# pyCaldera

## Setup

First we need to import the python API library and set our API key and Caldera server URL.
> NOTE: API keys can be fetched for red and blue groups from `conf/local.yml`

In [18]:
import caldera_api as api
CALDERA_URL = 'http://3.141.7.127:8888'
CALDERA_API_KEY = input('Enter API key: ')

In [19]:
debug = True
caldera = api.Caldera(CALDERA_API_KEY, CALDERA_URL, debug=debug)


                          ###                           
                       #######                          
                 ### ### #######                        
                ######  ##############                  
               ##  ###  ##########   ##                 
              ### ###############    ####               
            ####################### ######              
           #################################            
          ####################################          
        #######################################         MITRE Caldera
       ##########################################           Python API
     ##############################################     
    ################################################    
   ##################################################   
                                                        
 ######   ####   ##     ######   ###### ######    ####  
###      ##  ##  ##     ##  ###  ##     ##  ###  ##  ## 
###

In [3]:
health = caldera.get_server_health()
print(f"✅ Authed to {health['application']} {health['version']} as {health['access']}")

Caldera 5.0.0

Plugins:
+-------------+---------------------------------------------------------------------+---------+
| Plugin Name | Description                                                         | Enabled |
+-------------+---------------------------------------------------------------------+---------+
|    access   | A toolkit containing initial access throwing modules                |   True  |
|    atomic   | The collection of abilities in the Red Canary Atomic test project   |  False  |
|   compass   | Use the compass to Navigate Caldera                                 |   True  |
|   debrief   | some good bones                                                     |   True  |
|     emu     | The collection of abilities from the CTID Adversary Emulation Plans |  False  |
| fieldmanual | Holds and serves Caldera documentation                              |   True  |
|  gameboard  | Monitor a red-and-blue team operation                               |  False  |
|    human    | 

## List Abilities

First, we can see what abilities Caldera is currently loaded with, in this case just showing a subset in a table.

In [4]:
current_abilities = caldera.get_abilities(print_table=False)
print(f"Caldera currently has {len(current_abilities)} abilities")

URL: http://3.141.7.127:8888/api/v2/abilities?
Caldera currently has 167 abilities


In [5]:
caldera._generate_abilities_table(current_abilities[:5], print_table=False)

ID,Name,Tactic,Technique,Executors,Platforms,Description
36eecb80-ede3-442b-8774-956e906aff02,1-min sleep,defense-evasion,T1497.003,"psh, sh","darwin, linux, windows",Pause all operations to avoid making
,,,,,,noise
c7ec57cd-933e-42b6-99a4-e852a9e57a33,Account Discovery (all),discovery,T1087.002,cmd,windows,The net utility is executed via cmd to
,,,,,,enumerate domain user accounts.
364ea817-bbb9-4083-87dd-94b9dba45f6f,Account Discovery (targeted),discovery,T1087.002,"psh, cmd",windows,The net utility is executed via cmd to
,,,,,,enumerate detailed information about a
,,,,,,specific user account.
2afae782-6d0a-4fbd-a6b6-d1ce90090eac,Account-type Admin Enumerator,discovery,T1069.002,psh,windows,Use PowerView to query the Active
,,,,,,Directory server to determine remote
,,,,,,admins


## Import New Abilities

First we'll enumerate over the contents of the neighbouring `abilities` directory and save the YAML contents into a list

In [6]:
import yaml, os
new_abilities_dict = []
# walk over the abilities directory and load the YAML into the new_abilities_dict

for root, dirs, files in os.walk('abilities'):
    for file in files:
        if file.endswith('.yml'):
            with open(os.path.join(root, file), 'r') as f:
                new_abilities_dict.extend(yaml.safe_load(f))

print(f"Found {len(new_abilities_dict)} abilities in the abilities directory")

Found 5 abilities in the abilities directory


Then, we'll upload each one to Caldera

In [7]:
for ability in new_abilities_dict:
    output = caldera.add_ability(ability)
    print(f"✅ {output['name']} ({output['ability_id']})")

