
Caldera emulation abilities

8 runnable adversary-emulation actions · command + platform · mapped to ATT&CK where a technique ID is recorded (only one entry below carries one; the others show a placeholder)

Abilities

detection ["windows"] x · x ↗
Acquire suspicious files
Read the list of suspicious-file hashes that an earlier AV-query step left in C:\Users\Public\malicious_files.txt and print it. The file is deleted after it is read, so the result can only be collected once; if the file is absent the command prints nothing.
[{"platform": "windows", "executor": "psh", "command": "if (Test-Path C:\\Users\\Public\\malicious_files.txt -PathType Leaf) {\n  $hashes = Get-Content C:\\Users\\Public\\malicious_files.txt -Raw;\n  Remove-Item C:\\Users\\Public\\malicious_files.txt;\n  $hashes;\n}\n"}]
detection ["windows"] T1065 · Uncommonly Used Port ↗
Find atypical open ports
Report listening TCP ports (with the owning PID, as JSON) that are not in a hard-coded baseline list. The baseline ranges are expanded with an exclusive upper bound, so the top port of each range (5000 and 65535) is itself reported as atypical; adjust the list to the host's role before treating the output as findings.
[{"platform": "windows", "executor": "psh, pwsh", "command": "function getFullList($portList){\n    $final = @();\n    foreach ($p in $portList) {\n        if ($p -like \"*-*\") {\n            $minmax = $p.Split(\"-\");\n            for ($i = ($minmax[0] -as [int]); $i -lt ($minmax[1] -as [int]); $i++) {\n                $final += ($i -as [string]);\n            };\n        } else {\n            $final += $p;\n        };\n    };\n    return $final;\n};\n$basePorts = @(\"135\",\"139\",\"389\",\"445\",\"636\",\"1000-5000\",\"9389\",\"49152-65535\");\n$allPorts = getFullList $basePorts;\n$pidToPort = @();\nforeach ($port in (Get-NetTCPConnection -RemoteAddress 0.0.0.0 -state Listen)){\n    if ($allPorts -notcontains $port.LocalPort){\n        $pidToPort += , @{pid=$port.OwningProcess;port=$port.LocalPort};\n    }\n};\n$pidToPort | ConvertTo-Json;\n"}]
detection ["darwin", "linux", "windows"] x · x ↗
Find unauthorized processes
Print the PIDs of processes associated with the remote.port.unauthorized fact. On Windows this is taken from TCP connections to that remote port; on Linux/macOS it is a plain text grep of ps output for the port number, so any process whose ps line happens to contain that number (a PID, a memory figure, an argument) will also match and should be verified by hand.
[{"platform": "darwin", "executor": "sh", "command": "ps aux | grep -v grep | grep #{remote.port.unauthorized} | awk '{print $2}'\n"}, {"platform": "linux", "executor": "sh", "command": "ps aux | grep -v grep | grep #{remote.port.unauthorized} | awk '{print $2}'\n"}, {"platform": "windows", "executor": "psh,pwsh", "command": "Get-NetTCPConnection -RemotePort \"#{remote.port.unauthorized}\" -EA silentlycontinue | where-object { write-host $_.OwningProcess }\n"}]
detection ["linux", "darwin", "windows"] x · x ↗
Modified Sensitive Directory
Archives the directory at directory.sensitive.path, hashes the archive, and prints the path if the hash differs from the stored directory.sensitive.hash or the directory is missing. The hash covers archive metadata as well as content, so file timestamp changes alone will trigger a report; note the Linux variant uses tar -czf without gzip's --no-name, so its archive embeds the compression time and the hash will not be stable between runs, unlike the macOS variant.
[{"platform": "linux", "executor": "sh", "command": "directory=\"#{directory.sensitive.path}\";\nif [ -d $directory ];\n  then tar -czf /tmp/dir_sens_comp -C $directory .;\n  hash=$(sha256sum /tmp/dir_sens_comp | cut -d' ' -f1);\n  rm -f /tmp/dir_sens_comp;\n  if [ \"$hash\" != \"#{directory.sensitive.hash}\" ];\n    then echo $directory;\n  fi;\nelse echo $directory;\nfi;\n"}, {"platform": "darwin", "executor": "sh", "command": "directory=\"#{directory.sensitive.path}\";\nif [ -d $directory ];\n  then tar -cf - -C $directory . | gzip --no-name > /tmp/dir_sens_comp;\n  hash=$(shasum -a 256 /tmp/dir_sens_comp | cut -d' ' -f1);\n  rm -f /tmp/dir_sens_comp;\n  if [ \"$hash\" != \"#{directory.sensitive.hash}\" ];\n    then echo $directory;\n  fi;\nelse echo $directory;\nfi;\n"}, {"platform": "windows", "executor": "psh", "command": "$directory = \"#{directory.sensitive.path}\";\nif (Test-Path -PathType Container $directory) {\n  Compress-Archive -Force -Path $($directory + \"\\*\") -DestinationPath C:\\Users\\Public\\dir_sens_comp.zip;\n  $hash = (Get-FileHash C:\\Users\\Public\\dir_sens_comp.zip).Hash;\n  Remove-Item -Force C:\\Users\\Public\\dir_sens_comp.zip;\n  if ($hash -ne \"#{directory.sensitive.hash}\") {\n    echo $directory;\n  }\n} else {\n  echo $directory;\n}\n"}]
