Caldera

  • Jack Pennington
  • Aug 6, 2023
  • 5 min read

Updated: Feb 25, 2024


The posts on my blog can be viewed as a portfolio of sorts, detailing my work with a variety of tools, and as a reference point for myself to return to and keep track of the technology I have used throughout my career.


Caldera is a cyber security tool that mimics the behaviour of a command-and-control (C2) server post-exploitation. It simulates the situation where a connection from inside your network is already calling outbound to Caldera over the common HTTP or HTTPS ports. Throughout this post I will provide an overview of all the steps needed to set up and configure Caldera using the same deployment plan I used, including the operating system and hosting provider. Once that has been detailed, I will include the HAProxy configuration that allows Caldera to be served using HTTPS over 443. Then, using the Windows Sandbox on my laptop, I will install the Caldera agent and show the usage of the Atomic Red Team plugin to generate attack activity; this activity will be shown using basic detection methods such as Sysmon and the Windows Event Logs. From the Sysmon and Windows Event Log detections I will detail some methods to detect this activity in the different SIEM platforms I have become accustomed to using. I might even return to this post once I have set up the open source SIEM platform Wazuh to detail how to ingest these logs and create rule levels to detect the generated activity.


For this project I used the European hosting platform Hetzner, which allows you to view the live desktop once the server is installed. This is needed when configuring Caldera, because the interface is initially only served on localhost; once configured, the login interface can then be served to the Internet. Hetzner is also quite cheap for installing and setting up small instance servers, with the ability to create private and public IP address space, and firewalls are very easy to configure.


Caldera can be installed by following https://caldera.readthedocs.io/en/stable/Installing-CALDERA.html. The only issue I found with this install was that Hetzner seems to deploy all hosts with default installs of the available applications. Because of this, I had to completely remove the Python versions prior to Python 3: even with, for example, Python 2.7 installed, Caldera seemed to pick up these installs when attempting to start the interface. Once installed, Caldera has a variety of running options and parameters. The Caldera configuration file is located at conf/local.yaml and the default at conf/default.yaml. The difference is that the default configuration has the generic default login username and password; this default configuration can be run using the parameters python3 server.py --insecure, whereas the local configuration allows you to run Caldera with more customisation, with your own usernames and unique passwords, and is run using python3 server.py.


Because Caldera is served using Python's built-in server capabilities, it is not a genuine webserver, meaning that we need to install some plugins so that Caldera gains this functionality. The SSL setup is documented at https://caldera.readthedocs.io/en/latest/Plugin-library.html#ssl. Once HAProxy has been installed you will need to configure haproxy.conf to point at your Caldera server and deliver the interface over HTTPS; this configuration also requires pointing to an SSL PEM file. When I set up and installed Caldera myself, I purchased a lab testing domain with a legitimate SSL certificate from a trusted authority. To do this I used openssl to create the CSR; once you have the full certificate chain you may need to convert one certificate to .pem format with openssl. Once this has been completed, a word of advice when editing conf/certificate.pem: the install article says to change the certificate name to certificate.pem rather than insecure_certificate.pem. I would recommend avoiding this change and instead renaming your new certificate insecure_certificate.pem. My rationale for keeping this configuration is that when you attempt to run Caldera with "insecure_certificate.pem" missing it throws a very large error and does not launch the console.


Image 3 shows that the Caldera haproxy.conf requires defining the frontend and backend configuration. My Caldera instance has its HAProxy configuration defined in the directory /plugins/ssl/templates within the file haproxy.conf; my frontend is bound to SSL on port 8443, points to my SSL certificate named insecure_certificate.pem, and forwards to the backend hostname Caldera.


Image 4 shows that Caldera is now being used over HTTPS, and this is also evident when selecting an agent to deploy: downloading the Sandcat agent pulls the script from the DNS name bound to the Caldera server.

Deploying the agent allows you to select the operating system for the Sandcat agent, and this Caldera menu shows the app contact HTTPS callback to a higher port number. This setting also allows you to change the implanted agent's process name; the default appears to be splunkd.exe, and for my setup it was left as default. The agent is embedded in the PowerShell script that is downloaded to the remote machine, and the agent starts once an outbound call is made to the Caldera server to download the agent. To do this successfully, all endpoint protection was removed from the Sandbox and Windows Defender was disabled.


Screenshot 12 provides evidence that the agent is alive and trusted on the Sandbox. From this point I navigated over to Operations and created a new operation named BlogPost. From the Adversary menu you can select a variety of operations, such as agent enumeration and other Atomic Red Team operations. I selected an enumeration operation, which runs automatically, to examine Caldera's outputs; these outputs can be viewed in screenshots 20 to 21. To test the agent, I selected the manual command option and sent the Sandbox the cmd command "whoami" to examine the results, and the output was returned.


To enable advanced logging on the Sandbox I downloaded Sysmon and installed it using the experimental verbose configuration created by Olaf Hartong, which can be downloaded from GitHub. Once Sysmon was installed, I navigated to the event logs to examine the Sysmon logs and confirm they do indeed exist. To demonstrate Atomic Red Team operations I selected techniques to download malware via drive-by downloads and even just a generic event that attempts to stop malware spreading.


The operation selected was Curl Download; in my opinion curl is quite a prolific application for malicious use. The Sysmon event log shows that when this operation fires, we immediately see the Sysmon rule for Network connection detected. The log details show the process the rule fired against, in this case splunkd.exe, with the Caldera server's public IP address visible. Other Sysmon events show the DNS query rule firing for the application curl.exe, with the query going to github.com to download files.
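As an added example (not code from the original post or from Caldera), here is detection logic for the two Sysmon signals just described, run over constructed sample events: an Event ID 3 network connection from the splunkd.exe-named agent to the Caldera server's public address, and an Event ID 22 DNS query from curl.exe for github.com. The internal address ranges, the Splunk install path, the sample IP 203.0.113.10 and the sandbox file paths are assumptions.

```python
# Detection checks for the two Sysmon signals described above (added example).
import ipaddress
from pathlib import PureWindowsPath
# Assumed lab address ranges; anything outside them is treated as external.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
# Assumed install directory of a genuine Splunk forwarder's splunkd.exe.
SPLUNK_BIN = PureWindowsPath(r"C:\Program Files\SplunkUniversalForwarder\bin")

# Constructed sample events (Sysmon EventData fields), not real telemetry.
SAMPLE_EVENTS = [
    {"EventID": 3, "Image": r"C:\Users\WDAGUtilityAccount\Downloads\splunkd.exe",
     "DestinationIp": "203.0.113.10", "DestinationPort": 8443, "Initiated": "true"},
    {"EventID": 3, "Image": r"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe",
     "DestinationIp": "10.0.0.5", "DestinationPort": 9997, "Initiated": "true"},
    {"EventID": 22, "Image": r"C:\Windows\System32\curl.exe", "QueryName": "github.com"},
    {"EventID": 22, "Image": r"C:\Windows\System32\svchost.exe", "QueryName": "update.microsoft.com"},
]

def is_external(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return not any(addr in net for net in INTERNAL_NETS)

def rule_masquerading_agent(ev: dict):
    """EID 3: outbound connection from a splunkd.exe that is not running from
    the Splunk install directory and is talking to an external address."""
    if ev.get("EventID") != 3 or ev.get("Initiated") != "true":
        return None
    img = PureWindowsPath(ev["Image"])
    if img.name.lower() == "splunkd.exe" and img.parent != SPLUNK_BIN and is_external(ev["DestinationIp"]):
        return f"{img} -> {ev['DestinationIp']}:{ev['DestinationPort']}"
    return None

def rule_curl_download(ev: dict):
    """EID 22: curl.exe resolving github.com (the Atomic 'Curl Download' test)."""
    if ev.get("EventID") != 22:
        return None
    qn = ev.get("QueryName", "").lower()
    if PureWindowsPath(ev["Image"]).name.lower() == "curl.exe" and (qn == "github.com" or qn.endswith(".github.com")):
        return f"curl.exe DNS query for {qn}"
    return None
RULES = (rule_masquerading_agent, rule_curl_download)

def detect(events):
    """Return (rule name, detail) for every event that matches a rule."""
    return [(r.__name__, m) for ev in events for r in RULES if (m := r(ev))]

if __name__ == "__main__":
    for name, detail in detect(SAMPLE_EVENTS):
        print(f"[{name}] {detail}")
```

The genuine forwarder in the second event and the svchost.exe lookup in the fourth are the benign cases the rules must stay quiet on, which is where the SIEM tuning mentioned later comes in.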


To summarise the above Caldera activity, this write-up has shown Caldera to be a vital tool for pursuing red teaming activities, and doing this within your organisation is very important. It allows malicious activity to be simulated so that rules can be created within the primary SIEM platform to detect that activity when it occurs; it also gives an opportunity to tune the alarms when they fire for legitimate activity.