Important: Don't just download the repo as a ZIP or clone it unless you plan to develop tests. Use the package from the release section, which contains a packaged version with encrypted archives, so that no cleartext samples and tools are present.
APT Simulator is a Windows Batch script that uses a set of tools and output files to make a system look as if it was compromised. In contrast to other adversary simulation tools, APT Simulator is designed to be as simple as possible. You don't need to run a web server, a database or any agents on a set of virtual machines. Just download the prepared archive, extract it and run the contained Batch file as Administrator. Running APT Simulator takes less than a minute of your time.
Customers tested our scanners in a POC and sent us a complaint that our scanners didn't report on programs that they had installed on their test systems. They had installed Nmap, dropped a PsExec.exe in the Downloads folder and placed an EICAR test virus on the user's Desktop. That was the moment when I decided to build a tool that simulates a real threat in a more appropriate way.
The focus of this tool is to simulate adversary activity, not malware. See the Advanced Solutions section for advanced tools to simulate adversary and malware activity.
The batch script extracts the tools and shells from an encrypted 7z archive at runtime. Do not download the master repo using the "download as ZIP" button. Instead use the official release from the release section.
APT Simulator contains a module named "AVExcluder" that tries to register the used `%APTDIR%` as an AV exclusion in typical AV solutions. As I do not have access to all of the AV software products in the market, please report errors or add new exclusions as pull requests.
Since version 0.4 it is pretty easy to extend the test sets by adding a single `.bat` file to one of the test-set category folders.
E.g. if you want to write a simple test case for "privilege escalation" that uses a tool named "privesc.exe", clone the repo and do the following:

1. Place `privesc.exe` in the `toolset` folder
2. Create a new batch script named `privesc-1.bat` and add it to the `./test-sets/privilege-escalation` folder
3. Run `build_pack.bat`
If your script includes a tool, web shell, auxiliary or output file, place them in the folders `./toolset` or `./workfiles`. Running the build script `build_pack.bat` will include them in the encrypted archives `enc-toolset.7z` and `enc-files.7z`.
Use lines like the following in your test script to extract a tool and a work file from the encrypted archives at runtime:

```batch
"%ZIP%" e -p%PASS% %TOOLARCH% -aoa -o%APTDIR% toolset\tool.exe > NUL
"%ZIP%" e -p%PASS% %FILEARCH% -aoa -o%APTDIR% workfile\tool-output.txt > NUL
```
The following table shows the different test cases and the expected detection results.
You should now be able to find events in your security monitoring solution (SIEM, EDR etc.) for the following keywords:

Named pipes:
- `MSSE-1337-server`
- `msagent_fedac123`
- `postex_ssh_fedac123`
- `334485` (used in Get System activity)

Note: No Named Pipe Monitoring? You can use Sysmon + this config and this Sigma rule to get you started.

Service name:
- `b6a1458f396` (multiple events: new service registration and process creation)

Note: No events? You can use this Sigma rule to get you started.

Network connections:
- `http://10.0.2.15/pixel.gif`
- `https://operaa.net:443/jquery-3.2.2.min.js`
- `https://23.108.57.148:443/jquery-3.2.2.full.js`

No test cases yet
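To check whether your telemetry actually surfaces these keywords, here is an added Python example (not part of APT Simulator) that runs the indicators listed above against a handful of constructed Sysmon, System-log and proxy events and reports which indicators were never seen; the event field layout is an assumption, not the tool's own output format.

```python
# Indicators quoted from the README: the keywords the simulation leaves behind.
NAMED_PIPES = {"MSSE-1337-server", "msagent_fedac123", "postex_ssh_fedac123", "334485"}
SERVICE_NAMES = {"b6a1458f396"}
URLS = {"http://10.0.2.15/pixel.gif",
        "https://operaa.net:443/jquery-3.2.2.min.js",
        "https://23.108.57.148:443/jquery-3.2.2.full.js"}

# Constructed sample events (not real logs; the field layout is an assumption): Sysmon
# pipe events (EID 17/18), System-log service installs (EID 7045), proxy entries, plus noise.
SAMPLE_EVENTS = [
    {"source": "Sysmon", "event_id": 17, "PipeName": "\\MSSE-1337-server"},
    {"source": "Sysmon", "event_id": 18, "PipeName": "\\msagent_fedac123"},
    {"source": "Sysmon", "event_id": 17, "PipeName": "\\lsass"},
    {"source": "System", "event_id": 7045, "ServiceName": "b6a1458f396"},
    {"source": "Proxy", "url": "https://operaa.net:443/jquery-3.2.2.min.js"},
    {"source": "Proxy", "url": "https://www.example.com/index.html"},
]

def match_event(event):
    """Return (category, indicator) when the event carries an indicator, else None."""
    pipe = event.get("PipeName")
    if pipe is not None:
        # Sysmon logs pipes as '\name'; compare on the bare name after the last backslash.
        name = pipe.rsplit("\\", 1)[-1]
        if name in NAMED_PIPES:
            return ("named_pipe", name)
    if event.get("ServiceName") in SERVICE_NAMES:
        return ("service", event["ServiceName"])
    if event.get("url") in URLS:
        return ("network", event["url"])
    return None

def scan_events(events):
    """One hit per matching event, in input order."""
    hits = []
    for ev in events:
        hit = match_event(ev)
        if hit:
            hits.append({"category": hit[0], "indicator": hit[1], "source": ev["source"]})
    return hits

def coverage(hits):
    """Indicators seen vs. missing; a missing entry points at a telemetry gap."""
    seen = {h["indicator"] for h in hits}
    return {"seen": sorted(seen), "missing": sorted((NAMED_PIPES | SERVICE_NAMES | URLS) - seen)}

if __name__ == "__main__":
    found = scan_events(SAMPLE_EVENTS)
    print(found)
    print("missing:", coverage(found)["missing"])
```

Feed it your own exported events in the same shape after a run; every entry under "missing" is an indicator the simulation produced but your logging did not capture.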
Since version 0.8.0 APTSimulator features a batch mode provided by @juju4 that allows running it in a scripted way, e.g. via Ansible:

```batch
APTSimulator.bat -b
```
This repo contains tools and executables that can harm your system's integrity and stability. Only use them on non-productive test or demo systems. Create a snapshot before you start. Otherwise you will have to remove all the modifications manually, which is a tedious task.
Advanced Solutions:
- The CALDERA automated adversary emulation system https://github.com/mitre/caldera
- Infection Monkey - An automated pentest tool https://github.com/guardicore/monkey
- Flightsim - A utility to generate malicious network traffic and evaluate controls https://github.com/alphasoc/flightsim
Follow and contact me on Twitter @cyb3rops