
Caldera emulation abilities

14 runnable adversary-emulation actions · command + platform · mapped to ATT&CK

Abilities

Collect Child Processes
  Tactic: response · Platforms: windows · ATT&CK: x · Query Event Logs
  Collect child processes from Sysmon logs
  Command (windows / psh):
    $time_range = (Get-Date) - (New-TimeSpan -Seconds $(#{sysmon.time.range}/1000));
    Get-WinEvent -FilterHashTable @{ Logname='Microsoft-Windows-Sysmon/Operational'; StartTime=$time_range; Id=1} | where -Property Message -Match '(?m)^ParentProcessGuid: {#{host.process.guid}}' | Format-List;
  Command (windows / cmd):
    wevtutil qe Microsoft-Windows-Sysmon/Operational /q:"*/System/TimeCreated[timediff(@SystemTime) <= #{sysmon.time.range}] and */EventData/Data[@Name='ParentProcessGuid']=#{host.process.guid} and Event[System[EventID=1]]" /f:text
Collect GUID from PID
  Tactic: response · Platforms: windows · ATT&CK: x · Query Event Logs
  Collect process GUIDs by querying Sysmon for all events associated with the given PID
  Command (windows / psh):
    $time_range = (Get-Date) - (New-TimeSpan -Seconds $(#{sysmon.time.range}/1000));
    Get-WinEvent -FilterHashTable @{ Logname='Microsoft-Windows-Sysmon/Operational'; StartTime=$time_range; Id=1} | where -Property Message -Match '(?m)^ProcessId: #{host.process.id}\b' | Format-List;
  Command (windows / cmd):
    wevtutil qe Microsoft-Windows-Sysmon/Operational /q:"*/System/TimeCreated[timediff(@SystemTime) <= #{sysmon.time.range}] and */EventData/Data[@Name='ProcessId']=#{host.process.id}" /f:text
Collect Grandchild Processes
  Tactic: response · Platforms: windows · ATT&CK: x · Query Event Logs
  Collect grandchild processes from Sysmon logs
  Command (windows / psh):
    $time_range = (Get-Date) - (New-TimeSpan -Seconds $(#{sysmon.time.range}/1000));
    Get-WinEvent -FilterHashTable @{ Logname='Microsoft-Windows-Sysmon/Operational'; StartTime=$time_range; Id=1} | where -Property Message -Match '(?m)^ParentProcessId: #{host.process.childid}\b' | Format-List;
  Command (windows / cmd):
    wevtutil qe Microsoft-Windows-Sysmon/Operational /q:"*/System/TimeCreated[timediff(@SystemTime) <= #{sysmon.time.range}] and */EventData/Data[@Name='ParentProcessId']=#{host.process.childid} and Event[System[EventID=1]]" /f:text
Collect Parent's Child Processes
  Tactic: response · Platforms: windows · ATT&CK: x · Query Event Logs
  Collect all process creation events with the given parent process GUID
  Command (windows / psh):
    $time_range = (Get-Date) - (New-TimeSpan -Seconds $(#{sysmon.time.range}/1000));
    Get-WinEvent -FilterHashTable @{ Logname='Microsoft-Windows-Sysmon/Operational'; StartTime=$time_range; Id=1 } | where -Property Message -Match "\bParentProcessGuid: {#{host.process.parentguid}}" | Format-List;
  Command (windows / cmd):
    wevtutil qe Microsoft-Windows-Sysmon/Operational /q:"*/System/TimeCreated[timediff(@SystemTime) <= #{sysmon.time.range}] and */System/EventID=1 and */EventData/Data[@Name='ParentProcessGuid']='#{host.process.parentguid}'" /f:text
Delete known suspicious files
  Tactic: response · Platforms: windows · ATT&CK: x · x
  Use hash of known suspicious file to find instances of said file, and delete instances
  Command (windows / psh):
    Remove-Item -Path #{host.malicious.file} -Force;
Enable Inbound TCP/UDP firewall rule
  Tactic: response · Platforms: windows · ATT&CK: T1065 · Uncommonly Used Port
  Blocks inbound TCP and UDP traffic on a specific port
  Command (windows / psh, pwsh):
    New-NetFirewallRule -DisplayName "Block in-bound UDP traffic to port #{host.port.unauthorized} from PID #{host.pid.unauthorized}" -Group "Caldira" -Direction Inbound -Protocol UDP -Action Block -LocalPort #{host.port.unauthorized};
    New-NetFirewallRule -DisplayName "Block in-bound TCP traffic to port #{host.port.unauthorized} from PID #{host.pid.unauthorized}" -Group "Caldira" -Direction Inbound -Protocol TCP -Action Block -LocalPort #{host.port.unauthorized};
Enable Outbound TCP/UDP firewall rule
  Tactic: response · Platforms: windows · ATT&CK: T1065 · Uncommonly Used Port
  Blocks outbound TCP and UDP traffic on a specific port
  Command (windows / psh, pwsh):
