I implemented a new CALDERA Plugin - the Bounty Hunter! #2914
L015H4CK started this conversation in Show and tell (Replies: 0 comments)
Hello everyone,
in the past years I have been working with CALDERA a lot to create more realistic training experiences for blue teams in cyber ranges. The result of my work is a new CALDERA plugin that I want to publish soon - the Bounty Hunter. The biggest asset of the Bounty Hunter Plugin is the new Bounty Hunter Planner that allows the emulation of complete, realistic cyberattack chains - including autonomous initial access and privilege escalation methods.
The attack behavior of an emulated adversary using the Bounty Hunter Planner has two special properties:
First, it is goal-oriented and reward-driven, similar to the Look-Ahead Planner, and second, it is variable due to weighted-randomness in its decision process. Furthermore, configurable ability reward updates during a running operation allow more complex and realistic attack chains.
I plan to release the plugin on GitHub as I would like to give it back to the community. Is it possible to include the plugin in the "Plugins -> More" section of CALDERA's README? Furthermore, I would also like to write a Blog article that describes the new Plugin in detail. Is it possible that my article will be published on CALDERA's official blog?
The following sections describe the Bounty Hunter Plugin and its functionality in more detail. Thank you for reading my post. I am looking forward to everyone's thoughts and responses!
Best regards,
L015H4CK
Plugin Description
A short list of the plugin's main features summarizing its functionalities is given below, as a detailed description would be too extensive in this context. I will happily provide a detailed description and usage instructions in the plugin's README once it is published or answer any specific questions that come up now.
Main Features of the Bounty Hunter Planner
Example Operation using the Bounty Hunter Planner
An example operation is depicted in the figure below.
The operation starts with a CALDERA agent running locally, i.e. on the same machine as the CALDERA server. First, the agent executes initial access methods, e.g. an ARP scan to find IP addresses it can reach, followed by an nmap scan of the found IP addresses. For example, the agent finds an IP address with an open SSH port and decides to try to brute force the SSH credentials. After finding a valid username and password, it uses this information to copy a new agent to the target machine using scp and starts it via SSH. The planner then detects the newly registered agent and decides to run the actual attack on the target, concluding the initial access phase.
In the Post-Exploitation Phase, the planner checks which abilities are executable, i.e. abilities that have all fact-requirements satisfied. It then weighted-randomly picks the next executable ability depending on the abilities' future reward values.
When picking an ability that needs higher privileges, the planner tries to start a new elevated agent on the target that can execute this ability. After executing an ability, ability reward updates are performed according to the planner's configuration to allow various more complex and realistic attack behaviors. This process is repeated until an ability that is defined as a "final ability" is executed, i.e., a defined goal is reached.
Simulation of APT29 Day 2 Scenario
The Bounty Hunter Planner was tested using the APT29 Day 2 data from the adversary emulation library of the Center for Threat Informed Defense. The resulting attack chain including fact-links between abilities is shown in the figure below.
The test showed that the Bounty Hunter is able to initially access a Windows workstation using SSH brute force, elevate its privileges automatically using a Windows UAC bypass and finally compromise the whole domain using a Kerberos Golden Ticket attack. (Note: the attack steps are NOT part of the plugin but are included in the adversary emulation library!) To achieve its goal, the planner was only provided with an adversary profile that includes all CALDERA abilities in no particular order (including the APT29 Day 2 abilities), a high reward value for the final ability that executed a command using the Golden Ticket, and the name of the interface to scan initially. All other information needed for the successful execution, including the domain name, Domain Admin credentials, SID values, and NTLM hashes, was collected autonomously.
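The decision loop the post describes (an ability is executable once all of its fact requirements are satisfied; the next ability is picked weighted-randomly by reward; an elevated agent is started when the picked ability needs higher privileges; reward updates are applied after each execution; the operation stops at a "final ability") as an added toy illustration in Python. This is not code from the Bounty Hunter plugin or from CALDERA: the ability and fact names, the one-step look-ahead used as the "future reward", and the reward-update table are constructed assumptions chosen to loosely mirror the SSH brute force, UAC bypass and Golden Ticket chain described above.

```python
"""Toy reward-driven, weighted-random planner loop (illustration only;
not the Bounty Hunter plugin's or CALDERA's code)."""
import random
from dataclasses import dataclass


@dataclass(frozen=True)
class Ability:
    name: str
    requires: frozenset = frozenset()   # facts that must be known before it can run
    produces: frozenset = frozenset()   # facts collected when it runs
    reward: float = 1.0                 # configured reward value
    privileged: bool = False            # needs an elevated agent on the target
    final: bool = False                 # executing it ends the operation


# Constructed sample adversary profile (names are assumptions, not real ability IDs).
ABILITIES = [
    Ability("arp_scan", frozenset(), frozenset({"host.ip"})),
    Ability("nmap_scan", frozenset({"host.ip"}), frozenset({"host.ssh_port"})),
    Ability("ssh_bruteforce", frozenset({"host.ssh_port"}), frozenset({"host.creds"}), 2.0),
    Ability("deploy_agent_scp", frozenset({"host.creds"}), frozenset({"agent.remote"}), 2.0),
    Ability("whoami_domain", frozenset({"agent.remote"}), frozenset({"domain.name"})),
    Ability("screenshot", frozenset({"agent.remote"}), frozenset()),
    Ability("dump_krbtgt_hash", frozenset({"agent.remote"}),
            frozenset({"krbtgt.ntlm", "domain.sid"}), 3.0, privileged=True),
    Ability("golden_ticket_cmd", frozenset({"krbtgt.ntlm", "domain.sid", "domain.name"}),
            frozenset(), 10.0, final=True),
]

# Constructed reward-update table: after the remote agent is deployed, the planner
# loses interest in pure reconnaissance and chases the goal instead.
REWARD_UPDATES = {"deploy_agent_scp": {"screenshot": 0.5}}


def executable(abilities, facts, done):
    """Abilities not yet run whose fact requirements are all satisfied."""
    return [a for a in abilities if a.name not in done and a.requires <= facts]


def future_reward(ability, abilities, facts, rewards):
    """One-step look-ahead (an assumption of this toy): own reward plus half the
    best reward among abilities that this one newly makes executable."""
    after = facts | ability.produces
    unlocked = [rewards[b.name] for b in abilities
                if b.name != ability.name and not b.requires <= facts and b.requires <= after]
    return rewards[ability.name] + 0.5 * max(unlocked, default=0.0)


def weighted_pick(candidates, weights, rng):
    """Weighted-random choice; falls back to uniform if every weight is zero."""
    if sum(weights) <= 0:
        return rng.choice(candidates)
    return rng.choices(candidates, weights=weights, k=1)[0]


def run_operation(abilities, initial_facts, reward_updates, rng, max_steps=50):
    """Returns (trace, facts, rewards). '<elevate>' in the trace marks the point
    where an elevated agent had to be started before a privileged ability."""
    facts = set(initial_facts)
    rewards = {a.name: a.reward for a in abilities}
    done, elevated, trace = set(), False, []
    for _ in range(max_steps):
        cands = executable(abilities, facts, done)
        if not cands:
            break                                   # nothing left to do: dead end
        weights = [future_reward(a, abilities, facts, rewards) for a in cands]
        choice = weighted_pick(cands, weights, rng)
        if choice.privileged and not elevated:
            trace.append("<elevate>")               # emulate spawning the elevated agent
            elevated = True
        trace.append(choice.name)
        done.add(choice.name)
        facts |= choice.produces                    # facts collected by the ability
        for name, new_reward in reward_updates.get(choice.name, {}).items():
            rewards[name] = new_reward              # configured reward update
        if choice.final:
            break                                   # goal reached
    return trace, facts, rewards


if __name__ == "__main__":
    trace, _, _ = run_operation(ABILITIES, set(), REWARD_UPDATES, random.Random(7))
    print(" -> ".join(trace))
```

Because executed abilities are never repeated and every ability's requirements depend only on facts produced earlier in the profile, any seed eventually reaches the final ability; what varies between runs, as in the post's description, is the order of the post-exploitation steps and where the elevation happens.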