List of Adversary Emulation Tools

Type pentestit
Reporter Black
Modified 2018-04-15T01:32:10



Every once in a while, the security industry brings forth a new buzzword and introduces terminology that sounds über cool and generates a lot of interest. One such term going around nowadays is automated "adversary emulation". Let's first understand what this really means. Adversary emulation (or simulation) is a way of testing a network's resilience against an advanced attacker by reproducing that attacker's techniques, the difference being that the tests are scripted and run by a system rather than by a human operator. That makes them repeatable, but it also means the result tells you whether your security tooling detects or blocks known behaviour, not whether a skilled adversary would have found another way in. Nevertheless, there is a sizeable market of tools, both commercial and open source, that run these simulations and help you verify that your security controls actually fire when they should. In fact, MITRE has developed Adversarial Tactics, Techniques, and Common Knowledge (ATT&CK™), a curated knowledge base and model of cyber adversary behaviour that reflects the various phases of an adversary's life-cycle and the platforms they are known to target, and most of the tools below map their tests to it. Without much ado, let's get on to the list of adversary emulation tools.
Open Source Adversary Emulation Tools:

  1. CALDERA: CALDERA is MITRE's automated adversary emulation system. It can reduce the resources security teams spend on routine testing, freeing them to address other critical problems, and can be used to test endpoint security solutions and assess a network's security posture against the common post-compromise adversarial techniques contained in the ATT&CK model. CALDERA leverages the ATT&CK model to identify and replicate adversary behaviours as if a real intrusion were occurring. Download CALDERA from here.
  2. Metta: Uber recently open sourced this adversarial simulation tool, which was born out of multiple internal projects. Metta uses Redis/Celery, Python, and Vagrant with VirtualBox to perform adversarial simulation, which lets you test your host-based security systems. Depending on how you set up your Vagrant boxes, it may also let you test network-based security detection and controls. Metta is compatible with Microsoft Windows, macOS and Linux endpoints. Get Uber Metta here.
  3. APT Simulator: APT Simulator is a Windows batch script that uses a set of tools and output files to make a system look as if it had been compromised, so that you can check whether your detection tooling notices the artifacts a real intrusion leaves behind. Obviously, this is a Windows-only solution; it can be downloaded here.
  4. Red Team Automation: Again open sourced recently, this time by Endgame, Red Team Automation (RTA) is a set of 38 scripts and supporting executables that generate reliable artifacts corresponding to techniques in the ATT&CK™ framework. As of now, RTA provides coverage of 50 ATT&CK™ techniques, which is set to increase over time. I believe this tool offers very good Endpoint Detection and Response (EDR) coverage.
    RTA supports Microsoft Windows and is written in Python. Among other things, it can perform anti-forensics operations, spread via lateral movement and bypass UAC (User Account Control). Download Endgame RTA here.
  5. Invoke-Adversary: A very new entrant in the adversary emulation field, Microsoft's Invoke-Adversary is a PowerShell script that helps you evaluate security products and monitoring solutions based on how well they detect advanced persistent threats. In fact, it was inspired by APT Simulator. As of now, it tests persistence, discovery, credential access, defense evasion, information collection, command & control, execution and AppLocker bypass. Get it here.
  6. Atomic Red Team: Red Canary's Atomic Red Team is yet another open source adversary emulation framework that gives you the means to test your detection. It was introduced last year and has surely been improving since. ART maps small, highly portable detection tests to the MITRE ATT&CK framework. The framework itself does not automate the tests, but they cover Microsoft Windows, macOS and Linux. Download ART here.
  7. Infection Monkey: Guardicore Infection Monkey is yet another open source breach & attack simulation tool for evaluating the security posture of your network. It helps you test your network's resilience to perimeter breaches and internal server infection.
    The Monkey uses various methods to self-propagate across a data center and reports its successes to a centralized Monkey Island server. It is also written in Python and works on Microsoft Windows & Linux systems. Get Infection Monkey here.
  8. Blue Team Training Toolkit (BT3): Encripto's Blue Team Training Toolkit (BT3) is software for defensive security training that brings your network analysis training sessions, incident response drills and red team engagements to a new level. The toolkit allows you to create realistic computer attack scenarios while reducing infrastructure costs, implementation time and risk.
    It is written in Python and includes the latest versions of Encripto's Maligno, Pcapteller and Mocksum. It also includes multiple malware indicator profiles that give a "plug & play" experience when planning and preparing a training session, incident response drill or red team engagement. Download Blue Team Training Toolkit v2.6 here.
  9. DumpsterFire: DumpsterFire is a modular, menu-driven, cross-platform tool in Python for building customized, time-delayed, distributed security events. It lets you easily create custom event chains for Blue Team drills and sensor/alert mapping. Red Teams can also use it to create decoy incidents, distractions and lures to support and scale their operations. Download DumpsterFire v1.0.0 here.
  10. AutoTTP: Short for Automated Tactics, Techniques & Procedures, AutoTTP is based on the author's own attack life-cycle model. It drives a well established PowerShell and Python post-exploitation project, Empire. This is still a work in progress. Download AutoTTP here.
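As an added example that is not part of the original post and is not code from any of the tools listed above, the following Python harness shows the loop every one of them automates in some form: run a benign procedure mapped to an ATT&CK technique ID, join the result against the detection stack's alerts by that ID, and report which exercised techniques produced no alert. The technique IDs are real ATT&CK identifiers (T0000 is a placeholder used only to show a failed run); the commands invoke the local Python interpreter in place of the real procedures so the block runs anywhere without privileges, and the alert feed is constructed for the example rather than exported from a real EDR.

```python
"""Minimal ATT&CK-mapped emulation harness (added example, not from any
listed tool).  Runs benign stand-ins for techniques, joins the outcome with
a detection feed by technique ID, and reports coverage gaps."""
import subprocess
import sys
from dataclasses import dataclass
from typing import Dict, List


@dataclass(frozen=True)
class AtomicTest:
    technique_id: str   # ATT&CK technique ID the procedure exercises
    tactic: str         # ATT&CK tactic the technique belongs to
    name: str
    argv: List[str]     # command executed by the harness (benign here)


# Benign stand-ins for four real ATT&CK techniques.  A real emulation tool
# would run whoami, systeminfo, schtasks and so on; here the interpreter
# stands in so the harness works on any OS without administrative rights.
TESTS = [
    AtomicTest("T1033", "Discovery", "System Owner/User Discovery",
               [sys.executable, "-c", "import getpass; print(getpass.getuser())"]),
    AtomicTest("T1082", "Discovery", "System Information Discovery",
               [sys.executable, "-c", "import platform; print(platform.platform())"]),
    AtomicTest("T1059", "Execution", "Command and Scripting Interpreter",
               [sys.executable, "-c", "print('interpreter executed')"]),
    AtomicTest("T1053", "Persistence", "Scheduled Task/Job",
               [sys.executable, "-c", "print('would create a scheduled task')"]),
]

# Placeholder test (not a real technique ID) whose procedure exits non-zero,
# to show that an emulation failure is reported separately from a detection gap.
FAILING_TEST = AtomicTest("T0000", "Test", "procedure that fails to run",
                          [sys.executable, "-c", "raise SystemExit(3)"])

# Constructed alert feed, shaped like an EDR export taken after the tests ran.
# Only two techniques fired; the other two exercised techniques are the gaps.
CONSTRUCTED_ALERTS = [
    {"rule": "User discovery via interpreter", "technique_id": "T1033", "host": "ws01"},
    {"rule": "Python spawned from console", "technique_id": "T1059", "host": "ws01"},
    {"rule": "Python spawned from console", "technique_id": "T1059", "host": "ws01"},
]


def run_test(test: AtomicTest, timeout: float = 15.0) -> dict:
    """Execute one procedure and record whether it actually ran.

    A procedure that did not run cannot have been detected, so 'executed'
    is tracked on its own: false here means the emulation is broken, not
    that the detection stack missed it."""
    try:
        proc = subprocess.run(test.argv, capture_output=True, text=True, timeout=timeout)
        executed = proc.returncode == 0
        output = proc.stdout.strip()
    except (OSError, subprocess.TimeoutExpired) as exc:
        executed, output = False, str(exc)
    return {"technique_id": test.technique_id, "tactic": test.tactic,
            "name": test.name, "executed": executed, "output": output}


def coverage(results: List[dict], alerts: List[dict]) -> Dict[str, dict]:
    """Join execution results with the alert feed on the ATT&CK technique ID."""
    alerted = {a["technique_id"] for a in alerts}
    table: Dict[str, dict] = {}
    for r in results:
        table[r["technique_id"]] = {
            "tactic": r["tactic"],
            "executed": r["executed"],
            # An alert only counts as coverage if the procedure really ran.
            "detected": r["executed"] and r["technique_id"] in alerted,
        }
    return table


def gaps(table: Dict[str, dict]) -> List[str]:
    """Technique IDs that ran but produced no alert, sorted for stable reports."""
    return sorted(t for t, row in table.items() if row["executed"] and not row["detected"])


def run_all(tests: List[AtomicTest] = TESTS, alerts: List[dict] = CONSTRUCTED_ALERTS) -> Dict[str, dict]:
    return coverage([run_test(t) for t in tests], alerts)


if __name__ == "__main__":
    table = run_all()
    print(f"{'technique':<9} {'tactic':<12} executed detected")
    for tid, row in sorted(table.items()):
        print(f"{tid:<9} {row['tactic']:<12} {row['executed']!s:<8} {row['detected']!s}")
    print("gaps:", ", ".join(gaps(table)))
```

Joining on the technique ID rather than on rule names is what makes the report comparable across tools and across vendors: any alert that carries an ATT&CK ID, whatever product it came from, can be matched against any emulation test that carries the same ID. Keeping "executed" separate from "detected" matters in practice, because a test that silently failed to run would otherwise show up as a false coverage gap and send the blue team chasing a detection that was never exercised.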

Honourable mentions go to the following open source tools, which are not strictly adversary emulation tools but are closely related:

  • RedHunt OS: RedHunt OS aims to be a one-stop shop for all your threat emulation and threat hunting needs, integrating the attacker's arsenal as well as the defender's toolkit so that you can actively identify threats in your environment. The base machine is Lubuntu 17.10.1 x64. It includes the following tools for different purposes:
    Attack Emulation: CALDERA, Atomic Red Team, DumpsterFire, Metta, RTA, Nmap, CrackMapExec, Responder, ZAP
    Logging and Monitoring: Kolide Fleet, ELK (Elasticsearch, Logstash, and Kibana) Stack
    Open Source Intelligence (OSINT): Maltego, Recon-ng, Datasploit, theHarvester
    Threat Intelligence: Yeti, Harpoon
    Download RedHunt OS Beta v1 here.
  • Invoke-ATTACKAPI: This is an open source PowerShell script for interacting with the MITRE ATT&CK framework through its API in order to gather information about techniques, tactics, groups, software and references. Get this script here.

Commercial Adversary Emulation Tools:

  • Cobalt Strike: Software for Adversary Simulations and Red Team Operations. Needs no introduction. Check it out here.
  • Cymulate: This platform provides an Advanced Persistent Threat (APT) simulation against your security posture. Check it out here.
  • Immunity Adversary Simulation: This platform allows you to model an advanced persistent threat from inside your infrastructure and evaluate how your security team will react to a real-world offensive team that is active on your network and attempting to exfiltrate large amounts of data. Check it out here.
  • SafeBreach: This software platform simulates adversary breach methods across the entire kill chain without impacting users or your infrastructure. Check it out here.
  • SimSpace: They appear to use Wormhole, a 0-day simulator for training on Windows and Linux. Check them out here.

Updated 4/15/2018:

  • AttackIQ FireDrill: Automated scenarios that run continuously, plus targeted scenarios launched on demand that mimic real-world malware and attack vectors. More information here.
  • Verodin Instrumented Security Platform: This platform proactively identifies configuration issues in your security stack and exposes true gaps across your people, process and technology. Check them out here.

Updated 4/26/2018:

  • Picus Security: A relatively new entrant in this market, Picus reveals security gaps in your network by simulating real-world attacks. It also performs security control assessments. Check them out here.

The above list does not include services such as MDSec's ActiveBreach, Nk33, FusionX, Red Siege, SpecterOps & TrustedSec, as these are claimed to be carried out by real humans rather than automated tooling. Let me know if I missed any adversary emulation tools or commercial services.

The post List of Adversary Emulation Tools appeared first on PenTestIT.