Releases: mitre/caldera
v5.0.0 "Magma"
What's Changed
Backwards-Breaking Changes
- Completely refactored UI/UX VueJS front end. #2874
- Installation/run commands changed! The first time you run Caldera, you must add the --build flag in order to build the VueJS UI. If you restart the server afterwards, the --build flag is not needed.
- Dropped support for Python 3.7. #2795
UI
- Summary dashboard landing page with tiles for agents, operations, adversaries, abilities, and server address. #2874
- New network and table Operation view. #2874
- Agent hosts displayed on network view with OS platform icon. #2874
- Agents are denoted by colored rings around hosts they are beaconing from, with multiple agents marked by multiple rings, and the colors denoting the status of agent. #2874
- Agents with elevated user execution privileges on their host are denoted by red tinted host OS platform icon. #2874
- Agent side panel (in network view) that shows key agent/host information. Activated when Agent/host node clicked. #2874
- Agent actions shortcut on agent side panel. #2874
- Operation action table. #2874
- Ability commands now have code syntax highlighting. #2776
- Fact sources can now be downloaded from Fact Sources view. #2874
- Added option to rename facts #2811
Plugins
- (Bug Fix) Manx Plugin: Fixed JSON decoding error with a short sleep to avoid timing issues.
- (Bug Fix) Debrief Plugin: Fixed bugs generating empty PDFs. mitre/debrief#67
- (New) Emu Plugin: New Turla adversary emulation plan (Caldera Adversary profile) from MITRE ATT&CK Evals. https://github.com/center-for-threat-informed-defense/adversary_emulation_library/tree/master/turla
- (New) Sandcat Plugin: Allow architecture headers to be supplied to Sandcat agent. This allows Darwin ARM64 platforms to be compiled. mitre/sandcat#435
- Builder Plugin: Moved docker-py dependency from core to the Builder plugin as it is optional.
Bug Fixes
- Fixed encryption key mismatch for backups when booting Caldera locally and then with Docker. #2780
- Removed operation visibility slider as had no effect on underlying operation. #2806
- HMAC digest comparison in authorization service is now more resistant to timing attacks. #2823
- Added manually skipped Abilities to Operation report. #2822
- Fixed bug selecting the wrong executor for potential links. #2843
- Moved donut-shellcode Python package dependency to Stockpile plugin. The dependency was moved as the donut-shellcode package cannot (at this time) be installed on macOS ARM chip architectures and caused install issues for Caldera core. #2874
- Fixed Ragdoll agent's timestamp format (thanks to @LwsChlds). mitre/stockpile#571
Other
- Improved checking of reasons why abilities are skipped in operations. #2623
New Contributors
- @noperse made their first contribution in #2802
- @d3vco made their first contribution in #2843
- @Avlyssna made their first contribution in #2823
Full Changelog: 4.2.0...5.0.0
4.2.0
What's Changed
Backwards-Breaking Changes
- Link results now return stdout and stderr separately, as a dictionary. Any non-CALDERA users of APIs/reports or any custom plugins may be affected. #2662
- Moved Atomic planner into Caldera main repo from stockpile. #2768
Plugins
- The mock plugin will no longer be officially supported.
Bug Fixes
- Fixed bug with the /operations API endpoint. #2691
- Fixed bug where newline was missing at the end of operation logs. #2693
- Fixed bug causing LDAP integration to fail. #2718
- Fixed bug with fact sources not being removed correctly. #2732
- Fixed bug causing Metasploit integration to fail.
UI
- Fixed bug where plaintext command was not displayed correctly in the UI. #2668
- Fixed bug freezing UI when deleting an operation. #2671
- Adversary profile page now displays the Adversary ID for the selected adversary. #2672
- Tabs are now pinned to the top of the page. #2695
- Fixed bug preventing manually approving links in UI. #2729
- Updated moving abilities on adversary page to be more clear. #2770
Planners
- (New!) Naive Bayes planner: selects next action based on highest probability of success, as determined from historical operation report data.
- (New!) Universal and Existential requirements: can check facts against the entire knowledge base instead of only using facts used by the command.
Other
- Link commands are now unencoded by default, but are still sent encoded if any obfuscation is used for an operation. #2698
- Added several event types to the eventing system: agent/added, fact/added, fact/updated, system/ready. #2692
- Sandcat agents now return the "exit_code" field in results. #2713
- Sandcat agents now close out their sessions properly, preventing large sessions from potentially showing up in logs.
New Contributors
- @michael-the-jones made their first contribution in #2662
- @nikstuckenbrock made their first contribution in #2691
- @pirxthepilot made their first contribution in #2693
- @M15terHyde made their first contribution in #2692
- @JamieScottC made their first contribution in #2770
Full Changelog: 4.1.0...4.2.0
4.1.0
What's Changed
Bug Patches
- Fixed "Save + Add" button on "Add Ability" modal in adversaries page so it doesn't result in an error. #2637
- Fixed a first-time startup error in the Atomic plugin resulting from a loop when parsing atomic abilities. #2657
- Fixed a bug in the Training plugin preventing the first manx flag from completing. #2638
- Fixed "(unexpected keyword argument 'loop')" error from the start_server call. #2625
Security Fixes
- Patched an XSS bug found in the Operations tab and Debrief plugin that took advantage of unsanitized input in an operation's name field. #2644
- Disclosure reports coming soon, stay tuned
- Credit to Jayson Grace from Meta's Purple Team for discovering this vulnerability
Operations Page
- Added "Operations Detail" modal on operation page that shows how the operation was configured at its start. #2558
- Tidied up row of buttons so they align better. #2615
Adversaries
- (New!) "Everything Bagel" adversary: A collection of all CALDERA abilities ordered by ATT&CK tactic. Particularly useful when using the new advanced planners (see below) and you want all abilities at the disposal of the planner.
- (In progress) Added a missing ability to the "Worm" Adversary in the Stockpile plugin.
Planners
- (New!) Look-Ahead Planner: A CALDERA planner that decides which abilities to execute based on expected future reward.
- (New!) Guided Planner: A CALDERA planner which makes use of "distance to goals" in a dependency graph to select the optimal next action.
New Contributors
- @jt0dd made their first contribution in #2590
- @sgianvecchio made their first contribution in #2563
- @pierregi made their first contribution in #2577
- @djmartin41041 made their first contribution in #2649
- @Morpheme777 made their first contribution in #2642
Full Changelog: 4.0.0...4.1.0
4.0.0
What's Changed
All New User Interface
- Brand new look and feel across the entire platform.
- AlpineJS has replaced JQuery as our front-end framework.
- Bulma is our CSS framework of choice, which makes styling our templates a breeze.
- Core pages like operations, adversaries, and agents have been completely revamped to make them more powerful, insightful, and robust.
Operations Page
- Made more use of screen real estate.
- Adding a potential link now gives you the ability to edit the command before it's added.
- You can select fact values for all fact templates in a potential link, either ones from a fact source or ones collected from the operation.
Training Plugin
- UI has been refreshed to match the new UI in core CALDERA.
- Gameboard badge has been removed.
- Solution guides have been updated to reflect the changes in the new interface.
Sandcat
- Can update executors mid-operation
- New "proc" executor that directly spawns desired processes
- New "native" executor that performs various TTPs through pure Golang.
- Now provides command output for timed-out links
- New C2 channels and capabilities: SSH tunneling, FTP, Slack
Other
- REST API v2 with associated API Swagger Docs
- New open-source abilities and adversary profiles, including new collection and exfiltration capabilities.
- Timestamps in sandcat are now UTC instead of local time
- Automatic deletion of payloads is now optional
- Better storage of exfiltrated files to prevent overwriting
- More back end tests have been added
- General bug squashing and improvements
v5.0
We've begun working on v5 and are excited to bring capabilities not currently seen in automated cyber operation platforms.
New Contributors
- @emmanvg made their first contribution in #2157
- @dependabot made their first contribution in #2179
- @bleepbop made their first contribution in #2188
- @neptunia made their first contribution in #2224
- @Sloane4 made their first contribution in #2211
- @CDJellen made their first contribution in #2321
- @cyber-arsenull made their first contribution in #2346
- @heatonk made their first contribution in #2373
- @bernsteinj made their first contribution in #2411
- @aapplebaum made their first contribution in #2412
- @BCHarrell made their first contribution in #2415
- @yee-jonathan made their first contribution in #2398
- @djlawren made their first contribution in #2404
- @damionmounts made their first contribution in #2424
- @zacharylc-mitre made their first contribution in #2418
- @cmagone made their first contribution in #2440
- @mshkolnik22 made their first contribution in #2536
- @ZacharyLPalmer made their first contribution in #2574
Full Changelog: 3.1.0...4.0.0
4.0.0 Beta
What's Changed
Operations Page
- Made more use of screen space at top of page
- Adding a potential link now gives you the ability to edit the command before it's added
- You can select fact values for all fact templates in a potential link, either ones from a fact source or ones collected from the operation.
Training Plugin
- UI has been refreshed to match the new UI in core CALDERA
- Gameboard badge has been removed
- New users should be able to complete User certificate in its entirety without issue
Other
- API Docs are better documented
- Timestamps in sandcat are now UTC instead of local time
- More back end tests have been added
- General bug squashing and improvements
Full Changelog: 3.1.0...4.0.0-beta
Contributors (since last release)
@ArtificialErmine, @clenk, @argaudreau, @iguannalin, @heatonk, @bleepbop, @mchan143, @christophert, @yee-jonathan, @blackwidow0616, @djlawren, @ddavila54, @CDJellen, @wbooth, @bernsteinj, @emmanvg, @cyber-arsenull, @uruwhy, @elegantmoose, @damionmounts, @zacharylc-mitre, @cmagone, @alexanderkent, ... and more!
New Contributors
- @emmanvg made their first contribution in #2157
- @bleepbop made their first contribution in #2188
- @neptunia made their first contribution in #2224
- @Sloane4 made their first contribution in #2211
- @CDJellen made their first contribution in #2321
- @cyber-arsenull made their first contribution in #2346
- @heatonk made their first contribution in #2373
- @bernsteinj made their first contribution in #2411
- @BCHarrell made their first contribution in #2415
- @yee-jonathan made their first contribution in #2398
- @djlawren made their first contribution in #2404
- @damionmounts made their first contribution in #2424
- @zacharylc-mitre made their first contribution in #2418
- @cmagone made their first contribution in #2440
Thank you to all of the MANY builders of CALDERA, both in and out of GitHub! 🚀
4.0.0 Alpha2
Bugfixes and enhancements to the 4.0.0-alpha release
What's Changed
- [VIRTS-2881] Health API v2 Pytests by @bleepbop in #2305
- virts-2891 - Planner parsing error checking by @ArtificialErmine in #2275
- [VIRTS-2877] Objectives api v2 Pytests by @bleepbop in #2283
- [VIRTS-2878] Planners v2 API Pytests by @bleepbop in #2299
- [VIRTS-2880] Sources v2 API Pytests by @bleepbop in #2307
- [VIRTS-2879] Plugins v2 API Pytests by @bleepbop in #2300
- Origin link ID storage fix by @uruwhy in #2187
- added pyminizip dependency from emu plugin by @mchan143 in #2322
- [VIRTS-3040] Fix Timestamp Error in Sources API Tests by @bleepbop in #2328
- [VIRTS-2887] Update Swagger Docs by @bleepbop in #2324
- Ops source fix by @iguannalin in #2323
- Bug fix for source-originated facts in relationships by @ArtificialErmine in #2338
- virts-2979 - Learning Service Fact Creation bugfix by @ArtificialErmine in #2340
- Fix Copy button for agent commands by @clenk in #2336
- Possible fix to Issue #2315 (affects templates/abilities.html) by @CDJellen in #2321
- Change addPotentialLink to have ability: link in response. by @cyber-arsenull in #2346
- [VIRTS-3047] Update Config api docs by @bleepbop in #2353
- Revert profiles.html and rename showAbilityModal. by @cyber-arsenull in #2351
- Operations select dead agent bug in add potential link menu by @iguannalin in #2344
- Moved confetti.min.js to core library, updated training plugin with completed certificate message by @iguannalin in #2342
- Utc time by @uruwhy in #2355
- Change global styles to accommodate changes in debrief by @argaudreau in #2341
- Update README.md by @wbooth in #2375
- Resolve flake8 errors by @argaudreau in #2376
- Add plugin field to adversaries, abilities, and planners by @argaudreau in #2345
- [VIRTS-3255] Fix timestamp bug in v2 API Pytests by @bleepbop in #2356
- Ops UI fix by @iguannalin in #2368
- Add plugin apidocs details by @argaudreau in #2371
- Update aiohttp to 3.8.1 by @wbooth in #2382
- Bug fixes to agents page, add deadman abilities by @argaudreau in #2354
- Repin sandcat by @uruwhy in #2366
- Fix event_logs download functionality by @heatonk in #2373
New Contributors
- @iguannalin made their first contribution in #2150
- @emmanvg made their first contribution in #2157
- @dependabot made their first contribution in #2179
- @bleepbop made their first contribution in #2188
- @neptunia made their first contribution in #2224
- @Sloane4 made their first contribution in #2211
- @argaudreau made their first contribution in #2260
- @CDJellen made their first contribution in #2321
- @cyber-arsenull made their first contribution in #2346
- @heatonk made their first contribution in #2373
Thank you to the MANY builders of CALDERA on and off Github!
Full Changelog: 3.1.0...4.0.0-alpha2
4.0.0 Alpha
** Plugin UIs are still being updated so this will remain a pre-release until then
New UI
We are re-imagining the way end users interact with CALDERA. This includes large updates to the UI.
Included is a new abilities screen to easily manage your extensive library.
API v2
Calling all builders! For all those who build on the CALDERA platform we have a whole new API with full documentation. Currently the docs are available once you start up the server; look for the "api docs" link at the bottom of the navigation menu.
C2 Channels
We've introduced some new C2 channels, including:
- Slack
- SSH tunneling
- FTP
Agent Updates
- Sandcat agent support for new C2 channels (Slack, FTP, SSH tunneling)
- New “proc” executor for Sandcat that will directly spawn processes using a provided executable path and arguments, rather than calling via PowerShell, sh, or cmd.
- Sandcat agents can remove executors or update executor binary paths
- Manx agents can properly run commands of longer durations.
Knowledge Service
New service created to better manage facts and information during an operation or when performing analysis
File upload/download encoding
Supports basic file encoding (plain text and base64) for payload downloads and file uploads. To encode a downloaded payload or uploaded file, set the "x-file-encoding" HTTP header accordingly when making the download/upload request. Available data encoders are defined as Python modules in app/data_encoders. Currently supported encoders are "plain-text" and "base64".
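The header-driven encoder selection described above, as an added illustration that is not Caldera's own code: a small registry keyed on the "x-file-encoding" value, with the two encoder names the release notes list. The function and class names are assumptions; the real modules in app/data_encoders are not shown here.

```python
import base64
import binascii
from typing import Callable, Dict, Mapping, Tuple

# Header name from the release notes; matched case-insensitively below.
ENCODING_HEADER = "x-file-encoding"

# Hypothetical registry: encoder name -> (encode, decode). Only the two
# names the notes mention are registered; anything else is rejected.
ENCODERS: Dict[str, Tuple[Callable[[bytes], bytes], Callable[[bytes], bytes]]] = {
    "plain-text": (lambda b: b, lambda b: b),
    # validate=True makes the decoder reject bytes outside the base64
    # alphabet instead of silently discarding them.
    "base64": (base64.b64encode, lambda b: base64.b64decode(b, validate=True)),
}


class UnsupportedEncoding(ValueError):
    """Raised when the request names an encoder that is not registered."""


def requested_encoding(headers: Mapping[str, str]) -> str:
    """Return the encoder name from the request headers (default plain-text)."""
    for name, value in headers.items():
        if name.lower() == ENCODING_HEADER:
            return value.strip().lower()
    return "plain-text"


def select_encoder(headers: Mapping[str, str]):
    """Pick the (encode, decode) pair for a request, or fail closed."""
    name = requested_encoding(headers)
    if name not in ENCODERS:
        raise UnsupportedEncoding(f"unsupported x-file-encoding: {name!r}")
    return ENCODERS[name]


def encoding_is_supported(headers: Mapping[str, str]) -> bool:
    """True if the request's encoding can be served."""
    return requested_encoding(headers) in ENCODERS


def encode_download(payload: bytes, headers: Mapping[str, str]) -> bytes:
    """Encode a payload being sent to an agent according to the request header."""
    encode, _ = select_encoder(headers)
    return encode(payload)


def decode_upload(body: bytes, headers: Mapping[str, str]) -> bytes:
    """Decode an uploaded file body; malformed base64 is reported, not guessed at."""
    _, decode = select_encoder(headers)
    try:
        return decode(body)
    except binascii.Error as exc:
        raise ValueError(f"malformed upload body for encoding {requested_encoding(headers)!r}") from exc
```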
Auth service
Add support for custom login handlers, as well as a new SAML authentication plugin.
Other Changes
- Dropped Python 3.6 support and now testing for 3.7, 3.8, and 3.9
- We now support all browsers; Google Chrome is no longer the only supported browser
New CALDERA Contributors
- @iguannalin made their first contribution in #2150
- @emmanvg made their first contribution in #2157
- @bleepbop made their first contribution in #2188
- @neptunia made their first contribution in #2224
- @Sloane4 made their first contribution in #2211
- @argaudreau made their first contribution in #2260
Thank you to the MANY builders of CALDERA on and off Github!
Full Changelog: 3.1.0...4.0.0-alpha
3.1.0
Overview
Improvements to the training plugin, C2 Channels, and some core feature improvements
Core Features
- #2101 Server --fresh argument now backs up data to data/backups before deleting data files.
- #2037 IP rule matching fix
- #2032 new DNS contact
- #2045 new operation log reporting style (events)
- #2055 fixed issue with deletion of sessions during refresh
- #2056 Sandcat agents now display all IP addresses associated with the host they are running on
- #2060 Files exfiltrated by abilities can now be downloaded through the UI
- #2088 new capability to automatically generate event logs on operation completion
New C2 Channel
- #2032 new DNS contact
Plugin Updates
Training
- A solution guide has been provided to ensure that learning Caldera is even easier.
Sandcat
- Fixed bug with agents not sleeping after receiving commands, leading to extraneous C2 traffic
Stockpile
- Fixed base64 jumble and b64 no padding obfuscators
Debrief
- Fixed various bugs with the display (missing links, text overflowing)
3.0.0
Overview
Big improvements to usability, a new plugin called Emu that imports adversary emulation plans from CTID, P2P agent communication, lateral movement tracking, and more!
Plugin Updates
NEW PLUGIN: Emu
This plugin imports adversary emulation plans from the Center for Threat Informed Defense
Learn more about the supported emulation plans here:
https://github.com/center-for-threat-informed-defense/adversary_emulation_library
Debrief
Debrief is now tracking lateral movement through the new attack path graph in addition to some changes made to sandcat and core!
Learn more about the feature here:
https://caldera.readthedocs.io/en/latest/Lateral-Movement-Guide.html#displaying-lateral-movement-in-debrief
Builder
Allow for dynamic compilation of C#, C, C++, and Go binaries. Code will be built in Docker containers, requiring additional setup when CALDERA starts, but reducing dependencies on the server. Both C# and Go binaries can be built with libraries/modules.
New Features
Peer-to-Peer Communication
Peer-to-peer functionality allows agents within internal networks to chain together to enable beaconing and communications where a direct connection is not possible. The implementation in sandcat allows for varied channels of communication as well, so that an agent can be configured for the environment it is being deployed in. Also present in Caldera is functionality for discovery of peers, so that an agent can be deployed from a generic binary and discover whether there are any available peers to connect out through if a direct connection to the C2 server is not possible. The CALDERA server will display the proxy chain and protocols used to facilitate the communications in the agents page.
Lateral Movement Tracking
Adds the capability for Caldera to track lateral movement via the originLinkID. This is passed in as an optional command line argument when executing an agent.
Learn more about the feature here:
https://caldera.readthedocs.io/en/latest/Lateral-Movement-Guide.html#displaying-lateral-movement-in-debrief
Manual Links
Allow users to run arbitrary commands on agents. Previously, only commands in abilities could be run. Add manual links from the operation screen.
Uploads
Similar to payload downloads in abilities, you can now specify file uploads in an ability YAML file. Supporting agents will upload the specified file(s) after completing an ability. File paths can be local or absolute.
Before, file uploads and exfiltration were performed using hardcoded commands (curl, PowerShell WebClient, etc.) that required an HTTP(S) connection to the C2. In cases where the agent is using peer-to-peer and cannot directly access the server, the old file upload commands wouldn't work as intended. By adding the upload capability as a separate ability and instruction component, supporting agents use their contact method's built-in upload functionality to send file bytes upstream, whether directly to the C2 server or to another agent proxy peer who will forward the bytes on their behalf.
Deadman Abilities
Users can now specify deadman abilities in the agents.yml config or via the agent GUI modal to have supporting agents run them prior to termination. Whereas all agents will receive bootstrap abilities for immediate execution upon their first successful beacon, the CALDERA server will only send deadman abilities to agents who have indicated through their beacons that they support deadman abilities. An example use case for this functionality is to specify an ability that will remove the agent executable once the agent terminates, or other defense evasion abilities like clearing logs.
Other Updates
- Many various bugfixes and usability improvements