(Pre-)compromise operations for MITRE CALDERA

Overview

(Pre-)compromise operations for CALDERA

Extend your CALDERA operations over the entire adversary killchain. In contrast to MITRE's access plugin, caldera-precomp attempts to traverse the first phases of the killchain (reconnaissance, initial access, command and control) in an autonomous manner.

Even more so than post-compromise operation, the (pre-)compromise domain is full of uncertainty and subject to constant change. For this reason and a multitude of other reasons, the scenarios implemented in the plugin are unlikely to be very effective in the real world - they have mainly been built as a proof-of-concept. However, the underlying architecture of the plugin forms a great platform for autonomous (pre-)compromise operation. Use the plugin as a learning resource, or a basis for developing your own AAE applications that traverse the entire killchain.

Usage

⚠️ Only use this against resources that you own and/or are authorised to attack
  • The plugin needs a target scope to start with - see fact sources.
  • The plugin has been built and tested against MITRE CALDERA 4.0.0-alpha.
  • The plugin assumes availability of tooling required to run abilities on initial agents - Docker and bundled payloads have been used where possible to limit setup complexity.

Plugin architecture

Agents and agent groups

  • initial agents are used as a vantage point for the operation - they are installed on hosts that are controlled by us. We recommend spawning multiple on a range of OS'es and architectures - it can be useful to have both Windows and Linux-based agents to maximise support for tooling used by abilities.
  • rce agents are used as a 'mask' for situations where remote code execution is possible. This is part of a workaround that is further documented here.
  • target agents are spawned on remote hosts. This plugin does not interact with target agents, but they can be used to transition towards post-compromise adversary emulation using other CALDERA plugins.

Adversaries

The plugin implements two types of adversaries - ones that follow predefined scenarios albeit in an autonomous manner, and one that works unrestricted and leverages all abilities the plugin implements.

Scenarios

  • precomp-scenario-vulnexp scans the IP range for public-facing Microsoft Exchange servers and checks whether they are vulnerable to ProxyShell (CVE-2021-34473, CVE-2021-34523, and CVE-2021-31207). If it finds any vulnerable hosts, it exploits the vulnerability, extracting all email addresses from the Exchange Server and dropping a webshell. The webshell is then used to spawn a Sandcat agent on the remote Exchange server.
  • precomp-scenario-spray scans public-facing websites for e-mail addresses and the target IP range for public-facing RDP servers. The resulting information is used to execute a password spray against RDP. If successful, the adversary logs in to RDP and spawns a Sandcat agent on the remote host.

Autonomous

  • precomp-unrestricted implements all abilities that are part of the plugin and thus traverses any path it can find within the boundaries of the plugin.

Fact sources

  • target.domain takes a domain name (example.com)
  • target.range takes an IP address or range of addresses in CIDR notation (10.0.0.0/28)

These fact traits can be instantiated multiple times.

Planning

The included precomp-planner ensures three conditions apply for the links it generates:

  • For agents in the initial group, a combination of an ability and facts is only executed by one of these agents (since initial agents are identical from a tactical perspective)
  • RCE agents only execute abilities in the command-and-control tactic (in our scenarios, we want to 'upgrade' to full C2 as soon as possible)
  • Target agents do not execute any abilities

While this behaviour is sufficient for our use case, it might not be for other scenarios. Modify the planner logic as you like.

Handling RCE

When designing abilities that are part of the tactical phases of inital access or lateral movement, procedures often yield the ability to execute code on a target host (remote code execution). In these situations, actually executing code on the remote host requires two separate actions: one that is run locally, to establish the 'pipe' through which commands can be executed, and the action that is run remotely.

Given CALDERA's current capability, it is not possible to separate these two actions - both will have to be combined into one ability. Doing this goes directly against the philosophy of the framework - to strive for atomicity in designing abilities, while letting the framework make decisions in how to use them.

To solve this without modifying the CALDERA framework itself, we forked and modified MITRE's Sandcat agent to essentially act as a 'mask' for remote code execution - it runs locally, but acts like a remote agent and ensures any commands sent to it are executed on the remote host. This 'workaround' can be used as an intermediate stage to gaining full C2 (by installing an agent on the remote host).

An example of this agent being used in an ability can be found here. The modified agent can be found here. Compiled versions of this agent (for Linux and Windows) can be found in the payloads of this plugin.

