Convert Figma logo to code with AI

mitre logocaldera

Automated Adversary Emulation Platform

6,082
1,149
6,082
69
View on GitHub

Top Related Projects

redcanaryco's avatar

atomic-red-team

10,490

Small and highly portable detection tests based on MITRE's ATT&CK.

center-for-threat-informed-defense's avatar

adversary_emulation_library

1,879

An open library of adversary emulation plans designed to empower organizations to test their defenses based on real-world TTPs.

elastic's avatar

detection-rules

2,271

Quick Overview

CALDERA is an open-source, threat-emulation framework that allows security teams to test their defenses against advanced persistent threats (APTs) and other sophisticated cyber attacks. It provides a platform for automating the execution of complex attack scenarios, enabling organizations to assess their security posture and identify vulnerabilities.

Pros

  • Comprehensive Threat Emulation: CALDERA supports a wide range of attack techniques and tactics, allowing security teams to simulate advanced, real-world cyber threats.
  • Automated Execution: The framework automates the execution of attack scenarios, reducing the manual effort required to conduct comprehensive security assessments.
  • Customizable and Extensible: CALDERA is highly customizable, with the ability to add new plugins and capabilities to meet specific organizational needs.
  • Open-Source and Community-Driven: As an open-source project, CALDERA benefits from a community of contributors and users, ensuring ongoing development and support.

Cons

  • Complexity: The comprehensive nature of CALDERA can make it challenging for some organizations to set up and configure, especially for those with limited security expertise.
  • Potential for Misuse: While CALDERA is designed for legitimate security testing, it could potentially be misused by malicious actors to conduct unauthorized attacks.
  • Ethical Considerations: The use of CALDERA for security testing must be carefully managed to ensure compliance with relevant laws and regulations, as well as to avoid causing unintended harm.
  • Ongoing Maintenance: Maintaining and updating CALDERA requires dedicated resources and expertise, which may be a burden for some organizations.

Getting Started

To get started with CALDERA, follow these steps:

  1. Clone the CALDERA repository from GitHub:
git clone https://github.com/mitre/caldera.git
  1. Navigate to the project directory and install the required dependencies:
cd caldera
pip install -r requirements.txt
  1. Start the CALDERA server:
python server.py

  1. Access the CALDERA web interface by opening a web browser and navigating to http://localhost:8000.

  2. Explore the available attack techniques, create new campaigns, and customize the framework to meet your organization's specific security testing needs.

For more detailed instructions and documentation, please refer to the CALDERA GitHub repository.

Competitor Comparisons

redcanaryco logo

atomic-red-team

10,490

Small and highly portable detection tests based on MITRE's ATT&CK.

Pros of Atomic Red Team

  • Simpler to use and implement, with a focus on individual tests
  • More extensive test coverage across various attack techniques
  • Easier to integrate into existing CI/CD pipelines

Cons of Atomic Red Team

  • Less comprehensive adversary emulation capabilities
  • Limited automation for complex attack scenarios
  • Lacks a centralized command and control interface

Code Comparison

Atomic Red Team test example:

attack_technique: T1003.001
display_name: OS Credential Dumping - LSASS Memory
atomic_tests:
  - name: Dump LSASS.exe Memory using ProcDump
    executor:
      command: |
        procdump.exe -accepteula -ma lsass.exe lsass_dump.dmp

Caldera operation example:

- id: 43b3754c-def4-4699-a673-1d85648fda6a
  name: Dump LSASS
  description: Dump LSASS memory using built-in Windows tools
  tactic: credential-access
  technique:
    attack_id: T1003
    name: OS Credential Dumping
  executors:
    windows:
      command: |
        C:\Windows\System32\rundll32.exe C:\Windows\System32\comsvcs.dll, MiniDump %lsass_pid% lsass.dmp full

Both repositories provide valuable tools for red team operations and security testing. Atomic Red Team offers a more straightforward approach with individual tests, while Caldera provides a more comprehensive adversary emulation framework with advanced automation capabilities.

center-for-threat-informed-defense logo

adversary_emulation_library

1,879

An open library of adversary emulation plans designed to empower organizations to test their defenses based on real-world TTPs.

