Adversary Simulations Using Mitre Caldera and Wazuh EDR — Part I: Executing the Beacon Payload.

Introduction

Mitre CALDERA, as a cybersecurity framework, can be used in several ways. For most users, it will be used to run either offensive (red) or defensive (blue) operations.

  • Manx: A GoLang agent which communicates via the TCP contact and functions as a reverse shell
  • Ragdoll: A Python agent which communicates via the HTML contact
  • Stockpile: This plugin holds the majority of open-source abilities, adversaries, planners, and obfuscators created by the CALDERA team.
  • Training: The training plugin walks users through most of CALDERA’s functionality — recommended for new users.

Adversary Simulations — Tools

  • Mitre CALDERA
  • Wazuh EDR + Sysmon (see here)
  • Threat Intel: OpenCTI

Simulation Part I: Executing the Payload.

Events and Alerts:

  1. DLL File Hash Found in Threat Intel.
  2. DNS Query to C2 Server.
  3. Queried Hostname Found in Threat Intel.
  4. C2 Beacons: Network Connections to Uncommon Port.
  5. PowerShell Execution Policy Bypass.
Figure captions (screenshots in the original post):

  • Mitre Caldera — Sandcat Beacon Execution Events
  • DLL Image Loading — Map
  • Unsigned Images
  • DNS Query — C2 Server
  • Hostname Found in Threat Intel
  • C2 Beacon
  • Execution Policy Bypass
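As an added example, not code from the original post or from SOCFortress, the following Python replays Sysmon events in the layout Wazuh forwards them (assumed field names `data.win.system.eventID` and `data.win.eventdata.*`) and raises the alert chain listed above, correlating the DLL hash match with the later DNS query and beacon connection from the same process. The threat-intel set stands in for an OpenCTI lookup and the events at the bottom are constructed, not captured logs.

```python
import re

TI_SHA256 = {"0" * 64}                    # constructed placeholder DLL hash
TI_HOSTNAMES = {"c2.example.invalid"}     # constructed placeholder C2 hostname
COMMON_PORTS = {53, 80, 443, 445, 3389}   # any other destination port is "uncommon"
EP_BYPASS = re.compile(r"-(?:ep|exec(?:utionpolicy)?)\s+bypass", re.I)

def parse_hashes(field):
    """Sysmon writes 'SHA1=..,MD5=..,SHA256=..,IMPHASH=..'; return {algo: value}."""
    return dict(p.split("=", 1) for p in field.split(",") if "=" in p)

def evaluate(events):
    """Replay events in order; return [(alert name, process image)] as they fire."""
    suspect, alerts = set(), []          # processes already tied to an indicator
    for ev in events:
        eid = ev["data"]["win"]["system"]["eventID"]     # assumed Wazuh field layout
        d = ev["data"]["win"]["eventdata"]
        image = d.get("image", "")
        if eid == "7":                   # Image loaded: hash and signature of the DLL
            sha256 = parse_hashes(d.get("hashes", "")).get("SHA256", "").lower()
            if sha256 in TI_SHA256:
                alerts.append(("DLL File Hash Found in Threat Intel", image))
                suspect.add(image)
            if d.get("signed", "").lower() == "false":
                alerts.append(("Unsigned Image Loaded", image))
        elif eid == "22":                # DNS query
            if image in suspect:
                alerts.append(("DNS Query to C2 Server", image))
            if d.get("queryName", "").lower() in TI_HOSTNAMES:
                alerts.append(("Queried Hostname Found in Threat Intel", image))
                suspect.add(image)
        elif eid == "3":                 # Network connection
            if image in suspect and int(d.get("destinationPort", 0)) not in COMMON_PORTS:
                alerts.append(("C2 Beacon: Network Connection to Uncommon Port", image))
        elif eid == "1" and EP_BYPASS.search(d.get("commandLine", "")):  # Process create
            alerts.append(("PowerShell Execution Policy Bypass", image))
    return alerts

def sysmon(eid, **eventdata):
    """Build a minimal event in Wazuh's Sysmon layout (constructed sample)."""
    return {"data": {"win": {"system": {"eventID": str(eid)}, "eventdata": eventdata}}}

SAMPLE = [  # constructed sequence approximating the beacon start-up shown on the page
    sysmon(1, image=r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
           commandLine="powershell -ExecutionPolicy Bypass -File agent.ps1"),
    sysmon(7, image=r"C:\Users\lab\agent.exe", imageLoaded=r"C:\Users\lab\payload.dll",
           signed="false", hashes="SHA1=" + "1" * 40 + ",SHA256=" + "0" * 64),
    sysmon(22, image=r"C:\Users\lab\agent.exe", queryName="c2.example.invalid"),
    sysmon(3, image=r"C:\Users\lab\agent.exe", destinationPort="8888"),
]
```

Running `evaluate(SAMPLE)` yields the five numbered alerts plus the unsigned-image one, in the order the events arrive; a connection to an uncommon port from a process with no prior indicator match raises nothing on its own.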

SOCFortress is a SaaS company that unifies Observability, Security Monitoring, Threat Intelligence and Security Orchestration, Automation, and Response (SOAR).
