Feb 20 2025

CALDERA is an open-source cybersecurity platform

Category: cyber security,Open Sourcedisc7 @ 4:58 pm

MITRE CALDERA is an open-source cybersecurity platform developed by MITRE for automated adversary emulation and security assessment. It enables organizations to simulate real-world cyberattacks based on MITRE ATT&CK techniques to test and improve their defenses.

Key Features:

  • Automated Red Teaming – Simulates adversary behaviors using predefined or custom attack chains.
  • Modular Design – Supports plugins for extensibility (e.g., agents, adversary profiles, reporting).
  • Purple Teaming – Helps both red and blue teams assess detection and response capabilities.
  • Customization – Users can create their own adversary profiles and test specific TTPs (Tactics, Techniques, and Procedures).
  • Agent-Based Execution – Deploys agents on endpoints to execute attack scenarios safely.

Use Cases:

  • Testing security controls against simulated attacks.
  • Validating incident detection and response processes.
  • Automating adversary emulation for continuous security assessment.

Details on setup or specific attack scenarios:

Setting Up CALDERA for Attack Simulations

1. Installation

  • Prerequisites: Python 3.8+, Git, and pip installed on your system.
  • Clone the Repository: git clone https://github.com/mitre/caldera.git --recursive cd caldera
  • Install Dependencies: pip install -r requirements.txt
  • Run CALDERA: python3 server.py --insecure Access the web UI at http://localhost:8888 (default credentials: admin:admin). This default may not work in ver 5.0 – check conf/default.yml

2. Deploying Agents

CALDERA uses lightweight agents to simulate adversarial actions on endpoints.

  • Default Agent: Sandcat (cross-platform, supports Windows, Linux, macOS).
  • Deploy an Agent:
    • From the CALDERA UI, navigate to Agents → Deploy.
    • Generate an execution command and run it on the target endpoint.

3. Running Attack Simulations

  • Select an Adversary Profile: Choose from prebuilt MITRE ATT&CK-based profiles or create a custom one.
  • Execute Operations:
    • Go to Operations → Create Operation
    • Assign an agent and adversary profile
    • Start the operation to simulate attack techniques.
  • Monitor Results: View attack execution logs, responses, and detection gaps.

4. Customizing Attack Scenarios

  • Modify Existing TTPs: Edit YAML-based adversary profiles to change attack techniques.
  • Create New Adversary Profiles: Define a new attack sequence with custom scripts or commands.
  • Use Plugins: Enhance CALDERA with plugins like Stockpile (TTP Library) and Manx (Remote Access Tool).

Use Case Examples

  1. Credential Dumping Simulation – Test if your security tools detect LSASS process memory access.
  2. Lateral Movement Testing – Simulate adversaries moving between hosts using SMB or RDP.
  3. Data Exfiltration Exercise – See if your DLP solutions flag unauthorized file transfers.

Creating Custom Attack Simulations in CALDERA

To build a tailored adversary emulation plan, you’ll need to create custom TTPs (Tactics, Techniques, and Procedures) and integrate them into an adversary profile.

1. Understanding CALDERA’s Structure

  • Abilities – Define individual attack techniques (e.g., command execution, lateral movement).
  • Adversary Profiles – Group multiple abilities into a structured attack sequence.
  • Agents – Execute attacks on endpoints.

2. Creating a Custom TTP (Ability)

Abilities are stored in YAML format under caldera/data/abilities/.
Each ability follows this structure:

yamlCopyEdit- id: a1b2c3d4e5f6
  name: Custom Recon Command
  description: Runs a system enumeration command
  tactic: discovery
  technique:
    attack_id: T1082
    name: System Information Discovery
  platforms:
    windows:
      psh:
        command: "Get-ComputerInfo"
  requirements: []
  • id – Unique identifier for the ability.
  • name – Descriptive title.
  • tactic – The MITRE ATT&CK tactic (e.g., discovery, execution).
  • technique – Associated ATT&CK technique ID.
  • platforms – Specifies OS and execution method (PowerShell, Bash, etc.).
  • command – The actual command executed on the target.

Save this file in caldera/data/abilities/discovery/ as custom_recon.yml.

3. Adding the TTP to an Adversary Profile

Adversary profiles define attack sequences. Create a new profile under caldera/data/adversaries/

yamlCopyEdit- id: f7g8h9i0j1k2
  name: Custom Recon Attack
  description: A simple discovery attack
  atomic_ordering:
    - a1b2c3d4e5f6
  • atomic_ordering – Lists abilities in execution order.
    Save as custom_recon_profile.yml.

4. Running the Custom Attack Simulation

  1. Restart CALDERA to load new configurations:bashCopyEditpython server.py --insecure
  2. Deploy an Agent on the target machine.
  3. Launch the Custom Attack:
    • Go to Operations → Create Operation
    • Select Custom Recon Attack as the adversary profile
    • Assign an agent and start the operation
  4. Analyze Results – View execution logs and detection gaps in the UI.

