Merge pull request #1008 from splunk/ZachTheSplunker-mitre-caldera

Zach the splunker mitre caldera

Author: P4T12ICK

README.md

@@ -162,6 +162,10 @@ python attack_range.py replay --file_name attack_data/dump.log --source test --s
   * Preconfigured Kali Linux machine for penetration testing
   * ssh connection over configured ssh key
 
+- [Caldera](https://github.com/mitre/caldera)
+  * Attack Simulation with [Caldera](https://github.com/mitre/caldera)
+  * Can be enabled, disabled and configured over [attack_range.yml](https://github.com/splunk/attack_range/blob/develop/attack_range.yml)
+
 
 ## Support 📞
 Please use the [GitHub issue tracker](https://github.com/splunk/attack_range/issues) to submit bugs or request features.
@@ -199,4 +203,5 @@ We welcome feedback and contributions from the community! Please see our [contri
 * Eric McGinnis
 * [Micheal Haag](https://twitter.com/M_haggis)
 * Gowthamaraj Rajendran
-* [Christopher Caldwell](https://github.com/cudgel)
+* [Christopher Caldwell](https://github.com/cudgel)
+* [Zachary Christensen](https://github.com/ZachTheSplunker)

attack_range.yml

@@ -209,6 +209,9 @@ windows_servers_default:
   # Install Bad Blood by setting this to 1 or 0.
   # More information in chapter Bad Blood under Attack Range Features.
 
+  install_caldera_agent: "0"
+  # Install a MITRE Caldera agent that connects to the Caldera Server.
+
   install_crowdstrike: "0"
   # Install CrowdStrike Falcon by setting this to 1.
 
@@ -252,6 +255,9 @@ linux_servers_default:
   cisco_secure_endpoint_linux_agent: "amp_Server_ubuntu-20-04-amd64.deb"
   # Name of the Cisco Secure Endpoint Linux Agent stored in apps/ folder.
 
+  install_caldera_agent: "0"
+  # Install a MITRE Caldera agent that connects to the Caldera Server.
+
 kali_server:
   kali_server: "0"
 # Enable Kali Server by setting this to 1.
@@ -277,6 +283,34 @@ snort_server:
   snort_server: "0"
   # Enable Snort Server by setting this to 1.
 
+caldera_server:
+  caldera_server: "0"
+  # Enable MITRE Caldera Server by setting this to 1.
+
+  hostname: "caldera"
+  # Specify the image used for Caldera Server.
+
+  # ------ Changing below this line could break MITRE Caldera -------------- #
+
+  caldera_version: ""
+  # MITRE Caldera Version to install (https://github.com/mitre/caldera/releases). Default: (left blank to pull latest)
+  # caldera_version: "--branch 5.0.0"
+
+  go_version: "1.23.3"
+  # GO version to install (https://go.dev/dl/).
+
+  nvm_version: "0.40.1"
+  # NVM version to install (https://github.com/nvm-sh/nvm/releases).
+
+  node_version: "22"
+  # Node version to install (https://nodejs.org/en/download/package-manager).
+
+  upx_version: "4.2.4"
+  # UPX version to install (https://github.com/upx/upx/releases).
+
+  private_ip: "10.0.1.70"
+  # internal ip for the Caldera server (used for agent communication - no need to change).
+
 simulation:
   atomic_red_team_repo: redcanaryco
   # Specify the repository owner for Atomic Red Team.

configs/attack_range_default.yml

@@ -327,6 +327,20 @@ def show(self) -> None:
                         + "\n\tusername: ubuntu \n\tpassword: "
                         + self.config["general"]["attack_range_password"]
                     )
+                elif instance_name.startswith("ar-caldera"):
+                    messages.append(
+                        "\nAccess Caldera via:\n\tWeb > http://"
+                        + instance["NetworkInterfaces"][0]["Association"]["PublicIp"]
+                        + ":8888"
+                        + "\n\tusername: red \n\tpassword: "
+                        + self.config["general"]["attack_range_password"]
+                        + "\n\tSSH > ssh -i"
+                        + self.config["aws"]["private_key_path"]
+                        + " admin@"
+                        + instance["NetworkInterfaces"][0]["Association"][
+                                "PublicIp"
+                            ]
+                    )
             else:
                 response.append(
                     [instance["Tags"][0]["Value"], instance["State"]["Name"]]

modules/aws_controller.py

@@ -29,6 +29,7 @@ def read_config(self, config_path: str) -> dict:
             "simulation",
             "zeek_server",
             "snort_server",
+            "caldera_server",
         ]
 
         for parent_key in parent_keys:
@@ -149,3 +150,10 @@ def validate_config(self, config: dict) -> None:
                 "ERROR: You can not use a phantom server or bring your own phantom when you use a bring your own splunk."
             )
             sys.exit(1)
+
+        if (
+            config["caldera_server"]["caldera_server"] == "1"
+            and config["general"]["cloud_provider"] == "azure"
+        ):
+            print("ERROR: Caldera Server not supported in Azure.")
+            sys.exit(1)

