Purple Team | Caldera & Wazuh

Enes Cayvarlı
14 min readAug 19


Hi there, I’m glad to see you here. First and foremost, we know that a purple team is a group of cybersecurity professionals who simulate malicious attacks and penetration testing in order to identify security vulnerabilities and recommend remediation strategies for an organization’s IT infrastructure. Embracing the mindset of “Purple Teaming”, which unites the perspectives of both attackers and defenders, let’s imagine ourselves as members of a purple team and investigate how to conduct attack simulations while also exploring how to detect these attacks. If you’re ready, let’s get started!


Introduction to Caldera

CALDERA™ is a cyber security framework designed to easily run autonomous breach-and-simulation exercises. It can also be used to run manual red-team engagements or automated incident response. Caldera is built on the MITRE ATT&CK™ framework and is an active research project at MITRE.

🚀Caldera empowers cyber teams in four main ways:

Caldera Installation

➜ Start by cloning the Caldera repository recursively, pulling all available plugins.

❗️Note: It is recommended to pass the desired version/release (should be in x.x.x format). To install version 4.0.0, one would execute:

git clone https://github.com/mitre/caldera.git --recursive --branch 4.0.0

➜ Once the clone completes, we can jump in to the new caldera directory:

cd caldera

➜ Next, install the pip requirements:

pip3 install -r requirements.txt

➜ Finally, start the server:

python3 server.py --insecure

--insecure: Uses the conf/default.yml file for configuration.

➜ Once started, log in to “http://localhost:8888” with the red using the password found in the “conf/default.yml” file.

Username: red
Password: admin

Caldera Agent Deployment

Agents are software programs that connect back to Caldera at certain intervals to get instructions. Agents communicate with the Caldera server via a contact method, initially defined at agent install.

Connect the Caldera agent to the Caldera server using the following steps:

➜ Navigate to the “agents” tab in Caldera.

➜ Click on the “Deploy an agent” button.

➜ Choose an agent (Sandcat is a good one to start with) and a platform (target operating system).

⭐️Sandcat: A GoLang agent which can communicate through various C2 channels, such as HTTP, Github GIST, or DNS tunneling.

➜ Choose the operating system to be connected. As an example, the Windows O.S was selected in the image below.

❗️Make sure the agent options are correct (e.g. ensure app.contact.http matches the expected host and port for the Caldera server).

⭐️app.contact.http represents the HTTP endpoint (including the IP/hostname and port) that the C2 server is listening on for agent requests and beacons.

→ http://localhost:8888
→ http://myc2domain.com:8080

⭐️agents.implant_name represents the base name of the agent binary. For Windows agents, “.exe” will be automatically appended to the base name (e.g. caldera will become caldera.exe).

➜ Choose a command to execute on the target machine.

➜ On the target machine, paste the command into PowerShell (Run as administrator) window and execute it.

➜ The recently added agent needs to be visible within the table located in the “Agents” tab.

Introduction to Wazuh

Wazuh is a security platform that provides unified XDR and SIEM protection for endpoints and cloud workloads. The solution is composed of a single universal agent and three central components: the Wazuh server, the Wazuh indexer and the Wazuh dashboard.

Wazuh Installation

The first thing you need to do is to set up a system with the requirements needed to run “Docker” and “Docker compose”.

➜ Install Docker and Docker compose if you don’t have them already:

sudo apt install docker.io docker-compose -y

➜ Clone the Wazuh repository to your system:

git clone https://github.com/wazuh/wazuh-docker.git -b v4.4.5

➜ Execute the following command to get the desired certificates:

sudo docker-compose -f generate-indexer-certs.yml run --rm generator

➜ Start the “Wazuh single-node” deployment using docker-compose:

sudo docker-compose up -d

❗️Note: By using the “docker stats” command, you can monitor the performance of different containers and keep an eye on resource consumption in real-time.

sudo docker stats

➜ To access the Wazuh app, open your web browser and enter the following URL in the address bar:


➜ This should take you to the Kibana interface.

❗️Note: You can find the default Wazuh indexer credentials in the “docker-compose.yml” file.

cat docker-compose.yml
Username: admin
Password: SecretPassword

Wazuh Agent Deployment

The agent runs on the endpoint you want to monitor and communicates with the Wazuh server, sending data in near real-time through an encrypted and authenticated channel. The agent helps to protect your system by providing threat prevention, detection and response capabilities.

You can deploy a new agent following the instructions in the Wazuh dashboard.

➜ Go to “Wazuh > Agents” and click on the “Deploy new agent”.