5. Expanding the Simulation

  • Chaining Multiple TTPs – Add more techniques (e.g., privilege escalation, lateral movement).
  • Evading Defenses – Modify scripts to bypass EDR detection (e.g., encoded PowerShell commands).
  • Automating Response Testing – Check if your SIEM or SOAR detects and mitigates the attack.

Example for a specific attack scenario, like lateral movement or credential dumping:

Example: Simulating Lateral Movement Using CALDERA

Lateral movement techniques help assess an organization’s ability to detect and respond to adversaries moving across systems. In this example, we’ll create a CALDERA attack simulation that uses SMB-based remote command execution (ATT&CK ID: T1021.002).

1. Creating the Lateral Movement TTP (Ability)

We’ll define an ability that uses psexec (a common SMB-based remote execution tool).

YAML File: caldera/data/abilities/lateral_movement/smb_exec.yml

yamlCopyEdit- id: 12345abcde
  name: SMB Lateral Movement
  description: Executes a command on a remote system using SMB
  tactic: lateral-movement
  technique:
    attack_id: T1021.002
    name: SMB Remote Execution
  platforms:
    windows:
      cmd:
        command: |
          psexec \\#{remote.host} -u #{remote.user} -p #{remote.pass} -s cmd.exe /c "whoami > C:\Users\Public\loot.txt"
  requirements:
    - name: host.user
      relation: present
    - name: host.pass
      relation: present

Explanation:

  • Uses PsExec to execute whoami on a remote host.
  • Saves the output to C:\Users\Public\loot.txt for verification.
  • Uses #{remote.host}, #{remote.user}, and #{remote.pass} as dynamic variables.

Save this file in caldera/data/abilities/lateral_movement/.

2. Creating an Adversary Profile

Now, we bundle this TTP into an adversary profile.

YAML File: caldera/data/adversaries/lateral_move.yml

yamlCopyEdit- id: 67890fghij
  name: Lateral Movement Test
  description: Simulates an adversary moving laterally using SMB
  atomic_ordering:
    - 12345abcde

Save this file in caldera/data/adversaries/.

3. Running the Lateral Movement Simulation

  1. Restart CALDERA to load new configurations:bashCopyEditpython server.py --insecure
  2. Deploy an Agent on an initial compromised system.
  3. Create a New Operation:
    • Go to: Operations → Create Operation
    • Adversary Profile: Select Lateral Movement Test
    • Assign an Agent
    • Start the Operation
  4. Monitor Execution:
    • If successful, the target machine will have a new file: C:\Users\Public\loot.txt.
    • Review the logs to check execution results.

4. Enhancing the Simulation

  • Use PowerShell Remoting instead of psexec:yamlCopyEditcommand: | Invoke-Command -ComputerName #{remote.host} -Credential (New-Object System.Management.Automation.PSCredential(#{remote.user}, (ConvertTo-SecureString #{remote.pass} -AsPlainText -Force))) -ScriptBlock {whoami > C:\Users\Public\loot.txt}
  • Test Defense Evasion: Modify commands to use encoded PowerShell payloads.
  • Check SIEM Logs: Verify if your security tools detected and logged the lateral movement attempt.

Example: Simulating Lateral Movement on Linux Using SSH

Lateral movement on Linux often involves SSH-based remote command execution (MITRE ATT&CK ID: T1021.004). This simulation will test whether security controls detect an attacker moving across Linux systems via SSH.

1. Creating a Custom SSH Lateral Movement TTP (Ability)

YAML File: caldera/data/abilities/lateral_movement/ssh_exec.yml

yamlCopyEdit- id: abcde12345
  name: SSH Lateral Movement
  description: Executes a command on a remote Linux system via SSH
  tactic: lateral-movement
  technique:
    attack_id: T1021.004
    name: SSH Remote Execution
  platforms:
    linux:
      sh:
        command: |
          sshpass -p '#{remote.pass}' ssh -o StrictHostKeyChecking=no #{remote.user}@#{remote.host} "whoami > /tmp/loot.txt"
  requirements:
    - name: remote.user
      relation: present
    - name: remote.pass
      relation: present
    - name: remote.host
      relation: present

Explanation:

  • Uses sshpass to authenticate with the target machine.
  • Runs whoami on the remote machine and saves the output in /tmp/loot.txt.
  • Disables strict host key checking to avoid SSH warnings.

Save this file in caldera/data/abilities/lateral_movement/.

2. Creating an Adversary Profile

YAML File: caldera/data/adversaries/linux_lateral_move.yml

yamlCopyEdit- id: fghij67890
  name: Linux Lateral Movement Test
  description: Simulates an adversary moving laterally via SSH on Linux
  atomic_ordering:
    - abcde12345

Save this file in caldera/data/adversaries/.

3. Running the Lateral Movement Simulation

  1. Restart CALDERA to load the new configurations:bashCopyEditpython server.py --insecure
  2. Deploy an Agent on an initial Linux system.
  3. Ensure SSH Credentials Are Available:
    • Modify the agent to include SSH credentials using CALDERA’s fact system:cssCopyEditfact: {remote.user: "testuser", remote.pass: "password123", remote.host: "192.168.1.100"}
  4. Create a New Operation:
    • Go to: Operations → Create Operation
    • Adversary Profile: Select Linux Lateral Movement Test
    • Assign an Agent
    • Start the Operation
  5. Monitor Execution:
    • If successful, the target machine will have a file /tmp/loot.txt containing the username.
    • Check logs to verify execution.

