
Releases: mitre/caldera

2.6.1

19 Feb 16:16
eb78589
Update README.md

2.5.0

17 Jan 13:56

Big features

  • Potential links are a new feature that lets you view every command from the entire TTP database that each agent could run, filtered by tactic and technique. At any point during a running operation you can now add these potential links, one by one, to the operation. This is our second way of supporting “human in the loop” behavior.
  • Groups and adversary profiles are now optional when running an operation. You can instead (or in addition) set a max operation time - 300 seconds by default - after which the operation stops automatically. This means you can run an operation with no adversary and add potential links until the max operation time is hit. To run an adversary-less operation, select the operation option to keep it open for the max time.
  • We now have automated, versioned documentation, available from the “Docs” tab in the navigation bar.

Smaller items

  • A new YouTube video tutorial has been created. It is now linked from the project README.
  • The base_world class was given two new static functions: “generate_number” and “is_base64”.
  • Several new libraries were added to requirements.txt.
  • The operation modal was given several additions to show more information while an operation is running. This modal also absorbed the reports modal, since the two duplicated much of the same functionality. Reports can now be downloaded through the operation modal.

Rest API changes:

  • New endpoints have been created:
    • /plugin/chain/potential-links (PUT): Adds potential links to an operation
    • /plugin/chain/potential-links (POST): Returns all potential links for an operation
    • /internals (*): Designed to return the properties of a given c_link object.

Plugin changes:

Compass

  • A new plugin which allows you to view and add new adversaries from the ATT&CK matrix directly. This plugin utilizes the ATT&CK Navigator.

Mock

  • This plugin was rewritten to drop scenarios (which had hard-coded results for simulated agents) and instead generate random output programmatically for the results. Mock operations are therefore now non-deterministic.

Sandcat

  • A new C2 option was added. It runs the same operations as before, but instead of traffic going over HTTP it can go over GitHub private Gists. The server adds commands to a new Gist file; each agent picks up the Gist files, executes the command(s) and places the results in a new Gist file for the server to pick up and save. This way, the agents and server never communicate directly.

Stockpile

  • Many new abilities (TTPs) have been added, as well as a new "Super Spy" adversary profile, which performs basic surveillance techniques.
  • Two new obfuscators were added:
    • Base64: encodes all commands in base64 and executes them as such, to hide the commands from the defense.
    • Base64Jumble: encodes all commands in base64 - then adds some padding to make it invalid base64 text - and executes them as such. This should bypass any detection of base64 commands.
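As an added defender-side example (not CALDERA's or Stockpile's code), the check below recovers base64-encoded command text from a command line even when appended characters make the blob invalid base64, which is what the Base64Jumble description implies a naive base64 detector would miss. The log format, field names, sample commands and the assumption that the jumble appends trailing characters are all constructed here.

```python
import base64
import binascii
import re
import string

# Candidate tokens: runs of base64-alphabet characters long enough to carry a command,
# with optional '=' padding. Appended junk outside the alphabet simply ends the match.
B64_TOKEN = re.compile(r"[A-Za-z0-9+/]{16,}={0,2}")
PRINTABLE = set(string.printable.encode())


def recover_base64(token: str, min_printable: float = 0.9):
    """Return decoded bytes if `token` decodes to mostly printable text, else None.

    Assumption (hypothetical, not the exact Stockpile scheme): junk appended to a valid
    base64 string makes its length no longer a multiple of 4, so a plain decoder rejects
    it. Dropping 0..3 trailing characters and re-padding restores a decodable string;
    leftover junk only contaminates the last few bytes, which the printable-ratio
    threshold tolerates for realistic command lengths.
    """
    core = token.rstrip("=")
    for drop in range(4):
        candidate = core[: len(core) - drop]
        candidate += "=" * (-len(candidate) % 4)
        try:
            raw = base64.b64decode(candidate)  # alphabet already enforced by B64_TOKEN
        except (binascii.Error, ValueError):
            continue
        if raw and sum(b in PRINTABLE for b in raw) / len(raw) >= min_printable:
            return raw
    return None


def scan_command_lines(lines):
    """Return [(line_number, decoded_text)] for every line carrying a recoverable blob."""
    hits = []
    for number, line in enumerate(lines, start=1):
        for match in B64_TOKEN.finditer(line):
            decoded = recover_base64(match.group(0))
            if decoded is not None:
                hits.append((number, decoded.decode("ascii", errors="replace")))
                break  # one finding per line is enough for triage
    return hits


# Constructed sample: a plain command line, a cleanly base64-encoded one, and one with
# three junk characters appended so it is no longer valid base64 (the "jumble" case).
_PLAIN = "whoami; id; uname -a; ls /tmp/"
_ENCODED = base64.b64encode(_PLAIN.encode()).decode()  # 40 chars, no '=' padding
SAMPLE_LINES = [
    "host=ws01 cmdline=ls -la /var/log",
    f"host=ws01 cmdline={_ENCODED}",
    f"host=ws02 cmdline={_ENCODED}Qz7",  # 43 chars: rejected by a plain base64 decoder
]

if __name__ == "__main__":
    for number, text in scan_command_lines(SAMPLE_LINES):
        print(f"line {number}: {text!r}")
```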

Breaking changes:

We expect plugin developers to only interact with the core system (and other plugins) through the list of services passed to their plugin and through importing the c_[object] modules in the core code. As such, each release we will highlight the changes in these two areas, as they could introduce breaking changes to a plugin.

Services

app_svc

  • A new check_authorization decorator was added, which ensures any function in the code base that uses it checks if the user is logged in.

planning_svc

  • The “generate_and_trim_links” function was made public (it was previously private).
  • Several new functions were added: “update_planner”, “get_potential_links”, “apply_potential_links”, “change_operation_state” and “get_link_pin”.

Objects

c_agent:

  • An optional parameter “timeout” was added, which allows you to customize the timeout period per ability. Previously all abilities used a 60-second timeout with no way to modify it.

c_adversary:

  • A new function “has_ability” was added, which returns True/False depending on whether the adversary contains a specific ability.

c_fact:

  • An optional parameter “collected_by” was added, which shows which agent collected the given fact.

c_link:

  • An optional parameter “pin” was added, which allows you to attach a special string to the object for custom use. This is intended to serve as a per-link encryption key, but it is currently not hooked up to anything.
  • An optional parameter “id” was added, which allows you to create a link object with a specific ID instead of having the link generate its own.

c_obfuscator:

  • A new required parameter “description” was added.

c_operation:

  • A new function “redacted_report” returns the same output as the report function, but with sensitive data redacted.
  • A new status, “OUT_OF_TIME”, was added to the available operation states.
  • Several operation object parameters were made optional instead of required, with natural default values: obfuscator and phases_enabled.
  • Two new optional parameters were added: auto_close and max_time. Each has a reasonable default value.
  • A new function “is_closeable” determines whether an operation should be closed or remain open.
  • The “active_agents” function was made public (it was previously private).

c_planner:

  • A new required parameter “planner_id” was added.

2.4.0

17 Dec 14:10

Breaking changes:

  • Plugins now accept a single ‘services’ parameter, instead of ‘app’ and ‘services’. The app parameter was removed because it is now accessible through the app_svc.application object, which is contained in the services list.
  • The required initialize function in a plugin’s hook file has been renamed to enable. This change was made to be more transparent about the underlying functionality.
  • We renamed the core conf/local.yml to conf/default.yml.

Restructuring changes:

  • The core code swallowed the GUI and Chain plugins. This introduced new templates/ and static/ directories containing the front-end elements of these plugins. New rest_api and rest_svc modules were created to handle the back-end logic.
  • The UI design was improved significantly to make it more intuitive for new users.
  • We introduced CI elements to build all repositories and check for PEP-8 compliance.
  • The entire backend was reworked so we could remove the SQL database entirely. All transient data is now represented in Python object form (c_ objects in the code base). All permanent data can be found in the data/results directory and the data/object_store file.
  • We added support for Docker container deployments of the CALDERA server.

New features:

When mentioning a “modal” we mean the pop-up box on the website/GUI when you select different links, such as the agents modal, adversaries modal, etc.

Agents

  • Each downloaded agent already got a different file hash; now it also gets a random file name. This is intended to make it harder to detect, since defenses could previously alert on the fixed name sandcat.go.
  • We now allow you to run multiple agents on the same machine. This required converting the agent “paw print” (unique identifier) to a 6-character integer instead of a combination of hostname+username.
  • We now track the privilege level of the agent when it is started.
  • We now track the PID and hostname of each agent and show them in the agent modal.
  • The agents modal allows you to filter the viewable columns.
  • We added 2 new delivery commands for Windows hosts, allowing you to start the agent in memory instead of on disk. This was coupled with a change to the agent code allowing it to run this way.

Adversaries

  • We added in the ability to update existing, built-in adversary profiles from the GUI.
  • We added in a new pop-up modal box for viewing, updating and creating TTPs from the GUI, including uploading new payloads. Newly created abilities and adversaries will be saved in the data/ directory.
  • A new concept called adversary “packs” was introduced, which allows you to chain adversaries together in an easy-to-use way.

Abilities

  • We added in dozens of new TTP files (abilities) and several new adversary profiles.
  • TTP parsers were all rewritten from regex to Python, to allow for more powerful parsing of output.
  • We added “rules”, which allow you to set boundaries around where CALDERA is allowed to move. You can create a rule to confine CALDERA to a specific IP network, to keep it from touching specific files or users, etc. A rule can be created around any fact.

Operations

  • Added an option to run an operation, ignoring phases for an adversary.
  • Added an option to run an operation, obfuscating all the commands. The obfuscation converts the commands to base64 and ensures they are executed that way, instead of plain-text. This feature was put in place as an extendable object, so we hope others will add obfuscation options in the future (beyond just base64). This allows a defense to test how they could detect an adversary who runs TTPs in abnormal ways.
  • We added in a new scheduling feature, allowing you to schedule an operation to run daily at the same time.
  • Added color-coding to the “links” on the timeline view when watching a running operation. This allows you to more easily understand how the operation is progressing.
  • Added a progress bar showing what percentage of the operation is complete.

General

  • 3 new GUI pages were added to the advanced tab:
    1. C2: gives a description of all C2 mechanisms available.
    2. Planners: gives a description of all available planners.
    3. Sources: shows all fact sources, and allows you to edit them. This includes the ability to view, edit and create rules for each source.
  • Added a new concept called special_payloads, which allows you to define a custom function to execute when specific payloads are downloaded. Good examples of this are sandcat.go and reverse.go, both of which use this functionality to dynamically compile upon request.

Plugin changes

54ndc47

  • We added a new optional parameter called sleep, which allows you to delay the start of the agent for n seconds.
  • We added a new /ping endpoint to test connectivity of the agent to the server. This was added in combination with a new interface inside the agent code, which makes adding your own C2 communication channel more accessible.
  • Added new shell code executors to allow the execution of arbitrary shell code across multiple operating systems.

Mock plugin

  • This plugin was extended to allow running simulated scenarios using a more fine-grained approach. Now, instead of just simulating a response per agent, you can specify a response per agent per anticipated fact used. While this sounds confusing, you may want to just take this plugin for a spin!

Terminal plugin

  • This plugin was completely rewritten. Now, instead of having a terminal window pop up when using this plugin, there is a new GUI page which allows you to launch reverse-shells and manage sessions for each. This includes a basic terminal “emulator” so you can manually interact with any of your agents from the comfort of your browser.
  • Similar to the 54ndc47 agent, the reverse-shell payload (reverse.go) will now download with a different random name each time.

2.3.2

24 Sep 13:56
updating 2.3.2

2.2.0

05 Jul 11:11
  • Upgraded open-source adversary
  • More robust ability schemas
  • Many Chain mode GUI updates, including light/dark modes
  • New 54ndc47 agent, written in cross-compiled GoLang

2.6.0

18 Feb 18:23
1667692

Big features

  • A new plugin - Response - was added, which allows a user to run automated incident response in the same way we run adversary emulation exercises.
  • A new plugin - Atomic - was added, which imports all the open-source Red Canary tests into CALDERA as abilities.
  • A new plugin - Access - was added, which lays the foundation for doing initial access inside CALDERA. Included in this plugin out of the gate are a website cloner and the ability to load a rubber ducky (USB) with a Sandcat agent delivery command.
  • We built out the user authentication, allowing you to log in as either a red or blue user. See the default.yml file for the default credentials for either group. Red users are intended to be red-team operators and blue users blue-team operators. Plugins can now be designated as either red or blue - and they'll be visible only to the given authentication group.
  • The entire front-end was rebuilt to be modular. Each component (modal window) is now loaded dynamically on request and refreshes itself automatically.
  • The terminal plugin now includes a full, realistic terminal emulator for reverse shells - which will work on any Linux, MacOS or Windows computer. This is coupled with our new Manx agent, which will spin up a reverse-shell on a host and provide the operator with the terminal emulator within the browser.
  • We now automatically create reports for operations and every instruction sent to an agent - and store them in the /tmp directory when the server shuts down.
  • We include bootstrap instructions - which are instructions sent to an agent on its first beacon. These are described in the conf/agents.yml.

Smaller items

  • All documentation has been updated.

2.5.1

21 Jan 13:58

Big features

  • You can now run an operation with a varying amount of "visibility" (the probability of being detected). This is a new option, under stealth, when you start an operation. The range is from 1 (very stealthy) to 100 (very visible). Each ability is automatically assigned a default visibility of 50 when it is loaded into the database. By default an operation runs with visibility=50 and runs all abilities whose visibility is <= the visibility of the operation. When abilities run inside an operation, they are evaluated against the new "adjustments" block on the fact source chosen for the operation. These adjustments look at all facts inside the operation and determine whether or not to modify an ability's visibility score. In the GUI, while the operation is running, all links with high visibility show up as pink, accompanied by a "+" button which lets you add them to the operation if you'd like.

Smaller items

  • Our default logging configuration now disables all logging except for the specific logging statements within the CALDERA code base. This means all logs from external libraries (like asyncio) will be ignored.

Rest API changes:

None

Plugin changes:

Stockpile

  • A few new abilities have been added.

Breaking changes:

We expect plugin developers to only interact with the core system (and other plugins) through the list of services passed to their plugin and through importing the c_[object] modules in the core code. As such, each release we will highlight the changes in these two areas, as they could introduce breaking changes to a plugin.

In general

  • The data/facts directory has been renamed to data/sources, globally (including in plugins).

Services

file_svc

  • A new function was added: get_file.
  • A new function was added: create_exfil_sub_directory.

rest_svc

  • A function was promoted from private to public: construct_agents_for_group.

base_planning_svc

  • A new base function was added: remove_links_above_visibility, which allows a planner to trim down the links according to the new visibility object score.

Objects

c_visibility:

  • This is a new object, which holds information about an ability's probability of being detected by the defense.

c_link:

  • Now creates a new visibility object for each instance of c_link.
  • A new function, can_ignore, returns whether the c_link instance is in a state that can be ignored (currently discarded or high_viz).
  • A new state was added, HIGH_VIZ, which a link enters when it is determined to be high visibility (that is, higher than the operation threshold).

c_operation:

  • The allow_untrusted parameter was removed. This is no longer an option.
  • The max_time parameter was removed. This is no longer an option.
  • A new function was added, has_fact, which returns True/False depending on whether a given trait+value pairing is in the operation fact list.
  • The OUT_OF_TIME state has been removed.
  • A new optional parameter, ignore_enforcement_modules, has been added.

c_source:

  • A new optional parameter, adjustments, has been added. This contains all the adjusted visibility scores for abilities, as determined by the fact source passed in.

2.3.1

29 Aug 19:46
d984507

BROKEN - USE 2.3.2, or newer.

Patch version with multiple bug fixes and a few features added.

The most notable feature is the addition of shell code executors, available inside 54ndc47.

2.3.0

23 Aug 21:39
89b4f2f

BROKEN - USE 2.3.2, or newer.

Many new updates and breaking changes since 2.2.0.

Some key updates are:

  1. The abilities format has changed, most notably around the addition of executors.
  2. All mutable files (abilities, adversaries, facts and planners) are now stored in the Stockpile plugin's data/ directory.
  3. The app uses an in-memory SQL database instead of a file-based DB (still SQLite, however).
  4. A new plugin, terminal, adds shell capabilities.
  5. Many new UI features have been added to Chain mode.
  6. Two new executors, pwsh (PowerShell core) and cmd (command prompt) have been added.

2.1.0

28 May 00:20
714a3e5

BROKEN - USE 2.2.0, 2.3.2, or newer.

Revamped terminal, with new view and enhanced options. This release also contains more abilities and adversaries, along with a handful of small enhancements around each component of the application.