
Understand and detect MITRE Caldera with Zeek®

What is MITRE Caldera?

MITRE’s Caldera is a cybersecurity platform developed to simulate adversarial tactics, techniques, and procedures (TTPs). Built upon the MITRE ATT&CK framework, Caldera is an open-source tool designed to help cybersecurity professionals and organizations assess their defenses, uncover vulnerabilities, and enhance their overall security posture. By emulating real-world cyber threats, Caldera enables blue teams to test detection and response mechanisms under realistic conditions.

Caldera includes a suite of plug-ins that support various adversarial activities, such as lateral movement, privilege escalation, and data exfiltration. It also features built-in agents that mimic command-and-control (C2) communications. Understanding these agents' activities is crucial for detecting and mitigating simulated attacks.

Detecting MITRE Caldera with Zeek

Zeek® is a powerful open-source network security monitoring tool that analyzes network traffic and detects suspicious activity. The Zeek script in this detector’s GitHub repo demonstrates a robust detection mechanism for identifying C2 activities and file download events associated with MITRE Caldera’s agents, such as Sandcat, Manx, and Ragdoll.

Detection logic explained

The Zeek code in this repository implements a multi-layered approach to detect Caldera activities by leveraging signatures, event handlers, and custom notices. Below is a breakdown of how this detection logic works:

Agent downloads

One common step is a user downloading a Caldera agent onto one of the hosts involved in the blue teaming effort. The agent is usually fetched with a curl command line that Caldera provides to the user. Agent downloads typically look like the TCP trace pictured below, with the file name in the request set to the agent being fetched, such as manx.go, sandcat.go, or ragdoll.py:

[Wireshark screenshot: Caldera agent download over HTTP]

Event-driven detection of HTTP file downloads

The Zeek code monitors HTTP headers and file download requests to detect suspicious activity involving Caldera agents:

[Screenshot of the Zeek script: HTTP header monitoring]

How it works:

  • Header Analysis: Zeek inspects HTTP headers for file download requests (e.g., POST /file/download) and matches specific filenames (e.g., sandcat.go, manx.go, ragdoll.py).
  • Suspicious File Identification: Flags downloads of files commonly associated with Caldera agents.
  • Custom Notices: Generates a Caldera::SuspiciousFileDownload notice with contextual information such as the filename, platform, and User-Agent string.

Manx network evidence

Loading the test PCAPs from the detector’s GitHub repo in Wireshark shows the communications we will try to detect. The TCP variant of Manx C2 looks like this:

[Wireshark screenshots: Manx TCP C2]

Manx UDP traffic contains a JSON dictionary:

[Wireshark screenshot: Manx UDP JSON dictionary]

Manx UDP also uses a simple “reply” message from the server to acknowledge messages:

[Wireshark screenshot: Manx UDP “roger” reply]

Note that this “roger” reply happens on a different set of UDP ports, so it belongs to a different UDP connection in Zeek terms. In the next section, we will use Zeek signatures to detect this C2 activity.

Signature-based detection for Manx C2 communications

The Caldera detector includes several Zeek signatures to identify network traffic patterns indicative of Manx C2 communications over TCP and UDP protocols:

[Screenshot of the Zeek signatures for Manx C2]

Key components:

  • TCP/UDP Protocol Identification: The signatures explicitly match TCP and UDP traffic to focus on relevant C2 channels.
  • Payload Inspection: Regular expressions detect JSON fields such as architecture, exe_name (e.g., manx.go), and platform in the payload.
  • Reply Matching: A simple signature identifies “roger”, a common acknowledgment keyword in Manx UDP C2 communications.
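The signatures below are an added example of the three patterns just described, written in Zeek's signature syntax; they are not the detector's own signatures. The JSON field names come from this post, while the exact Manx payload layout and the bare “roger” reply are assumptions noted in the comments.

```zeek
# caldera-manx.sig: added example signatures, not the detector's own. Load them
# from a Zeek script with `@load-sigs ./caldera-manx.sig`.
# Zeek anchors a payload regex at the start of the payload, hence the leading `.*`.
# Field names come from the post; the JSON layout (no whitespace, as Go's encoder
# emits) and the bare "roger" reply are assumptions about the Manx agent.

# Manx beacon over TCP: a JSON dictionary naming the agent binary.
signature caldera-manx-tcp-beacon {
    ip-proto == tcp
    payload /.*"exe_name" *: *"manx\.go"/
    event "Caldera Manx TCP C2 beacon"
}

# The same dictionary carried in a UDP datagram.
signature caldera-manx-udp-beacon {
    ip-proto == udp
    payload /.*"exe_name" *: *"manx\.go"/
    event "Caldera Manx UDP C2 beacon"
}

# Server acknowledgement; it arrives on a different UDP port pair, so it is a
# separate connection in Zeek terms and needs its own signature. The size bound
# keeps the short keyword from matching inside unrelated larger datagrams.
signature caldera-manx-udp-roger {
    ip-proto == udp
    payload-size < 16
    payload /roger/
    event "Caldera Manx UDP C2 acknowledgement"
}
```

Matches are reported through Zeek's signature framework (signatures.log and, by default, the Signatures::Sensitive_Signature notice); a signature_match handler can instead raise a Caldera-specific Notice::Type so the alert lands in notice.log alongside the HTTP detections.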

Sandcat and Ragdoll network evidence

Sandcat C2 uses a Go user agent with the “/beacon” URI. It typically transmits base64-encoded data in the payload, but it could use a different encoding method if the Caldera user changes it:

[Wireshark screenshot: Sandcat /beacon request]

Ragdoll uses the URI “/weather” with a Python user agent:

[Wireshark screenshot: Ragdoll /weather request]

We will use this network evidence to craft some Zeek code to detect Sandcat and Ragdoll usage below.

Beacon and C2 activity detection

The detector identifies beaconing activity and Ragdoll/Sandcat C2 communications through URI and User-Agent string inspection:

[Screenshot of the Zeek script: beacon and C2 detection]

Key highlights:

  • Sandcat Beaconing: Matches /beacon URIs with User-Agent strings like Go-http-client.
  • Ragdoll C2 Activity: Detects /weather URIs and User-Agent strings containing “python-requests/”.
  • Detailed Notifications: Generates notices with URI and User-Agent details to facilitate investigation.
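The script below is an added example covering both the agent-download detection described earlier (file name and platform matched from the request headers on POST /file/download) and the Sandcat and Ragdoll URI and User-Agent checks in this section; it is not the detector's own code. It assumes a recent Zeek (the five-argument http_header event) and that the download request carries the file name and platform in headers named file and platform, which this post does not spell out.

```zeek
@load base/frameworks/notice
@load base/protocols/http

module Caldera;

export {
    redef enum Notice::Type += {
        SuspiciousFileDownload,  # agent file requested via POST /file/download
        SandcatBeacon,           # /beacon with a Go HTTP client User-Agent
        RagdollC2,               # /weather with a python-requests User-Agent
    };
    # Agent file names to flag; extend with redef as needed.
    const suspicious_files: set[string] = { "sandcat.go", "manx.go", "ragdoll.py" } &redef;
}
# Assumed header names (file, platform) on the Caldera download request; also logged to http.log.
redef record HTTP::Info += {
    caldera_file: string &log &optional;
    caldera_platform: string &log &optional;
};
# Zeek upper-cases `name`; `original_name` keeps the client's spelling.
event http_header(c: connection, is_orig: bool, original_name: string, name: string, value: string)
{
    if ( ! is_orig || ! c?$http )
        return;
    if ( name == "FILE" && value in suspicious_files )
        c$http$caldera_file = value;
    else if ( name == "PLATFORM" )
        c$http$caldera_platform = value;
}
# Decide once the whole request has been seen, so header order does not matter.
event http_message_done(c: connection, is_orig: bool, stat: http_message_stat)
{
    if ( ! is_orig || ! c?$http )
        return;
    local uri = c$http?$uri ? c$http$uri : "";
    local ua = c$http?$user_agent ? c$http$user_agent : "<none>";
    local platform = c$http?$caldera_platform ? c$http$caldera_platform : "unknown";
    if ( c$http?$caldera_file && /^\/file\/download/ in uri )
        NOTICE([$note=SuspiciousFileDownload, $conn=c, $sub=ua,
                $msg=fmt("Caldera agent download: %s (platform %s)", c$http$caldera_file, platform),
                $identifier=cat(c$id$orig_h, c$id$resp_h, c$http$caldera_file)]);
    else if ( /^\/beacon/ in uri && /^Go-http-client/ in ua )
        NOTICE([$note=SandcatBeacon, $conn=c, $sub=ua,
                $msg=fmt("Sandcat beacon to %s", uri), $identifier=cat(c$id$orig_h, c$id$resp_h)]);
    else if ( /^\/weather/ in uri && /python-requests\// in ua )
        NOTICE([$note=RagdollC2, $conn=c, $sub=ua,
                $msg=fmt("Ragdoll C2 request to %s", uri), $identifier=cat(c$id$orig_h, c$id$resp_h)]);
}
```

Run it against the repo's test PCAPs with `zeek -r <pcap> caldera.zeek` and read notice.log; the $identifier fields let Notice::Policy suppress repeats per host pair, which matters for a beacon that fires every few seconds.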

Strengths of this detection logic:

  • Comprehensive Coverage: The script addresses multiple Caldera agents (Manx, Sandcat, and Ragdoll) and communication patterns.
  • Customizable Detection: Users can add or modify suspicious filenames and header values as needed.
  • Detailed Alerts: Provides rich contextual information to assist analysts in understanding and responding to threats.

Detection examples

Here are example detections in “notice.log” for the Sandcat PCAP:

[Screenshot: notice.log entries for the Sandcat PCAP]

Conclusion

Detecting MITRE Caldera requires an in-depth understanding of its agents and their behaviors. The Zeek Caldera detector demonstrates a practical approach to identifying suspicious activities associated with Caldera’s simulated adversarial tactics. By leveraging signature-based detection, HTTP traffic analysis, and event-driven logic, this package helps security teams monitor their networks for indicators of compromise and improve their overall readiness against real-world threats.

You can install this detector from Corelight’s GitHub repo located at:
https://github.com/corelight/zeek-caldera-detector/tree/master

For more about Zeek and the data it provides, visit our website.
