Caldera emulation abilities
211 runnable adversary-emulation actions · command + platform · mapped to ATT&CK
All tactics
build-capabilities: 1 · collection: 16 · command-and-control: 6 · credential-access: 10 · defense-evasion: 15 · detection: 8 · discovery: 67 · execution: 9 · exfiltration: 13 · hunt: 4 · impact: 8 · lateral-movement: 10 · persistence: 3 · privilege-escalation: 8 · response: 14 · setup: 10 · technical-information-gathering: 1 · training: 6 · verification: 2
Abilities
11 shown of 211

Scheduled Tasks Baseline
Capture the scheduled tasks that exist at the start of the operation
[{"platform": "windows", "executor": "psh", "command": "Get-ScheduledTask > C:\\Users\\Public\\baseline_schtasks_list.txt\n"}]

User Cron Jobs Baseline
Capture the cron jobs that exist at the start of the operation
[{"platform": "linux", "executor": "sh", "command": "echo '' > /tmp/cron_jobs;\nfor user in $(getent passwd | cut -f1 -d:); do\n $(crontab -u $user -l 2>/dev/null | grep -v '\\#' | while read -r job; do\n echo \"${user}>${job}\" >> /tmp/cron_jobs;\n done);\ndone;\ncat /tmp/cron_jobs | sort > /tmp/baseline_cronjobs_list.txt;\nrm /tmp/cron_jobs;\n"}, {"platform": "darwin", "executor": "sh", "command": "echo '' > /tmp/cron_jobs;\nfor user in $(dscl . list /Users | grep -v \"^_\"); do\n $(crontab -u $user -l 2>/dev/null | grep -v '\\#' | while read -r job; do\n echo \"${user}>${job}\" >> /tmp/cron_jobs;\n done);\ndone;\ncat /tmp/cron_jobs | sort > /tmp/baseline_cronjobs_list.txt;\nrm /tmp/cron_jobs;\n"}]

NMAP scan
Scan an external host for open ports and services
[{"platform": "darwin,linux", "executor": "sh", "command": "./scanner.sh #{target.ip}\n"}]

Add New Cronjob/Scheduled Task
Certification ability to create a new cronjob or scheduled task
[{"platform": "linux", "executor": "sh", "command": "crontab -l > new_crontab;\necho '0 * * * * /bin/echo bad_cronjob' >> new_crontab;\ncrontab new_crontab;\nrm -f new_crontab;\n"}, {"platform": "darwin", "executor": "sh", "command": "crontab -l > new_crontab;\necho '0 * * * * /bin/echo bad_cronjob' >> new_crontab;\ncrontab new_crontab;\nrm -f new_crontab;\n"}, {"platform": "windows", "executor": "psh", "command": "$action = New-ScheduledTaskAction -Execute \"calc.exe\";\n$trigger = New-ScheduledTaskTrigger -Daily -At 9am;\nRegister-ScheduledTask -Action $action -Trigger $trigger -TaskName \"FindMe\" -Description \"Pretend malicious scheduled action\";"}]

Create Process on Unauthorized Port
Certification ability to create a listening process on an unauthorized port
[{"platform": "linux", "executor": "sh", "command": "nc -nlv 7011 &\n"}, {"platform": "darwin", "executor": "sh", "command": "nc -nlv 7011 &"}]

Delete Pretend Malicious Mail
Delete previously stored pretend malicious mail
[{"platform": "linux", "executor": "sh", "command": "rm -f /var/mail/victim"}]

Modify Bash/Powershell Profile
Add a line to the Bash or Powershell profile
[{"platform": "linux", "executor": "sh", "command": "touch ~/.bashrc;\necho '#Find this change!' >> ~/.bashrc;\n"}, {"platform": "darwin", "executor": "sh", "command": "touch ~/.bashrc;\necho '#Find this change!' >> ~/.bashrc;\n"}, {"platform": "windows", "executor": "psh", "command": "if (Test-Path $Profile) {\n echo '#Find this change!' >> $Profile;\n} else {\n echo '#Find this change!' > $Profile;\n}\n"}]

Pretend Malicious File
Create a pretend malicious file to be acted on
[{"platform": "windows", "executor": "psh", "command": "echo 'Malicious file' > C:\\Users\\Public\\malicious;\n(Get-FileHash C:\\Users\\Public\\malicious).Hash > C:\\Users\\Public\\malicious_files.txt\n"}]

Pretend Malicious Mail
Send an email with a pretend evil domain to be acted on
[{"platform": "linux", "executor": "sh", "command": "mv ./phish_email.txt /var/mail/victim\n"}]

GameBoard Plugin Manual Detection - GUID
GameBoard plugin guid detection placeholder ability
[{"platform": "windows", "executor": "psh", "command": ";\n"}]

GameBoard Plugin Manual Detection - PID
GameBoard plugin pid detection placeholder ability
[{"platform": "windows", "executor": "psh", "command": ";\n"}]

Showing 201-211 of 211