
Caldera emulation abilities

10 runnable adversary-emulation actions · command + platform · mapped to ATT&CK


setup ["linux", "darwin"]
Backup Bash Profiles
If a bash profile doesn't exist, create it, then back up each profile.
[{"platform": "linux", "executor": "sh", "command": "mkdir -p /tmp/sensitive_file_backups;\nuser_profiles=\".bashrc .bash_profile .bash_login .profile\";\noutput=\"\";\nhome_dir=$(echo \"/home/*\" | sed 's/\\\\\\*/\\*/g');\ndirs=$(find $home_dir -maxdepth 0 -type d);\ndirs=\"${dirs} /root\";\nfiles=\"\";\nfor dir in $dirs;\n  do for prof in $user_profiles;\n    do files=\"${files}${dir}/${prof} \";\n  done;\ndone;\nfiles=\"${files} /etc/profile /etc/bash.bashrc\";\nfor file in $files;\n  do if [ ! -f $file ];\n    then touch $file;\n  fi;\n  randname=$(head /dev/urandom | tr -dc A-Za-z0-9 | head -c 13);\n  cp $file /tmp/sensitive_file_backups/$randname;\n  output=\"${output}${file}>${randname}\\n\";\ndone;\necho $output | sed '/^[[:space:]]*$/d'\n"}, {"platform": "darwin", "executor": "sh", "command": "mkdir -p /tmp/sensitive_file_backups;\nuser_profiles=\".bashrc .bash_profile .bash_login .profile\";\noutput=\"\";\nhome_dir=$(echo \"/Users/*\" | sed 's/\\\\\\*/\\*/g');\ndirs=$(find $home_dir -maxdepth 0 -type d);\ndirs=\"${dirs} /var/root\";\nfiles=\"\";\nfor dir in $dirs;\n  do for prof in $user_profiles;\n    do files=\"${files}${dir}/${prof} \";\n  done;\ndone;\nfiles=\"${files} /etc/profile /etc/bash.bashrc\";\nfor file in $files;\n  do if [ ! -f $file ];\n    then touch $file;\n  fi;\n  randname=$(head /dev/urandom | LC_CTYPE=C tr -dc A-Za-z0-9 | head -c 13);\n  cp $file /tmp/sensitive_file_backups/$randname;\n  output=\"${output}${file}>${randname}\\n\";\ndone;\necho $output | sed '/^[[:space:]]*$/d'\n"}]
setup ["windows"]
Backup Powershell Profiles
This ability creates backups of PowerShell profiles, creating the profiles themselves if they do not exist.
[{"platform": "windows", "executor": "psh", "command": "$files = @(\"$Profile\", \"$PsHome\\Profile.ps1\", \"$PsHome\\Microsoft.Powershell_profile.ps1\");\nNew-Item -ItemType Directory -Force -Path C:\\Users\\Public\\sensitive_file_backups | Out-Null;\n$output = '';\nForEach ($file in $files) {\n  if (-not (Test-Path $file)) {\n    New-Item -Path $file -ItemType File | Out-Null;\n  };\n  $randname = -join (( 0x41..0x5A) + ( 0x61..0x7A) | Get-Random -Count 13 | % {[char]$_});\n  Copy-Item $file -Destination \"C:\\Users\\Public\\sensitive_file_backups\\$randname\";\n  $output = \"$($output)$($file)>$($randname)`n\"\n};\n$output\n"}]
setup ["linux", "darwin", "windows"]
Backup Sensitive Directories
Create compressed backups of sensitive directories
[{"platform": "linux", "executor": "sh", "command": "mkdir -p /tmp/sensitive_file_backups;\ndir_path=$(echo \"#{directory.sensitive.path}\" | sed 's/\\\\\\*/\\*/g');\ndirectories=$(find $dir_path -maxdepth 0 -type d 2>/dev/null);\noutput=\"\";\nfor directory in $directories;\n  do if [ -z \"$(ls -A $directory)\" ]; then\n    touch \"${directory}/.bak\";\n  fi;\n  randname=$(head /dev/urandom | tr -dc A-Za-z0-9 | head -c 13);\n  tar -czf /tmp/sensitive_file_backups/${randname}.tar.gz -C $directory .;\n  output=\"${output}${directory}>${randname}.tar.gz\\n\";\ndone;\necho $output | sed '/^[[:space:]]*$/d'\n"}, {"platform": "darwin", "executor": "sh", "command": "mkdir -p /tmp/sensitive_file_backups;\ndir_path=$(echo \"#{directory.sensitive.path}\" | sed 's/\\\\\\*/\\*/g');\ndirectories=$(find $dir_path -maxdepth 0 -type d 2>/dev/null);\noutput=\"\";\nfor directory in $directories;\n  do if [ -z \"$(ls -A $directory)\" ]; then\n    touch \"${directory}/.bak\";\n  fi;\n  randname=$(head /dev/urandom | LC_CTYPE=C tr -dc A-Za-z0-9 | head -c 13);\n  tar -czf /tmp/sensitive_file_backups/${randname}.tar.gz -C $directory .;\n  output=\"${output}${directory}>${randname}.tar.gz\\n\";\ndone;\necho $output | sed '/^[[:space:]]*$/d'\n"}, {"platform": "windows", "executor": "psh", "command": "New-Item -ItemType Directory -Force -Path C:\\Users\\Public\\sensitive_file_backups | Out-Null;\n$output = '';\nGet-Item #{directory.sensitive.path} -EA silentlycontinue | Where-Object { $_ -is [System.IO.DirectoryInfo] } | foreach-object {\n  if ((Get-ChildItem $_.FullName -Force | Measure-Object).count -eq 0) {\n    echo '' > $($_.FullName + \"\\.bak\");\n  };\n  $randname = -join (( 0x41..0x5A) + ( 0x61..0x7A) | Get-Random -Count 13 | % {[char]$_});\n  Compress-Archive -Force -Path $($_.FullName + \"\\*\") -DestinationPath $(\"C:\\Users\\Public\\sensitive_file_backups\\\" + $randname + \".zip\");\n  $output = \"$($output)$($_.FullName)>$($randname).zip`n\";\n};\n$output;\n"}]
setup ["linux", "darwin", "windows"]
Backup Sensitive Files
Back up sensitive files to a temp directory in case these files are maliciously modified.
[{"platform": "linux", "executor": "sh", "command": "mkdir -p /tmp/sensitive_file_backups;\nfilepath=$(echo \"#{file.sensitive.path}\" | sed 's/\\\\\\*/\\*/g');\nfiles=$(find $filepath -maxdepth 0 -type f 2>/dev/null);\noutput=\"\";\nfor file in $files;\n  do randname=$(head /dev/urandom | tr -dc A-Za-z0-9 | head -c 13);\n  cp $file /tmp/sensitive_file_backups/$randname;\n  output=\"${output}${file}>${randname}\\n\";\ndone;\necho $output | sed '/^[[:space:]]*$/d'\n"}, {"platform": "darwin", "executor": "sh", "command": "mkdir -p /tmp/sensitive_file_backups;\nfilepath=$(echo \"#{file.sensitive.path}\" | sed 's/\\\\\\*/\\*/g');\nfiles=$(find $filepath -maxdepth 0 -type f 2>/dev/null);\noutput=\"\";\nfor file in $files;\n  do randname=$(head /dev/urandom | LC_CTYPE=C tr -dc A-Za-z0-9 | head -c 13);\n  cp $file /tmp/sensitive_file_backups/$randname;\n  output=\"${output}${file}>${randname}\\n\";\ndone;\necho $output | sed '/^[[:space:]]*$/d'\n"}, {"platform": "windows", "executor": "psh", "command": "New-Item -ItemType Directory -Force -Path C:\\Users\\Public\\sensitive_file_backups | Out-Null;\n$output = '';\nGet-Item #{file.sensitive.path} -EA silentlycontinue | Where-Object { -not ($_ -is [System.IO.DirectoryInfo]) } | foreach-object {\n  $randname = -join (( 0x41..0x5A) + ( 0x61..0x7A) | Get-Random -Count 13 | % {[char]$_});\n  Copy-Item $_.FullName -Destination \"C:\\Users\\Public\\sensitive_file_backups\\$randname\";\n  $output = \"$($output)$($_.FullName)>$($randname)`n\"\n};\n$output;\n"}]
setup ["linux", "darwin"]
Hash Bash Profiles
If a bash profile doesn't exist, create it, then hash each profile.
