Perishable threat intelligence – when a new attacker enters the fray or when an existing threat actor changes their tactics, inevitably the various security firms will publish threat intel on these attacks. IOCs expire quickly and go stale faster than the box of cereal your kids raided and failed to reseal. This does not, however, mean that threat intel should be completely ignored. In fact, it provides value in a few different spaces. In this blog post, I am going to focus on how to use threat intel with MITRE Caldera in order to mimic an adversary. You may want to do this for a few different purposes. The first purpose might be in the event you are looking at doing a product evaluation. Can endpoint security tool X protect, detect, and help you respond to these attacks? The second way that this can be helpful is in training your SOC and responders. What does the telemetry look like? Do we have all the detections in place necessary to see all the various components across the kill chain in these specific attacks? By leveraging the threat intel in these ways, you can know if you are potentially able to handle these categories of attacks regardless of how attackers morph them. Since the defenders are almost always one or more steps behind, it is important to utilize the threat intel to help ensure you have the tooling and expertise you need across entire categories within the kill chain.
MITRE Caldera: https://github.com/mitre/caldera
I HIGHLY recommend running through the content within the Training plugin once you have the product installed. It will give you a solid base of understanding of the product. If you complete the training, you even have the opportunity to turn in a flag to MITRE and they will send you a certificate of completion.
Step 1: Installing the Red Agent
I am going to be using a Windows 10 machine. In order to really see what an adversary would be able to do on the endpoint, I am going to disable all of the Defender-oriented protections on the VM, including real-time protection as well as any of the mitigating controls contained within Attack Surface Reduction (ASR) such as Controlled Folder Access, Exploit Guard, Network Protection, etc. There is a whole host of capabilities built right into Windows 10 that stop most attackers dead in their tracks if the protections are enabled and configured correctly. Windows 10 really is a secure operating system if the full Defender stack is enabled.
Next, I am going to deploy the Sandcat agent (54ndc47) to the machine. Since I do not have a user to phish or anything like that, I just go ahead and deploy the agent by hand to get communication rolling. Caldera does a great job of giving you a PowerShell command customized to your environment if you just fill in the IP of your Caldera machine.
All I have to do is bring the command over to my victim machine, run it, and I will have the ability to attack. Notice, however, that the last line of the PowerShell command will actually run the agent in a hidden window. I like to see what is going on, so I am going to run the command a little differently so that I can see what is happening with the agent. There are different command line options that can give you verbose output.
As you can see here, I am running the agent in a way that displays verbose output. This will let me know when activities hit the agent, which is nice for the purposes of demoing and troubleshooting.
Above is the display of the new agent reporting into the red console within Caldera. Notice that I am running the agent as elevated. I would hope that any kind of phishing would land an attacker within a customer’s environment in the user space and not directly as admin; however, basic mitigations such as removing local admin and deploying tooling such as LAPS are still unfortunately not the norm. If at all possible, implement as many of the mitigations from the Securing Privileged Access roadmap located here: https://aka.ms/sparoadmap. Basic account segmentation, credential hygiene, and the built-in security controls available on/within most modern operating systems are enough to stymie a significant portion of attackers, except for the most determined adversaries conducting a targeted attack. Now that we have an agent reporting into Caldera, let us look at constructing a basic adversary.
Step 2: Constructing an Adversary
Within the Caldera Red dashboard, Navigate -> Adversaries. Hit the slider so that it moves from VIEW to ADD.
Top center, it is kind of grayed out, but find the spot that says “enter a profile name” and do so.
On the far right, we have the option to link an objective, add an adversary, and/or add an ability. For this demo, we are going to focus on MITRE tactics, techniques, and procedures (TTPs), so we are going to add an ability.
This brings up a new screen that allows us to browse to the TTPs we want to add to our adversary. The first dropdown list displays a list of the different tactics aligned to the MITRE framework.
I am going to go with discovery. Once I select discovery, techniques are populated in the next dropdown that once again align to the MITRE framework.
I am going to select T1082 – System Information Discovery. This lights up 12 associated abilities. These are basic endpoint enumeration capabilities that let you snag the version of the OS and other basic system information from the endpoint. I am going to add a few of these to my adversary. When I select one of these, I can view the code and the associated information for each of the supported platforms. This is really nice as it shows how these abilities are constructed, which can lend itself nicely to constructing your own custom TTPs down the road.
Down at the very bottom, hit Add to Adversary. Now, the new adversary looks like this:
I am going to add a few more for discovering additional system information. NOTE – since I am going after a Windows machine, I need to make sure whatever ability I select actually has Windows as an option, or I would need to potentially add my own code. For example, if I select List OS Information, I can look at the bottom and see that there is code for Darwin (Mac) and Linux – but there is no Windows! I am thinking I could easily create a new ability and add an executor for this that would run the systeminfo command on the endpoint. Creating the new ability:
- Reset button to clear all options
- Generate new id (sets the GUID)
- Name = Custom – List OS Information
- Description = Identity System Info
- Tactic = discovery
- Technique ID= T1082
- Technique = System Information Discovery
- Add executor
- Platform = Windows
- Executor = psh
- Command = systeminfo
- Timeout = 60
Leave the rest. Save and then add it to our adversary.
Notice that this activity actually now covers all 3 platforms.
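The GUI fields above map onto a stockpile-style ability file, and the platform check the post does by eye (does this ability actually have a Windows executor?) is easy to script. The following is an added example, not Caldera's own code; it assumes the ability layout used by the stockpile plugin's YAML files (`id`, `tactic`, `technique`, `platforms` -> executor -> `command`/`timeout`) and uses constructed stand-in commands for the stock darwin/linux ability.

```python
import uuid

# Hypothetical fixed namespace so the same ability name always maps to the same
# GUID; the GUI's "Generate new id" button draws a random one instead.
ABILITY_NS = uuid.UUID("6ba7b810-9dad-11d1-80b4-00c04fd430c8")  # RFC 4122 DNS namespace


def build_ability(name, description, tactic, technique_id, technique_name, executors):
    """Return the ability as the dict one stockpile YAML list entry holds.
    executors maps platform -> {executor: {"command": ..., "timeout": ...}}."""
    return {
        "id": str(uuid.uuid5(ABILITY_NS, name)),
        "name": name,
        "description": description,
        "tactic": tactic,
        "technique": {"attack_id": technique_id, "name": technique_name},
        "platforms": executors,
    }


def missing_platforms(ability, required):
    """Required platforms for which the ability has no executor at all.
    An ability with only darwin and linux executors will never run
    against a Windows agent, which is exactly the gap the post hit."""
    return sorted(p for p in required if p not in ability["platforms"])


# The custom ability from the post: a psh executor running systeminfo, timeout 60.
CUSTOM_LIST_OS_INFO = build_ability(
    "Custom - List OS Information", "Identity System Info", "discovery",
    "T1082", "System Information Discovery",
    {"windows": {"psh": {"command": "systeminfo", "timeout": 60}}},
)

# The stock "List OS Information" ability as the post describes it: darwin and
# linux only. The commands are constructed stand-ins, not the stockpile's own.
STOCK_LIST_OS_INFO = build_ability(
    "List OS Information", "Identify OS version", "discovery",
    "T1082", "System Information Discovery",
    {"darwin": {"sh": {"command": "uname -a"}}, "linux": {"sh": {"command": "uname -a"}}},
)

if __name__ == "__main__":
    # Report which abilities would silently do nothing against the Windows agent.
    for ab in (STOCK_LIST_OS_INFO, CUSTOM_LIST_OS_INFO):
        gaps = missing_platforms(ab, ["windows"])
        print(ab["name"], "-> missing executors for:", gaps or "none")
```

Running the same check over every ability in an adversary before starting an operation turns the "why did nothing run?" troubleshooting step into a pre-flight test.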
At this point, you can add as many techniques that align to your threat intel as you like into your new custom adversary. I am not going to add any more for demo purposes and instead I am going to go ahead and save my adversary.
Now, I can run an operation against my agent that I had previously deployed. Let us see if I get results!
Step 3: Run an Operation
Navigate -> Operations. Change view to Add.
- Name = Customer Adversary Test Operation
- Group = red (in my environment there is only 1 group and the agent is assigned to this group)
- Adversary = Blog Post Demo Adversary
Leave the rest and hit start. This should attack my agent with basic recon TTPs. After I hit start, I have to wait for the agent to beacon, but then I see the agent starting to run the activities I have associated with the operation.
Troubleshooting – if your activities do not run (or they just are not displayed), you can download the report and it will potentially tell you which TTPs were not executed and even potentially why. For example, on first pass with this blog post I set the executor for the custom activity to cmd and it failed to load and run. I did not dig into the details (I suspect it required cmd line param format for the executor), but I switched it to psh and now it runs just fine.
And I can view the details by clicking the star icon to the right.
Cool stuff! With this, I can take perishable threat intel and use the Caldera tool to simulate the types of activities these actors are executing in the wild. This approach lets me test my tooling to ensure I have visibility and potentially protection and control in these spaces within my environment. I can train my SOC to look for these TTPs and the activities associated with various threat actors and campaigns. This can be very powerful if used in the right way.