Requirements

Requirements are a mechanism used by CALDERA to determine whether an ability should be run in the course of an operation. By default, CALDERA supplies several requirements within the Stockpile plugin that can be used by an ability to ensure the ability only runs when the facts being used by the ability command meet certain criteria.

Requirements are defined in a Python module and are then referenced inside an ability by that module's path. Every requirement must be given at least a source fact to enforce the requirement on; depending on the module, it may also need an edge value and a target fact as arguments.

See Relationships for more information on relationship source, edge, and target values.

Example

Let’s look at the Impersonate User ability from Stockpile as an example.

- id: 3796a00b-b11d-4731-b4ca-275a07d83299
  name: Impersonate user
  description: Run an application as a different user
  tactic: execution
  technique:
    attack_id: T1059.001
    name: "Command and Scripting Interpreter: PowerShell"
  platforms:
    windows:
      psh:
        command: |
          $job = Start-Job -ScriptBlock {
            $username = '#{host.user.name}';
            $password = '#{host.user.password}';
            $securePassword = ConvertTo-SecureString $password -AsPlainText -Force;
            $credential = New-Object System.Management.Automation.PSCredential $username, $securePassword;
            Start-Process Notepad.exe -NoNewWindow -PassThru -Credential $credential;
          };
          Receive-Job -Job $job -Wait;
  requirements:
    - plugins.stockpile.app.requirements.paw_provenance:
      - source: host.user.name
    - plugins.stockpile.app.requirements.basic:
      - source: host.user.name
        edge: has_password
        target: host.user.password

Notice that the ability command uses two facts, host.user.name and host.user.password. The paw_provenance requirement enforces that only host.user.name facts discovered by the agent running the ability can be used (i.e. the fact originated from the same paw). Suppose this ability is run against two agents on two different hosts, and multiple host.user.name and host.user.password facts have been discovered on each. paw_provenance prevents facts discovered by the first agent on the first host from being used by the second agent on the second host. This ensures facts discovered locally on one host are only used on the host where they apply, for example when host.user.name is a local account that exists only on the host it was discovered on. The paw_provenance requirement could likewise be applied to discovered files, file paths, and running processes: all of these are host-local information that should only be used by the agent that discovered it, not globally by other agents running on other hosts in the operation.

Additionally, the basic requirement enforces that only host.user.name facts with an existing has_password relationship to an existing host.user.password fact may be used. Brute forcing every available combination of host.user.name and host.user.password facts could produce a high number of failed login attempts, each of which is logged on the target, or lock out an account entirely. The basic requirement ensures that the user and password combination used has a high chance of success, since the relationship between them was already established by a previous ability.

The combined effect of these requirements is that the CALDERA operation will only attempt reliable host.user.name and host.user.password combinations specific to the agent running the ability, instead of arbitrarily trying every combination of host.user.name and host.user.password facts available to that agent.
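To make the filtering concrete, here is an added example (not CALDERA's or Stockpile's own code) that models the two requirements over a constructed fact store. The Fact, Relationship, Link and Operation classes are simplified stand-ins for CALDERA's objects, and the `Requirement(requirement_info).enforce(link, operation) -> bool` shape is modelled on the Stockpile modules rather than copied from them; the paw names, facts and relationships are invented sample data. It enumerates every user/password combination a planner could try for an agent and then shows which survive paw_provenance, basic, and both together.

```python
"""Added example, not CALDERA's or Stockpile's own code: a minimal model of how
the paw_provenance and basic requirements filter the fact combinations an
ability link may use. The classes below are simplified stand-ins for CALDERA's
objects (assumption); enforce() mirrors the module interface only in shape."""
from dataclasses import dataclass
from itertools import product


@dataclass(frozen=True)
class Fact:
    trait: str          # e.g. 'host.user.name'
    value: str
    collected_by: str   # paw of the agent that discovered the fact


@dataclass(frozen=True)
class Relationship:
    source: Fact
    edge: str           # e.g. 'has_password'
    target: Fact


@dataclass
class Operation:
    facts: list
    relationships: list


@dataclass
class Link:
    paw: str            # agent the command would execute on
    used: list          # facts substituted into the command


class PawProvenance:
    """Stand-in for plugins.stockpile.app.requirements.paw_provenance: a used
    fact with the configured trait must have been collected by the link's paw."""

    def __init__(self, requirement_info):
        self.enforcements = requirement_info['enforcements']

    def enforce(self, link, operation):
        return all(fact.collected_by == link.paw
                   for fact in link.used
                   if fact.trait == self.enforcements['source'])


class Basic:
    """Stand-in for plugins.stockpile.app.requirements.basic: every used source
    fact must be joined to every used target fact by the configured edge in a
    relationship the operation already recorded."""

    def __init__(self, requirement_info):
        self.enforcements = requirement_info['enforcements']

    def enforce(self, link, operation):
        e = self.enforcements
        sources = [f for f in link.used if f.trait == e['source']]
        targets = [f for f in link.used if f.trait == e['target']]
        known = set(operation.relationships)
        return all(Relationship(s, e['edge'], t) in known
                   for s in sources for t in targets)


def candidate_links(paw, operation, traits):
    """Every combination of facts (one per trait) a planner could try for this
    paw if no requirement were enforced."""
    groups = [[f for f in operation.facts if f.trait == t] for t in traits]
    return [Link(paw, list(combo)) for combo in product(*groups)]


def allowed_links(paw, operation, requirements):
    """Candidate user/password links that satisfy every requirement."""
    traits = ('host.user.name', 'host.user.password')
    return [link for link in candidate_links(paw, operation, traits)
            if all(req.enforce(link, operation) for req in requirements)]


# Constructed sample data: two agents on two hosts, each of which discovered a
# local account and its password, plus one password with no known owner.
U1 = Fact('host.user.name', 'alice', 'paw-aaa')
P1 = Fact('host.user.password', 'Winter2024!', 'paw-aaa')
U2 = Fact('host.user.name', 'bob', 'paw-bbb')
P2 = Fact('host.user.password', 'Spring2024!', 'paw-bbb')
P3 = Fact('host.user.password', 'orphan', 'paw-aaa')
OPERATION = Operation(
    facts=[U1, P1, U2, P2, P3],
    relationships=[Relationship(U1, 'has_password', P1),
                   Relationship(U2, 'has_password', P2)],
)
# The same two requirements the Impersonate user ability declares.
REQUIREMENTS = [
    PawProvenance({'enforcements': {'source': 'host.user.name'}}),
    Basic({'enforcements': {'source': 'host.user.name',
                            'edge': 'has_password',
                            'target': 'host.user.password'}}),
]

if __name__ == '__main__':
    for paw in ('paw-aaa', 'paw-bbb'):
        unfiltered = candidate_links(paw, OPERATION, ('host.user.name', 'host.user.password'))
        print(paw, 'without requirements:', len(unfiltered), 'combinations')
        for link in allowed_links(paw, OPERATION, REQUIREMENTS):
            print(paw, 'allowed:', [f.value for f in link.used])
```

Running it shows the effect described above: each agent starts with six candidate combinations (two users times three passwords), paw_provenance alone cuts that to the three using the locally discovered user, basic alone cuts it to the two pairs with a recorded has_password relationship (including the other host's pair), and both together leave exactly one link per agent, the account and password discovered on that host.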