials Are Available:
- Modify the agent to include SSH credentials using CALDERA’s fact system:cssCopyEdit
fact: {remote.user: "testuser", remote.pass: "password123", remote.host: "192.168.1.100"}
- Modify the agent to include SSH credentials using CALDERA’s fact system:cssCopyEdit
- Create a New Operation:
- Go to: Operations → Create Operation
- Adversary Profile: Select Linux Lateral Movement Test
- Assign an Agent
- Start the Operation
- Monitor Execution:
- If successful, the target machine will have a file
/tmp/loot.txt
containing the username. - Check logs to verify execution.
- If successful, the target machine will have a file
4. Enhancing the Simulation
- Use Key-Based Authentication Instead of Passwords:yamlCopyEdit
command: | ssh -i /home/#{remote.user}/.ssh/id_rsa #{remote.user}@#{remote.host} "whoami > /tmp/loot.txt"
- Simulate Data Exfiltration: Copy files from the remote system using
scp
. - Test SIEM Detection: Ensure logs capture unauthorized SSH connections.
MITRE/Caldera: Automated Adversary Emulation Platform Github.com/mitre/caldera
InfoSec services | InfoSec books | Follow our blog | DISC llc is listed on The vCISO Directory | ISO 27k Chat bot | Comprehensive vCISO Services | ISMS Services | Security Risk Assessment Services