2.4.0 (78c17dc)

privateducky released this Dec 17, 2019 · 174 commits to master since this release

Breaking changes:

  • Plugins now accept a single ‘services’ parameter instead of ‘app’ and ‘services’. The app parameter was removed because the application is now reachable as app_svc.application, and app_svc is one of the services passed in.
  • The required initialize function in a plugin’s hook file has been renamed to enable, a name that better reflects what the hook actually does.
  • We renamed the core conf/local.yml to conf/default.yml.
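
The hook signature change above, as an added example (not code from this release or from CALDERA itself). It assumes ‘services’ is a mapping from service name to service object, that the application is reached as services.get('app_svc').application, and uses a hypothetical plugin named “example”; FakeApplication, build_services, check_hook and load_hook are stand-ins written for this illustration. The hooks are written as plain functions; if your real hook is a coroutine, await it where load_hook calls enable.

```python
import inspect
from types import SimpleNamespace


# Constructed stand-ins for the server side; not CALDERA's own classes.
class FakeApplication:
    """Minimal stand-in for the web application reached via app_svc.application."""

    def __init__(self):
        self.routes = {}

    def add_route(self, method, path, handler):
        self.routes[(method, path)] = handler


def build_services():
    """Assumed shape of 'services': a mapping of service name to service object."""
    return {'app_svc': SimpleNamespace(application=FakeApplication())}


def status(request):
    """Handler a hypothetical 'example' plugin exposes."""
    return 'ok'


# Hook in the 2.4.0 shape: one parameter, and the app is reached through app_svc.
def enable(services):
    app = services.get('app_svc').application
    app.add_route('GET', '/plugin/example/status', status)


# Hook in the pre-2.4.0 shape, kept only so the loader below has something to reject.
def initialize(app, services):
    app.add_route('GET', '/plugin/example/status', status)


# Three hook "modules" for the checks below (hypothetical; a real hook is a file).
NEW_STYLE = SimpleNamespace(enable=enable)
LEGACY = SimpleNamespace(initialize=initialize)
WRONG_ARITY = SimpleNamespace(enable=lambda app, services: None)


def check_hook(hook_module):
    """Return a migration hint if the hook does not fit the 2.4.0 contract, else None."""
    entry = getattr(hook_module, 'enable', None)
    if entry is None:
        if hasattr(hook_module, 'initialize'):
            return 'hook defines initialize(app, services); rename it to enable(services)'
        return 'hook defines no enable() function'
    params = list(inspect.signature(entry).parameters)
    if params != ['services']:
        return f"enable() must take a single 'services' parameter, got {params}"
    return None


def load_hook(hook_module, services):
    """Refuse un-migrated hooks with a clear error, otherwise call enable(services)."""
    problem = check_hook(hook_module)
    if problem:
        raise TypeError(problem)
    hook_module.enable(services)
    return services['app_svc'].application


if __name__ == '__main__':
    app = load_hook(NEW_STYLE, build_services())
    print(sorted(app.routes))
    for broken in (LEGACY, WRONG_ARITY):
        print(check_hook(broken))
```

The point of check_hook is that an un-migrated plugin fails at load time with a message naming the fix, rather than with an opaque TypeError about argument counts when the server first calls it.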

Restructuring changes:

  • The core code absorbed the GUI and Chain plugins. This added templates/ and static/ directories holding the front-end elements of those plugins, and new rest_api and rest_svc modules that handle the back-end logic.
  • The UI design was improved significantly to make it more intuitive for new users.
  • We introduced CI elements to build all repositories and check for PEP-8 compliance.
  • The entire backend was reworked so the SQL database could be removed entirely. Transient data is now held as Python objects (the c_ classes in the code base); permanent data lives in the data/results directory and the data/object_store file.
  • We added support for Docker container deployments of the CALDERA server.

New features:

“Modal” below means the pop-up box in the GUI that opens when you select a link, such as the agents modal or the adversaries modal.

  • A downloaded agent now gets a random file name in addition to a different file hash each time. This is intended to make it harder to detect, since defenses could previously trigger on the fixed name sandcat.go.
  • Multiple agents can now run on the same machine. This required changing the agent “paw print” (unique identifier) from a hostname+username combination to a 6-digit integer.
  • We now record the privilege level of the agent when it starts.
  • We now record the PID and hostname of each agent and show them in the agents modal.
  • The agents modal lets you filter which columns are shown.
  • We added two new delivery commands for Windows hosts that start the agent in memory instead of from disk, together with a change to the agent code that allows it to run this way.

  • We added the ability to update existing, built-in adversary profiles from the GUI.
  • We added a new modal for viewing, updating and creating TTPs from the GUI, including uploading new payloads. Newly created abilities and adversaries are saved in the data/ directory.
  • A new concept, adversary “packs”, lets you chain adversaries together in an easy-to-use way.

  • We added dozens of new TTP files (abilities) and several new adversary profiles.
  • TTP parsers were rewritten from regex to Python, allowing more powerful parsing of command output.
  • We added “rules”, which set boundaries on where CALDERA is allowed to move. A rule can confine CALDERA to a specific IP network, or keep it away from specific files or users; rules can be written against any fact.

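An illustration of fact-scoped rules, as an added example; it is not CALDERA’s rule engine and its semantics (deny wins; a trait with any ALLOW rule becomes an allow-list; other traits are unrestricted) are this example’s own. The trait names, rules and collected facts are constructed for the demonstration. It also covers a caveat a practitioner hits when fencing an operation into a network: a regex such as 10.0.1.* treats each dot as “any character” and quietly admits 10.0.100.5, so address-valued traits are matched as CIDR networks instead.

```python
import ipaddress
import re
from dataclasses import dataclass

ALLOW, DENY = 'ALLOW', 'DENY'


@dataclass(frozen=True)
class Fact:
    trait: str   # e.g. 'remote.host.ip' (trait names here are illustrative)
    value: str


@dataclass(frozen=True)
class Rule:
    action: str  # ALLOW or DENY
    trait: str   # the fact trait this rule governs
    match: str   # a CIDR network for address-valued traits, otherwise a regex (full match)

    def matches(self, fact):
        if fact.trait != self.trait:
            return False
        try:
            network = ipaddress.ip_network(self.match, strict=False)
        except ValueError:
            return re.fullmatch(self.match, fact.value) is not None
        try:
            return ipaddress.ip_address(fact.value) in network
        except ValueError:
            return False  # a CIDR rule never matches a value that is not an address


def permitted(fact, rules):
    """Deny wins. If any ALLOW rule names this trait, the value must fall inside one
    of them (an allow-list); traits with no ALLOW rule are unrestricted."""
    relevant = [r for r in rules if r.trait == fact.trait]
    if any(r.action == DENY and r.matches(fact) for r in relevant):
        return False
    allows = [r for r in relevant if r.action == ALLOW]
    return not allows or any(r.matches(fact) for r in allows)


def filter_facts(facts, rules):
    """Facts the operation may act on; everything else is dropped before planning."""
    return [f for f in facts if permitted(f, rules)]


def regex_ip_matches(pattern, value):
    """The pitfall a CIDR match avoids: in a regex, '.' matches any character."""
    return re.fullmatch(pattern, value) is not None


# Constructed rules: stay inside one /24, keep off the host at .250, and away from
# service accounts and shadow files.
RULES = [
    Rule(ALLOW, 'remote.host.ip', '10.0.1.0/24'),
    Rule(DENY, 'remote.host.ip', '10.0.1.250/32'),
    Rule(DENY, 'host.user.name', r'svc_.*'),
    Rule(DENY, 'file.sensitive.path', r'/etc/g?shadow'),
]

# Constructed facts, as a discovery step might have collected them.
COLLECTED = [
    Fact('remote.host.ip', '10.0.1.7'),
    Fact('remote.host.ip', '10.0.100.5'),
    Fact('remote.host.ip', '10.0.1.250'),
    Fact('host.user.name', 'svc_backup'),
    Fact('host.user.name', 'alice'),
    Fact('file.sensitive.path', '/etc/shadow'),
    Fact('file.sensitive.path', '/etc/passwd'),
]

if __name__ == '__main__':
    for fact in filter_facts(COLLECTED, RULES):
        print(f'{fact.trait} = {fact.value}')
```

Because the filter runs over facts rather than over abilities, it bounds every ability that consumes the trait, which is what makes “confine to this network” a single rule instead of a per-TTP edit.
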
  • Added an option to run an operation while ignoring the adversary’s phases.
  • Added an option to run an operation with every command obfuscated. The obfuscator converts each command to base64 and ensures it is executed in that form rather than as plain text. It is implemented as an extendable object, so we hope others will contribute obfuscation methods beyond base64. This lets a defense test how it would detect an adversary who runs TTPs in abnormal ways.
  • We added a scheduling feature that lets you schedule an operation to run daily at the same time.
  • Added color-coding to the “links” on the timeline view when watching a running operation, so you can more easily see how the operation is progressing.
  • Added a progress bar showing what percentage of the operation is complete.

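The base64 obfuscation option, shown from both sides as an added example (not the release’s own obfuscator or any CALDERA code): an extendable Obfuscator base class with a base64 implementation, and the decoding step a detection would need to recover the original command. The executor names ‘psh’ and ‘sh’, the OBFUSCATORS registry and the recover function are this example’s assumptions.

```python
import base64
import re


class Obfuscator:
    """Base class: subclasses rewrite a command so it still runs but looks different."""
    name = 'plain'

    def run(self, command, executor):
        return command


class Base64Obfuscator(Obfuscator):
    """Encode the command in base64 and wrap it so the executor decodes and runs it."""
    name = 'base64'

    def run(self, command, executor):
        if executor == 'psh':
            # PowerShell's -EncodedCommand expects base64 of the UTF-16LE command text.
            encoded = base64.b64encode(command.encode('utf-16le')).decode('ascii')
            return f'powershell -EncodedCommand {encoded}'
        if executor == 'sh':
            # POSIX shell: decode with coreutils base64 and hand the text to eval.
            encoded = base64.b64encode(command.encode('utf-8')).decode('ascii')
            return f'eval "$(echo {encoded} | base64 -d)"'
        raise ValueError(f'no base64 wrapping defined for executor {executor!r}')


# Registry keyed by name: a new Obfuscator subclass becomes selectable by adding it here.
OBFUSCATORS = {cls.name: cls for cls in (Obfuscator, Base64Obfuscator)}


def obfuscate(command, executor, method='base64'):
    return OBFUSCATORS[method]().run(command, executor)


# Detection side: undo the wrapping so a rule can still inspect the original command.
_PSH_ENCODED = re.compile(r'-EncodedCommand\s+([A-Za-z0-9+/=]+)', re.IGNORECASE)
_SH_ENCODED = re.compile(r'echo\s+([A-Za-z0-9+/=]+)\s*\|\s*base64\s+-d')


def recover(command_line):
    """Return the plain-text command hidden in an obfuscated command line, or None."""
    m = _PSH_ENCODED.search(command_line)
    if m:
        return base64.b64decode(m.group(1)).decode('utf-16le')
    m = _SH_ENCODED.search(command_line)
    if m:
        return base64.b64decode(m.group(1)).decode('utf-8')
    return None


if __name__ == '__main__':
    for executor in ('psh', 'sh'):
        wrapped = obfuscate('whoami', executor)
        print(wrapped, '->', recover(wrapped))
```

Two caveats for anyone turning recover into a real detection: PowerShell also accepts abbreviated forms of the switch (-enc, -e), so match the prefix rather than the full word; and base64 -d is the GNU coreutils spelling, so an adversary on older macOS would use -D, which the sh pattern above does not catch.
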
  • Three new GUI pages were added to the advanced tab:
  1. C2: describes all available C2 mechanisms.
  2. Planners: describes all available planners.
  3. Sources: shows all fact sources and lets you edit them, including viewing, editing and creating the rules for each source.
  • Added a new concept, special_payloads, which lets you define a custom function to run when a specific payload is downloaded. sandcat.go and reverse.go both use this to compile dynamically on request.

Plugin changes

  • We added an optional sleep parameter that delays agent start-up by n seconds.
  • We added a /ping endpoint for testing agent-to-server connectivity. It arrived together with a new interface in the agent code that makes adding your own C2 communication channel more accessible.
  • Added new shellcode executors that allow arbitrary shellcode to be executed across multiple operating systems.

Mock plugin

  • This plugin was extended to run simulated scenarios at a finer grain. Instead of one simulated response per agent, you can now specify a response per agent per anticipated fact. While this sounds confusing, you may want to just take this plugin for a spin!

Terminal plugin

  • This plugin was completely rewritten. Instead of popping up a terminal window, it now adds a GUI page from which you launch reverse shells and manage their sessions, including a basic terminal “emulator” so you can interact manually with any of your agents from the browser.
  • Like the 54ndc47 agent, the reverse-shell payload (reverse.go) now downloads with a different random name each time.