
Releases: mitre/caldera

3.1.0

13 Apr 12:21
1c8abd3

Overview

Improvements to the Training plugin, new C2 channels, and some core feature improvements.

Core Features

  • #2101 The server --fresh argument now backs up data to data/backups before deleting data files.
  • #2037 IP rule matching fix
  • #2032 New DNS contact
  • #2045 New operation log reporting style (events)
  • #2055 Fixed an issue with deletion of sessions during refresh
  • #2056 Sandcat agents now display all IP addresses associated with the host they are running on
  • #2060 Files exfiltrated by abilities can now be downloaded through the UI
  • #2088 New capability to automatically generate event logs on operation completion

New C2 Channel

Plugin Updates

Training

  • A solution guide has been provided to make learning CALDERA even easier.

Sandcat

  • Fixed a bug with agents not sleeping after receiving commands, which led to extraneous C2 traffic

Stockpile

  • Fixed base64 jumble and b64 no padding obfuscators

Debrief

  • Fixed various bugs with the display (missing links, text overflowing)

3.0.0

17 Feb 15:37
0cbac0c

Overview

Big improvements to usability, a new plugin called Emu that imports adversary emulation plans from CTID, P2P agent
communication, lateral movement tracking, and more!

Plugin Updates

NEW PLUGIN: Emu

This plugin imports adversary emulation plans from the Center for Threat Informed Defense

Learn more about the supported emulation plans here:
https://github.com/center-for-threat-informed-defense/adversary_emulation_library

Debrief

Debrief is now tracking lateral movement through the new attack path graph in addition to some changes made to sandcat and core!

Learn more about the feature here:
https://caldera.readthedocs.io/en/latest/Lateral-Movement-Guide.html#displaying-lateral-movement-in-debrief

Builder

Allow for dynamic compilation of C#, C, C++, and Go binaries. Code will be built in Docker containers, requiring additional setup when CALDERA starts, but reducing dependencies on the server. Both C# and Go binaries can be built with libraries/modules.

New Features

Peer-to-Peer Communication

Peer-to-peer functionality allows agents within internal networks to chain together to enable beaconing and communications where a direct connection is not possible. The implementation in Sandcat allows for varied channels of communication as well, so that an agent can be configured for the environment it is being deployed in. CALDERA also provides peer discovery, so that an agent deployed from a generic binary can discover whether any peers are available to connect out through if a direct connection to the C2 server is not possible. The CALDERA server displays the proxy chain and the protocols used to facilitate the communications on the agents page.

Lateral Movement Tracking

Adds the capability for CALDERA to track lateral movement via the originLinkID. This is passed in as an optional command line argument when executing an agent.

Learn more about the feature here:
https://caldera.readthedocs.io/en/latest/Lateral-Movement-Guide.html#displaying-lateral-movement-in-debrief

Manual Links

Allow users to run arbitrary commands on agents. Previously, only commands in abilities could be run. Add manual links from the operation screen.

Uploads

Similar to payload downloads in abilities, you can now specify file uploads in an ability YAML file. Supporting agents will upload the specified file(s) after completing an ability. File paths can be local or absolute.
Before, file uploads and exfiltration were performed using hardcoded commands (curl, PowerShell WebClient, etc.) that required an HTTP(S) connection to the C2. In cases where the agent is using peer-to-peer communication and cannot directly access the server, the old file upload commands would not work as intended. By adding the upload capability as a separate ability and instruction component, supporting agents use their contact method's built-in upload functionality to send file bytes upstream, whether directly to the C2 server or to another agent proxy peer, which forwards the bytes on their behalf.

Deadman Abilities

Users can now specify deadman abilities in the agents.yml config or via the agent GUI modal to have supporting agents run them prior to termination. Whereas all agents will receive bootstrap abilities for immediate execution upon their first successful beacon, the CALDERA server will only send deadman abilities to agents who have indicated through their beacons that they support deadman abilities. An example use case for this functionality is to specify an ability that will remove the agent executable once the agent terminates, or other defense evasion abilities like clearing logs.

Other Updates

  • Many various bugfixes and usability improvements

2.9.0

21 Aug 16:54
b874da9

Overview

  • Greatly improved documentation
  • Bug fixes and user experience enhancements
  • Improved the use of SSL certs
  • Update to Debrief to allow for customized reporting

2.8.1

09 Oct 05:13
29b1f26

Overview

This release features a new plugin, Debrief, and numerous stability fixes.

NEW Plugin: Debrief

Get operation analytics and insights with Debrief. Export JSON and PDF operation reports straight from the UI.

Features

CALDERA Core Features

  • Global event execution: trigger actions off any event in the system
  • Planner Objectives configuration pane. Set objectives for operations and stop when they're achieved
  • Stream notifications when no abilities execute in an operation
  • Configurable C2 address in agent command windows makes it easier to launch agents with the right address

Plugin Features

  • ACCESS: import Metasploit exploits into abilities
  • COMPASS: support latest version of navigator
  • RESPONSE: ingest elasticsearch output into CALDERA as facts or steps
  • STOCKPILE: new cleanup commands
  • TRAINING: new question types (multiple-choice, fill in the blank, and navigator layer)

Fixes

CALDERA Core Fixes

  • Bucket Planner functionality is restored (with tests)
  • Align white and gold stars in operation output
  • Sources table is fixed width, all values wrap
  • Prevent adding duplicate agent groups
  • Rule removal was not functioning under certain circumstances
  • Fix bug that had operation hang when abilities were skipped during manual mode
  • Update ldap3 to 2.8.1, which pins pyasn1 to greater than 0.4.6
  • Removed the status variable and updated the logic to stream only one message if the chain is empty
  • Tux is used instead of ubuntu icon for *nix commands (maybe the most important fix?)

Plugin Fixes

  • ATOMIC: ignore use of reserved ability variables
  • SANDCAT: fix donut hanging issue
  • STOCKPILE: technique name fixes

...and many more

2.8.0

01 Sep 16:43
9c0f41f

bug fixes and improvements

2.7.0

19 May 19:53
c54759c
inline plugins (#1684)

2.6.65

20 Apr 13:37

Release notes not available

2.6.64

20 Apr 12:54

Full release notes for this version not yet available.

2.6.6

19 Mar 18:14
0d898fb

Many bug fixes

2.6.5

18 Mar 21:23
730d9c8

Big features

  • A new plugin, Training, has been added. This plugin allows a user to gain a "User Certificate" which proves their ability to use CALDERA. This is the first of several certificates planned for the future. The plugin takes you through a capture-the-flag style certification course covering all parts of CALDERA.

Small features

  • You can now delete adversaries from the GUI, through a new 'delete adversary' button
  • You can now create mini-ability YML files called "extensions". An extension is simply the ID + platforms sections of a given ability and can be stored as a separate file from the full ability file (which contains the name, description, ATT&CK info, etc.). Extensions are helpful because they allow you to store custom platforms/executors in a separate plugin than the normal ones.

UI changes

N/A

Rest API changes:

N/A

Contact changes

N/A

Plugin changes:

Stockpile

  • We added two new obfuscators, base64_no_padding.py and caesar cipher. The former obfuscates commands by base64 encoding them and removing any padding. The latter obfuscates commands by applying a cipher which uses a shift key to change the ordinal value of each byte.
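As an added example (not Stockpile's own code), the following models the two obfuscators described above and, for defenders, the reverse operations needed to recover a command from a captured process command line: re-adding the base64 padding that was stripped, and undoing the byte shift. The wrap-around at 256 and the sample command line are assumptions constructed here; the notes only say a shift key changes each byte's ordinal.

```python
import base64
import binascii
import string

# Standard base64 alphabet without '=', since the obfuscator strips padding.
B64_CHARS = frozenset(string.ascii_letters + string.digits + "+/")

def b64_no_padding(command: str) -> str:
    """Obfuscate like base64_no_padding: base64-encode, then drop trailing '='."""
    return base64.b64encode(command.encode()).decode().rstrip("=")

def b64_restore(token: str) -> str:
    """Reverse it: base64 needs a length that is a multiple of 4, so re-add '='."""
    padded = token + "=" * (-len(token) % 4)
    return base64.b64decode(padded).decode()

def caesar_bytes(data: bytes, shift: int) -> bytes:
    """Add `shift` to the ordinal of every byte, wrapping within 0..255
    (the wrap-around is an assumption; the notes only mention a shift key)."""
    return bytes((b + shift) % 256 for b in data)

def caesar_obfuscate(command: str, shift: int) -> bytes:
    return caesar_bytes(command.encode(), shift)

def caesar_restore(blob: bytes, shift: int) -> str:
    return caesar_bytes(blob, -shift).decode()

def recover_b64_tokens(cmdline: str, min_len: int = 8) -> list:
    """Defender helper: return the printable text behind any whitespace-separated
    token that looks like unpadded base64 (alphabet only, decodes once padded)."""
    found = []
    for tok in cmdline.split():
        if len(tok) < min_len or not B64_CHARS.issuperset(tok):
            continue
        try:
            text = b64_restore(tok)
        except (binascii.Error, UnicodeDecodeError):
            continue  # wrong length class or not valid text: not our obfuscator
        if text.isprintable():
            found.append(text)
    return found

# Constructed sample process command line (not from the page) carrying an unpadded token.
SAMPLE_CMDLINE = 'sh -c "echo d2hvYW1pOyBpZCAtdQ | base64 -d | sh"'

if __name__ == "__main__":
    print(recover_b64_tokens(SAMPLE_CMDLINE))  # ['whoami; id -u']
```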

Breaking changes:

We expect plugin developers to only interact with the core system (and other plugins) through the list of services passed to their plugin and through importing the c_[object] modules in the core code. As such, each release we will highlight the changes in these two areas, as they could introduce breaking changes to a plugin.

Services

auth_svc

  • A bug was fixed where we were using a convenience "bypass" of authentication for localhost.

Objects

c_agent

  • A new function (privileged_to_run) was added, which accepts a given ability and returns whether the agent is privileged to run it or not.