A plugin supplying Caldera with TTPs from the Center for Threat Informed Defense (CTID) Adversary Emulation Plans.
Using the Emu plugin with Caldera will enable users to access the adversary profiles contained in the CTID Adversary Emulation Library.
To run Caldera along with the Emu plugin:
- Download Caldera as detailed in the Installation Guide
- Enable the Emu plugin by adding `- emu` to the list of enabled plugins in `conf/local.yml` or `conf/default.yml` (if running Caldera in insecure mode)
- Start Caldera to automatically download the Adversary Emulation Library to the `data` folder of the Emu plugin.
- Stop Caldera.
- Some adversaries require additional payloads and executables. Run the `download_payloads.sh` script to download these binaries to the `payloads` directory.
- Start Caldera again. The Emu plugin will appear on the left sidebar of the Caldera server, and the Adversary Emulation Library adversary profiles will be available from the Adversary tab of the Caldera server.
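The following shell helpers are an added example (not part of Caldera or the Emu plugin) that carry out the "enable the plugin" step above idempotently and check that both download steps have run. The `data/` and `payloads/` layout under the plugin directory and the function names are assumptions.

```shell
# Added example, not part of Caldera or the Emu plugin: enable the plugin in a
# Caldera config file idempotently and check that the library and payload
# downloads have run. The data/ and payloads/ layout under PLUGIN_DIR is assumed.

# enable_emu_plugin CONF_FILE
# Adds "- emu" directly under the top-level "plugins:" key unless it is already
# listed, reusing the indentation of the existing list items. Point it at
# conf/local.yml so conf/default.yml (used for insecure mode) stays untouched.
enable_emu_plugin() {
    conf="$1"
    if emu_plugin_is_enabled "$conf"; then
        echo "emu already enabled in $conf"
        return 0
    fi
    if ! grep -q '^plugins:' "$conf"; then
        echo "no top-level plugins: key in $conf" >&2
        return 1
    fi
    awk '
        ins && /^[ \t]*-/ { match($0, /^[ \t]*/); print substr($0, 1, RLENGTH) "- emu"; ins = 0 }
        ins               { print "- emu"; ins = 0 }
                          { print }
        /^plugins:/       { ins = 1 }
        END               { if (ins) print "- emu" }
    ' "$conf" > "$conf.tmp" && mv "$conf.tmp" "$conf"
    echo "enabled emu in $conf"
}

# emu_plugin_is_enabled CONF_FILE -> exit status 0 if "- emu" is listed
emu_plugin_is_enabled() {
    grep -Eq '^[ \t]*-[ \t]*emu[ \t]*$' "$1"
}

# emu_downloads_ready PLUGIN_DIR -> exit status 0 when both downloads have run:
# data/ exists (library fetched on first start) and payloads/ is non-empty
# (download_payloads.sh has been run).
emu_downloads_ready() {
    dir="$1"
    if [ ! -d "$dir/data" ]; then
        echo "$dir/data missing: start Caldera once to fetch the library" >&2
        return 1
    fi
    if [ ! -d "$dir/payloads" ] || [ -z "$(ls -A "$dir/payloads" 2>/dev/null)" ]; then
        echo "$dir/payloads empty: run download_payloads.sh" >&2
        return 1
    fi
    return 0
}
```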
Each emulation plan has an adversary and a set of facts. Be sure to select the facts related to that adversary when starting an operation.
Because some payloads within the Adversary Emulation Library are encrypted, a Python script is used to automate the decryption, which requires installation of some dependencies. Depending on the host OS, pyminizip can be installed using the following:
- Ubuntu: apt-get install zlib1g
- MacOS: brew install zlib
- All OS's: pip3 install -r requirements.txt
See https://github.com/smihica/pyminizip for more information regarding pyminizip.