detection ["linux", "darwin", "windows"] x · x ↗
Modified Sensitive Files
Prints file.sensitive.path when the file is missing or its SHA-256 differs from the stored file.sensitive.hash; both cases produce the same output, so a deleted file and a modified file are not distinguished. The Windows variant does not quote the path, so paths containing spaces will not work.
[{"platform": "linux", "executor": "sh", "command": "filepath=\"#{file.sensitive.path}\";\nif [ ! -f $filepath ] || [ \"$(sha256sum $filepath | cut -d' ' -f1)\" != \"#{file.sensitive.hash}\" ];\n  then echo $filepath;\nfi\n"}, {"platform": "darwin", "executor": "sh", "command": "filepath=\"#{file.sensitive.path}\";\nif [ ! -f $filepath ] || [ \"$(shasum -a 256 $filepath | cut -d' ' -f1)\" != \"#{file.sensitive.hash}\" ];\n  then echo $filepath;\nfi\n"}, {"platform": "windows", "executor": "psh", "command": "if (-not (Test-Path -PathType Leaf #{file.sensitive.path}) -or (Get-FileHash #{file.sensitive.path}).Hash -ne \"#{file.sensitive.hash}\") { echo #{file.sensitive.path} }\n"}]
detection ["linux", "darwin"] x · x ↗
New Cron Jobs
Lists per-user crontab entries that are not present in a baseline file at /tmp/baseline_cronjobs_list.txt, which must already exist from an earlier run. Any line containing a '#' anywhere is dropped, not only comment lines, and because the baseline lives in world-writable /tmp it can be altered by any local user, so it should not be relied on as a trusted reference.
[{"platform": "linux", "executor": "sh", "command": "set -f;\nfor user in $(getent passwd | cut -f1 -d:); do\n  $(crontab -u $user -l 2>/dev/null | grep -v '\\#' | while read -r job; do\n    echo \"${user}>${job}\" >> /tmp/cron_jobs;\n  done);\ndone;\ncat /tmp/cron_jobs | sort > /tmp/new_cronjobs_list.txt;\nnew_jobs=$(comm -13 /tmp/baseline_cronjobs_list.txt /tmp/new_cronjobs_list.txt);\nrm -f /tmp/cron_jobs;\nrm -f /tmp/new_cronjobs_list.txt;\nIFS=$(echo '\\n');\necho $new_jobs;\n"}, {"platform": "darwin", "executor": "sh", "command": "set -f;\nfor user in $(dscl . list /Users | grep -v \"^_\"); do\n  $(crontab -u $user -l 2>/dev/null | grep -v '\\#' | while read -r job; do\n    echo \"${user}>${job}\" >> /tmp/cron_jobs;\n  done);\ndone;\ncat /tmp/cron_jobs | sort > /tmp/new_cronjobs_list.txt;\nnew_jobs=$(comm -13 /tmp/baseline_cronjobs_list.txt /tmp/new_cronjobs_list.txt);\nrm -f /tmp/cron_jobs;\nrm -f /tmp/new_cronjobs_list.txt;\nIFS=$(echo '\\n');\necho $new_jobs;\n"}]
detection ["windows"] x · x ↗
New Scheduled Tasks
Lists scheduled-task names that do not appear in a baseline listing. Note the command writes the current listing to C:\Users\Public\new_schtasks_list.txt but then reads .\new_schtasks_list.txt and .\baseline_schtasks_list.txt relative to the current directory, so it only works when the agent's working directory is C:\Users\Public and the baseline file is already there.
[{"platform": "windows", "executor": "psh", "command": "Get-ScheduledTask > C:\\Users\\Public\\new_schtasks_list.txt;\n$new_schtasks =  $(Get-Content .\\new_schtasks_list.txt) | Where-Object {$_ -notIn $(Get-Content .\\baseline_schtasks_list.txt)} |foreach-object {(-split $_)[1]};\nRemove-Item -Path C:\\Users\\Public\\new_schtasks_list.txt -Force;\n$new_schtasks\n"}]
detection ["linux", "darwin"] x · x ↗
Suspicious URLs in mail
Lists the distinct sender domains (the text after '@' on 'From' lines) found in mailboxes under /var/mail. Despite the name it does not extract URLs from message bodies, and it performs no suspiciousness check of its own; the domains are meant to be reviewed or compared against a known-good list.
[{"platform": "linux", "executor": "sh", "command": "find /var/mail -type f -exec grep \"From.*@.*\\..*\" {} \\; | cut -d'@' -f2 | cut -d' ' -f1 | sort --uniq\n"}, {"platform": "darwin", "executor": "sh", "command": "find /var/mail -type f -exec grep \"From.*@.*\\..*\" {} \\; | cut -d'@' -f2 | cut -d' ' -f1 | sort --uniq\n"}]