    New-NetFirewallRule -DisplayName "Block out-bound UDP traffic to port #{remote.port.unauthorized} from PID #{host.pid.unauthorized}" -Group "Caldira" -Direction Outbound -Protocol UDP -Action Block -RemotePort #{remote.port.unauthorized};
    New-NetFirewallRule -DisplayName "Block out-bound TCP traffic to port #{remote.port.unauthorized} from PID #{host.pid.unauthorized}" -Group "Caldira" -Direction Outbound -Protocol TCP -Action Block -RemotePort #{remote.port.unauthorized};
Inoculate C2
  Tactic: response · Platforms: linux, darwin, windows · ATT&CK: x · x
  Reroute suspicious IP addresses to localhost by editing hosts file
  Command (linux, darwin / sh):
    if ! test -f hosts_backup; then cp /etc/hosts hosts_backup; fi;
    echo "127.0.0.1    #{remote.suspicious.url}" >> /etc/hosts;
  Command (windows / psh):
    if (-not (Test-Path -Path .\hosts_backup)) { Copy-Item -Path c:\windows\system32\drivers\etc\hosts -Destination .\hosts_backup; };
    Add-Content c:\windows\system32\drivers\etc\hosts "127.0.0.1`t#{remote.suspicious.url}";
Kill rogue process
  Tactic: response · Platforms: linux, darwin, windows · ATT&CK: x · x
  Force kill any unauthorized processes
  Command (linux, darwin / sh):
    kill -9 #{host.pid.unauthorized}
  Command (windows / psh, pwsh):
    Stop-Process -Id #{host.pid.unauthorized} -Force
  Command (windows / cmd):
    taskkill /pid #{host.pid.unauthorized} /f
Remove Unauthorized Cron Job
  Tactic: response · Platforms: linux, darwin · ATT&CK: x · x
  Removes newly added cron jobs
  Command (linux, darwin / sh):
    crontab -u #{host.user.name} -l > temp_crontab;
    # fixed-string match so regex metacharacters in the job line do not alter the search;
    # keep only the first hit so sed receives a single line address
    line_number=$(grep -nF '#{host.new.cronjob}' temp_crontab | head -n 1 | cut -d':' -f1);
    if [ -n "$line_number" ]; then
      sed "${line_number}d" temp_crontab > new_crontab;
      crontab -u #{host.user.name} new_crontab;
    fi;
    rm -f temp_crontab new_crontab;
Remove Unauthorized Scheduled Task
  Tactic: response · Platforms: windows · ATT&CK: x · x
  Removes newly added scheduled tasks
  Command (windows / psh):
    Unregister-ScheduledTask -TaskName #{host.new.schtask} -Confirm:$false
Restore File Backup
  Tactic: response · Platforms: linux, darwin, windows · ATT&CK: x · x
  Restore backups of files if file has been modified
  Command (linux, darwin / sh):
    cp -f /tmp/sensitive_file_backups/#{file.backup.name} #{file.sensitive.path}
  Command (windows / psh):
    Copy-Item "C:\Users\Public\sensitive_file_backups\#{file.backup.name}" -Destination "#{file.sensitive.path}" -Force
Restore Modified Sensitive Directory
  Tactic: response · Platforms: linux, darwin, windows · ATT&CK: x · x
  Restore sensitive directories with their backups if they have been modified
  Command (linux, darwin / sh):
    directory="#{directory.sensitive.path}";
    mkdir -p "$directory";
    # ${directory:?} aborts if the path is empty, so this can never expand to rm -rf /*
    rm -rf "${directory:?}"/*;
    tar -xzf /tmp/sensitive_file_backups/#{directory.sensitive.backup} -C "$directory";
  Command (windows / psh):
    $directory = "#{directory.sensitive.path}";
    New-Item -ItemType Directory -Force -Path $directory | Out-Null;
    Remove-Item -Path "$($directory)\*" -Recurse -EA silentlycontinue;
    Expand-Archive -LiteralPath "C:\Users\Public\sensitive_file_backups\#{directory.sensitive.backup}" -DestinationPath "$($directory)\";
System Information from GUID
  Tactic: response · Platforms: windows · ATT&CK: x · Query Event Logs
  Collect system information from Sysmon event log given ProcessGUID. Ability timeout may need to be increased depending on Sysmon log size.
  Command (windows / psh):
    $time_range = (Get-Date) - (New-TimeSpan -Seconds $(#{sysmon.time.range}/1000));
    Get-WinEvent -FilterHashTable @{ Logname='Microsoft-Windows-Sysmon/Operational'; StartTime=$time_range; } | select TimeCreated,Id,ProviderName,RecordId,ProcessId,MachineName,Message | where -Property Message -Match "\bProcessGuid: {#{host.process.guid}}" | Format-List;
  Command (windows / cmd):
    wevtutil qe Microsoft-Windows-Sysmon/Operational /q:"*/System/TimeCreated[timediff(@SystemTime) <= #{sysmon.time.range}] and */EventData/Data[@Name='ProcessGuid']='#{host.process.guid}'" /f:text