Releases: mitre/caldera
2.8.1
Overview
This release features a new plugin Debrief and numerous stability fixes.
NEW Plugin: Debrief
Get operation analytics and insights with Debrief. Export JSON and PDF operation reports straight from the UI.
Features
CALDERA Core Features
- Global event execution: trigger actions off any event in the system
- Planner Objectives configuration pane. Set objectives for operations and stop when they're achieved
- Stream notifications when no abilities execute in an operation
- Configurable C2 address in agent command windows makes it easier to launch agents with the right address
Plugin Features
- ACCESS: import Metasploit exploits into abilities
- COMPASS: support latest version of navigator
- RESPONSE: ingest elasticsearch output into CALDERA as facts or steps
- STOCKPILE: new cleanup commands
- TRAINING: new question types (multiple-choice, fill in the blank, and navigator layer)
Fixes
CALDERA Core Fixes
- Bucket Planner functionality is restored (with tests)
- Align white and gold stars in operation output
- Sources table is fixed width, all values wrap
- Prevent adding duplicate agent groups
- Fix rule removal, which was not functioning under certain circumstances
- Fix bug that caused an operation to hang when abilities were skipped during manual mode
- Update ldap3 to 2.8.1, which pins pyasn1 to a version greater than 0.4.6
- Remove the status variable and update the logic to stream only one message if the chain is empty
- Tux is used instead of the Ubuntu icon for *nix commands (maybe the most important fix?)
Plugin Fixes
- ATOMIC: ignore use of reserved ability variables
- SANDCAT: fix donut hanging issue
- STOCKPILE: technique name fixes
...and many more
2.8.0
2.7.0
2.6.65
2.6.64
2.6.6
2.6.5
Big features
- A new plugin, Training, has been added. This plugin allows a user to gain a "User Certificate" which proves their ability to use CALDERA. This is the first of several certificates planned for the future. The plugin takes you through a capture-the-flag style certification course covering all parts of CALDERA.
Small features
- You can now delete adversaries from the GUI, through a new 'delete adversary' button
- You can now create mini-ability YML files called "extensions". An extension is simply the ID + platforms sections of a given ability and can be stored as a separate file from the full ability file (which contains the name, description, ATT&CK info, etc.). Extensions are helpful because they allow you to store custom platforms/executors in a separate plugin from the normal ones.
UI changes
N/A
Rest API changes:
N/A
Contact changes
N/A
Plugin changes:
Stockpile
- We added two new obfuscators, base64_no_padding.py and Caesar cipher. The former obfuscates commands by base64 encoding them and removing any padding. The latter obfuscates commands by applying a cipher which uses a shift key to change the ordinal value of each byte.
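The two obfuscation schemes described above, written out as an added illustration (this is not the Stockpile plugin's code; the function names and the sample command are assumptions). Both transforms are trivially reversible, and the decoding side is what matters when reviewing command output: padding-stripped base64 must be re-padded to a multiple of four characters before it will decode, and a byte-wise shift can be recovered by trying all 256 keys and keeping the ones that decode to printable text.

```python
import base64

# Constructed sample command, not taken from any Caldera plugin.
SAMPLE_COMMAND = "whoami; hostname"


def base64_no_padding(command: str) -> str:
    """Base64-encode the command and strip the trailing '=' padding."""
    return base64.b64encode(command.encode()).decode().rstrip("=")


def decode_base64_no_padding(blob: str) -> str:
    """Restore the padding that base64_no_padding removed, then decode.

    Standard base64 output is a multiple of 4 characters; -len(blob) % 4
    yields the 0..3 '=' characters needed to get back to that length.
    """
    padded = blob + "=" * (-len(blob) % 4)
    return base64.b64decode(padded).decode()


def caesar_shift(data: bytes, key: int) -> bytes:
    """Shift the ordinal value of every byte by `key`, wrapping at 256."""
    return bytes((b + key) % 256 for b in data)


def caesar_unshift(data: bytes, key: int) -> bytes:
    """Undo caesar_shift for a known key."""
    return caesar_shift(data, -key)


def recover_caesar_candidates(data: bytes) -> list:
    """Brute-force all 256 shift keys; keep the ones that decode to printable ASCII.

    A single-byte shift has only 256 keys, so an analyst does not need the
    key to recover the original command; this returns (key, text) pairs.
    """
    candidates = []
    for key in range(256):
        plain = caesar_unshift(data, key)
        if plain and all(32 <= b < 127 for b in plain):
            candidates.append((key, plain.decode("ascii")))
    return candidates


if __name__ == "__main__":
    encoded = base64_no_padding(SAMPLE_COMMAND)
    print("base64, no padding:", encoded)
    print("decoded:", decode_base64_no_padding(encoded))
    shifted = caesar_shift(SAMPLE_COMMAND.encode(), 3)
    print("caesar key=3:", shifted.hex())
    print("candidates:", recover_caesar_candidates(shifted)[:3])
```

Neither scheme hides anything from a reviewer who knows to look for it; the point of these obfuscators is to exercise detection logic that keys on literal command strings, which is exactly what the decoders above defeat.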
Breaking changes:
We expect plugin developers to only interact with the core system (and other plugins) through the list of services passed to their plugin and through importing the c_[object] modules in the core code. As such, each release we will highlight the changes in these two areas, as they could introduce breaking changes to a plugin.
Services
auth_svc
- A bug was fixed where we were using a convenience "bypass" of authentication for localhost.
Objects
c_agent
- a new function (privileged_to_run) was added, which accepts a given ability and returns whether the agent is privileged to run it or not.
2.6.4
Big features
- A new contact - HTML - was added to the existing set of agent contact points. This contact allows agents to communicate to the CALDERA C2 by scraping web content/DOM elements for instructions. If you navigate to the http://localhost:8888/weather webpage, you can view the HTML page configured for agents to scrape. This is a decoy web page with hidden instructions in the HTML.
- This new contact comes with a new agent, Ragdoll, which uses the contact point. Ragdoll is written in Python; it gets instructions by scraping the decoy web page and then sends results back through (encoded) GET URL parameters.
- We introduced a new plugin, Training, which includes a full Red Team Operator certificate course. This is a capture-the-flag style certification to become a CALDERA subject matter expert (SME). It also teaches some basics around adversary emulation and red-teaming along the way. This is the first certificate among several coming in the future.
Small features
- The Terminal plugin has been rebranded as the Manx plugin, after the agent it contains.
- A new service was added, learning_svc, which is called whenever an agent posts results from running a command. Previously, we required all abilities to define a parser (on the ability YML) if we were going to parse the results into facts. Now, if the ability has no parser, it will go into the learning_svc and we will attempt to parse the arbitrary text blob into facts using a series of intelligent parsers. We even create inferred relationships by analyzing the existing trait combinations. We will be moving parsers off of ability YML files and into this much more dynamic form of parsing moving forward.
- Abilities can now outline variations of the command, inside its YML file. For instance, there are multiple ways to deploy an agent (in the foreground, background, in verbose mode, etc.). Instead of having separate ability YML files for each variation, you can include a variations block in the YML file and describe each command variation.
UI changes
- The agents modal on the UI now allows you to add bootstrap abilities and change the filename of any downloaded agent.
- The delivery commands for Manx and Sandcat have been moved to the agents modal under campaigns.
Rest API changes:
N/A
Contact changes
- All contacts accept a list of results instead of a single result. All built-in agents have been updated to reflect this change. This allows an agent to group results into a single call to the C2 instead of needing to send 1 beacon per result.
Plugin changes:
N/A
Breaking changes:
We expect plugin developers to only interact with the core system (and other plugins) through the list of services passed to their plugin and through importing the c_[object] modules in the core code. As such, each release we will highlight the changes in these two areas, as they could introduce breaking changes to a plugin.
Services
contact_svc
- All module-level properties have been removed and instead are being saved inside the "agents" configuration. We now persist this agents configuration file to survive each server reboot. In addition, the agents modal (on the UI) has been updated to allow you to update/change any agent config from the browser, eliminating the need to work with the conf/agents.yml manually.
Objects
c_ability
- A new concept of variations has been included. This is outlined above.
c_fact
- An optional parameter "technique_id" can be used to associate a fact with a specific ATT&CK technique