modules/config_handler.py

@@ -442,6 +442,13 @@ def new(config):
             "when": lambda answers: answers["windows_server_one"]
             and answers["windows_server_one_dc"],
         },
+        {
+            "type": "confirm",
+            "message": "should we install a MITRE Caldera agent on the windows server",
+            "name": "windows_server_one_caldera_agent",
+            "default": False,
+            "when": lambda answers: answers["windows_server_one"],
+        },
     ]
 
     answers = questionary.prompt(questions)
@@ -463,6 +470,8 @@ def new(config):
         if "windows_server_one_bad_blood" in answers:
             if answers["windows_server_one_bad_blood"]:
                 configuration["windows_servers"][0]["bad_blood"] = "1"
+        if answers["windows_server_one_caldera_agent"]:
+            configuration["windows_servers"][0]["install_caldera_agent"] = "1"
 
         questions = [
             {
@@ -493,6 +502,13 @@ def new(config):
                 "default": False,
                 "when": lambda answers: answers["windows_server_two"],
             },
+            {
+                "type": "confirm",
+                "message": "should we install a MITRE Caldera agent on the windows server",
+                "name": "windows_server_two_caldera_agent",
+                "default": False,
+                "when": lambda answers: answers["windows_server_two"],
+            },
         ]
 
         answers = questionary.prompt(questions)
@@ -510,6 +526,8 @@ def new(config):
                     configuration["windows_servers"][1]["join_domain"] = "1"
             if answers["windows_server_two_red_team_tools"]:
                 configuration["windows_servers"][1]["install_red_team_tools"] = "1"
+            if answers["windows_server_two_caldera_agent"]:
+                configuration["windows_servers"][1]["install_caldera_agent"] = "1"
 
     questions = [
         {
@@ -518,6 +536,13 @@ def new(config):
             "name": "linux_server",
             "default": False,
         },
+        {
+            "type": "confirm",
+            "message": "should we install a MITRE Caldera agent on the linux server",
+            "name": "linux_server_caldera_agent",
+            "default": False,
+            "when": lambda answers: answers["linux_server"],
+        },
         {
             "type": "confirm",
             "message": "shall we build a kali linux machine",
@@ -558,6 +583,13 @@ def new(config):
             "name": "phantom_installer",
             "when": lambda answers: answers["phantom"],
         },
+        {
+            "type": "confirm",
+            "message": "shall we build a MITRE Caldera server for attack simulation",
+            "name": "caldera_server",
+            "default": False,
+            "when": lambda answers: configuration["general"]["cloud_provider"] == "aws",
+        },
     ]
 
     answers = questionary.prompt(questions)
@@ -569,6 +601,9 @@ def new(config):
                 "hostname": "ar-linux",
             }
         )
+        if "linux_server_caldera_agent" in answers:
+            if answers["linux_server_caldera_agent"]:
+                configuration["linux_servers"][0]["install_caldera_agent"] = "1"
 
     if configuration["general"]["cloud_provider"] == "aws":
         if answers["kali_machine"]:
@@ -586,6 +621,10 @@ def new(config):
         if answers["snort_server"]:
             configuration["snort_server"] = dict()
             configuration["snort_server"]["snort_server"] = "1"
+        
+        if answers["caldera_server"]:
+            configuration["caldera_server"] = dict()
+            configuration["caldera_server"]["caldera_server"] = "1"
 
     if answers["phantom"]:
         configuration["phantom_server"] = dict()

modules/configuration.py

@@ -0,0 +1,8 @@
+- hosts: all
+  gather_facts: false
+  become: false
+  vars:
+    caldera_server_action: "install"
+  roles:
+    - caldera_server
+

terraform/ansible/caldera_server.yml

@@ -14,4 +14,8 @@
     - splunk_byo_linux
     - contentctl
     - crowdstrike_falcon_agent_linux
-    - cisco_secure_endpoint_linux
+    - cisco_secure_endpoint_linux
+    - role: caldera_agent
+      vars:
+        caldera_agent_server_type: "linux"
+      when: caldera_server.caldera_server == "1" and linux_servers.install_caldera_agent == "1"

terraform/ansible/linux_server.yml

@@ -0,0 +1,4 @@
+---
+- name: Install Linux Agent [Caldera Agent]
+  ansible.builtin.shell: >
+    server="http://{{ caldera_server.private_ip }}:8888";agent=$(curl -svkOJ -X POST -H "file:sandcat.go" -H "platform:linux" $server/file/download 2>&1 | grep -i "Content-Disposition" | grep -io "filename=.*" | cut -d'=' -f2 | tr -d '"\r') && chmod +x $agent 2>/dev/null;nohup ./$agent -server $server &

terraform/ansible/roles/caldera_agent/tasks/linux.yml

@@ -0,0 +1,8 @@
+---
+- name: Install on Windows [Caldera Agent]
+  ansible.builtin.import_tasks: windows.yml
+  when: caldera_agent_server_type == "windows"
+
+- name: Install on Linux [Caldera Agent]
+  ansible.builtin.import_tasks: linux.yml
+  when: caldera_agent_server_type == "linux"