Home/Caldera abilities

Caldera emulation abilities

67 runnable adversary-emulation actions · command + platform · mapped to ATT&CK
All tactics build-capabilities · 1 collection · 16 command-and-control · 6 credential-access · 10 defense-evasion · 15 detection · 8 discovery · 67 execution · 9 exfiltration · 13 hunt · 4 impact · 8 lateral-movement · 10 persistence · 3 privilege-escalation · 8 response · 14 setup · 10 technical-information-gathering · 1 training · 6 verification · 2

Abilities

17 shown of 67
discovery ["darwin", "linux", "windows"] T1083 · File and Directory Discovery ↗
Print Working Directory
Print the current working directory on the system
Show command 
[{"platform": "darwin", "executor": "sh", "command": "pwd\n"}, {"platform": "linux", "executor": "sh", "command": "pwd\n"}, {"platform": "windows", "executor": "psh", "command": "pwd\n"}]
discovery ["windows"] T1012 · Query Registry ↗
Query Registry
Query Registry using PowerShell Get-ItemProperty
Show command 
[{"platform": "windows", "executor": "psh", "command": "Get-ItemProperty -Path HKLM:\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\n"}]
Remote Host Ping
Ping a remote host to see if it is accessible
Show command 
[{"platform": "windows", "executor": "psh", "command": "ping #{remote.host.fqdn}\n"}]
discovery ["windows"] T1018 · Remote System Discovery ↗
Reverse nslookup IP
Find hostname of remote IP in domain
Show command 
[{"platform": "windows", "executor": "psh", "command": "nslookup #{remote.host.ip}\n"}]
discovery ["darwin", "linux"] T1046 · Network Service Scanning ↗
Scan IP for ports
Use dropped scanner to find open popular ports
Show command 
[{"platform": "darwin", "executor": "sh", "command": "python3 scanner.py -i #{remote.host.ip}\n"}, {"platform": "linux", "executor": "sh", "command": "python3 scanner.py -i #{remote.host.ip}\n"}]
discovery ["darwin", "linux", "windows"] T1016 · System Network Configuration Discovery ↗
Scan WIFI networks
View all potential WIFI networks on host
Show command 
[{"platform": "darwin", "executor": "sh", "command": "./#{payload:9f639067-370a-40ba-b7ac-6f1c15d5a158} scan\n"}, {"platform": "linux", "executor": "sh", "command": "./#{payload:9f639067-370a-40ba-b7ac-6f1c15d5a158} scan\n"}, {"platform": "windows", "executor": "psh", "command": ".\\#{payload:28f9bf43-4f14-4965-9bd9-b70fd6993d8e} -Scan\n"}]
Snag broadcast IP
Capture the local network broadcast IP address
Show command 
[{"platform": "darwin", "executor": "sh", "command": "ifconfig | grep broadcast"}]
discovery ["windows", "darwin", "linux"] T1057 · Process Discovery ↗
System processes
Identify system processes
Show command 
[{"platform": "windows", "executor": "psh", "command": "Get-Process"}, {"platform": "windows", "executor": "cmd", "command": "tasklist"}, {"platform": "windows", "executor": "donut_amd64", "command": ""}, {"platform": "darwin", "executor": "sh", "command": "ps aux"}, {"platform": "linux", "executor": "sh", "command": "ps aux"}]
UAC Status
Determine whether or not UAC is enabled
Show command 
[{"platform": "windows", "executor": "psh,pwsh", "command": "echo $(get-uac)\n"}]
USB Connected Device Discovery
find attached usb devices
Show command 
[{"platform": "darwin", "executor": "sh", "command": "system_profiler SPUSBDataType\n"}]
discovery ["darwin", "linux", "windows"] T1057 · Process Discovery ↗
View Processes
Display information about current system processes
Show command 
[{"platform": "darwin", "executor": "sh", "command": "ps\n"}, {"platform": "linux", "executor": "sh", "command": "ps\n"}, {"platform": "windows", "executor": "psh", "command": "get-process\n"}]
discovery ["windows"] T1135 · Network Share Discovery ↗
View admin shares
Network Share Discovery
Show command 
[{"platform": "windows", "executor": "pwsh,psh", "command": "Get-SmbShare | ConvertTo-Json"}]
discovery ["darwin", "linux"] T1120 · Peripheral Device Discovery ↗
View printer queue
View details of queued documents in printer queue
Show command 
[{"platform": "darwin", "executor": "sh", "command": "lpq -a"}, {"platform": "linux", "executor": "sh", "command": "lpq -a"}]
discovery ["windows"] T1135 · Network Share Discovery ↗
View remote shares
View the shares of a remote host
Show command 
[{"platform": "windows", "executor": "psh", "command": "net view \\\\#{remote.host.fqdn} /all"}, {"platform": "windows", "executor": "cmd", "command": "net view \\\\#{remote.host.fqdn} /all"}]
Virtual or Real
Determine if the system is virtualized or physical
Show command 
[{"platform": "windows", "executor": "psh", "command": "get-wmiobject win32_computersystem | fl model\n"}]
discovery ["linux"] T1057 · Process Discovery ↗
enumerate VMs
Enumerate running virtual machines on hypervisor
Show command 
[{"platform": "linux", "executor": "sh", "command": "acrnctl list\n"}]
discovery ["windows"] T1057 · Process Discovery ↗
tasklist Process Enumeration
Capture running processes and their loaded DLLs
Show command 
[{"platform": "windows", "executor": "psh", "command": "tasklist /m  >> $env:APPDATA\\vmtool.log;\ncat $env:APPDATA\\vmtool.log\n"}]
Showing 51-67 of 67
Prev 2 Next
SOC and Response
CVE triage
Stack monitoring
Am I affected
IOC triage
KEV catalog
Recently exploited
Daily brief
Change tracking
Detection Engineering
Coverage workspace
Detection coverage
Coverage check
Telemetry ceiling
SIEM query builder
Sigma rules
SIEM rules
YARA rules
Network rules
D3FEND
Threat Hunting
Threat actors
ATT&CK techniques
Attack paths
Indicators
Atomic tests
Red Team and Pentest
Exploitability triage
Recon pack
Attack paths
CAPEC patterns
Adversary emulation
Compliance and GRC
Framework mapping
Control assessment
Audit view
Atlas Search Threat actors Techniques Tools & malware CWE CAPEC KEV catalog Package vulns
About All capabilities Pricing API docs Privacy policy Terms of service
threatengine.sh