Emulating complete, realistic cyber attack chains with the new Caldera Bounty Hunter plugin

MITRE Caldera


Authors: Louis Hackländer-Jansen

Disclaimer: This post comes from a contributor from the MITRE Caldera open-source community. The views, thoughts, and opinions expressed are those of the author and do not reflect the official view, policy or position of the MITRE Caldera team or the MITRE Corporation. The MITRE Caldera team has also reviewed the author’s content and code, and have found it to be of high quality and safe for open sourcing. The team expresses their appreciation to the author for their contribution of this high quality content.

This blog post introduces the Bounty Hunter — a novel MITRE Caldera™ plugin for intelligent cyber adversary emulation. Its main contribution is the emulation of complete, realistic cyber attack chains. The plugin is available on GitHub.

Recap: Caldera’s Decision Logic

Caldera uses planners to decide if, when, and how an ability of a given adversary profile should be executed during an operation. It comes with several planners out-of-the-box including new, more sophisticated planners that have been released in recent years, e.g., the Look Ahead Planner.

While these planners offer interesting use cases, they still have some limitations, e.g.:

  • Repeating a scenario results in the same behavior since the planners make deterministic decisions
  • Limited scope, e.g., no support for initial access or privilege escalation methods
  • Simulated attack behavior can include unrelated attack steps or unrealistic attack chains

To overcome these limitations, a new Caldera plugin was developed and implemented — the Bounty Hunter plugin.

The Bounty Hunter Plugin

The Bounty Hunter is a novel plugin for Caldera. Its biggest asset is the Bounty Hunter planner that allows the emulation of complete, realistic cyberattack chains. The Bounty Hunter’s key features are:

  • Weighted-Random Attack Behavior. The Bounty Hunter’s attack behavior is goal-oriented and reward-driven, similar to Caldera’s Look-Ahead Planner. But instead of picking the ability with the highest future reward value every time, it offers the possibility to pick the next ability weighted-randomly. This adds an uncertainty to the planner’s behavior which allows repeated runs of the same operation with different results. This is especially useful in training environments.
  • Support for Initial Access and Privilege Escalation. At the moment, no Caldera planner offers support for initial access or privilege escalation methods. The Bounty Hunter extends Caldera’s capabilities by offering support for both in a fully autonomous manner. This enables it to emulate complete cyberattack chains.
  • Further Configurations for More Sophisticated and Realistic Attack Behavior. The Bounty Hunter offers various configuration parameters, e.g., “locking” abilities, reward updates, and final abilities, to customize the emulated attack behavior.
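
The selection policy described in the first bullet can be shown in a few lines. The following is an added example written for this post, not the plugin's own planner code: it models a constructed toy adversary profile in which each ability has a reward, the facts it requires, and the facts it produces (the ability names, reward values and fact names are all assumptions). It contrasts a greedy policy, which always takes the highest-reward executable ability and therefore produces the same chain on every run, with a weighted-random policy whose choice probability is proportional to reward, so repeated runs of the same operation produce different chains while still ending at the final ability. As a simplification it weights by immediate reward only and does not reproduce the plugin's future-reward computation.

```python
import random
from dataclasses import dataclass


@dataclass(frozen=True)
class Ability:
    """Constructed stand-in for a Caldera ability: a name, a reward, the facts it
    needs before it can run, and the facts it produces when it succeeds."""
    name: str
    reward: float
    requires: frozenset = frozenset()
    provides: frozenset = frozenset()


# Constructed toy adversary profile (not the plugin's real abilities or reward values).
# The final ability needs both port information and user names, so every valid
# chain has to run both scans first, in either order.
ABILITIES = [
    Ability("host_scan", 1.0, provides=frozenset({"hosts"})),
    Ability("port_scan", 2.0, requires=frozenset({"hosts"}), provides=frozenset({"open_ports"})),
    Ability("enumerate_users", 2.0, requires=frozenset({"hosts"}), provides=frozenset({"usernames"})),
    Ability("final_goal", 10.0, requires=frozenset({"open_ports", "usernames"})),
]


def executable(abilities, facts, done):
    """Abilities not yet run whose required facts have all been collected."""
    return [a for a in abilities if a.name not in done and a.requires <= facts]


def pick_greedy(candidates, rng=None):
    """Deterministic policy: always the highest reward (ties go to the first listed)."""
    return max(candidates, key=lambda a: a.reward)


def pick_weighted(candidates, rng):
    """Weighted-random policy: probability proportional to reward, so high-reward
    abilities are preferred but not guaranteed to be chosen first."""
    return rng.choices(candidates, weights=[a.reward for a in candidates], k=1)[0]


def plan(abilities, final, policy, rng=None):
    """Run one simulated operation and return the ordered list of ability names."""
    facts, done, chain = set(), set(), []
    while True:
        candidates = executable(abilities, facts, done)
        if not candidates:
            break                      # nothing left that can run: goal unreachable
        chosen = policy(candidates, rng)
        chain.append(chosen.name)
        done.add(chosen.name)
        facts |= chosen.provides       # the facts this step produced link to later steps
        if chosen.name == final:
            break                      # goal reached, the operation ends
    return chain


def distinct_chains(n_seeds, final="final_goal"):
    """Set of distinct chains the weighted policy produces over n_seeds seeded runs."""
    return {tuple(plan(ABILITIES, final, pick_weighted, random.Random(s))) for s in range(n_seeds)}


if __name__ == "__main__":
    print("greedy:  ", plan(ABILITIES, "final_goal", pick_greedy))
    for chain in sorted(distinct_chains(30)):
        print("weighted:", chain)
```

With this profile the greedy policy always yields host scan, port scan, user enumeration, final goal, while the weighted policy yields both possible orderings of the two scans across seeds; a profile from which the final ability's requirements can never be satisfied simply ends the chain early, which is the case a planner has to handle when a required fact is never collected.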

The following two sections introduce two example scenarios to showcase the capabilities of the Bounty Hunter. The first example describes how it emulates complete cyberattack chains, including initial access and privilege escalation. In the second scenario, the Bounty Hunter is tasked with emulating a multi-step attack based on an APT29 campaign to demonstrate its capabilities in execution variability and goal attainment.

Scenario #1 — Initial Access and Privilege Escalation

This example scenario demonstrates how the Bounty Hunter is able to perform initial access and privilege escalation autonomously. The results of the demo operation using the Bounty Hunter and a demo adversary profile are shown in the picture below.

Example operation to demonstrate Initial Access and Privilege Escalation with the Bounty Hunter and a demo adversary profile. Note how three different agents are used during the different phases.

The operation is started with a Caldera agent (`yjjtqs`) running on the same machine as the Caldera server, i.e., a machine that is already controlled by the adversary.

As the first step, the Bounty Hunter executes an Nmap host scan to find potential targets, followed by an Nmap port scan of the found systems to gather information about them. Depending on the gathered port, service, and version information, an initial access agenda is chosen and executed.

In this scenario, the emulated adversary found an open SSH port and decides to try an SSH brute force attack. It successfully gathers valid SSH credentials and uses them to copy and start a new Caldera agent on the target machine (`ycchap`).

Next, the Bounty Hunter detects that it needs elevated privileges for its chosen final ability (`Credential Dumping`) and decides to start a privilege escalation by running a UAC Bypass. As a result of this step, a new elevated agent is started (`ebdwxy`) and the final ability can be executed, concluding the operation.

Scenario #2 — Emulating an APT29 Campaign

The level of complexity the Bounty Hunter plugin supports was tested using the APT29 Day2 data from the adversary emulation library, published by the Center for Threat-Informed Defense.

The resulting attack chain including fact-links between steps is shown in the figure below.

Example operation to demonstrate the level of complexity the Bounty Hunter supports based on an APT29 campaign. During the campaign, a Windows Active Directory Domain is compromised by running a Kerberos Golden Ticket Attack.

The test showed that the Bounty Hunter is able to initially access a Windows Workstation using SSH brute force, elevate its privileges automatically using a Windows UAC Bypass, and finally compromise the whole domain using a Kerberos Golden Ticket Attack.

To achieve its goal, the Bounty Hunter was only provided with a high reward for the final ability that executes a command using the Golden Ticket and the name of the interface to scan initially. All other information needed for the successful execution, including the domain name, domain admin credentials, SID values, and NTLM hashes, was collected autonomously.

Configuration of the Bounty Hunter

The Bounty Hunter can be configured in various ways to further customize the emulated attack behavior. Possible configurations range from custom ability rewards and final or locked abilities to custom ability reward updates.

For detailed information on the configuration possibilities, please refer to the description in the GitHub repository.

Conclusion

To overcome some limitations of Caldera’s planners, a new Caldera plugin — the Bounty Hunter — was developed and implemented. The capabilities of the Bounty Hunter were demonstrated in two different scenarios, showing that it is capable of emulating initial access and privilege escalation methods as well as handling complex, multi-step cyber attack chains, e.g., an attack based on an APT29 campaign. The Bounty Hunter has been released on GitHub with (deliberately unsophisticated) proof-of-concept attacks for Windows and Linux targets.

Resources

Caldera Homepage

Caldera GitHub

Caldera Documentation

Caldera Users Slack