URL: http://3.141.7.127:8888/api/v2/abilities/dd9aa249-f4a4-4903-b50e-3ede12525891
✅ Find Kerberoastable Users with PowerView (dd9aa249-f4a4-4903-b50e-3ede12525891)
URL: http://3.141.7.127:8888/api/v2/abilities/3b6fa618-b650-4691-8d58-b3239752565b
✅ Enumerate Domain Controllers with Nltest (3b6fa618-b650-4691-8d58-b3239752565b)
URL: http://3.141.7.127:8888/api/v2/abilities/2a2867c0-062e-4ab8-8096-0d5072b06fff
✅ Enumerate Servers with PowerView (2a2867c0-062e-4ab8-8096-0d5072b06fff)
URL: http://3.141.7.127:8888/api/v2/abilities/c730bb97-d247-459a-8564-24dccd640bba
✅ Enumerate Domain Trusts with Nltest (c730bb97-d247-459a-8564-24dccd640bba)
URL: http://3.141.7.127:8888/api/v2/abilities/e1eb3c85-af93-4cac-888c-235957f9944c
✅ Enumerate Domain Admins with Net (e1eb3c85-af93-4cac-888c-235957f9944c)


In [10]:
ability = caldera.get_abilities(id='dd9aa249-f4a4-4903-b50e-3ede12525891')

URL: http://3.141.7.127:8888/api/v2/abilities/dd9aa249-f4a4-4903-b50e-3ede12525891?
+--------------------------------------+------------------------------------------+-----------+-----------+-----------+-----------+------------------------------------------+
|                  ID                  |                   Name                   |   Tactic  | Technique | Executors | Platforms | Description                              |
+--------------------------------------+------------------------------------------+-----------+-----------+-----------+-----------+------------------------------------------+
| dd9aa249-f4a4-4903-b50e-3ede12525891 | Find Kerberoastable Users with PowerView | discovery | T1087.002 |    psh    |  windows  | Use powerview's Get-DomainUser cmdlet to |
|                                      |                                          |           |           |           |           | enumerate users in the Active Directory  |
|                                      | 

## Create Adversary Profile

Let's create a new profile containing our new abilities

In [11]:
ordered_atomic_ids = [a['id'] for a in new_abilities_dict]
new_profile = caldera.add_adversary_profile(
    name="AGPT Active Directory Enumeration",
    description="Active Directory Reconnaissance Leveraging Native Commands and PowerView",
    atomic_ordering=ordered_atomic_ids,
    tags=['AGPT', 'Active Directory', 'Enumeration']
)

In [12]:
_ = caldera.get_adversary_profiles(new_profile['adversary_id'], print_table=True)

+--------------------------------------+-----------------------------------+------------------------------------------+--------------------------------------+----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+---------------------------------------------+
|                  ID                  |                Name               | Description                              |              Objective               |                                                                                                Abilities                                                                                                 |                     Tags                    |
+--------------------------------------+-----------------------------------+------------------------------------------+--------------------------------------+--------------------------

## Get Agents

We can confirm we have an agent live to schedule an operation with

In [13]:
agents = caldera.get_agents()

URL: http://3.141.7.127:8888/api/v2/agents?
+--------+----------+----------+----------+----------------+-------+----------------------+
|  Paw   |   Name   | Platform | Protocol |   Executors    | Group |      Last Seen       |
+--------+----------+----------+----------+----------------+-------+----------------------+
| djqtzk | ar-win-2 | windows  |   HTTP   | psh, proc, cmd |  red  | 2024-05-26T14:50:35Z |
+--------+----------+----------+----------+----------------+-------+----------------------+


## Start Operation

We can now create a new operation with our adversary profile to execute on red group hosts

In [15]:
operation = caldera.add_operation(
    name="AGPT Operation",
    adversary_id=new_profile['adversary_id'],
    group='red',
    state='running'
)
print(f"{operation['name']} has status: {operation['state']}")

URL: http://3.141.7.127:8888/api/v2/operations
AGPT Operation has status: running