Arguments

  • rcePlatform: the platform of the remote host (e.g. windows, darwin).
  • rceExecutor: the executor to use for remotely executed commands (e.g. psh, sh).
  • rceCommand: the command to use to 'instantiate' RCE (e.g. ssh [email protected] COMMAND). This command needs to include a substitution marker (COMMAND), allowing the RCE agent to inject actions that need to be executed on the remote system.
  • rcePayloadname: if necessary, the payload to download from the CALDERA server that is a prerequisite to executing the rceCommand.
Owner
Diederik Bakker
MSc Cyber Security @ University of Twente
Diederik Bakker
Easy installer for running Amazon AVS Device SDK on Raspberry Pi

avs-device-sdk-pi Scripts to enable Alexa voice activation using Picovoice Porcupine If you like the work, find it useful and if you would like to get

4 Nov 14, 2022
A PG3D API Made with Python

PG3D Python API A Pixel Gun 3D Python API (Public Ver) Features Count: 29 How To Use? import api as pbn Examples pbn.isBanned(192819483) - True pbn.f

Karim 2 Mar 24, 2022
A simple but fully functional calculator that will take multiple operations.

Functional-Calculator A simple but fully functional calculator that will take multiple operations. Usage Run the following command through terminal: p

Uzziel Ariel 1 Dec 22, 2022
Cairo-bloom - A naive bloom filter implementation in Cairo

🥀 cairo-bloom A naive bloom filter implementation in Cairo. A Bloom filter is a

Sam Barnes 37 Oct 01, 2022
Gives you more advanced math in python.

AdvancedPythonMath Gives you more advanced math in python. Functions .simplex(args: {number}) .circ(args: {raidus}) .pytha(args: {leg_a + leg_2}) .slo

Voidy Devleoper 1 Dec 25, 2021
BasicVSR++ function for VapourSynth

BasicVSR++ BasicVSR++: Improving Video Super-Resolution with Enhanced Propagation and Alignment Ported from https://github.com/open-mmlab/mmediting De

Holy Wu 34 Nov 28, 2022
Master Duel Card Translator Project

Master Duel Card Translator Project A tool for translating card effects in Yu-Gi-Oh! Master Duel. Quick Start (for Chinese version only) Download the

67 Dec 23, 2022
All solutions for the 2021 Advent of Code event.

Advent of Code 2021 Solutions All solutions for the 2021 Advent of Code event. Setup Create a file called .session. Go to adventofcode.com and copy th

Bruce Berrios 6 Dec 26, 2021
Replay Felica Exchange For Python

FelicaReplay Replay Felica Exchange Description Standalone Replay Module Usage Save FelicaRelay (=2.0) output to file, then python replay.py [FILE].

3 Jul 14, 2022
Cash in on Expressed Barcode Tags (EBTs) from NGS Sequencing Data with Python

Cash in on Expressed Barcode Tags (EBTs) from NGS Sequencing Data with Python Cashier is a tool developed by Russell Durrett for the analysis and extr

3 Sep 11, 2022
3x+1 recreated in Python

3x-1 3x+1 recreated in Python If a number is odd it is multiplied by 3 and 1 is added to the product. If a number is even it is divided by 2. These ru

4 Aug 19, 2022
This is a repository built by the community for the community.

Nutshell Machine Learning Machines can see, hear and learn. Welcome to the future 🌍 The repository was built with a tree-like structure in mind, it c

Edem Gold 82 Nov 18, 2022
Cvdl-hw2 - Find Contour, Camera Calibration, Augmented Reality and Stereo Disparity Map

opevcvdl-hw2 This project uses openCV and Qt to achieve the requirements. Version Python 3.7 opencv-contrib-python 3.4.2.17 Matplotlib 3.1.1 pyqt5 5.1

Kenny Cheng 3 Aug 17, 2022
Ferramenta de monitoramento do risco de colapso no sistema de saúde em municípios brasileiros com a Covid-19.

FarolCovid 🚦 Ferramenta de monitoramento do risco de colapso no sistema de saúde em municípios brasileiros com a Covid-19. Monitoring tool & simulati

Impulso 49 Jul 10, 2022
Import modules and files straight from URLs.

Import Python code from modules straight from the internet.

Nate 2 Jan 15, 2022
Add your recently blog and douban states in your GitHub Profile

Add your recently blog and douban states in your GitHub Profile

Bingjie Yan 4 Dec 12, 2022
Automated Birthday Wisher built using Python

Automated Birthday Wisher This Automation of wishing Birthday is achieved using Python. Never forget to wish birthday! Table of contents Overview Scre

yashviradia 1 Nov 29, 2021
Discord's own Dumbass made for shits n' Gigs!

FWB3 Discord's own Dumbass made for shits n' Gigs! Please note: This bot is made to be stupid and funny, If you want to get into bot development you'r

1 Dec 06, 2021
With Christmas and New Year ahead, it is time for some festive coding. Here is a Christmas Card for you all!

Christmas Card With Christmas and New Year ahead, it is time for some festive coding! Here is a Christmas Card for you all! NOTE: I have not made this

CodeMaster7000 1 Dec 25, 2021
SpellingBeeSolver - This program generates solutions to NYT style spelling bee problems.

SpellingBeeSolver This program generates solutions to NYT style spelling bee problems. The initial version of this program is being written in Python

1 Jan 01, 2022