| caldera | EDRs | |
|---|---|---|
| 16 | 7 | |
| 5,191 | 1,889 | |
| 1.6% | - | |
| 9.1 | 0.0 | |
| 7 days ago | about 1 year ago | |
| Python | C | |
| Apache License 2.0 | - |
Stars - the number of stars that a project has on GitHub. Growth - month over month growth in stars.
Activity is a relative number indicating how actively a project is being developed. Recent commits have higher weight than older ones.
For example, an activity of 9.0 indicates that a project is amongst the top 10% of the most actively developed projects that we are tracking.
caldera
-
SOC Malware/Detection lab
Also, for the attack emulation part you might be interested in CALDERA.
- Automated penetration testing software?
-
Endpoint Attack Simulation
Mitre made Caldera to drive this. https://github.com/mitre/caldera
- Testing an XDR solution
-
Do you know the Mitre tool "Caldera"? How can I build a plugin for it?
Did you join the Slack and ask your question there, or on the discussion forum? The CALDERA team will answer... (both links are at https://caldera.mitre.org/)
- New blue team
- Attack simulation tool based on CVE
-
Attack Chain/Exploitation Path Diagram Generation Tools?
There's also a plugin for Caldera (https://github.com/mitre/caldera) called Pathfinder (https://github.com/center-for-threat-informed-defense/caldera_pathfinder and https://www.youtube.com/watch?v=gQRWkHFRG-s) that can help.
- Malware testing service/site for our EDR Testing of SentinelOne
- Worm/ Replicating virus for demonstrating spread/lateral movement through a network.
EDRs
-
Red team engagement help!
As for the shellcode. Just encrypt the shellcode and use some form of injection like QueueUserAPC injection. If the EDR does usermode hooking, remap NTDLL and Kernel32 first, if it’s kernel mode only (MDE for example) just patch either the Win32 API ETWEventWrite or NT api NTEventTrace with a ret (0x3c on 64 bit x86) an example is here https://github.com/Mr-Un1k0d3r/EDRs/blob/main/unhook_bof.c
-
Testing an XDR solution
Hi, RedCanary from Atomic Red Team is great, but you have to adapt it. Also here are some great infos regarding EDR and how to bypass them : https://github.com/Mr-Un1k0d3r/EDRs
- This repo contains information about EDRs that can be useful during red team exercise.
- Information on EDRs intended to support Red Teamers. The gaps and techniques documents are of huge value to Blue.
- Interesting stuff
-
What EDRs Hook on Microsoft Windows i.e. where the gaps exist in terms of telemetry / detection coverage
Source: https://github.com/Mr-Un1k0d3r/EDRs/pull/5
- EDRs - Hooked Functions from various EDR's
What are some alternatives?
Covenant - Covenant is a collaborative .NET C2 framework for red teamers.
atomic-red-team - Small and highly portable detection tests based on MITRE's ATT&CK.
Empire - Empire is a post-exploitation and adversary emulation framework that is used to aid Red Teams and Penetration Testers.
Limelighter - A tool for generating fake code signing certificates or signing real ones
CTF-Difficulty - This cheasheet is aimed at the CTF Players and Beginners to help them sort the CTF Challenges on the basis of Difficulties.
Freeze - Freeze is a payload toolkit for bypassing EDRs using suspended processes, direct syscalls, and alternative execution methods
Incident-Playbook - GOAL: Incident Response Playbooks Mapped to MITRE Attack Tactics and Techniques. [Contributors Friendly]
NSGenCS - Extendable payload obfuscation and delivery framework
Ghostwriter - The SpecterOps project management and reporting engine
CarbonCopy - A tool which creates a spoofed certificate of any online website and signs an Executable for AV Evasion. Works for both Windows and Linux
WSLab - Azure Stack HCI, Windows 10 and Windows Server rapid lab deployment scripts
SigThief - Stealing Signatures and Making One Invalid Signature at a Time