ExtraHop Logo
Try ExtraHop
Menu iconX icon
  • Platformchevron right
  • Solutionschevron right
  • Modern NDRchevron right
  • Resourceschevron right
  • Companychevron right
User iconSign In
Contact Us

DETECTION OVERVIEW

Caldera C&C Sandcat Beaconing

Risk Factors

Caldera is a publicly available and well-known tool associated with pen testing and security assessments.

Kill Chain

Command-and-Control

Risk Score

33

Detection diagram
Next in Command-and-Control: Cobalt Strike C&C HTTP Connection

Attack Background

MITRE Caldera is an adversary emulation framework that is associated with security testing. The Caldera framework enables security teams to emulate C&C communications through three different Caldera agents: Sandcat, Manx, and Ragdoll. The agents enable beaconing activity from a device over protocols such as HTTP, which helps them obscure their activity within legitimate traffic. Beaconing refers to short messages periodically sent from a compromised device to a C&C server requesting additional instructions from an attacker. The presence of C&C beaconing on your network simulates an attacker conducting a persistent attack.

Mitigation Options

Quarantine the device while checking for the presence of malware

Monitor and investigate unusual network activity for lateral movement or data exfiltration

MITRE ATT&CK ID

What else can RevealX do for you?

View our Periodic Table of use casesArrow pointing right