Understand and detect MITRE Caldera with Zeek®
Read how to identify C2 activities and agent downloads associated with MITRE Caldera agents using this Zeek Caldera detector via GitHub.
Corelight recognized as a leader in the 2025 Gartner Magic Quadrant™ for network detection and response
MITRE’s Caldera is a cybersecurity platform developed to simulate adversarial tactics, techniques, and procedures (TTPs). Built upon the MITRE ATT&CK framework, Caldera is an open-source tool designed to help cybersecurity professionals and organizations assess their defenses, uncover vulnerabilities, and enhance their overall security posture. By emulating real-world cyber threats, Caldera enables blue teams to test detection and response mechanisms under realistic conditions.
Caldera includes a suite of plug-ins that support various adversarial activities, such as lateral movement, privilege escalation, and data exfiltration. It also features built-in agents that mimic command-and-control (C2) communications. Understanding these agents' activities is crucial for detecting and mitigating simulated attacks.
Zeek® is a powerful open-source network security monitoring tool that analyzes network traffic and detects suspicious activity. The Zeek script in this detector’s GitHub repo demonstrates a robust detection mechanism for identifying C2 activities and file download events associated with MITRE Caldera’s agents, such as Sandcat, Manx, and Ragdoll.
The Zeek code in this repository implements a multi-layered approach to detect Caldera activities by leveraging signatures, event handlers, and custom notices. Below is a breakdown of how this detection logic works:
One common step is a user downloading a Caldera agent onto one of the hosts involved in the blue teaming effort. The agent is often downloaded using a Curl command line provided to the user inside Caldera. Caldera agent downloads typically look like the TCP trace pictured below; you must replace the file name with the appropriate agent name, like manx.go, sandcat.go, and ragdoll.py:
The Zeek code monitors HTTP headers and file download requests to detect suspicious activity involving Caldera agents:
Loading the testing PCAPs from the detector’s GitHub repo in Wireshark shows the communications we will try to detect. The Manx TCP C2 traffic looks like this:
Manx UDP traffic contains a JSON dictionary:
Manx UDP also uses a simple “reply” message from the server to acknowledge messages:
Note that this “roger” reply happens on a different set of UDP ports, so it belongs to a different UDP connection in Zeek terms. In the next section, we will use Zeek signatures to detect this C2 activity.
The Caldera detector includes several Zeek signatures to identify network traffic patterns indicative of Manx C2 communications over TCP and UDP protocols:
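As an added example (not the detector's own signature file), a Zeek signature file that matches the two Manx UDP messages shown above and a Manx TCP handshake; the JSON-object pattern, the literal "roger" reply and the file name caldera-manx.sig are assumptions, since the page shows the traffic only as screenshots.

```zeek
# Assumed file name: caldera-manx.sig, loaded from the package with @load-sigs.
# Assumed patterns: a Manx beacon is a JSON dictionary, and the server
# acknowledges a UDP beacon with the literal string "roger".

# Manx over TCP: the agent (originator) opens with a JSON dictionary.
signature caldera_manx_tcp_json {
    ip-proto == tcp
    tcp-state originator
    payload /^\{"[^"]+":/
    event "Caldera Manx TCP C2: JSON dictionary from the agent"
}

# Manx over UDP: each datagram from the agent carries a JSON dictionary.
signature caldera_manx_udp_json {
    ip-proto == udp
    payload /^\{"[^"]+":/
    event "Caldera Manx UDP C2: JSON dictionary from the agent"
}

# Manx over UDP: the server's acknowledgement is a separate UDP connection
# (different port pair), so it is matched on its own.
signature caldera_manx_udp_roger {
    ip-proto == udp
    payload /^roger/
    event "Caldera Manx UDP C2: 'roger' acknowledgement from the server"
}
```

With the signature framework's default SIG_ALARM action, each match is written to signatures.log and raised as Signatures::Sensitive_Signature; the JSON pattern is deliberately broad, so correlate it with the "roger" reply from the same server rather than alerting on it alone.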
Sandcat C2 uses a Go user agent with the “/beacon” URI. It typically transmits base64-encoded data in the payload, but it could use a different encoding method if the Caldera user changes it:
Ragdoll uses the URI “/weather” with a Python user agent:
We will use this network evidence to craft some Zeek code to detect Sandcat and Ragdoll usage below.
The detector identifies beaconing activity and Ragdoll/Sandcat C2 communications through URI and User-Agent string inspection:
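One way to implement both the header-based agent download check described earlier and this URI/User-Agent beacon check, as an added example in Zeek script that is not the detector's own code: the notice names and message formats follow the notice.log excerpt on this page, while the "file" and "platform" request headers (sent by Caldera's curl download command), the User-Agent prefixes for each agent, and the HTTP::Info field names caldera_file/caldera_platform are assumptions.

```zeek
# Added example, not the detector's own code. Notice names and message formats
# follow the notice.log excerpt on this page; the "file"/"platform" headers sent by
# Caldera's curl download command and the User-Agent prefixes are assumptions.
module Caldera;

export {
    redef enum Notice::Type += { SuspiciousFileDownload, C2Detected };

    # Agent file names the Caldera server hands out.
    const agent_files: set[string] = { "sandcat.go", "manx.go", "ragdoll.py" } &redef;

    # Beacon URI -> agent name, and the User-Agent prefix that agent is built with.
    const beacon_uris: table[string] of string = { ["/beacon"] = "Sandcat", ["/weather"] = "Ragdoll" } &redef;
    const beacon_uas: table[string] of pattern = { ["/beacon"] = /^Go-http-client/, ["/weather"] = /^[Pp]ython/ } &redef;
}

# Carry the two download headers on the HTTP transaction until the request is complete.
redef record HTTP::Info += {
    caldera_file: string &optional;
    caldera_platform: string &optional;
};

event http_header(c: connection, is_orig: bool, name: string, value: string)
{
    # Zeek upper-cases header names before raising http_header.
    if ( ! is_orig || ! c?$http ) return;
    if ( name == "FILE" ) c$http$caldera_file = value;
    else if ( name == "PLATFORM" ) c$http$caldera_platform = value;
}

event http_message_done(c: connection, is_orig: bool, stat: http_message_stat)
{
    if ( ! is_orig || ! c?$http ) return;   # only inspect completed client requests
    local ua = c$http?$user_agent ? c$http$user_agent : "<none>";
    local uri = c$http?$uri ? c$http$uri : "";

    if ( c$http?$caldera_file && c$http$caldera_file in agent_files )
        NOTICE([$note=SuspiciousFileDownload, $conn=c,
                $msg=fmt("Caldera file download detected: file '%s', platform '%s', User-Agent '%s'",
                         c$http$caldera_file, c$http?$caldera_platform ? c$http$caldera_platform : "?", ua),
                $identifier=cat(c$id$orig_h, c$id$resp_h, c$http$caldera_file)]);

    # Beacon: known URI plus the User-Agent of the agent that uses it (default 1h suppression per pair).
    if ( uri in beacon_uris && beacon_uas[uri] in ua )
        NOTICE([$note=C2Detected, $conn=c,
                $msg=fmt("Potential %s beacon detected to %s with User-Agent '%s'", beacon_uris[uri], uri, ua),
                $identifier=cat(c$id$orig_h, c$id$resp_h, uri)]);
}
```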
Here are example detections in “notice.log” for the Sandcat PCAP:
#separator \x09
#set_separator ,
#empty_field (empty)
#unset_field -
#path notice
#open 2025-01-22-21-21-11
#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p fuid file_mime_type file_desc proto note msg sub src dst p n peer_descr actions email_dest suppress_for remote_location.country_code remote_location.region remote_location.city remote_location.latitude remote_location.longitude
#types time string addr port addr port string string string enum enum string string addr addr port count string set[enum] set[string] interval string string string double double
1734546921.034784 CHhAvVGS1DHFjwGM9 172.18.0.3 58326 172.18.0.2 8888 - - - tcp Caldera::SuspiciousFileDownload Caldera file download detected: file 'sandcat.go', platform 'linux', User-Agent 'curl/7.68.0' - 172.18.0.3 172.18.0.2 8888 - - Notice::ACTION_LOG (empty) 3600.000000 - - - - - -
1734546938.807708 C4J4Th3PJpwUYZZ6gc 172.18.0.3 35540 172.18.0.2 8888 - - - tcp Caldera::C2Detected Potential Sandcat beacon detected to /beacon with User-Agent 'Go-http-client/1.1' - 172.18.0.3 172.18.0.2 8888 - - Notice::ACTION_LOG (empty) 3600.000000 - - - - -
#close 2025-01-22-21-21-11
Detecting MITRE Caldera requires an in-depth understanding of its agents and their behaviors. The Zeek Caldera detector demonstrates a practical approach to identifying suspicious activities associated with Caldera’s simulated adversarial tactics. By leveraging signature-based detection, HTTP traffic analysis, and event-driven logic, this package helps security teams to monitor their networks for indicators of compromise and improve their overall readiness against real-world threats.
You can install this detector from Corelight’s GitHub repo located at:
https://github.com/corelight/zeek-caldera-detector/tree/master
For more about Zeek and the data it provides, visit our website.