Setting Up MITRE CALDERA with Atomic, EMU & SSL


In this tutorial, you’ll learn how to build and run a customized MITRE CALDERA Docker image with the Atomic and EMU plugins enabled, secured by a self-signed SSL certificate via HAProxy.

Prerequisites

  • Docker & Docker Compose installed on your host. (sudo apt install docker.io docker-compose -y)
  • git command-line tools.
  • Basic familiarity with editing files in a terminal (e.g., nano, sed).


1. Clone the CALDERA Repository

# Recursively clone the Caldera repository if you have not done so
git clone https://github.com/mitre/caldera.git --recursive
cd caldera


2. Enable the Atomic Plugin

Edit the Dockerfile to re-enable the Atomic plugin:

nano Dockerfile

# Inside the Dockerfile, remove the line that disables atomic:
sed -i '/- atomic/d' conf/local.yml; 


3. Install HAProxy & Generate SSL Certificate

Add the following to your Dockerfile by running `nano Dockerfile` to install HAProxy and create a self-signed cert:

# Install HAProxy
RUN apt-get update && \
    DEBIAN_FRONTEND=noninteractive apt-get install -y --no-install-recommends \
    haproxy && \
    apt-get clean && \
    rm -rf /var/lib/apt/lists/*

# Generate self-signed cert (key + cert → PEM)
RUN openssl req -x509 -newkey rsa:4096 \
    -keyout plugins/ssl/conf/private.key \
    -out plugins/ssl/conf/public.crt \
    -days 365 -nodes \
    -subj "/C=US/ST=VA/L=McLean/O=Mitre/OU=IT/CN=mycaldera.caldera" && \
    cat plugins/ssl/conf/private.key plugins/ssl/conf/public.crt > plugins/ssl/conf/certificate.pem

# Configure HAProxy to use the new cert
RUN cp plugins/ssl/templates/haproxy.conf conf/ && \
    sed -i 's#bind\ \*:8443\ ssl\ crt\ plugins/ssl/conf/insecure_certificate.pem#bind\ \*:8443\ ssl\ crt\ plugins/ssl/conf/certificate.pem#g' conf/haproxy.conf


4. Enable EMU & SSL Plugins

Edit conf/default.yml to include both emu and ssl under the plugins: section:

nano conf/default.yml

# Add under `plugins:`:

- atomic
- emu
- ssl 


5. Build & Run the Docker Image

Build the image with the full variant (includes Atomic support) and then run it:

# Build (change tag as desired)
docker build --build-arg VARIANT=full -t caldera .

# Run in detached mode, exposing ports 8888 (UI/API) & 8443 (SSL)
docker run -d -p 8888:8888 -p 8443:8443 caldera:latest

# Alternatively, run the container with persistent data
docker volume create caldera-data
docker run -d -p 8888:8888 -p 8443:8443 -v caldera-data:/usr/src/app/data caldera:latest


6. Access the Container & Retrieve Credentials

If you need a shell inside the container or want to grab the default red user password:

# Get an interactive shell
sudo docker exec -it $(sudo docker ps -qf "ancestor=caldera:latest") /bin/bash

# View the `red` user password
cat /usr/src/app/conf/local.yml | grep red 
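
As an added example (not part of the original post or the CALDERA project), this script can be run from the shell opened above to confirm that step 3 took effect: HAProxy no longer points at the template's insecure_certificate.pem, certificate.pem holds both key and certificate, and local.yml does not carry `red: admin`. The function names, the script name check_caldera.sh and the `<user>: <password>` layout of local.yml are assumptions; with no argument it runs against a constructed sample tree that fails all three checks.

```shell
#!/usr/bin/env bash
# Added example, not CALDERA project code: checks on the files this tutorial edits.
# Usage: ./check_caldera.sh /usr/src/app   (no argument: runs on a constructed tree)

# 0 if HAProxy binds with the generated cert; 1 if the template's insecure cert remains.
haproxy_uses_generated_cert() {
  local conf="$1/conf/haproxy.conf"
  [ -f "$conf" ] || return 2
  if grep -Eq '^[[:space:]]*bind[[:space:]].*insecure_certificate\.pem' "$conf"; then
    return 1
  fi
  grep -Eq '^[[:space:]]*bind[[:space:]].*ssl[[:space:]]+crt[[:space:]]+plugins/ssl/conf/certificate\.pem' "$conf"
}

# 0 if certificate.pem holds both parts HAProxy needs: private key and certificate.
pem_bundle_complete() {
  local pem="$1/plugins/ssl/conf/certificate.pem"
  [ -s "$pem" ] || return 2
  grep -q -- '-----BEGIN .*PRIVATE KEY-----' "$pem" &&
    grep -q -- '-----BEGIN CERTIFICATE-----' "$pem"
}

# 0 if local.yml has no "red: admin" line (assumed layout: "<user>: <password>").
red_password_not_default() {
  local yml="$1/conf/local.yml"
  [ -f "$yml" ] || return 2
  ! grep -Eq '^[[:space:]]*red:[[:space:]]*admin[[:space:]]*$' "$yml"
}

# Print PASS/FAIL per check; the return status is the number of failed checks.
audit_caldera() {
  local failures=0 check
  for check in haproxy_uses_generated_cert pem_bundle_complete red_password_not_default; do
    if "$check" "$1"; then echo "PASS $check"; else echo "FAIL $check"; failures=$((failures + 1)); fi
  done
  return "$failures"
}

# Constructed sample tree: sed step skipped, key missing from bundle, default password.
make_sample_tree() {
  local d; d=$(mktemp -d)
  mkdir -p "$d/conf" "$d/plugins/ssl/conf"
  echo '    bind *:8443 ssl crt plugins/ssl/conf/insecure_certificate.pem' > "$d/conf/haproxy.conf"
  printf '%s\n' '-----BEGIN CERTIFICATE-----' > "$d/plugins/ssl/conf/certificate.pem"
  printf 'users:\n  red:\n    red: admin\n' > "$d/conf/local.yml"
  echo "$d"
}

audit_caldera "${1:-$(make_sample_tree)}" || echo "$? check(s) failed"
```

A status of 2 from any single check means the file it inspects was not found under the given root.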


7. Connect to CALDERA

  • Open your browser to https://<your-host>:8443 for the SSL-secured UI.
  • Or use http://<your-host>:8888 if you prefer the non-SSL port.
  • Default creds are red/admin.


That’s it!
You now have a fully functional CALDERA instance with Atomic, EMU, and SSL support. Experiment with adversary emulation, test your detections, and iterate on your Purple Team workflows. Leave a comment below if you run into any issues or have questions!

Bhanu Namikaze
