Big features
- A new contact - HTML - was added to the existing set of agent contact points. This contact allows agents to communicate to the CALDERA C2 by scraping web content/DOM elements for instructions. If you navigate to the http://localhost:8888/weather webpage, you can view the HTML page configured for agents to scrape. This is a decoy web page with hidden instructions in the HTML.
- This new contact comes with a new agent, Ragdoll, which uses the contact point. Ragdoll is written in Python and it gets instructions by scraping the decoy web page, it then sends results through GET URL parameters (encoded).
- We introduced a new plugin, Training, which includes a full Red Team Operator certificate course. This is a capture-the-flag style certification to become a CALDERA subject matter expert (SME). It also teaches some basics around adversary emulation and red-teaming along the way. This is the first certificate among several coming in the future.
Small features
- The Terminal plugin has been rebranded as the Manx plugin, after the agent it contains.
- A new service was added, learning_svc, which is called whenever an agent posts results from running a command. Previously, we required all abilities to define a parser (on the ability YML) if we were going to parse the results into facts. Now, if the ability has no parser, it will go into the learning_svc and we will attempt to parse the arbitrary text blob into facts using a series of intelligent parsers. We even create inferred relationships by analyzing the existing trait combinations. We will be moving parsers off of ability YML files and into this much more dynamic form of parsing moving forward.
- Abilities can now outline variations of the command, inside its YML file. For instance, there are multiple ways to deploy an agent (in the foreground, background, in verbose mode, etc.). Instead of having separate ability YML files for each variation, you can include a variations block in the YML file and describe each command variation.
UI changes
- The agents modal on the UI now allows you to add bootstrap abilities and change the filename of any downloaded agent.
- The delivery commands for Manx and Sandcat have been moved to the agents modal under campaigns.
Rest API changes:
N/A
Contact changes
- All contacts accept a list of results instead of a single result. All built-in agents have been updated to reflect this change. This allows an agent to group results into a single call to the C2 instead of needing to send 1 beacon per result.
Plugin changes:
N/A
Breaking changes:
We expect plugin developers to only interact with the core system (and other plugins) through the list of services passed to their plugin and through importing the c_[object] modules in the core code. As such, each release we will highlight the changes in these two areas, as they could introduce breaking changes to a plugin.
Services
contact_svc
- All module-level properties have been removed and instead are being saved inside the "agents" configuration. We now persist this agents configuration file to survive each server reboot. In addition, the agents modal (on the UI) has been updated to allow you to update/change any agent config from the browser, eliminating the need to work with the conf/agents.yml manually.
Objects
c_ability
- a new concept of variations has been included. this is outlined above.
c_fact:
- an optional parameter “technique_id" can be used to associate a fact to a specific ATT&CK technique