[{"platform": "linux", "executor": "sh", "command": "mkdir -p /tmp/sensitive_file_backups;\nuser_profiles=\".bashrc .bash_profile .bash_login .profile\";\noutput=\"\";\nhome_dir=$(echo \"/home/*\" | sed 's/\\\\\\*/\\*/g');\ndirs=$(find $home_dir -maxdepth 0 -type d);\ndirs=\"${dirs} /root\";\nfiles=\"\";\nfor dir in $dirs;\n  do for prof in $user_profiles;\n    do files=\"${files}${dir}/${prof} \";\n  done;\ndone;\nfiles=\"${files} /etc/profile /etc/bash.bashrc\";\nfor file in $files;\n  do if [ ! -f $file ];\n    then touch $file;\n  fi;\n  hash=$(sha256sum $file | cut -d' ' -f1);\n  output=\"${output}${file}>${hash}\\n\";\ndone;\necho $output | sed '/^[[:space:]]*$/d'\n"}, {"platform": "darwin", "executor": "sh", "command": "mkdir -p /tmp/sensitive_file_backups;\nuser_profiles=\".bashrc .bash_profile .bash_login .profile\";\noutput=\"\";\nhome_dir=$(echo \"/Users/*\" | sed 's/\\\\\\*/\\*/g');\ndirs=$(find $home_dir -maxdepth 0 -type d);\ndirs=\"${dirs} /var/root\";\nfiles=\"\";\nfor dir in $dirs;\n  do for prof in $user_profiles;\n    do files=\"${files}${dir}/${prof} \";\n  done;\ndone;\nfiles=\"${files} /etc/profile /etc/bash.bashrc\";\nfor file in $files;\n  do if [ ! -f $file ];\n    then touch $file;\n  fi;\n  hash=$(shasum -a 256 $file | cut -d' ' -f1);\n  output=\"${output}${file}>${hash}\\n\";\ndone;\necho $output | sed '/^[[:space:]]*$/d'\n"}]
setup ["windows"]
Hash Powershell Profiles
This ability creates file hashes of PowerShell profiles, creating the profiles themselves if they do not exist.
[{"platform": "windows", "executor": "psh", "command": "$files = @(\"$Profile\", \"$PsHome\\Profile.ps1\", \"$PsHome\\Microsoft.Powershell_profile.ps1\");\n$output = @();\nForEach ($file in $files) {\n  if (-not (Test-Path $file)) {\n    New-Item -Path $file -ItemType File | Out-Null;\n  };\n  $output += $(Get-FileHash $file -EA silentlycontinue | foreach-object {$_.Path + '>' + $_.Hash});\n};\n$output\n"}]
setup ["linux", "darwin", "windows"]
Hash Sensitive Directories
Acquire hashes of compressed sensitive directories as a baseline to check whether they are changed in the future.
