- Plugins now accept a single ‘services’ parameter, instead of ‘app’ and ‘services’. The app parameter was removed because it is now accessible through the app_svc.application object, which is contained in the services list.
- The required initialize function in a plugin’s hook file has been renamed to enable. The new name better describes what the function actually does.
- We renamed the core conf/local.yml to conf/default.yml.
- The core code absorbed the GUI and Chain plugins. This introduced new templates/ and static/ directories containing the front-end elements of those plugins, and new rest_api and rest_svc modules to handle their back-end logic.
- The UI design was improved significantly to make it more intuitive for new users.
- We introduced CI elements to build all repositories and check for PEP-8 compliance.
- The entire backend was reworked so the SQL database could be removed entirely. All transient data is now held as Python objects (the c_ classes in the code base). All permanent data lives in the data/results directory and the data/object_store file.
- We added support for Docker container deployments of the CALDERA server.
In the notes below, a “modal” is the pop-up box that opens in the GUI when you select a link, such as the agents modal or the adversaries modal.
- Each download of the agent now gets a random file name in addition to a different file hash. This makes the agent harder to detect by name alone: previously a defense could simply alert on sandcat.go. Note that this only changes the on-disk name and hash; the agent’s behaviour once running is unchanged, so behaviour-based detections are unaffected.
- We now allow multiple agents to run on the same machine. This required changing the agent “paw print” (its unique identifier) from a hostname+username combination, which could not tell two agents on the same host apart, to a 6-digit integer.
- We now track the privilege level of the agent when it is started.
- We now track the PID and hostname of each agent and show them on the agents modal.
- The agents modal allows you to filter the visible columns.
- We added two new delivery commands for Windows hosts, allowing you to start the agent in memory rather than writing it to disk. This was coupled with a change to the agent code so that it can run this way.
- We added the ability to update existing, built-in adversary profiles from the GUI.
- We added a new pop-up modal for viewing, updating and creating TTPs from the GUI, including uploading new payloads. Newly created abilities and adversaries are saved in the data/ directory.
- A new concept called adversary “packs” was introduced, which allows you to chain adversaries together in an easy-to-use way.
- We added dozens of new TTP files (abilities) and several new adversary profiles.
- TTP parsers were all rewritten from regular expressions to Python code, allowing more powerful parsing of ability output.
- We added “rules”, which let you set boundaries on where CALDERA is allowed to move. For example, a rule can confine CALDERA to a specific IP network, or keep it away from specific files or users. A rule can be attached to any fact.
- Added an option to run an operation while ignoring the adversary’s phases.
- Added an option to run an operation with all commands obfuscated. The obfuscation converts each command to base64 and has the agent execute the encoded form rather than the plain-text command. The feature is implemented as an extendable object, so we hope others will add obfuscation options beyond base64 in the future. This lets a defense test whether it can detect an adversary who runs TTPs in abnormal ways. Keep in mind that base64 is an encoding, not encryption: the command is decoded back to plain text before it runs, so it is still visible to telemetry that observes the child process.
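To make the “extendable obfuscator” idea concrete, here is an added example of a small obfuscator registry in Python. It is not CALDERA’s own obfuscation code; the class names, the executor names (sh, bash, psh, powershell) and the shell wrappers are assumptions chosen for illustration. It also includes a detection-side helper that reverses the wrapping, which is the step a defender would take to write a rule against the real command.

```python
"""
Added example (not CALDERA's own obfuscator): a minimal, extendable
command obfuscator in the spirit of the base64 option described above,
plus a deobfuscator a defender could use on collected command lines.
Class names, executor names and shell wrappers are assumptions.
"""
import base64
import shlex


class Obfuscator:
    """Base class: subclasses turn a plain-text command into an
    equivalent command that the target shell will execute."""

    name = "plain"

    def run(self, command: str, executor: str) -> str:
        return command


class Base64Obfuscator(Obfuscator):
    """Wrap the command so the plain-text TTP never appears as typed.
    Base64 is an encoding, not a secret: the shell decodes it before
    running it, so the child process still shows the real command."""

    name = "base64"

    def run(self, command: str, executor: str) -> str:
        if executor in ("sh", "bash"):
            # POSIX shells: decode with base64(1) (GNU coreutils flag
            # assumed) and pipe the result into the shell.
            encoded = base64.b64encode(command.encode("utf-8")).decode("ascii")
            return f"echo {encoded} | base64 -d | {executor}"
        if executor in ("psh", "powershell"):
            # PowerShell's -EncodedCommand expects base64 of UTF-16LE text.
            encoded = base64.b64encode(command.encode("utf-16-le")).decode("ascii")
            return f"powershell -EncodedCommand {encoded}"
        raise ValueError(f"no base64 wrapper for executor {executor!r}")


# Registry keyed by technique name; adding a new technique is a new
# subclass plus one entry here.
OBFUSCATORS = {cls.name: cls() for cls in (Obfuscator, Base64Obfuscator)}


def obfuscate(command: str, executor: str, technique: str = "base64") -> str:
    """Look up a registered obfuscator by name and apply it."""
    return OBFUSCATORS[technique].run(command, executor)


def deobfuscate(wrapped: str) -> str:
    """Detection-side helper: recover the original command from a
    wrapped command line so a rule can match the plain text."""
    tokens = shlex.split(wrapped)
    if tokens[:1] == ["echo"] and "base64" in tokens:
        return base64.b64decode(tokens[1]).decode("utf-8")
    if "-EncodedCommand" in tokens:
        idx = tokens.index("-EncodedCommand")
        return base64.b64decode(tokens[idx + 1]).decode("utf-16-le")
    return wrapped


if __name__ == "__main__":
    for cmd, ex in (("whoami", "sh"), ("Get-Process", "psh")):
        wrapped = obfuscate(cmd, ex)
        print(wrapped)
        print("  decodes to:", deobfuscate(wrapped))
```

The point of the registry is that an operation only needs to carry a technique name; the executor-specific wrapping lives in one place and a new technique never touches the abilities themselves.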
- We added in a new scheduling feature, allowing you to schedule an operation to run daily at the same time.
- Added color-coding to the “links” on the timeline view when watching a running operation. This allows you to more easily understand how the operation is progressing.
- Added a progress bar showing what percentage of the operation is complete.
- Three new GUI pages were added to the advanced tab:
  - C2: describes all available C2 mechanisms.
  - Planners: describes all available planners.
  - Sources: shows all fact sources and allows you to edit them, including viewing, editing and creating the rules attached to each source.
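The rules feature and the per-source rule editing described above both come down to deciding, fact by fact, whether CALDERA may act on a value. The following added example is a small allow/deny evaluator over facts written in Python; it is not CALDERA’s own rule engine, and the fact trait names (remote.host.ip, host.user.name, file.sensitive.path), the rule format and the sample data are assumptions constructed for illustration.

```python
"""
Added example (not CALDERA's own rule engine): evaluate allow/deny rules
against facts. Rules are checked in order and the last matching rule
decides; a fact no rule matches is allowed. For IP traits the rule's
match field is a CIDR network, otherwise it is a shell-style glob.
Trait names, rule format and sample facts are assumptions.
"""
import fnmatch
import ipaddress
from dataclasses import dataclass
from typing import List


@dataclass(frozen=True)
class Fact:
    trait: str   # e.g. "remote.host.ip"
    value: str


@dataclass(frozen=True)
class Rule:
    trait: str
    match: str   # CIDR such as "10.1.2.0/24", or a glob such as "svc_*"
    action: str  # "allow" or "deny"

    def applies_to(self, fact: Fact) -> bool:
        if fact.trait != self.trait:
            return False
        try:
            # CIDR comparison when both sides parse as addresses.
            return ipaddress.ip_address(fact.value) in ipaddress.ip_network(
                self.match, strict=False)
        except ValueError:
            # Not IP data: fall back to a case-sensitive glob match.
            return fnmatch.fnmatchcase(fact.value, self.match)


def permitted(fact: Fact, rules: List[Rule]) -> bool:
    """Default allow; the last rule that matches the fact wins."""
    verdict = True
    for rule in rules:
        if rule.applies_to(fact):
            verdict = rule.action == "allow"
    return verdict


def filter_facts(facts: List[Fact], rules: List[Rule]) -> List[Fact]:
    """Return only the facts an operation is allowed to use."""
    return [f for f in facts if permitted(f, rules)]


# Constructed sample rules: confine lateral movement to one /24, never
# touch service accounts, and never touch the shadow file.
RULES = [
    Rule("remote.host.ip", "0.0.0.0/0", "deny"),
    Rule("remote.host.ip", "10.1.2.0/24", "allow"),
    Rule("host.user.name", "svc_*", "deny"),
    Rule("file.sensitive.path", "/etc/shadow", "deny"),
]

# Constructed sample facts as a fact source might hold them.
FACTS = [
    Fact("remote.host.ip", "10.1.2.5"),
    Fact("remote.host.ip", "10.9.9.9"),
    Fact("remote.host.ip", "192.168.1.10"),
    Fact("host.user.name", "svc_backup"),
    Fact("host.user.name", "alice"),
    Fact("file.sensitive.path", "/etc/shadow"),
]


if __name__ == "__main__":
    for fact in FACTS:
        print(f"{fact.trait}={fact.value}: {'allow' if permitted(fact, RULES) else 'deny'}")
```

Ordering matters with last-match-wins: the broad deny on 0.0.0.0/0 has to come before the narrower allow on 10.1.2.0/24, which is the usual “deny everything, then carve out the lab network” shape of a containment rule.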
- Added a new concept called special_payloads, which lets you define a custom function that runs when a specific payload is requested. sandcat.go and reverse.go are good examples: both use this to compile dynamically on request.
- We added a new optional parameter called sleep, which delays the start of the agent by n seconds.
- We added a new /ping endpoint for testing connectivity from the agent to the server. This was added together with a new interface inside the agent code, which makes adding your own C2 communication channel easier.
- Added new shellcode executors to allow the execution of arbitrary shellcode across multiple operating systems.
- This plugin was extended to allow running simulated scenarios with a finer-grained approach. Instead of simulating one response per agent, you can now specify a response per agent per anticipated fact used. While this sounds confusing, you may want to just take this plugin for a spin!
- This plugin was completely rewritten. Instead of a terminal window popping up when you use it, there is a new GUI page that lets you launch reverse shells and manage a session for each. This includes a basic terminal “emulator” so you can manually interact with any of your agents from the comfort of your browser.
- As with the 54ndc47 agent, the reverse-shell payload (reverse.go) now downloads with a different random name each time.