
Releases: mitre/caldera

v5.0.0 "Magma"

14 Feb 14:55
9ceb72d

What's Changed

Backwards-Breaking Changes

  • Completely refactored UI/UX VueJS front end. #2874
  • Installation/run commands changed! The first time you run Caldera, you must add the --build flag in order to build the VueJS UI. If you restart the server afterwards, the --build flag is not needed.
  • Dropped support for Python 3.7. #2795

UI

  • Summary dashboard landing page with tiles for agents, operations, adversaries, abilities, and server address. #2874
  • New network and table Operation view. #2874
  • Agent hosts displayed on network view with OS platform icon. #2874
  • Agents are denoted by colored rings around the hosts they are beaconing from; multiple agents are marked by multiple rings, and each ring's color denotes that agent's status. #2874
  • Agents with elevated user execution privileges on their host are denoted by red tinted host OS platform icon. #2874
  • Agent side panel (in network view) that shows key agent/host information. Activated when Agent/host node clicked. #2874
  • Agent actions shortcut on agent side panel. #2874
  • Operation action table. #2874
  • Ability commands now have code syntax highlighting. #2776
  • Fact sources can now be downloaded from Fact Sources view. #2874
  • Added option to rename facts #2811

Plugins

Bug Fixes

  • Fixed encryption key mismatch for backups when booting Caldera locally and then with Docker. #2780
  • Removed the operation visibility slider, as it had no effect on the underlying operation. #2806
  • HMAC digest comparison in authorization service is now more resistant to timing attacks. #2823
  • Added manually skipped Abilities to Operation report. #2822
  • Fixed bug selecting the wrong executor for potential links. #2843
  • Moved donut-shellcode python package dependency to Stockpile plugin. Dependency was moved as donut-shellcode package cannot (at this time) be installed on MacOS ARM chip architectures and caused install issues for Caldera core. #2874
  • Fixed Ragdoll agent's timestamp format (thanks to @LwsChlds). mitre/stockpile#571
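The HMAC fix above is worth seeing in code. The following is an added illustration, not Caldera's own authorization service: a constructed shared key and request body, the pre-fix pattern (comparing digests with `==`), a small reference model that makes the early-exit behaviour of that pattern visible as a step count, and the hardened form using `hmac.compare_digest`. The function and constant names are assumptions chosen for the example.

```python
import hashlib
import hmac

# Constructed demonstration key; a real deployment loads its secret from
# configuration, never from source.
SECRET_KEY = b"constructed-demo-secret"


def sign(body: bytes, key: bytes = SECRET_KEY) -> str:
    """Hex HMAC-SHA256 tag a client attaches to a request body."""
    return hmac.new(key, body, hashlib.sha256).hexdigest()


def leaky_equal(a: str, b: str) -> tuple:
    """Reference model of an early-exit comparison, which is how '==' behaves.

    Returns (equal, steps): steps counts the characters examined before a
    verdict, so it grows with the length of the matching prefix. That
    dependence is the timing side channel; this function only makes it
    visible and is not a comparison to use in real code.
    """
    if len(a) != len(b):
        return False, 0
    steps = 0
    for x, y in zip(a, b):
        steps += 1
        if x != y:
            return False, steps
    return True, steps


def verify_naive(body: bytes, presented: str, key: bytes = SECRET_KEY) -> bool:
    """The pre-fix pattern: compare expected and presented digests with '=='."""
    return sign(body, key) == presented


def verify_constant_time(body: bytes, presented: str, key: bytes = SECRET_KEY) -> bool:
    """Hardened form: hmac.compare_digest takes the same time regardless of
    which character differs. Both sides are passed as bytes so a non-ASCII
    string supplied by the client cannot raise TypeError inside the check."""
    expected = sign(body, key).encode("utf-8")
    return hmac.compare_digest(expected, presented.encode("utf-8"))


if __name__ == "__main__":
    body = b'{"operation": "start"}'
    tag = sign(body)
    print(verify_constant_time(body, tag), verify_constant_time(body + b"x", tag))
```

`compare_digest` still returns immediately when the two inputs differ in length, which is why the comparison is done on the server-computed digest and the presented value as encoded bytes rather than on anything an attacker can shape to a different length in a meaningful way; the lengths of hex digests are fixed by the hash, so a wrong-length presentation is simply rejected.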

Other

  • Improved checking of reasons why abilities are skipped in operations. #2623

New Contributors

Full Changelog: 4.2.0...5.0.0

4.2.0

19 Jun 21:28
bcaac29

What's Changed

Backwards-Breaking Changes

  • Link results now return stdout and stderr separately, as a dictionary. Any non-CALDERA users of APIs/reports or any custom plugins may be affected. #2662
  • Moved Atomic planner into Caldera main repo from stockpile. #2768

Plugins

  • The mock plugin will no longer be officially supported.

Bug Fixes

  • Fixed bug with the /operations API endpoint. #2691
  • Fixed bug where newline was missing at the end of operation logs. #2693
  • Fixed bug causing LDAP integration to fail. #2718
  • Fixed bug with fact sources not being removed correctly. #2732
  • Fixed bug causing Metasploit integration to fail.

UI

  • Fixed bug where plaintext command was not displayed correctly in the UI. #2668
  • Fixed bug freezing UI when deleting an operation. #2671
  • Adversary profile page now displays the Adversary ID for the selected adversary. #2672
  • Tabs are now pinned to the top of the page. #2695
  • Fixed bug preventing manually approving links in UI. #2729
  • Made moving abilities on the adversary page clearer. #2770

Planners

  • (New!) Naive Bayes planner: selects next action based on highest probability of success, as determined from historical operation report data.
  • (New!) Universal and Existential requirements: can check facts against the entire knowledge base instead of only using facts used by the command.

Other

  • Link commands are now unencoded by default, but are still sent encoded if any obfuscation is used for an operation. #2698
  • Added several event types to the eventing system: agent/added, fact/added, fact/updated, system/ready. #2692
  • Sandcat agents now include the "exit_code" field in results. #2713
  • Sandcat agents now close out their sessions properly, preventing large sessions potentially showing up in logs.

New Contributors

Full Changelog: 4.1.0...4.2.0

4.1.0

19 Sep 20:20
a1f6a91

What's Changed

Bug Patches

  • Fixed "Save + Add" button on "Add Ability" modal in adversaries page so it doesn't result in an error. #2637
  • Fixed a first-time startup error in the Atomic plugin resulting from a loop when parsing atomic abilities. #2657
  • Fixed a bug in the Training plugin preventing the first manx flag from completing. #2638
  • Fixed "(unexpected keyword argument 'loop')" error from the start_server call. #2625

Security Fixes

  • Patched an XSS bug found in the Operations tab and Debrief plugin that took advantage of unsanitized input in an operation's name field. #2644
    • Disclosure reports coming soon, stay tuned
    • Credit to Jayson Grace from Meta's Purple Team for discovering this vulnerability

Operations Page

  • Added "Operations Detail" modal on operation page that shows how the operation was configured at its start. #2558
  • Tidied up row of buttons so they align better. #2615

Adversaries

(New!) "Everything Bagel" adversary: A collection of all CALDERA abilities ordered by ATT&CK tactic. Particularly useful when using the new advanced planners (see below) and you want all abilities at the planner's disposal.

(In progress) Added a missing ability to the "Worm" Adversary in the Stockpile plugin.

Planners

  • (New!) Look-Ahead Planner: A CALDERA planner that decides which abilities to execute based on expected future reward.
  • (New!) Guided Planner: A CALDERA planner which makes use of "distance to goals" in a dependency graph to select the optimal next action.

New Contributors

Full Changelog: 4.0.0...4.1.0

4.0.0

14 Jun 15:14
4fe71ac

What's Changed

All New User Interface

  • Brand new look and feel across the entire platform.
  • AlpineJS has replaced JQuery as our front-end framework.
  • Bulma is our CSS framework of choice, which makes styling our templates a breeze.
  • Core pages like operations, adversaries, and agents have been completely revamped to make them more powerful, insightful, and robust.

Operations Page

  • Made more use of screen real estate.
  • Adding a potential link now gives you the ability to edit the command before it's added.
  • You can select fact values for all fact templates in a potential link, either ones from a fact source or ones collected from the operation.

Training Plugin

  • UI has been refreshed to match the new UI in core CALDERA.
  • Gameboard badge has been removed.
  • Solution guides have been updated to reflect the changes in the new interface.

Sandcat

  • Can update executors mid-operation
  • New "proc" executor that directly spawns desired processes
  • New "native" executor that performs various TTPs through pure Golang.
  • Now provides command output for timed-out links
  • New C2 channels and capabilities: SSH tunneling, FTP, Slack

Other

  • REST API v2 with associated API Swagger Docs
  • New open-source abilities and adversary profiles, including new collection and exfiltration capabilities.
  • Timestamps in sandcat are now UTC instead of local time
  • Automatic deletion of payloads is now optional
  • Better storage of exfiltrated files to prevent overwriting
  • More back end tests have been added
  • General bug squashing and improvements

v5.0

We've begun working on v5 and are excited to bring capabilities not currently seen in automated cyber operation platforms.

New Contributors

Full Changelog: 3.1.0...4.0.0

4.0.0 Beta

31 Jan 23:17
261cb55

What's Changed

Operations Page

  • Made more use of screen space at top of page
  • Adding a potential link now gives you the ability to edit the command before it's added
  • You can select fact values for all fact templates in a potential link, either ones from a fact source or ones collected from the operation.

Training Plugin

  • UI has been refreshed to match the new UI in core CALDERA
  • Gameboard badge has been removed
  • New users should be able to complete User certificate in its entirety without issue

Other

  • API Docs are better documented
  • Timestamps in sandcat are now UTC instead of local time
  • More back end tests have been added
  • General bug squashing and improvements

Full Changelog: 3.1.0...4.0.0-beta

Contributors (since last release)

@ArtificialErmine, @clenk, @argaudreau, @iguannalin, @heatonk, @bleepbop, @mchan143, @christophert, @yee-jonathan, @blackwidow0616, @djlawren, @ddavila54, @CDJellen, @wbooth, @bernsteinj, @emmanvg, @cyber-arsenull, @uruwhy, @elegantmoose, @damionmounts, @zacharylc-mitre, @cmagone, @alexanderkent, ... and more!

New Contributors

Thank you to all of the MANY builders of CALDERA, both in and out of GitHub! 🚀

4.0.0 Alpha2

02 Dec 18:16
b8b033d
Pre-release

Bugfixes and enhancements to the 4.0.0-alpha release

What's Changed

New Contributors

Thank you to the MANY builders of CALDERA on and off Github!

Full Changelog: 3.1.0...4.0.0-alpha2

4.0.0 Alpha

06 Oct 17:21
d742b2b
Pre-release

** Plugin UIs are still being updated, so this will remain a pre-release until they are done.

New UI

We are re-imagining the way end users interact with CALDERA. This includes large updates to the UI.
Included is a new abilities screen to easily manage your extensive library.

API v2

Calling all builders! For all those who build on the CALDERA platform we have a whole new API with full documentation. Currently the docs are available once you start up the server; look for the "api docs" link at the bottom of the navigation menu.

C2 Channels

We've introduced some new C2 channels, including:

  • Slack
  • SSH tunneling
  • FTP

Agent Updates

  • Sandcat agent support for new C2 channels (Slack, FTP, SSH tunneling)
  • New “proc” executor for Sandcat that will directly spawn processes using a provided executable path and arguments, rather than calling via PowerShell, sh, or cmd.
  • Sandcat agents can remove executors or update executor binary paths
  • Manx agents can properly run commands of longer durations.

Knowledge Service

New service created to better manage facts and information during an operation or when performing analysis

File upload/download encoding

Supports basic file encoding (plaintext and base64) for payload downloads and file uploads. To encode a downloaded payload or uploaded file, set the "x-file-encoding" HTTP header accordingly when making the download/upload request. Available data encoders are defined as Python modules in app/data_encoders. Currently supported encoders are "plain-text" and "base64".
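As an added example of the header-driven encoder selection described above (this is illustrative code, not the project's app/data_encoders modules, whose actual class interface is not shown on this page): a small encoder registry keyed by the names the release note lists, a selector that reads `x-file-encoding` case-insensitively, falls back to plain text when the header is absent, and refuses unknown names, and a base64 decoder that rejects malformed input instead of silently dropping bad bytes. Class and function names are assumptions made for the example.

```python
import base64
from abc import ABC, abstractmethod

ENCODING_HEADER = "x-file-encoding"
DEFAULT_ENCODING = "plain-text"


class DataEncoder(ABC):
    """Shape assumed for an encoder: a name plus symmetric encode/decode."""

    name = ""

    @abstractmethod
    def encode(self, data: bytes) -> bytes:
        """Transform raw file bytes into the wire representation."""

    @abstractmethod
    def decode(self, data: bytes) -> bytes:
        """Recover raw file bytes from the wire representation."""


class PlainTextEncoder(DataEncoder):
    name = "plain-text"

    def encode(self, data: bytes) -> bytes:
        return data

    def decode(self, data: bytes) -> bytes:
        return data


class Base64Encoder(DataEncoder):
    name = "base64"

    def encode(self, data: bytes) -> bytes:
        return base64.b64encode(data)

    def decode(self, data: bytes) -> bytes:
        # validate=True rejects bytes outside the base64 alphabet instead of
        # silently discarding them, so a malformed upload fails loudly.
        return base64.b64decode(data, validate=True)


ENCODERS = {enc.name: enc for enc in (PlainTextEncoder(), Base64Encoder())}


def select_encoder(headers: dict) -> DataEncoder:
    """Pick the encoder named by x-file-encoding (header names are
    case-insensitive), fall back to plain-text when the header is absent,
    and refuse names with no registered encoder."""
    wanted = DEFAULT_ENCODING
    for name, value in headers.items():
        if name.lower() == ENCODING_HEADER:
            wanted = value.strip().lower()
    encoder = ENCODERS.get(wanted)
    if encoder is None:
        raise ValueError(f"unsupported {ENCODING_HEADER}: {wanted!r}")
    return encoder


def encode_payload_for_download(payload: bytes, headers: dict) -> bytes:
    """Server side of a payload download: encode as the request asked."""
    return select_encoder(headers).encode(payload)


def decode_uploaded_file(body: bytes, headers: dict) -> bytes:
    """Server side of a file upload: decode the body as the request declared.
    base64 errors surface as ValueError (binascii.Error subclasses it)."""
    return select_encoder(headers).decode(body)


if __name__ == "__main__":
    # Constructed sample file contents for the demonstration.
    sample = b"constructed file contents\x00\xff"
    wire = encode_payload_for_download(sample, {"X-File-Encoding": "base64"})
    print(wire, decode_uploaded_file(wire, {"x-file-encoding": "base64"}) == sample)
```

Treating an unrecognised encoding name as an error rather than a pass-through matters on the upload side: a body declared as one encoding but stored as another is how binary payloads end up corrupted or logged in a form that later tooling misreads.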

Auth service

Added support for custom login handlers, as well as a new SAML authentication plugin.

Other Changes

  • Dropped python 3.6 support and now testing for 3.7, 3.8, and 3.9
  • We now support all browsers; Google Chrome is no longer the only supported browser.

New CALDERA Contributors

Thank you to the MANY builders of CALDERA on and off Github!

Full Changelog: 3.1.0...4.0.0-alpha

3.1.0

13 Apr 12:21
1c8abd3

Overview

Improvements to the training plugin, C2 Channels, and some core feature improvements

Core Features

  • #2101 Server --fresh argument now backs up data to data/backups before deleting data files.
  • #2037 IP rule matching fix
  • #2032 New DNS contact
  • #2045 new operation log reporting style (events)
  • #2055 fixed issue with deletion of sessions during refresh
  • #2056 Sandcat agents now display all IP addresses associated with the host they are running on
  • #2060 Files exfiltrated by abilities can now be downloaded through the UI
  • #2088 new capability to automatically generate event logs on operation completion

New C2 Channel

Plugin Updates

Training

  • A solution guide has been provided to ensure that learning CALDERA is even easier.

Sandcat

  • Fixed bug with agents not sleeping after receiving commands, leading to extraneous C2 traffic

Stockpile

  • Fixed base64 jumble and b64 no padding obfuscators

Debrief

  • Fixed various bugs with the display (missing links, text overflowing)

3.0.0

17 Feb 15:37
0cbac0c

Overview

Big improvements to usability, a new plugin called Emu that imports adversary emulation plans from CTID, P2P agent communication, lateral movement tracking, and more!

Plugin Updates

NEW PLUGIN: Emu

This plugin imports adversary emulation plans from the Center for Threat Informed Defense

Learn more about the supported emulation plans here:
https://github.com/center-for-threat-informed-defense/adversary_emulation_library

Debrief

Debrief is now tracking lateral movement through the new attack path graph in addition to some changes made to sandcat and core!

Learn more about the feature here:
https://caldera.readthedocs.io/en/latest/Lateral-Movement-Guide.html#displaying-lateral-movement-in-debrief

Builder

Allow for dynamic compilation of C#, C, C++, and Go binaries. Code will be built in Docker containers, requiring additional setup when CALDERA starts, but reducing dependencies on the server. Both C# and Go binaries can be built with libraries/modules.

New Features

Peer-to-Peer Communication

Peer-to-peer functionality allows agents within internal networks to chain together to enable beaconing and communications where a direct connection is not possible. The implementation in sandcat allows for varied channels of communication as well, so that an agent can be configured for the environment it is being deployed in. Also present in CALDERA is functionality for discovery of peers, so that an agent can be deployed from a generic binary and discover whether any peers are available to connect out through if a direct connection to the C2 server is not possible. The CALDERA server will display the proxy chain and protocols used to facilitate the communications on the agents page.

Lateral Movement Tracking

Adds the capability for CALDERA to track lateral movement via the originLinkID, which is passed in as an optional command line argument when executing an agent.

Learn more about the feature here:
https://caldera.readthedocs.io/en/latest/Lateral-Movement-Guide.html#displaying-lateral-movement-in-debrief

Manual Links

Allow users to run arbitrary commands on agents. Previously, only commands in abilities could be run. Add manual links from the operation screen.

Uploads

Similar to payload downloads in abilities, you can now specify file uploads in an ability YAML file. Supporting agents will upload the specified file(s) after completing an ability. File paths can be local or absolute.
Before, file uploads and exfiltration were performed using hardcoded commands (curl, PowerShell WebClient, etc.) that required an HTTP(S) connection to the C2. In cases where the agent is using peer-to-peer and cannot directly access the server, the old file upload commands wouldn't work as intended. By adding the upload capability as a separate ability and instruction component, supporting agents will use their contact method's built-in upload functionality to send file bytes upstream, whether directly to the C2 server or to another agent proxy peer that will forward the bytes on their behalf.

Deadman Abilities

Users can now specify deadman abilities in the agents.yml config or via the agent GUI modal to have supporting agents run them prior to termination. Whereas all agents will receive bootstrap abilities for immediate execution upon their first successful beacon, the CALDERA server will only send deadman abilities to agents who have indicated through their beacons that they support deadman abilities. An example use case for this functionality is to specify an ability that will remove the agent executable once the agent terminates, or other defense evasion abilities like clearing logs.

Other Updates

  • Many various bugfixes and usability improvements

2.9.0

21 Aug 16:54
b874da9

Overview

  • Greatly improved documentation
  • Bug fixes and user experience enhancements
  • Improved the use of SSL certs
  • Updated Debrief to allow for customized reporting