During a red-team exercise, a security analyst is using the open-source MITRE Caldera platform to run automated adversary emulations. The analyst has enabled the default Stockpile and Mock plugins but needs to simulate several host-discovery techniques that are not present in the current library. According to Caldera's plugin architecture, which action will most effectively expand the platform's repertoire of adversary techniques without modifying core code?
Author new ability YAML files and package them in a custom plugin so they load at server start-up
Create a hidden administrative SMB share on each endpoint for Caldera agents to access
Import historical Sysmon and Windows Event logs into the Caldera file browser for later correlation
Forward Zeek or Suricata alerts into Caldera's UI without touching the plugin directory
Caldera loads functionality through plugins, which can ship new YAML-based ability files as well as Python modules. Packaging additional abilities (the commands or scripts an agent executes) in a custom plugin lets the engine run the new TTPs during operations, and because plugins are picked up at server start-up the core code stays untouched. Importing logs, exposing SMB shares, or forwarding external IDS alerts adds no executable abilities to the framework and therefore does not broaden the emulation coverage.