Convert Figma logo to code with AI

mitre logocaldera

Automated Adversary Emulation Platform

5,572
1,063
5,572
57

Top Related Projects

Small and highly portable detection tests based on MITRE's ATT&CK.

An open library of adversary emulation plans designed to empower organizations to test their defenses based on real-world TTPs.

Quick Overview

CALDERA is an open-source, threat-emulation framework that allows security teams to test their defenses against advanced persistent threats (APTs) and other sophisticated cyber attacks. It provides a platform for automating the execution of complex attack scenarios, enabling organizations to assess their security posture and identify vulnerabilities.

Pros

  • Comprehensive Threat Emulation: CALDERA supports a wide range of attack techniques and tactics, allowing security teams to simulate advanced, real-world cyber threats.
  • Automated Execution: The framework automates the execution of attack scenarios, reducing the manual effort required to conduct comprehensive security assessments.
  • Customizable and Extensible: CALDERA is highly customizable, with the ability to add new plugins and capabilities to meet specific organizational needs.
  • Open-Source and Community-Driven: As an open-source project, CALDERA benefits from a community of contributors and users, ensuring ongoing development and support.

Cons

  • Complexity: The comprehensive nature of CALDERA can make it challenging for some organizations to set up and configure, especially for those with limited security expertise.
  • Potential for Misuse: While CALDERA is designed for legitimate security testing, it could potentially be misused by malicious actors to conduct unauthorized attacks.
  • Ethical Considerations: The use of CALDERA for security testing must be carefully managed to ensure compliance with relevant laws and regulations, as well as to avoid causing unintended harm.
  • Ongoing Maintenance: Maintaining and updating CALDERA requires dedicated resources and expertise, which may be a burden for some organizations.

Getting Started

To get started with CALDERA, follow these steps:

  1. Clone the CALDERA repository from GitHub:
git clone https://github.com/mitre/caldera.git
  1. Navigate to the project directory and install the required dependencies:
cd caldera
pip install -r requirements.txt
  1. Start the CALDERA server:
python server.py
  1. Access the CALDERA web interface by opening a web browser and navigating to http://localhost:8000.

  2. Explore the available attack techniques, create new campaigns, and customize the framework to meet your organization's specific security testing needs.

For more detailed instructions and documentation, please refer to the CALDERA GitHub repository.

Competitor Comparisons

Small and highly portable detection tests based on MITRE's ATT&CK.

Pros of Atomic Red Team

  • Simpler to use and implement, with a focus on individual tests
  • More extensive test coverage across various attack techniques
  • Easier to integrate into existing CI/CD pipelines

Cons of Atomic Red Team

  • Less comprehensive adversary emulation capabilities
  • Limited automation for complex attack scenarios
  • Lacks a centralized command and control interface

Code Comparison

Atomic Red Team test example:

attack_technique: T1003.001
display_name: OS Credential Dumping - LSASS Memory
atomic_tests:
  - name: Dump LSASS.exe Memory using ProcDump
    executor:
      command: |
        procdump.exe -accepteula -ma lsass.exe lsass_dump.dmp

Caldera operation example:

- id: 43b3754c-def4-4699-a673-1d85648fda6a
  name: Dump LSASS
  description: Dump LSASS memory using built-in Windows tools
  tactic: credential-access
  technique:
    attack_id: T1003
    name: OS Credential Dumping
  executors:
    windows:
      command: |
        C:\Windows\System32\rundll32.exe C:\Windows\System32\comsvcs.dll, MiniDump %lsass_pid% lsass.dmp full

Both repositories provide valuable tools for red team operations and security testing. Atomic Red Team offers a more straightforward approach with individual tests, while Caldera provides a more comprehensive adversary emulation framework with advanced automation capabilities.

An open library of adversary emulation plans designed to empower organizations to test their defenses based on real-world TTPs.