Pros of adversary_emulation_library

  • Provides detailed, real-world adversary emulation plans
  • Focuses on specific threat actors and their TTPs
  • Offers comprehensive documentation and resources for each emulation plan

Cons of adversary_emulation_library

  • Less automated and more manual execution compared to Caldera
  • Requires more expertise to implement and execute emulation plans
  • Limited to specific threat actors and scenarios

Code Comparison

adversary_emulation_library (PowerShell script example):

$domain = "example.com"
$username = "user"
$password = "password"
$credential = New-Object System.Management.Automation.PSCredential($username, (ConvertTo-SecureString $password -AsPlainText -Force))
New-PSDrive -Name "Z" -PSProvider FileSystem -Root "\\$domain\share" -Credential $credential

Caldera (YAML ability example):

- id: 43b3754c-def4-4699-a673-1d85648fda6a
  name: PowerShell Lateral Movement
  description: Move laterally using PowerShell remoting
  tactic: lateral-movement
  technique:
    attack_id: T1021.006
    name: Windows Remote Management
  platforms:
    windows:
      psh,pwsh:
        command: |
          $username = 'DOMAIN\user'
          $password = 'password'
          $secstr = New-Object -TypeName System.Security.SecureString
          $password.ToCharArray() | ForEach-Object {$secstr.AppendChar($_)}
          $cred = New-Object -TypeName System.Management.Automation.PSCredential -ArgumentList $username, $secstr
          Invoke-Command -ComputerName target -Credential $cred -ScriptBlock { whoami }
elastic logo

detection-rules

2,271

Pros of detection-rules

  • Focuses on detection rules for Elastic Security, providing a comprehensive set of pre-built rules
  • Regularly updated with new rules and improvements based on emerging threats
  • Includes a rule testing framework for validation and quality assurance

Cons of detection-rules

  • Limited to Elastic Security ecosystem, not as versatile for other platforms
  • Requires Elastic Stack knowledge for optimal use and customization
  • Less emphasis on adversary emulation compared to CALDERA

Code Comparison

detection-rules (YAML rule example):

name: Potential DLL Side-Loading via Microsoft Antimalware Service Executable
type: eql
risk_score: 47
description: Detects potential DLL side-loading attempts using Microsoft Antimalware Service Executable
query: |
  process where event.type == "start" and
    process.name : "MsMpEng.exe" and
    not process.executable : ("C:\\ProgramData\\Microsoft\\Windows Defender\\*", "C:\\Program Files\\Windows Defender\\*")

CALDERA (Python ability example):

class Ability(Ability):
    async def execute(self, operation, agent, facts):
        command = 'whoami /groups'
        return await operation.execute_shell_command(agent, command)

The code snippets showcase the different focus areas of the two projects: detection-rules emphasizes threat detection rules, while CALDERA focuses on adversary emulation and red team operations.

Convert Figma logo designs to code with AI

Visual Copilot

Introducing Visual Copilot: A new AI model to turn Figma designs to high quality code using your components.

Try Visual Copilot

README

Release Testing Status Security Status codecov Documentation Status

MITRE Caldera™

MITRE Caldera™ is a cyber security platform designed to easily automate adversary emulation, assist manual red-teams, and automate incident response.

It is built on the MITRE ATT&CK™ framework and is an active research project at MITRE.

The framework consists of two components:

  1. The core system. This is the framework code, consisting of what is available in this repository. Included is an asynchronous command-and-control (C2) server with a REST API and a web interface.
  2. Plugins. These repositories expand the core framework capabilities and providing additional functionality. Examples include agents, reporting, collections of TTPs and more.

Resources & Socials

User Survey

It is always incredibly helpful for our team to hear from users about their Caldera use cases and the value that Caldera provides for their learning, research, or cyber security work. If you or your team uses Caldera significantly, we would greatly appreciate hearing from you.

📋 Survey - https://forms.office.com/g/ByBWxYTf8e

Plugins

:star: Create your own plugin! Plugin generator: Skeleton :star:

Default

These plugins are supported and maintained by the Caldera team.

  • Access (red team initial access tools and techniques)
  • Atomic (Atomic Red Team project TTPs)
  • Builder (dynamically compile payloads)
  • Caldera for OT (ICS/OT capabilities for Caldera)
  • Compass (ATT&CK visualizations)
  • Debrief (operations insights)
  • Emu (CTID emulation plans)
  • Fieldmanual (documentation)
  • GameBoard (visualize joint red and blue operations)
  • Human (create simulated noise on an endpoint)
  • Magma (VueJS UI for Caldera v5)
  • Manx (shell functionality and reverse shell payloads)
  • Response (incident response)
  • Sandcat (default agent)
  • SSL (enable https for caldera)
  • Stockpile (technique and profile storehouse)
  • Training (certification and training course)

More

These plugins are ready to use but are not included by default and are not maintained by the Caldera team.

