mitre / caldera

Automated Adversary Emulation Platform
https://caldera.mitre.org
Apache License 2.0

How does Stockpile work? No Agents #371

Closed dfirence closed 5 years ago

dfirence commented 5 years ago

Hi need some guidance. How does stockpile work?

I see my agents under ADVERSARY PLUGIN in the UI.

I DO NOT see my same agents under the CHAIN UI Section.

My CONF/LOCAL.YML has it enabled.

I really would like to use this and avoid using the Adversary Plugin to write tests.

Please help

ghost commented 5 years ago

Stockpile works by loading all TTPs (abilities) and adversary profiles into the database so they're available to use.

Once you have CALDERA running, you'll want to start a 54ndc47 agent (https://github.com/mitre/caldera/wiki/Plugin:-sandcat) which will show up under the "chain mode" groups.

hint: If you're using a fresh (recursive) clone of CALDERA, I would go through the "mission #1" operation on the README page to see if that helps connect the dots.

dfirence commented 5 years ago

@privateducky

This makes sense now, thanks for that. One last question. Does the CHAIN MODE now allow for multicast instructions on victim machines, unlike in Adversary mode, where you seem to have to only initiate procedures with an "initial foothold" endpoint and from there pivot within the network?

So I am asking: with the SANDCAT Agent and CHAIN MODE, can I send procedure instructions simultaneously to any victim machine that is running the SANDCAT.EXE Agent?

ghost commented 5 years ago

yep; you can send instructions to any hosts running sandcat.exe.

In Chain mode, you are only required to have a single agent on a single host to start the operation (you can direct it to laterally move). You can start an operation with as many sandcat.exe's running on remote hosts as you want.