Pros of adversary_emulation_library

  • Provides detailed, real-world adversary emulation plans
  • Focuses on specific threat actors and their TTPs
  • Offers comprehensive documentation and resources for each emulation plan

Cons of adversary_emulation_library

  • Less automated and more manual execution compared to Caldera
  • Requires more expertise to implement and execute emulation plans
  • Limited to specific threat actors and scenarios

Code Comparison

adversary_emulation_library (PowerShell script example):

$domain = "example.com"
$username = "user"
$password = "password"
$credential = New-Object System.Management.Automation.PSCredential($username, (ConvertTo-SecureString $password -AsPlainText -Force))
New-PSDrive -Name "Z" -PSProvider FileSystem -Root "\\$domain\share" -Credential $credential

Caldera (YAML ability example):

- id: 43b3754c-def4-4699-a673-1d85648fda6a
  name: PowerShell Lateral Movement
  description: Move laterally using PowerShell remoting
  tactic: lateral-movement
  technique:
    attack_id: T1021.006
    name: Windows Remote Management
  platforms:
    windows:
      psh,pwsh:
        command: |
          $username = 'DOMAIN\user'
          $password = 'password'
          $secstr = New-Object -TypeName System.Security.SecureString
          $password.ToCharArray() | ForEach-Object {$secstr.AppendChar($_)}
          $cred = New-Object -TypeName System.Management.Automation.PSCredential -ArgumentList $username, $secstr
          Invoke-Command -ComputerName target -Credential $cred -ScriptBlock { whoami }

Pros of detection-rules

  • Focuses on detection rules for Elastic Security, providing a comprehensive set of pre-built rules
  • Regularly updated with new rules and improvements based on emerging threats
  • Includes a rule testing framework for validation and quality assurance

Cons of detection-rules

  • Limited to Elastic Security ecosystem, not as versatile for other platforms
  • Requires Elastic Stack knowledge for optimal use and customization
  • Less emphasis on adversary emulation compared to CALDERA

Code Comparison

detection-rules (YAML rule example):

name: Potential DLL Side-Loading via Microsoft Antimalware Service Executable
type: eql
risk_score: 47
description: Detects potential DLL side-loading attempts using Microsoft Antimalware Service Executable
query: |
  process where event.type == "start" and
    process.name : "MsMpEng.exe" and
    not process.executable : ("C:\\ProgramData\\Microsoft\\Windows Defender\\*", "C:\\Program Files\\Windows Defender\\*")

CALDERA (Python ability example):

class Ability(Ability):
    async def execute(self, operation, agent, facts):
        command = 'whoami /groups'
        return await operation.execute_shell_command(agent, command)

The code snippets showcase the different focus areas of the two projects: detection-rules emphasizes threat detection rules, while CALDERA focuses on adversary emulation and red team operations.

Convert Figma logo designs to code with AI

Visual Copilot

Introducing Visual Copilot: A new AI model to turn Figma designs to high quality code using your components.

Try Visual Copilot

README

Release Testing Status Security Status codecov Documentation Status

MITRE Caldera™

MITRE Caldera™ is a cyber security platform designed to easily automate adversary emulation, assist manual red-teams, and automate incident response.

It is built on the MITRE ATT&CK™ framework and is an active research project at MITRE.

The framework consists of two components:

  1. The core system. This is the framework code, consisting of what is available in this repository. Included is an asynchronous command-and-control (C2) server with a REST API and a web interface.
  2. Plugins. These repositories expand the core framework capabilities and providing additional functionality. Examples include agents, reporting, collections of TTPs and more.

Resources & Socials

Plugins

:star: Create your own plugin! Plugin generator: Skeleton :star:

Default

These plugins are supported and maintained by the Caldera team.

  • Access (red team initial access tools and techniques)
  • Atomic (Atomic Red Team project TTPs)
  • Builder (dynamically compile payloads)
  • Caldera for OT (ICS/OT capabilities for Caldera)
  • Compass (ATT&CK visualizations)
  • Debrief (operations insights)
  • Emu (CTID emulation plans)
  • Fieldmanual (documentation)
  • GameBoard (visualize joint red and blue operations)
  • Human (create simulated noise on an endpoint)
  • Magma (VueJS UI for Caldera v5)
  • Manx (shell functionality and reverse shell payloads)
  • Response (incident response)
  • Sandcat (default agent)
  • SSL (enable https for caldera)
  • Stockpile (technique and profile storehouse)
  • Training (certification and training course)

More

These plugins are ready to use but are not included by default and are not maintained by the Caldera team.

