Skip to content

wietze/bsides-ldn-2019

master
Switch branches/tags
Code

Latest commit

 

Git stats

Files

Permalink
Failed to load latest commit information.
Type
Name
Latest commit message
Commit time
app
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 

The Imitation Game: Attacker Emulation

BSides London 2019

This repo contains changes made to the Adversary Plugin repo for CALDERA 2.0.

Presentation

Slides: HTML HTML and PDF PDF

Video: Available here

Code changes

Files that were changed include:

  • The following steps:
    • dump_creds, a fileless Mimikatz in PowerShell action using CustomCommandLine (see below);
    • certutil_download, which can download files using the Certutil LOLbin;
    • rundll32_execution, which can execute commands using the RunDLL32/MSHTA LOLbin;
    • webserver_install, which prepares a webserver installation (creates OPSoftware object, see below); and,
    • webshell_execution, which uses the above three actions to set up a reverse webshell.
  • operation.py, which introduces OPSoftware, which is used by some of the above actions (to implement LOLbins); and,
  • command.py, which introduces CustomCommandLine, which can obfuscate commands and apply masquerading.
    Note that this still a proof of concept, as it requires you to supply drop_file and file_g functions in order to make CALDERA aware of renamed binaries in case of masquerading. See e.g. dump_creds. This should be further optimised.

Installation

Make sure you have the most recent version of CALDERA (for instructions check the CALDERA repo).

You can either copy in the files manually to your caldera/plugins/adversary folder, or:

  1. In the main caldera/ folder, run the following command:
    git config --file=.gitmodules -e
  2. Update the plugins/adversary entry, pointing it to https://github.com/wietze/bsides-ldn-2019.git
    (or git@github.com:wietze/bsides-ldn-2019.git if you're using SSH)
  3. Run the following command to update to the latest version of this repo:
     git submodule sync && git submodule update --remote --merge

If you want to return to the original MITRE repository, follow steps 1-3 again, but use https://github.com/mitre/adversary.git in step 2.
(or git@github.com:mitre/adversary.git if you're using SSH)

About

Code and Slides of my BSides London 2019 presentation about Attacker Emulation using CALDERA

Resources

License

Stars

Watchers

Forks

Releases

No releases published

Packages

No packages published