Deploy New Agent

➜ Then the Wazuh dashboard will show you the steps to deploy a new agent.

Operating System & Version
Architecture & Wazuh Server Address
Optional Settings
PowerShell Command
Start the Agent

Lab: Attack Simulation and Detection

In this setup, a machine running “Ubuntu 22.04.2 LTS” hosts the “Caldera” platform for conducting attack simulations and also includes the “Wazuh” system to detect these attacks. On the other hand, a second machine with “Windows Server 2019” operating system is designated as the target machine for the attack simulations carried out through Caldera. This configuration enables the effective management of both the simulation and detection of attacks.

💻 Ubuntu 22.04.2 LTS


💻 Windows Server 2019


Before starting the simulation, we have to apply some configurations on the victim machine to examine the attacks.

📍Windows: Enable Audit Process Creation

Audit logs capture details about system configuration changes and access events, with details to identify who was responsible for the activity, when and where the activity took place, and what the outcome of the activity was.

➜ Press “Windows + R” to open the “Run” dialog box with a keyboard shortcut.

➜ Type “secpol.msc” and press Enter to open the “Local Security Policy” management console.

➜ Expand the “Advanced Audit Policy Configuration” section under “Security Settings” in the tree view on the left.

➜ Locate “Audit Process Creation” under “Detailed Tracking”.

➜ Right-click and open “Properties”.

➜ Go to the “Policy” tab.

➜ Check the option “Configure the following audit events”.

➜ Enable the “Success” and/or “Failure” options to audit for events. “Success” logs successful process creations, while “Failure” logs unsuccessful attempts.

➜ Click “Apply”, then click “OK” to confirm the changes.

As an alternative method, we can perform the same process using the “auditpol” command by following the steps below:

➜ Type “cmd” in the Start menu, then right-click and choose “Run as administrator”.

➜ Enter the following command to enable auditing for the “Process Creation” subcategory:

auditpol /set /subcategory:"Process Creation" /success:enable /failure:enable

➜ Enter the following command to check the status of the audit for the “Process Creation” subcategory:

auditpol /get /subcategory:"Process Creation"

📍Windows: Enable Command Line Auditing

The following command will enable the logging of command line information for process creation events in the Event Viewer. After running this command, the system will start recording the command lines associated with process creation events with “Event ID 4688”.


➜ Open command prompt as “Administrator”.

➜ Run the “reg.exe” command:

reg add HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\Audit /t REG_DWORD /v ProcessCreationIncludeCmdLine_Enabled /d 1 /f

📍Wazuh: Creating Custom Rule

We need to create some rules in Wazuh to detect the attack vectors listed in the table below. Additionally, you can view the default rules of Wazuh in detail using the link provided below:


Go to the Management Section: The “Management” section is located in the left-hand menu. Click on this section.

Select the Rules Tab: From the Management section, select the “Rules” tab. This tab allows you to view existing rules and create new ones.

Create a New Rule: You can start the process of creating a new rule with a button “Add new rules file”.

Define Rule Logic: When adding a new rule, you’ll need to define the logic for what events will trigger it. For example, you might create a rule by searching for a specific keyword within a particular log entry or by filtering log entries that meet certain criteria.

❗️Note: You can access the XML labels used to configure the rules from the link below.


Save the Rule: After creating a new rule, use the “Save” button on the right to save the rule.

Enable the Rule: Don’t forget to enable the new rule. Typically, the rule doesn’t get enabled automatically after saving.

Rule File Name: DetectCurrentUser

<!-- Detecting current user using whoami -->
<group name="windows">
<rule id="150001" level="10">
<match type="pcre2">(?i)whoami</match>
<description>Suspicious Activity: Used whoami to Detect Current User</description>

Rule File Name: CreateWindowsUserAccount

<!-- Creating a new user via command line -->
<group name="windows">
<rule id="150002" level="10">
<match type="pcre2">(?i)net\s+user\s+\/add</match>
<description>Suspicious Activity: Windows User Account Created</description>

Rule File Name: ChangeRDPPort

<!-- Changing RDP port to non standard port -->
<group name="windows">
<rule id="150003" level="10">
<match type="pcre2">(?i)reg\s+add.*?RDP-Tcp.*?PortNumber</match>
<description>Suspicious Activity: RDP Port Changed</description>

Rule File Name: DeleteVolumeShadowCopies

<!-- Attempting to delete shadow copies using vssadmin -->
<group name="windows">
<rule id="150004" level="10">
<match type="pcre2">(?i)vssadmin\s+delete\s+shadows</match>
<description>Suspicious Activity: Volume Shadow Copies Deleted</description>

Rule File Name: ClearEventLogs

<!-- Attempting to clear event logs using wevtutil -->
<group name="windows">
<rule id="150005" level="10">
<match type="pcre2">(?i)wevtutil\s+cl</match>
<description>Suspicious Activity: Event Logs Cleared with Wevtutil</description>

📍Caldera: Creating Adversary and Operation

Now that we have created the necessary rules, we can define an operation in Caldera that includes the attack vectors.