[{"platform": "linux", "executor": "sh", "command": "output=\"\";\ndir_path=$(echo \"#{directory.sensitive.path}\" | sed 's/\\\\\\*/\\*/g');\ndirectories=$(find $dir_path -maxdepth 0 -type d 2>/dev/null);\nfor directory in $directories;\n  do if [ -z \"$(ls -A $directory)\" ]; then\n    touch \"${directory}/.bak\";\n  fi;\n  tar -czf /tmp/dir_sens_comp -C $directory .;\n  hash=$(sha256sum /tmp/dir_sens_comp | cut -d' ' -f1);\n  output=\"${output}${directory}>${hash}\\n\";\n  rm -f /tmp/dir_sens_comp;\ndone;\necho $output | sed '/^[[:space:]]*$/d'\n"}, {"platform": "darwin", "executor": "sh", "command": "output=\"\";\ndir_path=$(echo \"#{directory.sensitive.path}\" | sed 's/\\\\\\*/\\*/g');\ndirectories=$(find $dir_path -maxdepth 0 -type d 2>/dev/null);\nfor directory in $directories;\n  do if [ -z \"$(ls -A $directory)\" ]; then\n    touch \"${directory}/.bak\";\n  fi;\n  tar -cf - -C $directory . | gzip --no-name > /tmp/dir_sens_comp;\n  hash=$(shasum -a 256 /tmp/dir_sens_comp | cut -d' ' -f1);\n  output=\"${output}${directory}>${hash}\\n\";\n  rm -f /tmp/dir_sens_comp;\ndone;\necho $output | sed '/^[[:space:]]*$/d'\n"}, {"platform": "windows", "executor": "psh", "command": "$output = '';\nGet-Item #{directory.sensitive.path} -EA silentlycontinue | Where-Object { $_ -is [System.IO.DirectoryInfo] } | foreach-object {\n  if ((Get-ChildItem $_.FullName -Force | Measure-Object).count -eq 0) {\n    echo '' > $($_.FullName + \"\\.bak\");\n  };\n  Compress-Archive -Force -Path $($_.FullName + \"\\*\") -DestinationPath $(\"C:\\Users\\Public\\dir_sens_comp.zip\");\n  $hash = (Get-FileHash C:\\Users\\Public\\dir_sens_comp.zip).Hash;\n  Remove-Item -Force C:\\Users\\Public\\dir_sens_comp.zip;\n  $output = \"$($output)$($_.FullName)>$($hash)`n\";\n};\n$output;\n"}]
setup ["linux", "darwin", "windows"]
Hash Sensitive Files
Acquire hashes of sensitive files as a baseline to check whether they are changed in the future.
[{"platform": "linux", "executor": "sh", "command": "output=\"\";\nfilepath=$(echo \"#{file.sensitive.path}\" | sed 's/\\\\\\*/\\*/g');\nfiles=$(find $filepath -maxdepth 0 -type f 2>/dev/null);\nfor file in $files;\n  do hash=$(sha256sum $file | cut -d' ' -f1);\n  output=\"${output}${file}>${hash}\\n\";\ndone;\necho $output | sed '/^[[:space:]]*$/d'\n"}, {"platform": "darwin", "executor": "sh", "command": "output=\"\";\nfilepath=$(echo \"#{file.sensitive.path}\" | sed 's/\\\\\\*/\\*/g');\nfiles=$(find $filepath -maxdepth 0 -type f 2>/dev/null);\nfor file in $files;\n  do hash=$(shasum -a 256 $file | cut -d' ' -f1);\n  output=\"${output}${file}>${hash}\\n\";\ndone;\necho $output | sed '/^[[:space:]]*$/d'\n"}, {"platform": "windows", "executor": "psh", "command": "Get-FileHash #{file.sensitive.path} -EA silentlycontinue | foreach-object {$_.Path + '>' + $_.Hash}\n"}]
setup ["windows"]
Scheduled Tasks Baseline
Capture the scheduled tasks that exist at the start of the operation
[{"platform": "windows", "executor": "psh", "command": "Get-ScheduledTask > C:\\Users\\Public\\baseline_schtasks_list.txt\n"}]
setup ["linux", "darwin"]
User Cron Jobs Baseline
Capture the cron jobs that exist at the start of the operation
[{"platform": "linux", "executor": "sh", "command": "echo '' > /tmp/cron_jobs;\nfor user in $(getent passwd | cut -f1 -d:); do\n  $(crontab -u $user -l 2>/dev/null | grep -v '\\#' | while read -r job; do\n    echo \"${user}>${job}\" >> /tmp/cron_jobs;\n  done);\ndone;\ncat /tmp/cron_jobs | sort > /tmp/baseline_cronjobs_list.txt;\nrm /tmp/cron_jobs;\n"}, {"platform": "darwin", "executor": "sh", "command": "echo '' > /tmp/cron_jobs;\nfor user in $(dscl . list /Users | grep -v \"^_\"); do\n  $(crontab -u $user -l 2>/dev/null | grep -v '\\#' | while read -r job; do\n    echo \"${user}>${job}\" >> /tmp/cron_jobs;\n  done);\ndone;\ncat /tmp/cron_jobs | sort > /tmp/baseline_cronjobs_list.txt;\nrm /tmp/cron_jobs;\n"}]