Corelight Bright Ideas Blog: NDR & Threat Hunting Blog

Understand and detect MITRE Caldera with Zeek® | Corelight

Written by Keith J. Jones | Feb 14, 2025 5:49:53 PM

What is MITRE Caldera?

MITRE’s Caldera is an open-source adversary emulation platform built on the MITRE ATT&CK framework. It lets security teams run adversarial tactics, techniques, and procedures (TTPs) against their own environment in order to assess defenses, uncover gaps, and improve their overall security posture. By emulating real-world attacker behavior, Caldera gives blue teams a way to test detection and response mechanisms under realistic conditions.

Caldera ships with a suite of plug-ins that support a range of adversarial activity, such as lateral movement, privilege escalation, and data exfiltration. It also includes built-in agents whose check-in traffic mimics real command-and-control (C2) communications. Understanding how these agents talk to the Caldera server is the key to detecting a Caldera exercise on the wire.

Detecting MITRE Caldera with Zeek

Zeek® is an open-source network security monitoring platform that analyzes network traffic, logs protocol activity, and flags suspicious behavior. The Zeek package in this detector’s GitHub repo identifies C2 activity and agent download events for Caldera’s agents, including Sandcat, Manx, and Ragdoll.

Detection logic explained

The Zeek code in this repository combines three mechanisms to detect Caldera activity: signatures over packet payloads, event handlers over HTTP traffic, and custom notices that carry the context an analyst needs. Below is a breakdown of how each part works:

Agent downloads

One common first step is a user downloading a Caldera agent onto one of the hosts taking part in the exercise. The agent is usually fetched with a curl command line that the Caldera UI provides. Agent downloads typically look like the TCP trace pictured below, with the file name in the request replaced by the agent being fetched, such as manx.go, sandcat.go, or ragdoll.py:

Event-driven detection of HTTP file downloads

The Zeek code watches the headers of HTTP file download requests to catch Caldera agents being fetched:

How it works:

  • Header Analysis: Zeek inspects the headers of file download requests (e.g., POST /file/download) and compares the requested filename against a list of known agent names (e.g., sandcat.go, manx.go, ragdoll.py).
  • Suspicious File Identification: Flags downloads of files commonly associated with Caldera agents.
  • Custom Notices: Generates a Caldera::SuspiciousFileDownload notice with contextual information such as the filename, platform, and User-Agent string.

Manx network evidence

Loading the test PCAPs from the detector’s GitHub repo in Wireshark shows the communications we want to detect. The Manx TCP C2 channel looks like this:

Manx UDP traffic contains a JSON dictionary:

Manx UDP also uses a simple “reply” message from the server to acknowledge messages:

Note that this “roger” reply travels on a different pair of UDP ports, so in Zeek terms it belongs to a different UDP connection from the check-in that prompted it. A signature therefore cannot see the check-in and its acknowledgment in the same connection, which is why the reply gets a signature of its own. In the next section, we use Zeek signatures to detect this C2 activity.

Signature-based detection for Manx C2 communications

The Caldera detector includes several Zeek signatures to identify network traffic patterns indicative of Manx C2 communications over TCP and UDP protocols:

Key components:

  • Protocol Scoping: Each signature is restricted to TCP or UDP, so it is only evaluated against the transport Manx actually uses for that channel.
  • Payload Inspection: Regular expressions over the payload look for the JSON fields of the Manx check-in, such as architecture, exe_name (e.g., manx.go), and platform.
  • Reply Matching: A simple signature matches “roger”, the acknowledgment the Manx server sends over UDP. On its own a five-byte payload match is a weak indicator, so treat it as corroboration of the check-in signature rather than as evidence by itself.
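To make the signature logic concrete, here is an added example (not the detector’s own Zeek signatures) that applies the same kind of protocol-scoped payload regexes in Python and groups hits per connection, so that the “roger” reply, which arrives on a different UDP port pair, is attributed to its own connection just as Zeek would. The JSON field layout, the sample values, the signature names, and the Manx ports 7010/7011 used in the constructed packets are assumptions, not taken from the page or the repo.

```python
"""Manx C2 signature matching over constructed TCP/UDP payloads (added example)."""
import json
import re
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class Packet:
    proto: str        # "tcp" or "udp"
    orig_h: str
    orig_p: int
    resp_h: str
    resp_p: int
    payload: bytes

    @property
    def conn_id(self) -> Tuple[str, str, int, str, int]:
        """Zeek-style connection identifier: transport plus the 4-tuple."""
        return (self.proto, self.orig_h, self.orig_p, self.resp_h, self.resp_p)


@dataclass(frozen=True)
class Signature:
    name: str
    proto: str
    patterns: Tuple[re.Pattern, ...]   # all conditions must hold, as in a Zeek signature


# Match each key of the Manx check-in JSON on its own so the signature does
# not depend on the order in which the agent serialises the dictionary.
MANX_JSON = (
    re.compile(rb'"architecture"\s*:'),
    re.compile(rb'"exe_name"\s*:\s*"manx\.go"'),
    re.compile(rb'"platform"\s*:'),
)

SIGNATURES = (
    Signature("caldera_manx_tcp_c2", "tcp", MANX_JSON),
    Signature("caldera_manx_udp_c2", "udp", MANX_JSON),
    # The acknowledgment is the entire datagram, so anchor both ends to
    # avoid firing on any payload that merely contains the word.
    Signature("caldera_manx_udp_roger", "udp", (re.compile(rb"\Aroger\Z"),)),
)


def match_packet(pkt: Packet) -> List[str]:
    """Names of signatures whose protocol and every payload condition match."""
    return [
        sig.name for sig in SIGNATURES
        if sig.proto == pkt.proto and all(p.search(pkt.payload) for p in sig.patterns)
    ]


def scan(packets: List[Packet]) -> Dict[Tuple[str, str, int, str, int], List[str]]:
    """Signature hits grouped per connection, deduplicated, in first-seen order."""
    hits: Dict[Tuple[str, str, int, str, int], List[str]] = defaultdict(list)
    for pkt in packets:
        for name in match_packet(pkt):
            if name not in hits[pkt.conn_id]:
                hits[pkt.conn_id].append(name)
    return dict(hits)


# Constructed check-in (assumed field layout; not a captured Manx message).
CHECKIN = json.dumps({
    "architecture": "amd64", "exe_name": "manx.go", "platform": "linux",
    "paw": "kx2f9a", "pid": 4242,
}).encode()

# Constructed sample packets: TCP and UDP check-ins, the "roger" reply on a
# different UDP port pair, and two benign look-alikes.
SAMPLE_PACKETS = [
    Packet("tcp", "10.0.0.5", 39012, "10.0.0.2", 7010, CHECKIN),
    Packet("udp", "10.0.0.5", 41000, "10.0.0.2", 7011, CHECKIN),
    Packet("udp", "10.0.0.2", 50001, "10.0.0.5", 41001, b"roger"),
    Packet("udp", "10.0.0.9", 5353, "224.0.0.251", 5353, b"roger that, over"),
    Packet("tcp", "10.0.0.6", 40100, "10.0.0.2", 8888,
           b'{"architecture":"amd64","exe_name":"sandcat.go","platform":"linux"}'),
]


if __name__ == "__main__":
    for conn, names in scan(SAMPLE_PACKETS).items():
        print(conn, names)
```

Because the reply lands in a separate connection, correlating the roger hit with the check-in that preceded it (same host pair, close in time) is work that has to happen above the signature layer, in script logic or in the analyst's query over the resulting notices.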

Sandcat and Ragdoll network evidence

Sandcat C2 uses a Go HTTP client User-Agent and the “/beacon” URI. It typically sends base64 encoded data in the request body, but a Caldera user can configure a different encoding:

Ragdoll uses the URI “/weather” with a Python user agent:

We will use this network evidence to craft some Zeek code to detect Sandcat and Ragdoll usage below.

Beacon and C2 activity detection

The detector identifies Sandcat beaconing and Ragdoll C2 communications by inspecting the URI and User-Agent string together. Both user agents are common in benign traffic, so the URI is the discriminating part of each match:

Key highlights:

  • Sandcat Beaconing: Matches /beacon URIs with User-Agent strings like Go-http-client.
  • Ragdoll C2 Activity: Matches /weather URIs with User-Agent strings containing “python-requests/”.
  • Detailed Notifications: Generates notices carrying the URI and User-Agent to support investigation.
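The following added example (not the Corelight detector’s own Zeek code) implements both HTTP checks described above, the agent download detection from the “Event-driven detection of HTTP file downloads” section and the beacon and C2 detection from this section, in Python over constructed request records so the logic can be exercised offline. Assumptions not stated on the page: the download request carries the agent name in a request header called “file” and the target OS in one called “platform” (both header names are hypothetical here), and the notice names Caldera::SandcatBeacon and Caldera::RagdollC2 are placeholders; only Caldera::SuspiciousFileDownload comes from the page.

```python
"""Caldera HTTP detections run over constructed request records (added example)."""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Filenames the post associates with Caldera agents; compared lower-cased.
SUSPICIOUS_FILES = {"sandcat.go", "manx.go", "ragdoll.py"}

# User-Agent patterns for the two HTTP agents.
GO_UA = re.compile(r"^Go-http-client/")
PY_REQUESTS_UA = re.compile(r"python-requests/")


@dataclass
class HttpRequest:
    """One client request as Zeek sees it: endpoints, method, URI, headers."""
    orig_h: str
    resp_h: str
    resp_p: int
    method: str
    uri: str
    headers: Dict[str, str] = field(default_factory=dict)

    def header(self, name: str) -> Optional[str]:
        """Case-insensitive lookup; Zeek's http_header event upper-cases names."""
        want = name.upper()
        for k, v in self.headers.items():
            if k.upper() == want:
                return v
        return None


@dataclass
class Notice:
    note: str   # e.g. "Caldera::SuspiciousFileDownload"
    src: str
    dst: str
    msg: str


def check_request(req: HttpRequest) -> List[Notice]:
    """Apply the three Caldera checks to one request and return any notices."""
    notices: List[Notice] = []
    ua = req.header("User-Agent") or ""
    dst = f"{req.resp_h}:{req.resp_p}"
    path = req.uri.split("?", 1)[0]   # compare the path only, not the query string

    # 1. Agent download: POST /file/download naming a known agent file in
    #    the (assumed) "file" header; the (assumed) "platform" header is
    #    carried into the notice for context.
    fname = (req.header("file") or "").strip().lower()
    if req.method == "POST" and path == "/file/download" and fname in SUSPICIOUS_FILES:
        platform = req.header("platform") or "unknown"
        notices.append(Notice("Caldera::SuspiciousFileDownload", req.orig_h, dst,
                              f"file={fname} platform={platform} ua={ua}"))

    # 2. Sandcat beacon: /beacon URI from a Go HTTP client.
    if path == "/beacon" and GO_UA.search(ua):
        notices.append(Notice("Caldera::SandcatBeacon", req.orig_h, dst,
                              f"uri={req.uri} ua={ua}"))

    # 3. Ragdoll C2: /weather URI from python-requests.
    if path == "/weather" and PY_REQUESTS_UA.search(ua):
        notices.append(Notice("Caldera::RagdollC2", req.orig_h, dst,
                              f"uri={req.uri} ua={ua}"))
    return notices


def scan(requests: List[HttpRequest]) -> List[Notice]:
    """Run check_request over a request stream, preserving order."""
    found: List[Notice] = []
    for req in requests:
        found.extend(check_request(req))
    return found


# Constructed sample traffic (not taken from the repo's PCAPs): a download
# of each agent, a Sandcat beacon, a Ragdoll check-in, and three benign
# look-alikes that share a URI or a User-Agent with an agent but not both.
SAMPLE_REQUESTS = [
    HttpRequest("10.0.0.5", "10.0.0.2", 8888, "POST", "/file/download",
                {"file": "sandcat.go", "platform": "linux", "User-Agent": "curl/8.5.0"}),
    HttpRequest("10.0.0.6", "10.0.0.2", 8888, "POST", "/file/download",
                {"file": "manx.go", "platform": "windows", "User-Agent": "curl/8.5.0"}),
    HttpRequest("10.0.0.7", "10.0.0.2", 8888, "POST", "/file/download",
                {"file": "ragdoll.py", "platform": "darwin", "User-Agent": "curl/8.5.0"}),
    HttpRequest("10.0.0.5", "10.0.0.2", 8888, "POST", "/beacon",
                {"User-Agent": "Go-http-client/1.1"}),
    HttpRequest("10.0.0.7", "10.0.0.2", 8888, "POST", "/weather",
                {"User-Agent": "python-requests/2.31.0"}),
    HttpRequest("10.0.0.9", "10.0.0.2", 8888, "GET", "/beacon",
                {"User-Agent": "Mozilla/5.0"}),
    HttpRequest("10.0.0.9", "10.0.0.3", 80, "GET", "/weather?city=oslo",
                {"User-Agent": "Go-http-client/2.0"}),
    HttpRequest("10.0.0.9", "10.0.0.2", 8888, "POST", "/file/download",
                {"file": "notes.txt", "platform": "linux"}),
]


def sample_notice_types() -> List[str]:
    """Notice types raised for SAMPLE_REQUESTS, in order."""
    return [n.note for n in scan(SAMPLE_REQUESTS)]


if __name__ == "__main__":
    for n in scan(SAMPLE_REQUESTS):
        print(f"{n.note:34} {n.src} -> {n.dst}  {n.msg}")
```

The benign look-alikes are the point of the example: a browser on /beacon, a Go client on /weather, and a download of a file that is not an agent all pass through without a notice, which is what keeps the URI plus User-Agent pairing from drowning an analyst in hits on two very common user agents.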

Strengths of this detection logic:

  • Comprehensive Coverage: The script addresses multiple Caldera agents (Manx, Sandcat, and Ragdoll) and communication patterns.
  • Customizable Detection: Users can add or modify suspicious filenames and header values as needed.
  • Detailed Alerts: Provides rich contextual information to assist analysts in understanding and responding to threats.

Detection examples

Here are example detections in “notice.log” for the Sandcat PCAP:

Conclusion

Detecting MITRE Caldera requires an understanding of its agents and how they communicate with the server. The Zeek Caldera detector demonstrates a practical approach to identifying the activity that Caldera’s simulated adversarial tactics leave on the network. By combining signature-based detection, HTTP traffic analysis, and event-driven logic, this package helps security teams monitor their networks for these indicators and improve their readiness against real-world threats.

You can install this detector from Corelight’s GitHub repo located at:
https://github.com/corelight/zeek-caldera-detector/tree/master

For more about Zeek and the data it provides, visit our website.