➜ From the Caldera server URL, navigate to the “adversaries” section.

❗️Note: Adversary profiles are collections of abilities which represent the tactics, techniques and procedures (TTPs) that can be leveraged by threat actors.

➜ Click on the “New Profile” to create an adversary profile.

➜ Provide a name and description for the adversary profile, then click on the “Create” button.

➜ After creating the profile, add the MITRE techniques using the “Add Ability” feature of Caldera.

➜ We add the five techniques to be emulated and these can be seen in the image below. Click on the “Save Profile” to save the abilities to the profile.

1.Current User



2.Create A New User in A Command Prompt


net user /add "testuser" "!T1e2S3t4."

3.Changing RDP Port to Non Standard Port via Command_Prompt


reg add "HKLM\System\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp" /v PortNumber /t REG_DWORD /d 4489 /f && netsh advfirewall firewall add rule name="RDPPORTLatest-TCP-In" dir=in action=allow protocol=TCP localport=4489

4.Windows - Delete Volume Shadow Copies


vssadmin.exe delete shadows /all /quiet

5.Clear Logs with Wevtutil


wevtutil cl Security

To run the attack against the endpoint:

➜ Navigate to the “operations” section.

❗️Note: Caldera operations combine agents, abilities and adversaries to execute attacks against specific targets.

➜ Click on the “Create Operation” to create a new operation.

➜ Select the adversary profile you created for the Windows endpoint and click on the “Start” to run the attack.

➜ The image below shows the attacks was carried out against the Windows agent:

Output: Current User

By clicking the “View Output” button, we can view the output of the “whoami” command executed by Caldera to detect the current user on the target Windows machine.

Output: Create a new user in a command prompt

We can observe that the user “testuser” has been successfully created when we run the “net user” command from the command line on the target Windows machine to view the user accounts.

Output: Changing RDP Port to Non Standard Port via Command_Prompt

To check whether a new rule has been created on Windows Defender Firewall:

➜ Open a command prompt window.

➜ At the command prompt, type: “wf.msc”

➜ Select “Inbound Rules” on the left column. This tab contains rules for managing incoming connections.

➜ In this section, you’ll see all the inbound rules created for the firewall.

To check the changes made in the Registry:

➜ The easiest way to open “Registry Editor” is via Run. You can press “Windows + R” at the same time to open Windows Run dialog.

➜ Type “regedit” in Run box, and press Enter to open Windows Registry Editor.

➜ In the Registry Editor, expand the “HKEY_LOCAL_MACHINE” folder on the left.

➜ Then navigate through “System -> CurrentControlSet -> Control -> Terminal Server -> WinStations” and find the “RDP-Tcp” key.

➜ Once you select the “RDP-Tcp” key, you will see a value named “PortNumber” on the right side.

➜ To check the value, double-click on it.

➜ The value data should reflect the port number you changed it to (for example, 4489).

Output: Windows - Delete Volume Shadow Copies

When we click on the “View Output” button, the process is in the “Failed” status as a result of the command run to delete the shadow copies.

❗️Note: The reason for this error is that there are no shadow copies that satisfy the query when attempting to use the command “vssadmin.exe delete shadows /all /quiet”. The message “No items found that satisfy the query.” indicates that there are no items that meet the criteria of the query.

Output: Clear Logs with Wevtutil

We can notice that the logs have been successfully deleted by the “wevtutil” command line program when we examine the logs via “Event Viewer” on the target Windows machine.


📍Wazuh: Attack Detection

And finally, we will check whether the rules we created to detect these attack vectors are triggered or not.

Select the “Security Events” Tab from the Menu: Click on the “Security Events” tab from the left-hand menu. This tab is located under the “Modules” section in the main menu.

View the Security Events: When you click on the “Events” tab, you’ll typically see a page displaying security events in a list or table format. This list contains security events detected and recorded by Wazuh.

We used some attack vectors against the target Windows machine and succeeded to detect these attack vectors. 👊🏻

At the end of the road, we have come to the end of another adventure…