This repo contains changes made to the Adversary Plugin repo for CALDERA 2.0.
Video: Available here
Files that were changed include:
- The following steps:
- dump_creds, a fileless Mimikatz in PowerShell action using
CustomCommandLine(see below); - certutil_download, which can download files using the Certutil LOLbin;
- rundll32_execution, which can execute commands using the RunDLL32/MSHTA LOLbin;
- webserver_install, which prepares a webserver installation (creates
OPSoftwareobject, see below); and, - webshell_execution, which uses the above three actions to set up a reverse webshell.
- dump_creds, a fileless Mimikatz in PowerShell action using
- operation.py, which introduces
OPSoftware, which is used by some of the above actions (to implement LOLbins); and, - command.py, which introduces
CustomCommandLine, which can obfuscate commands and apply masquerading.
Note that this still a proof of concept, as it requires you to supplydrop_fileandfile_gfunctions in order to make CALDERA aware of renamed binaries in case of masquerading. See e.g. dump_creds. This should be further optimised.
Make sure you have the most recent version of CALDERA (for instructions check the CALDERA repo).
You can either copy in the files manually to your caldera/plugins/adversary folder, or:
- In the main
caldera/folder, run the following command:git config --file=.gitmodules -e
- Update the
plugins/adversaryentry, pointing it tohttps://github.com/wietze/bsides-ldn-2019.git
(orgit@github.com:wietze/bsides-ldn-2019.gitif you're using SSH) - Run the following command to update to the latest version of this repo:
git submodule sync && git submodule update --remote --merge
If you want to return to the original MITRE repository, follow steps 1-3 again, but use https://github.com/mitre/adversary.git in step 2.
(or git@github.com:mitre/adversary.git if you're using SSH)