  • Arsenal (MITRE ATLAS techniques and profiles)
  • CalTack (embedded ATT&CK website)
  • Pathfinder (vulnerability scanning)
  • SAML (SAML authentication)

Requirements

These requirements are for the computer running the core framework:

  • Any Linux or MacOS
  • Python 3.8+ (with Pip3)
  • Recommended hardware to run on is 8GB+ RAM and 2+ CPUs
  • Recommended: GoLang 1.17+ to dynamically compile GoLang-based agents.
  • NodeJS (v16+ recommended for v5 VueJS UI)

Installation

Concise installation steps:

git clone https://github.com/mitre/caldera.git --recursive
cd caldera
pip3 install -r requirements.txt
python3 server.py --insecure --build

Full steps: Start by cloning this repository recursively, passing the desired version/release in x.x.x format. This will pull in all available plugins.

git clone https://github.com/mitre/caldera.git --recursive --tag x.x.x

Next, install the PIP requirements:

pip3 install -r requirements.txt

Super-power your Caldera server installation! Install GoLang (1.19+)

Finally, start the server.

python3 server.py --insecure --build

The --build flag automatically installs any VueJS UI dependencies, bundles the UI into a dist directory, writes the Magma plugin's .env file, and is served by the Caldera server. You will only have to use the --build flag again if you add any plugins or make any changes to the UI. Once started, log into http://localhost:8888 using the default credentials red/admin. Then go into Plugins -> Training and complete the capture-the-flag style training course to learn how to use Caldera.

In some situations the default configuration values can cause the UI to appear unresponsive due to misrouted requests. Modify the app.frontend.api_base_url config value and start the server using the --build flag to update the UI's request URL environment variable.

If you prefer to not use the new VueJS UI, revert to Caldera v4.2.0. Correspondingly, do not use the --build flag for earlier versions as not required.

User Interface Development

If you'll be developing the UI, there are a few more additional installation steps.

Requirements

  • NodeJS (v16+ recommended)

Setup

  1. Add the Magma submodule if you haven't already: git submodule add https://github.com/mitre/magma
  2. Install NodeJS dependencies: cd plugins/magma && npm install && cd ..
  3. Start the Caldera server with an additional flag: python3 server.py --uidev localhost

Your Caldera server is available at http://localhost:8888 as usual, but there will now be a hot-reloading development server for the VueJS front-end available at http://localhost:3000. Both logs from the server and the front-end will display in the terminal you launched the server from.

Docker Deployment

To build a Caldera docker image, ensure you have docker installed and perform the following actions:

# Recursively clone the Caldera repository if you have not done so
git clone https://github.com/mitre/caldera.git --recursive

# Build the docker image. Change image tagging as desired.
# WIN_BUILD is set to true to allow Caldera installation to compile windows-based agents.
# Alternatively, you can use the docker compose YML file via "docker-compose build"
cd caldera
docker build . --build-arg WIN_BUILD=true -t caldera:latest

# Run the image. Change port forwarding configuration as desired.
docker run -p 8888:8888 caldera:latest

To gracefully terminate your docker container, do the following:

# Find the container ID for your docker container running Caldera
docker ps

# Stop the container
docker stop [container ID]

Contributing

Refer to our contributor documentation.

Vulnerability Disclosures

Refer to our Vulnerability Disclosure Documentation for submitting bugs.

Licensing

To discuss licensing opportunities, please reach out to caldera@mitre.org or directly to MITRE's Technology Transfer Office.

Caldera Benefactor Program

If you are interested in partnering to support, sustain, and evolve MITRE Caldera™'s open source capabilities, please contact us at caldera@mitre.org.