@privateducky privateducky released this Dec 17, 2019 · 174 commits to master since this release

Breaking changes:

  • Plugins now accept a single ‘services’ parameter, instead of ‘app’ and ‘services’. The app parameter was removed because it is now accessible through the app_svc.application object, which is contained in the services list.
  • The required initialize function in a plugin’s hook file has been renamed to enable. This change was made to better reflect the underlying functionality.
  • We renamed the core conf/local.yml to conf/default.yml.

Restructuring changes:

  • The core code absorbed the GUI and Chain plugins. This introduced new templates/ and static/ directories containing the front-end elements of these plugins. New rest_api and rest_svc modules were created to handle the back-end logic.
  • The UI design was improved significantly to make it more intuitive for new users.
  • We introduced CI elements to build all repositories and check for PEP-8 compliance.
  • The entire backend was reworked so we could remove the SQL database entirely. All transient data is now represented in Python object form (c_ objects in the code base). All permanent data can be found in the data/results directory and data/object_store file.
  • We added support for Docker container deployments of the CALDERA server.

New features:

When mentioning a “modal” we mean the pop-up box on the website/GUI when you select different links, such as the agents modal, adversaries modal, etc.

Agents

  • When the agent is downloaded, in addition to getting a different file hash each time, each agent now also gets a random file name. This is intended to make it more difficult to detect, since defenses could previously trigger on the sandcat.go file name.
  • We now allow you to run multiple agents on the same machine. This required converting the agent “paw print” (unique identifier) to a 6-character integer, instead of a combination of hostname+username.
  • We now track the privilege level of the agent when it is started.
  • We now track the PID and hostname of each agent and show them on the agent modal.
  • The agents modal allows you to filter the viewable columns
  • We added in 2 new delivery-commands for Windows hosts, allowing you to start the agent in memory instead of on disk. This was coupled with a change to the agent code allowing it to run this way.

Adversaries

  • We added in the ability to update existing, built-in adversary profiles from the GUI.
  • We added in a new pop-up modal box for viewing, updating and creating TTPs from the GUI, including uploading new payloads. Newly created abilities and adversaries will be saved in the data/ directory.
  • A new concept called adversary “packs” was introduced, which allows you to chain adversaries together in an easy-to-use way.

Abilities

  • We added in dozens of new TTP files (abilities) and several new adversary profiles.
  • TTP parsers were all rewritten from regex to python, to allow for more powerful parsing of output.
  • We added in “rules”, which allow you to set boundaries around where CALDERA is allowed to move. You can create a rule to confine CALDERA to a specific IP network, to keep it from touching specific files or users, etc. A rule can be created around any fact.
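The fact rules described above, as an added example that is not CALDERA's own code: the rule format (trait, ALLOW/DENY action, regex or CIDR) and the last-match-wins evaluation are assumptions for this illustration, and the sample facts are constructed.

```python
import ipaddress
import re

# Constructed rule format, an assumption for this example and not necessarily the
# project's own schema: each rule names a fact trait, an ALLOW/DENY action and either
# a regex ("match") or a CIDR range ("network"). Rules are evaluated in order, the
# last matching rule decides, and a fact no rule matches is allowed.
RULES = [
    {"trait": "remote.host.ip", "action": "DENY", "match": r".*"},
    {"trait": "remote.host.ip", "action": "ALLOW", "network": "10.0.0.0/24"},
    {"trait": "file.sensitive.path", "action": "DENY", "match": r"^/etc/(shadow|passwd)$"},
    {"trait": "host.user.name", "action": "DENY", "match": r"^(root|Administrator)$"},
]

def _rule_matches(rule, value):
    """Does the rule's network range or regex apply to this fact value?"""
    if "network" in rule:
        try:
            return ipaddress.ip_address(value) in ipaddress.ip_network(rule["network"])
        except ValueError:  # the value is not an IP address, so a network rule cannot match
            return False
    return re.fullmatch(rule["match"], str(value)) is not None

def is_fact_allowed(trait, value, rules=RULES):
    """True if an operation may act on this fact under the rules (last match wins)."""
    allowed = True
    for rule in rules:
        if rule["trait"] == trait and _rule_matches(rule, value):
            allowed = rule["action"] == "ALLOW"
    return allowed

def filter_facts(facts, rules=RULES):
    """Drop forbidden facts so abilities only ever receive approved targets."""
    return [(trait, value) for trait, value in facts if is_fact_allowed(trait, value, rules)]

# Constructed facts as an operation might collect them
SAMPLE_FACTS = [
    ("remote.host.ip", "10.0.0.15"),
    ("remote.host.ip", "10.0.1.7"),
    ("file.sensitive.path", "/etc/shadow"),
    ("file.sensitive.path", "/home/alice/notes.txt"),
    ("host.user.name", "root"),
    ("host.user.name", "alice"),
]

if __name__ == "__main__":
    for fact in filter_facts(SAMPLE_FACTS):
        print("approved:", fact)
```

The blanket DENY followed by a narrower ALLOW is the pattern for confining movement to one network: every address is forbidden unless a later rule explicitly re-admits it.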

Operations

  • Added an option to run an operation while ignoring the adversary’s phases.
  • Added an option to run an operation with all commands obfuscated. The obfuscation converts each command to base64 and ensures it is executed in that form instead of as plain text. This feature was implemented as an extendable object, so we hope others will add further obfuscation options in the future (beyond just base64). This allows defenders to test how they would detect an adversary who runs TTPs in abnormal ways.
  • We added in a new scheduling feature, allowing you to schedule an operation to run daily at the same time.
  • Added color-coding to the “links” on the timeline view when watching a running operation. This allows you to more easily understand how the operation is progressing.
  • Added a progress bar showing what percentage of the operation is complete.
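The base64 obfuscation described in the Operations list, shown as an added example (not CALDERA's own obfuscator) alongside the defender-side decoding that lets a plaintext detection rule still match; the wrapper formats and sample commands are constructed assumptions.

```python
import base64
import re

# Hypothetical wrapper formats, not CALDERA's own: the command appears on the command
# line only as base64, which is what a rule written against the plaintext would miss.
def obfuscate_sh(command):
    """Encode a POSIX shell command and wrap it so the shell decodes it before running."""
    encoded = base64.b64encode(command.encode("utf-8")).decode("ascii")
    return f'sh -c "echo {encoded} | base64 -d | sh"'

def obfuscate_powershell(command):
    """PowerShell's -EncodedCommand takes base64 of the UTF-16LE script text."""
    encoded = base64.b64encode(command.encode("utf-16-le")).decode("ascii")
    return f"powershell.exe -EncodedCommand {encoded}"

B64_TOKEN = re.compile(r"[A-Za-z0-9+/]{16,}={0,2}")

def _is_plain_text(text):
    """Accept only printable ASCII, rejecting the wrong codec's CJK or NUL-laden output."""
    return all(32 <= ord(ch) < 127 or ch in "\r\n\t" for ch in text)

def decode_base64_tokens(command_line):
    """Decode every base64-looking token, trying UTF-16LE (PowerShell) before UTF-8."""
    decoded = []
    for token in B64_TOKEN.findall(command_line):
        try:
            raw = base64.b64decode(token, validate=True)
        except ValueError:  # binascii.Error is a ValueError: token is not real base64
            continue
        for codec in ("utf-16-le", "utf-8"):
            try:
                text = raw.decode(codec)
            except UnicodeDecodeError:
                continue
            if _is_plain_text(text):
                decoded.append(text)
                break
    return decoded

def matches_plaintext_rule(command_line, needles):
    """Apply a plaintext rule to the raw line and to everything decoded from it."""
    views = [command_line] + decode_base64_tokens(command_line)
    return any(needle in view for view in views for needle in needles)

if __name__ == "__main__":
    # Constructed sample commands
    for line in (obfuscate_sh("whoami; cat /etc/passwd"),
                 obfuscate_powershell("whoami; Get-Process")):
        print(line, "->", decode_base64_tokens(line))
```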

General

  • 3 new GUI pages were added to the advanced tab:
    1. C2: gives a description of all C2 mechanisms available.
    2. Planners: gives a description of all available planners.
    3. Sources: shows all fact sources and allows you to edit them. This includes the ability to view, edit and create rules for each source.
  • Added a new concept called special_payloads, which allows you to define a custom function to execute when specific payloads are downloaded. Good examples of this are sandcat.go and reverse.go, both of which use this functionality to dynamically compile upon request.

Plugin changes

54ndc47

  • We added a new optional parameter called sleep, which allows you to delay the start of the agent by n seconds.
  • We added a new /ping endpoint to test connectivity of the agent to the server. This was added in combination with a new interface inside the agent code, which makes adding your own C2 communication channel more accessible.
  • Added new shellcode executors to allow the execution of arbitrary shellcode across multiple operating systems.

Mock plugin

  • This plugin was extended to allow running simulated scenarios using a more fine-grained approach. Now, instead of just simulating a response per agent, you can specify a response per agent per anticipated fact used. While this sounds confusing, you may want to just take this plugin for a spin!

Terminal plugin

  • This plugin was completely rewritten. Now, instead of having a terminal window pop up when using this plugin, there is a new GUI page which allows you to launch reverse-shells and manage sessions for each. This includes a basic terminal “emulator” so you can manually interact with any of your agents from the comfort of your browser.
  • Similar to the 54ndc47 agent, the reverse-shell payload (reverse.go) will now download with a different random name each time.