Adversary Simulations Using Mitre Caldera and Wazuh EDR — Part I: Executing the Beacon Payload.

SOCFortress
Mar 21, 2022

Introduction

Mitre CALDERA, as a cybersecurity framework, can be used in several ways. For most users, it will be used to run either offensive (red) or defensive (blue) operations.

Agents are software programs that connect back to CALDERA at certain intervals to get instructions. Agents communicate with the CALDERA server via a contact method, initially defined at agent install.

Installed agents appear in the UI in the Agents dialog. Agents are identified by their unique paw — or paw print.

CALDERA includes a number of agent programs, each adding unique functionality. A few examples are listed below:

  • Sandcat (54ndc47): A GoLang agent which communicates through HTTP, Git, or P2P over SMB contacts
  • Manx: A GoLang agent which communicates via the TCP contact and functions as a reverse-shell
  • Ragdoll: A Python agent which communicates via the HTML contact

CALDERA is extended by plugins, each of which adds a specific piece of functionality (agents, abilities, contacts or UI features) to the core server.

Multiple plugins are included by default in CALDERA. A few noteworthy examples are below, though a more complete and detailed list can be found on the Plugin Library page:

  • Sandcat: The Sandcat agent is the recommended agent for new users
  • Stockpile: This plugin holds the majority of open-source abilities, adversaries, planners, and obfuscators created by the CALDERA team.
  • Training: The training plugin walks users through most of CALDERA’s functionality — recommended for new users.

Adversary Simulations — Tools

  • Mitre CALDERA
  • Wazuh EDR + Sysmon
  • Threat Intel: OpenCTI

Beacon Payload: “sandcat.go-windows.exe”

Simulation Part I: Executing the Payload.

Events and Alerts:

  1. Unsigned DLL Loaded.
  2. DLL File Hash Found in Threat Intel.
  3. DNS Query to C2 Server.
  4. Queried Hostname Found in Threat Intel.
  5. C2 Beacons: Network Connections to Uncommon Port.
  6. PowerShell Execution Policy Bypass.
Mitre Caldera — Sandcat Beacon Execution Events (figure)

  • Unsigned DLL Image Loaded (figures: DLL Image Loading — Map; Unsigned Images)
  • Threat Intel (OpenCTI) File Hash, DLL Image Loaded (figure)
  • DNS Query Names and IoC (Hostname) Found in Threat Intel (OpenCTI) (figures: DNS Query — C2 Server; Hostname Found in Threat Intel)
  • Beacon C2 Network Connection to Uncommon Port (figure: C2 Beacon)
  • PowerShell Execution Policy Bypass (figure: Execution Policy Bypass)
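The six events above can be written down as detection logic. What follows is an added example for this article, not code from the SOCFortress post, from Wazuh or from Caldera: it runs Sysmon-based rules over a handful of constructed events shaped like the JSON that Wazuh's Windows eventchannel decoder emits (the field names `win.system.eventID` and `win.eventdata.*` are an assumption about that shape), with an in-memory set standing in for the OpenCTI indicator lookup. The hostnames, hashes, IP addresses and the `sandcat.go-windows.exe` path in the sample events are constructed.

```python
"""Detections for the Sandcat beacon events listed above, run over constructed
Sysmon events in the JSON shape of Wazuh's Windows eventchannel decoder.
Added example: not code from the SOCFortress post, Wazuh or Caldera.
Assumptions: field names win.system.eventID / win.eventdata.* follow the Wazuh
decoder; the OpenCTI lookup is replaced by in-memory indicator sets."""
import re
from dataclasses import dataclass

# Constructed indicators standing in for an OpenCTI feed.
TI_SHA256 = {"7d1e" + "ab" * 30}          # 64 hex chars, constructed value
TI_HOSTNAMES = {"c2.caldera-lab.test"}    # constructed C2 hostname
COMMON_PORTS = {53, 80, 443, 445, 3389}   # anything else counts as "uncommon"
# -ExecutionPolicy Bypass and its abbreviations (-ex..., -ep), case-insensitive
EXEC_POLICY_BYPASS = re.compile(r"-(?:ex\w*|ep)\s+bypass", re.IGNORECASE)


@dataclass(frozen=True)
class Alert:
    rule: str
    image: str     # process that produced the event
    detail: str    # DLL path, hostname, ip:port or command line


def parse_hashes(field):
    """Sysmon 'Hashes' field 'SHA256=...,MD5=...' -> {'sha256': '...', ...}"""
    out = {}
    for part in field.split(","):
        if "=" in part:
            algo, value = part.split("=", 1)
            out[algo.strip().lower()] = value.strip().lower()
    return out


class BeaconDetector:
    """Stateful: a process that loaded an unsigned or TI-listed image is
    remembered, so its later DNS and network activity is labelled as C2."""

    def __init__(self):
        self.suspect_images = set()
        self.alerts = []

    def _alert(self, rule, image, detail):
        self.alerts.append(Alert(rule, image, detail))

    def process(self, event):
        """Apply the rules to one event; returns the alerts it raised."""
        before = len(self.alerts)
        eid = int(event["win"]["system"]["eventID"])
        d = event["win"]["eventdata"]
        image = d.get("image", "")
        if eid == 7:    # Image loaded (DLL)
            loaded = d.get("imageLoaded", "")
            if d.get("signed", "").lower() == "false":
                self.suspect_images.add(image)
                self._alert("unsigned_dll_loaded", image, loaded)
            if parse_hashes(d.get("hashes", "")).get("sha256") in TI_SHA256:
                self.suspect_images.add(image)
                self._alert("dll_hash_in_threat_intel", image, loaded)
        elif eid == 22:  # DNS query
            name = d.get("queryName", "").lower().rstrip(".")
            if image in self.suspect_images:
                self._alert("dns_query_to_c2", image, name)
            if name in TI_HOSTNAMES:
                self._alert("hostname_in_threat_intel", image, name)
        elif eid == 3:   # Network connection
            port = int(d.get("destinationPort", 0))
            if image in self.suspect_images and port not in COMMON_PORTS:
                self._alert("c2_beacon_uncommon_port", image,
                            f"{d.get('destinationIp', '')}:{port}")
        elif eid == 1:   # Process creation
            cmd = d.get("commandLine", "")
            if "powershell" in image.lower() and EXEC_POLICY_BYPASS.search(cmd):
                self._alert("powershell_execution_policy_bypass", image, cmd)
        return self.alerts[before:]


def sysmon(eid, **data):
    """Build one event in the assumed Wazuh eventchannel JSON shape."""
    return {"win": {"system": {"eventID": str(eid)}, "eventdata": data}}


BEACON = r"C:\Users\Public\sandcat.go-windows.exe"
SAMPLE_EVENTS = [  # constructed, in the order a Sandcat launch would produce them
    sysmon(1, image=r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
           commandLine="powershell.exe -ExecutionPolicy Bypass -File deploy.ps1"),
    sysmon(7, image=BEACON, imageLoaded=r"C:\Users\Public\beacon.dll",
           signed="false", signature="", hashes="SHA256=" + "7D1E" + "AB" * 30),
    sysmon(22, image=BEACON, queryName="c2.caldera-lab.test"),
    sysmon(3, image=BEACON, destinationIp="192.0.2.10", destinationPort="8888"),
    sysmon(3, image=r"C:\Windows\System32\svchost.exe",   # benign control event
           destinationIp="192.0.2.20", destinationPort="443"),
]


def run(events=SAMPLE_EVENTS):
    det = BeaconDetector()
    for e in events:
        det.process(e)
    return det.alerts


if __name__ == "__main__":
    for a in run():
        print(f"{a.rule:36} {a.image}  {a.detail}")
```

The stateful part is the point: a DNS query or outbound connection is only labelled C2 once the originating image has already been flagged for loading an unsigned or TI-listed DLL, which in Wazuh is done by chaining rules across events rather than in Python; an unsigned DLL load on its own is far too common to page on. The port check is deliberately crude: Caldera's default listener on 8888 stands out, a real operator's beacon on 443 would not, so the hash and hostname matches against threat intel are the signals to trust.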

Need Help?

The functionality discussed in this post, and so much more, are available via the SOCFortress platform. Let SOCFortress help you and your team keep your infrastructure secure.

Website: https://www.socfortress.co/

Platform Demo: https://www.socfortress.co/demo_access.html

Written by SOCFortress, a SaaS company that unifies Observability, Security Monitoring, Threat Intelligence and Security Orchestration, Automation, and Response (SOAR).