4. Enhancing the Simulation

  • Use Key-Based Authentication Instead of Passwords:yamlCopyEditcommand: | ssh -i /home/#{remote.user}/.ssh/id_rsa #{remote.user}@#{remote.host} "whoami > /tmp/loot.txt"
  • Simulate Data Exfiltration: Copy files from the remote system using scp.
  • Test SIEM Detection: Ensure logs capture unauthorized SSH connections.

MITRE/Caldera: Automated Adversary Emulation Platform Github.com/mitre/caldera

InfoSec services | InfoSec books | Follow our blog | DISC llc is listed on The vCISO Directory | ISO 27k Chat bot | Comprehensive vCISO Services | ISMS Services | Security Risk Assessment Services

Tags: Caldera, MITRE Caldera

Sep 08 2023

CALDERA: FREE OPERATIONAL TECHNOLOGY OT ATTACK EMULATION TOOL TO SECURE ICS, SCADA AND PLC DEVICES

Category: OT/ICS,Scada Security,Security Toolsdisc7 @ 7:23 am
Caldera: Free Operational technology OT Attack Emulation Tool to secure ICS, SCADA and PLC devices

MITRE and the US Cybersecurity and Infrastructure Security Agency (CISA) have collaborated to develop a new open source tool that simulates cyber-attacks on operational technology (OT). The product was published recently.

The MITRE Calder for OT is now accessible to the general public as an addition to the open-source Caldera platform that may be found on GitHub. This would make it possible for cybersecurity specialists who deal with industrial control systems (ICS) to carry out automated adversary simulation exercises. These exercises will have the goal of testing and improving their cyber defenses on a constant basis. In addition to this, this includes security inspections as well as exercises involving red, blue, and purple teams.

This Caldera extension for OT was created via a collaborative effort between CISA and the Homeland Security Systems Engineering and Development Institute (HSSEDI). HSSEDI is a research and development institution that is financed by the federal government and is maintained and run by MITRE on behalf of the Department of Homeland Security (DHS).

The program contributes to the goal of the federal government to strengthen the security of vital infrastructure that is dependent on OT. Some examples of such infrastructure are water and electricity. This objective was elaborated upon in the United States’ National Cybersecurity Strategy, which was published in March 2023, and in the Executive Order on Improving the Nation’s Cybersecurity, which was issued by President Biden in May 2021.
Work done by CISA and HSSEDI to automate opponent emulation simulations in CISA’s Control Environment Laboratory Resource (CELR) served as the foundation for the OT extension, which was developed upon that work. This made it possible to identify hostile strategies that may be implemented in Caldera.

The defensive mechanisms and testing capabilities of critical infrastructure systems are slated to get a boost from the use of these plugins.

These plugins, which are stored in the “caldera-ot” repository, are essential instruments for the protection of operational technology (OT) settings.

They are made available as Git submodules, which enables researchers and experts in the security industry to quickly and readily access them.

The purpose of these plugins is to facilitate enemy simulation inside the OT environment. This was the driving force behind their development.

Because of this, companies are given the ability to strengthen their security defenses and better prepare for possible attacks.

In addition to this, it is compatible with classic use cases for Caldera, such as rigorous testing of security mechanisms and operator training.

The move that has been taken by MITRE marks a major step forward in the continuing endeavor to secure critical infrastructure systems and to strengthen security within the OT sector.

Pwn2Own Miami paid $400,000 USD for 26 zero-day exploits on ICS and SCADA products

A presentation titled “Emulating Adversary Actions in the Operational Environment with Caldera (TM) for OT” has also been made available by MITRE for individuals who are looking for further information of a more in-depth kind.

Users may apply the following command in order to install the whole collection of Caldera for OT plugins:

git clone https://github.com/mitre/caldera-ot.git –recursive


Individuals also have the option of configuring certain plugins on their own, which allows them to personalize their approach to OT security to meet their unique requirements.

At the moment, the following three important plugins are available:

  1. BACnet Catering to Building Automation and Control Networks (BACnet) protocol.
  2. DNP Addressing the Distributed Network Protocol 3 (DNP3).
  3. Modbus Supporting the Modbus protocol.

Open-Source OT Protocol Libraries That Are Unified And Exposed To Users. Caldera for OT plugins is a service provided by MITRE that aims to standardize and expose open-source OT protocol libraries, making them available for use as protocol-specific plugins. Each plugin comes with its own extensive documentation.

Aligning Security Operations with the MITRE ATT&CK Framework: Level up your security operations center for better security

Cyber Defence Strategy using NIST and MITRE ATT&CK Frameworks

InfoSec tools | InfoSec services | InfoSec books | Follow our blog | DISC llc is listed on The vCISO Directory

Tags: Caldera, MITRE ATT&CK, MITRE Caldera