Requirements

These requirements are for the computer running the core framework:

  • Any Linux or MacOS
  • Python 3.9+ (with Pip3)
  • Recommended hardware to run on is 8GB+ RAM and 2+ CPUs
  • Recommended: GoLang 1.17+ to dynamically compile GoLang-based agents.
  • NodeJS (v16+ recommended for v5 VueJS UI)

Installation

Concise installation steps:

git clone https://github.com/mitre/caldera.git --recursive
cd caldera
pip3 install -r requirements.txt
python3 server.py --insecure --build

Full steps: Start by cloning this repository recursively, passing the desired version/release in x.x.x format. This will pull in all available plugins.

git clone https://github.com/mitre/caldera.git --recursive --tag x.x.x

Next, install the PIP requirements:

pip3 install -r requirements.txt

Super-power your Caldera server installation! Install GoLang (1.19+)

Finally, start the server.

python3 server.py --insecure --build

The --build flag automatically installs any VueJS UI dependencies, bundles the UI into a dist directory and is served by the Caldera server. You will only have to use the --build flag again if you add any plugins or make any changes to the UI. Once started, log into http://localhost:8888 using the default credentials red/admin. Then go into Plugins -> Training and complete the capture-the-flag style training course to learn how to use Caldera.

If you prefer to not use the new VueJS UI, revert to Caldera v4.2.0. Correspondingly, do not use the --build flag for earlier versions as not required.

Additionally, please note security recommendations for deploying Caldera.

Docker Installation

Local build:

git clone https://github.com/mitre/caldera.git --recursive
cd caldera
docker build --build-arg VARIANT=full -t caldera .
docker run -it -p 8888:8888 caldera

Adjust the port forwarding (-p) and build args (--build-arg) as desired to make ports accessible or change the Caldera variant. The ports that you expose depend on which contacts you plan on using (see Dockerfile and docker-compose.yml for reference).

Pre-Built Image (from GitHub Container Registry):

docker run -p 8888:8888 ghcr.io/mitre/caldera:latest

This container may be slightly outdated, we recommend building the container yourself.

To gracefully terminate your docker container, do the following:

# Find the container ID for your docker container running Caldera
docker ps

# Stop the container
docker stop <container ID>

There are two variants available, full and slim. The slim variant doesn't include files necessary for the emu and atomic plugins, which will be downloaded on-demand if the plugins are ever enabled. The full variant is suitable for operation in environments without an internet connection. Slim images on GHCR are prefixed with "slim".

Docker Container Notes

  • The Caldera container will automatically generate keys/usernames/password on first start.
  • If you wish to override the default configuration or avoid automatically generated keys/passwords, consider bind-mounting your own configuration file with the -v <your_path>/conf.yml:/usr/src/app/conf/local.yml flag.
  • Data stored by Caldera is ephemeral by default. If you wish to make it persistent, use docker volumes and/or bind mounts (-v <path_to_your_data_or_volume_name>:/usr/src/app/data/). Ensure that the directory structure is the same as in the data/ directory on GitHub, as Caldera will refuse to create these sub-directories if they are missing. Lastly, make sure that the configuration file is also made persistent to prevent issues with encryption keys.
  • The builder plugin will not work within Docker.
  • If you wish to modify data used by the atomic plugin, clone the Atomic Red Team repository outside the container, apply your modifications and bind-mount it (-v) to /usr/src/app/plugins/atomic/data/atomic-red-team within the container.
  • If you wish to modify data used by emu, clone the adversary_emulation_library repository locally and bind-mount it (-v) to /usr/src/app/plugins/emu/data/adversary-emulation-plans.

Additionally, please note security recommendations for deploying Caldera.

User Interface Development

If you'll be developing the UI, there are a few more additional installation steps.

Requirements

  • NodeJS (v16+ recommended)

Setup

  1. Add the Magma submodule if you haven't already: git submodule add https://github.com/mitre/magma
  2. Install NodeJS dependencies: cd plugins/magma && npm install && cd ..
  3. Start the Caldera server with an additional flag: python3 server.py --uidev localhost

Your Caldera server is available at http://localhost:8888 as usual, but there will now be a hot-reloading development server for the VueJS front-end available at http://localhost:3000. Both logs from the server and the front-end will display in the terminal you launched the server from.

Security

The Caldera team highly reccommends standing up the Caldera server on a secure environment/network, and not exposing it to the internet. The Caldera server does not have a hardened and thoroughly pentested web application interface, but only basic authentication and security features. Both MITRE and MITRE's US Government sponsors nearly exclusively only use Caldera on secure environments and do not rely on Caldera's own security protocols for proper cyber security.

Vulnerability Disclosures

Refer to our Vulnerability Disclosure Documentation for submitting bugs.

Recent Vulnerability Disclosures

🚨Security Notice🚨: (17 Feb 2025 10:00 EST) Please pull v5.1.0+ for a recent security patch for CVE-2025-27364. Please update your Caldera instance, especially if you host Caldera on a publicly accessible network. Vulnerability walkthrough.

Contributing

Refer to our contributor documentation.

Licensing

To discuss licensing opportunities, please reach out to caldera@mitre.org or directly to MITRE's Technology Transfer Office.

Caldera Benefactor Program

If you are interested in partnering to support, sustain, and evolve MITRE Caldera™'s open source capabilities, please contact us at caldera@mitre.org.