MITRE ATT&CK Caldera | Attack-macOS Plugin

A Caldera plugin to execute scripts from the attack-macOS library.


Agent Compatibility

| Agent   | Platform | Compatibility  | Notes                              |
|---------|----------|----------------|------------------------------------|
| Sandcat | macOS    | ✅ Supported   | Primary agent for macOS operations |
| Manx    | macOS    | ❌ Not tested  | May work but untested              |
| Ragdoll | macOS    | ❌ Not tested  | May work but untested              |

Dependencies

Plugin Dependencies: None

Target System Requirements:

| Component           | Requirement          | Notes                         |
|---------------------|----------------------|-------------------------------|
| Operating System    | macOS 13+ (Ventura)  | Tested on Darwin 22.6.0       |
| Native Tools        | LOLBins only         | Uses built-in macOS commands  |
| Additional Software | None                 | Living Off The Land approach  |

Plugin Repository

🔗 armadoinc/caldera-plugin-attack-macos

Installation

cd /path/to/caldera
curl -sSL https://raw.githubusercontent.com/armadoinc/caldera-plugin-attack-macos/main/install.sh | bash

Installation Options

# Standard installation
curl -sSL https://raw.githubusercontent.com/armadoinc/caldera-plugin-attack-macos/main/install.sh | bash

# Use local attack-macOS directory
curl -sSL https://raw.githubusercontent.com/armadoinc/caldera-plugin-attack-macos/main/install.sh | bash -s -- --local-path /path/to/attack-macOS

# Use custom repository
curl -sSL https://raw.githubusercontent.com/armadoinc/caldera-plugin-attack-macos/main/install.sh | bash -s -- --remote-repo user/fork-attack-macOS

# Use private repository
curl -sSL https://raw.githubusercontent.com/armadoinc/caldera-plugin-attack-macos/main/install.sh | bash -s -- --auth-token ghp_xxxxx

Syncing the Plugin

The sync script automatically manages dependencies and performs a two-phase sync process: updating plugin infrastructure files and transforming attack-macOS scripts into Caldera abilities with MITRE ATT&CK metadata.

Automatic Setup

  • Virtual Environment: Creates isolated Python environment with required dependencies (PyGithub, PyYAML)
  • Path Detection: Auto-detects Caldera installation from script location
  • Dependency Management: Installs/updates requirements automatically

Manual Sync

cd /path/to/caldera/plugins/attackmacos
python sync_plugin.py

Sync Options

# Default: Updates plugin files from plugin repo AND syncs abilities from attack-macOS repo
python sync_plugin.py

# Specify custom Caldera path (otherwise auto-detected)
python sync_plugin.py --caldera-path /path/to/caldera

# Use local attack-macOS directory instead of downloading from GitHub
python sync_plugin.py --local-path /path/to/attack-macOS

# Use different GitHub repository (default: armadoinc/attack-macOS)
python sync_plugin.py --remote-repo user/fork-attack-macOS

# Use authentication token for private repositories
python sync_plugin.py --auth-token ghp_xxxxx

# Sync abilities only (skip plugin infrastructure updates)
python sync_plugin.py --abilities

# Update plugin files only (skip abilities sync)
python sync_plugin.py --plugin

# Show help
python sync_plugin.py --help

What Gets Synced

Plugin Files (from caldera-plugin-attack-macos repository):

  • hook.py - Plugin initialization and registration
  • plugin-init.py - Plugin configuration
  • sync_plugin.py - This sync script
  • requirements.txt - Python dependencies

Abilities (from attack-macOS repository):

  • Shell Scripts: Copied from built script directories to data/payloads/
  • YAML Abilities: Auto-generated from YAML configurations in attackmacos/core/config/
  • MITRE ATT&CK Mapping: Technique IDs, tactics, and descriptions extracted from YAML configs
  • Full Commands: Complete command examples with realistic options

Processing Details

  1. YAML-First Discovery: Starts with YAML configurations in attackmacos/core/config/
  2. Script Mapping: Finds corresponding built scripts in attackmacos/ttp/[tactic]/shell/
  3. Command Generation: Extracts options from YAML to build full command examples
  4. Ability Creation: Creates Caldera abilities with proper MITRE ATT&CK metadata
  5. Payload Deployment: Scripts become deployable payloads via Caldera's payload system

Sync Schedule

  • Installation: Initial sync during plugin setup
  • Manual: Run sync_plugin.py to update after attack-macOS changes
  • Development: Sync after modifying attack-macOS scripts or YAML configs

Plugin Architecture

Full Command Approach

All abilities use complete, ready-to-execute commands:

command: ./browser_history.sh --safari --chrome --firefox --brave --format json
payloads:
  - browser_history.sh
cleanup:
  - rm -f #{location}/browser_history.sh
timeout: 300
delete_payload: true
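The YAML-to-ability transformation described under Processing Details, and the full-command ability layout shown just above, as an added example in Python. This is not the plugin's own sync_plugin.py: the config field names (name, description, technique_id, technique_name, tactic, script, options), the sample config, the UUID namespace and the exact Caldera ability key layout are assumptions. Beyond what the page shows, it validates the script name, every flag and the technique ID before they are interpolated into a shell command, which is the check a defender wants when a sync script turns files pulled from a remote repository into commands that Caldera will execute on agents.

```python
"""Build a Caldera ability record from an attack-macOS style config.

Added example, not the plugin's sync_plugin.py. Config field names and the
ability layout (id/name/tactic/technique/platforms) are assumptions.
"""
import re
import shlex
import uuid

# Constructed sample: roughly what PyYAML's safe_load would return for one
# file under attackmacos/core/config/ (hypothetical field names).
SAMPLE_CONFIG = {
    "name": "browser_history",
    "description": "Collect browser history from Safari, Chrome, Firefox and Brave",
    "technique_id": "T1217",
    "technique_name": "Browser Information Discovery",
    "tactic": "discovery",
    "script": "browser_history.sh",
    "options": [
        {"flag": "--safari"},
        {"flag": "--chrome"},
        {"flag": "--firefox"},
        {"flag": "--brave"},
        {"flag": "--format", "value": "json"},
    ],
}

# Fixed namespace (constructed value) so a script maps to the same ability id
# on every re-sync instead of creating duplicate abilities in Caldera.
ABILITY_NAMESPACE = uuid.UUID("7d1a1c0e-5b7e-4f4c-9c2e-2b7a0c1d9e11")

SCRIPT_NAME_RE = re.compile(r"^[A-Za-z0-9_.-]+\.sh$")   # bare filename only
TECHNIQUE_RE = re.compile(r"^T\d{4}(\.\d{3})?$")         # T1217 or T1217.001
FLAG_RE = re.compile(r"^--[a-z][a-z0-9-]*$")


def build_command(script: str, options: list) -> str:
    """Join the script and its flags into one command line.

    Each piece is validated or shell-quoted so a malformed or hostile config
    cannot append extra commands to the generated ability.
    """
    if not SCRIPT_NAME_RE.match(script):
        raise ValueError(f"unsafe script name: {script!r}")
    parts = [f"./{script}"]
    for opt in options:
        flag = opt["flag"]
        if not FLAG_RE.match(flag):
            raise ValueError(f"unsafe flag: {flag!r}")
        parts.append(flag)
        if "value" in opt:
            parts.append(shlex.quote(str(opt["value"])))
    return " ".join(parts)


def build_ability(config: dict, timeout: int = 300) -> dict:
    """Turn one loaded config into a Caldera ability dict with ATT&CK metadata."""
    technique_id = config["technique_id"]
    if not TECHNIQUE_RE.match(technique_id):
        raise ValueError(f"bad ATT&CK technique id: {technique_id!r}")
    script = config["script"]
    command = build_command(script, config.get("options", []))
    return {
        "id": str(uuid.uuid5(ABILITY_NAMESPACE, script)),
        "name": config["name"],
        "description": config["description"],
        "tactic": config["tactic"],
        "technique": {"attack_id": technique_id, "name": config["technique_name"]},
        "platforms": {
            "darwin": {
                "sh": {
                    "command": command,
                    "payloads": [script],
                    "cleanup": [f"rm -f #{{location}}/{script}"],
                    "timeout": timeout,
                }
            }
        },
        "delete_payload": True,
    }


def to_yaml(value, indent: int = 0) -> str:
    """Minimal YAML emitter for the dict/list/scalar shapes used above."""
    pad = "  " * indent
    if isinstance(value, dict):
        lines = []
        for k, v in value.items():
            if isinstance(v, (dict, list)):
                lines.append(f"{pad}{k}:\n{to_yaml(v, indent + 1)}")
            else:
                lines.append(f"{pad}{k}: {to_yaml(v)}")
        return "\n".join(lines)
    if isinstance(value, list):
        out = []
        for v in value:
            if isinstance(v, dict):
                body = to_yaml(v, indent + 1)
                out.append(pad + "- " + body[len(pad) + 2:])  # first key on the "- " line
            else:
                out.append(f"{pad}- {to_yaml(v)}")
        return "\n".join(out)
    if isinstance(value, bool):
        return "true" if value else "false"
    if isinstance(value, int):
        return str(value)
    # Quote strings that YAML would otherwise misread (e.g. the "#{location}" cleanup)
    return repr(value) if any(c in value for c in ":#{}") else value


if __name__ == "__main__":
    print(to_yaml([build_ability(SAMPLE_CONFIG)]))
```

Running the block prints one ability in the same shape as the snippet above (command, payloads, cleanup, timeout, delete_payload) under a darwin/sh executor. The deterministic uuid5 id is a deliberate choice: a sync that generates random ids on every run leaves stale duplicates in Caldera, whereas a stable id lets re-syncs overwrite in place.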

Ability Structure

Each attack-macOS script becomes a Caldera ability with:

  • Complete commands: Full option examples ready for execution
  • No fact dependencies: Self-contained commands
  • Direct editing: Operators modify commands in Caldera UI
  • MITRE ATT&CK mapping: Proper technique IDs and names from YAML configs

Operator Workflow

  1. Select ability from attack-macOS abilities in adversary profile
  2. Review command with pre-built realistic options
  3. Edit command directly in Caldera UI operation panel
  4. Execute customized command on target

Usage

Web Interface

  1. Create operation in Caldera
  2. Add attack-macOS ability to adversary profile
  3. Review and modify command in operation panel as needed
  4. Execute on target

Example Command Modification:

# Original generated command
./screen_capture.sh --screenshot --hidden --format json

# Modified by operator
./screen_capture.sh --all-methods --format csv --verbose

API Usage

import requests

# Execute ability with custom command
ability_data = {
    "paw": "target-agent-paw",
    "ability_id": "3b366584-63de-4b56-87fa-46eb2dd0f1e5",
    "command": "./modify_preferences.sh --login-hook --extend-sophos --format json"
}

# The KEY header carries the Caldera API key; the timeout keeps the call from
# hanging indefinitely if the server is unreachable
response = requests.post(
    "https://caldera-server:8888/api/v2/operations/operation-id/potential-links",
    headers={"KEY": "your-api-key"},
    json=ability_data,
    timeout=30
)
response.raise_for_status()  # surface HTTP errors instead of failing silently

Available Options

Each script supports comprehensive options accessible via:

./script_name.sh --help

Common patterns:

  • --format json|csv - Output format
  • --verbose - Detailed execution information
  • --log - Enable logging
  • Technique-specific options (documented per script)

License

Apache 2.0
