I implemented a new CALDERA Plugin - the Bounty Hunter! #2914
Replies: 5 comments
-
Hello again, although I did not receive an answer to the initial post, I am posting an update now. The release of the Bounty Hunter plugin is in its final steps. At the moment, I am planning to release it in a separate repository here on GitHub. As mentioned above, I will also publish a blog post featuring more details on the Bounty Hunter's functionality and how to use it. I am looking forward to everyone's thoughts and feedback on this! 😄
-
@L015H4CK AH! Evidently we don't get pinged when someone opens a discussion. Apologies! I can put this on the queue to look at now (will take me a minute). Again, apologies.
-
TLDR - Generally speaking, we would be supportive of a Caldera Medium blog post and linking the plugin on the README as long as the plugin:
Based on a quick read, I think the only issue is the initial access capabilities. We would need to look deeper into that before promoting/associating with it. One of the Caldera project's rules is no significant initial access capabilities, as we can't have Caldera used for actual malicious purposes. But again, we can work with you more on this and investigate further. (*Also, bravo on tackling a new planner, not an easy task.)
-
@L015H4CK Are you on the Caldera Slack? We can open a private channel to discuss your planner more there as well. I'm Michael Kouremetis on the Caldera Slack.
-
Hello, thanks for the feedback, and I am happy to hear that a blog post and link would be possible. I totally agree that the initial access capabilities are problematic and have already put some time into the ethical concerns regarding this. I will reach out to you on the Caldera Slack soon.
-
Hello everyone,
In the past years I have been working with CALDERA a lot to create more realistic training experiences for blue teams in cyber ranges. The result of my work is a new CALDERA plugin that I want to publish soon: the Bounty Hunter. The biggest asset of the Bounty Hunter Plugin is the new Bounty Hunter Planner, which allows the emulation of complete, realistic cyberattack chains, including autonomous initial access and privilege escalation methods.
The attack behavior of an emulated adversary using the Bounty Hunter Planner has two special properties:
First, it is goal-oriented and reward-driven, similar to the Look-Ahead Planner, and second, it is variable due to weighted-randomness in its decision process. Furthermore, configurable ability reward updates during a running operation allow more complex and realistic attack chains.
I plan to release the plugin on GitHub, as I would like to give it back to the community. Is it possible to include the plugin in the "Plugins -> More" section of CALDERA's README? Furthermore, I would also like to write a blog article that describes the new plugin in detail. Is it possible that my article will be published on CALDERA's official blog?
The following sections describe the Bounty Hunter Plugin and its functionality in more detail. Thank you for reading my post. I am looking forward to everyone's thoughts and responses!
Best regards,
L015H4CK
Plugin Description
A short list of the plugin's main features summarizing its functionalities is given below, as a detailed description would be too extensive in this context. I will happily provide a detailed description and usage instructions in the plugin's README once it is published or answer any specific questions that come up now.
Main Features of the Bounty Hunter Planner
Example Operation using the Bounty Hunter Planner
An example operation is depicted in the figure below.
The operation starts with a CALDERA agent running locally, i.e. on the same machine as the CALDERA server. First, the agent executes initial access methods, e.g. an ARP scan to find IP addresses it can reach, followed by an nmap scan of the found IP addresses. For example, the agent finds an IP address with an open SSH port and decides to try to brute force the SSH credentials. After finding a valid username and password, it uses this information to copy a new agent to the target machine using scp and starts it via SSH. The planner then detects the newly registered agent and decides to run the actual attack on the target, concluding the initial access phase.
In the Post-Exploitation Phase, the planner checks which abilities are executable, i.e. abilities that have all fact-requirements satisfied. It then weighted-randomly picks the next executable ability depending on the abilities' future reward values.
When picking an ability that needs higher privileges, the planner tries to start a new elevated agent on the target that can execute this ability. After executing an ability, ability reward updates are performed according to the planner's configuration to allow various more complex and realistic attack behaviors. This process is repeated until an ability that is defined as a "final ability" is executed, i.e., a defined goal is reached.
Simulation of APT29 Day 2 Scenario
The Bounty Hunter Planner was tested using the APT29 Day 2 data from the adversary emulation library of the Center for Threat Informed Defense. The resulting attack chain including fact-links between abilities is shown in the figure below.
The test showed that the Bounty Hunter is able to initially access a Windows workstation using SSH brute force, elevate its privileges automatically using a Windows UAC bypass and finally compromise the whole domain using a Kerberos Golden Ticket attack. (Note: the attack steps are NOT part of the plugin but are included in the adversary emulation library!) To achieve its goal, the planner was only provided with an adversary profile that includes all CALDERA abilities in no particular order (including the APT29 Day 2 abilities), a high reward value for the final ability that executed a command using the Golden Ticket, and the name of the interface to scan initially. All other information needed for the successful execution, including the domain name, domain admin credentials, SID values, and NTLM hashes, was collected autonomously.
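As an added illustration of the post-exploitation selection loop described in the post (not code from the Bounty Hunter plugin or from CALDERA), the following simulation picks the next ability weighted-randomly by a one-step look-ahead reward among abilities whose fact requirements are satisfied, applies a configured reward update after each execution, and stops at a final ability. The ability set, fact names, the look-ahead formula and the multiplicative update rule are all constructed assumptions for the example.

```python
import random
from dataclasses import dataclass

@dataclass(frozen=True)
class Ability:
    name: str
    reward: float
    requires: frozenset = frozenset()  # facts that must be known before it can run
    produces: frozenset = frozenset()  # facts collected when it runs
    final: bool = False                # running this ability ends the operation

# Constructed, deliberately abstract ability set; "noise" is a distractor with
# a high immediate reward that unlocks nothing further.
ABILITIES = [
    Ability("recon", 1.0, produces=frozenset({"hosts"})),
    Ability("enumerate", 2.0, frozenset({"hosts"}), frozenset({"service"})),
    Ability("noise", 3.0),
    Ability("elevate", 2.0, frozenset({"service"}), frozenset({"admin"})),
    Ability("goal", 10.0, frozenset({"admin"}), final=True),
]
# Constructed reward-update configuration: after "elevate" runs, double "goal".
UPDATES = {"elevate": {"goal": 2.0}}

def executable(abilities, facts, done):
    """Abilities not yet run whose fact requirements are all satisfied."""
    return [a for a in abilities if a.name not in done and a.requires <= facts]

def future_reward(ability, abilities, facts, done, rewards, discount=0.5):
    """Own reward plus a discounted share of the best ability it newly unlocks."""
    after = executable(abilities, facts | ability.produces, done | {ability.name})
    newly = [rewards[a.name] for a in after if not a.requires <= facts]
    return rewards[ability.name] + discount * max(newly, default=0.0)

def plan(abilities, facts, seed=0, updates=None, max_steps=20):
    """Weighted-random walk over executable abilities until a final ability runs."""
    rng, facts, done, chain = random.Random(seed), set(facts), set(), []
    rewards = {a.name: a.reward for a in abilities}
    for _ in range(max_steps):
        candidates = executable(abilities, facts, done)
        if not candidates:
            break  # nothing left to run: the operation stalls
        weights = [max(future_reward(a, abilities, facts, done, rewards), 1e-9)
                   for a in candidates]
        chosen = rng.choices(candidates, weights=weights, k=1)[0]
        chain.append(chosen.name)
        done.add(chosen.name)
        facts |= chosen.produces
        for name, factor in (updates or {}).get(chosen.name, {}).items():
            rewards[name] *= factor  # apply the configured reward update
        if chosen.final:
            break
    return chain, rewards
```

Different seeds change whether "noise" is visited before "recon", but every run still chains recon, enumerate and elevate before reaching "goal", which is the variability-with-goal-orientation the post describes.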