BruCON 0x0B

MITRE ATT&CK is quickly gaining traction and is becoming an important standard to use to assess the overall cyber security posture of an organization. Tools like ATT&CK Navigator and Caldera facilitate corporate adoption and allow for a holistic overview on attack techniques and how organizations are preventing and detecting them. Furthermore, many vendors, technologies and open-source initiatives are aligning with ATT&CK. Some more information on Caldera from the official documentation (https://github.com/mitre/caldera):

"CALDERA is an automated adversary emulation system that performs post-compromise adversarial behaviour within Windows Enterprise networks. It generates plans during operation using a planning system and a pre-configured adversary model based on the Adversarial Tactics, Techniques & Common Knowledge (ATT&CK™) project. These features allow CALDERA to dynamically operate over a set of systems using variable behaviour, which better represents how human adversaries perform operations than systems that follow prescribed sequences of actions."

MITRE recently released Caldera 2.0 (end of April 2019), which includes a larger focus on "extendibility". During this talk, we will leverage these features for maximum effect. We will highlight some interesting improvement opportunities in Caldera and we will focus on how we developed additional plugins & features. To make this a bit more concrete:

-How can we improve Caldera's reporting engine? (It's currently not possible to get an easy ATT&CK coverage report / deliverable out of the tool). This is of great use if we want to increase usability of the tool and ATT&CK overall!
-How can we build additional plugins for MITRE Caldera to increase the ATT&CK coverage of the tool?
-How can we adapt Caldera to work around common security controls in place at organizations (e.g. Windows 10 security features such as ExploitGuard and AMSI, which hinder Caldera's PowerShell scripting).

This talk will arm infosec professionals with the required skills to further extend their adversary emulation options without breaking the bank for a commercial tool! As our main focus is to increase Caldera adoption and help the community, we will also publicly release developed plugins!

We will go into the nitty-gritty details of our development efforts and will also include several technical demo's that will help transfer knowledge to the audience and encourage their own development efforts!

Note that this is currently work-in-progress, thus the paper that was added to this submission covers what we set out to do, but not the full result. It is in fact the internal NVISO R&D charter that was approved to start our development activities.

It is worth mentioning that the task set out is feasible and we have already successfully adapted our own internal Caldera with additional functionality (e.g. the AMSI bypass was implemented). We are now working on further optimising, stabilising and documenting our work!

We will be able to provide additional details on our results and status around summer time.