The most comprehensive Chinese cyber attack simulation tool inventory in history // 史上最全面的中國網絡攻擊模擬工具庫存

The most comprehensive Chinese cyber attack simulation tool inventory in history //


Lead: Simulated attacks provide a way to test the network’s ability to recover from advanced attacks, but in a simulated attack environment, all tests are automatically run by the system. If this is a true “attack,” the system will not run these attacks with simulated features. Still, “attack simulation” can help you verify your security tools.

The most comprehensive attack simulation tool inventory in history

Every once in a while, the security industry will have a new buzzword and introduce terms that sound cool and appealing. For example, the recent “adversary emulation” vocabulary, I translated it in this article as “attack simulation.” Let us first understand what it really means. Simulated attacks provide a way to test the network’s ability to recover from advanced attacks, but in a simulated attack environment, all tests are automatically run by the system. If this is a true “attack,” the system will not run these attacks with simulated features. Still, “attack simulation” can help you verify that your security tools are running as required, whether closed source or open source, to help run these simulation tests. In fact, MITRE has also developed an ATT&CK , ATT&CK is a curated knowledge base and model of cyberattack behavior, reflecting changes in the various stages of the attacker’s life cycle. ATT&CK is useful for understanding security risks against known attacks, planning for security improvements, and verifying that defenses work as expected. Most security tools seem to use this framework. Let’s take a look at the list of attack simulation tools.

The most comprehensive attack simulation tool inventory in history

Open source attack simulation tool

1.CALDERA: CALDERA provides an intelligent automated attack simulation system that reduces the resources required by security teams for routine testing, enabling them to solve other critical issues.

The most comprehensive attack simulation tool inventory in history

It can be used to test endpoint security solutions and assess the security posture of the network based on common attack techniques in the ATT&CK model. CALDERA uses the ATT&CK model to identify and simulate attack behavior, click here to download CADERERA .

2.Metta: Uber recently opened up this hostile simulation tool, which was generated by several internal projects. Metta uses Redis/Celery, Python and VirtualBox for hostile simulation so users can test host-based security systems. In addition, users can test other network-based security detection and control, but it depends on how it is set up. Metta is compatible with Microsoft Windows, MacOS and Linux endpoints, click here to download Uber Metta .

3. ATP Simulator: ATP Simulator is actually a set of Windows Batch scripts. Its main function is to simulate the activity of an attacker, not to simulate the activity of malware. ATP Simulator uses a set of tools and output files to make the system appear to be attacked. It can help you simulate a real attack environment in a more realistic way. Obviously, this is a Windows-only solution, click here to download ATP Simulator .

4. Red Team Automation: Recently, network security company Endgame has released the source code of Red Team Automation, a set of executables with 38 scripts and support to generate reliable components corresponding to the technology in the ATT&CK framework. To date, Red Team Automation offers 50 components supported by ATT&CK technology, and the number will increase in the future. I believe this tool provides very good endpoint detection and response (EDR) coverage.

The most comprehensive attack simulation tool inventory in history

Red Team Automation supports Microsoft Windows and is coded in python. It can also perform anti-forensics operations, maliciously propagate, bypass UAC (User Account Control), etc. Click here to download Red Team Automation .

5. Invoke -Adversary: Invoke-Adversary is a PowerShell script that evaluates security products and monitoring solutions based on the extent of APT attacks. Let’s just say that this tool is a newcomer in the field of attack simulation. Microsoft’s call attack is a PowerShell script. Inspired by the APT simulator, Invoke-Adversary has tested for persistent attacks, credential access, evasion detection, information collection, commands, and controls. Click here to download Invoke-Adversary .

6. Atomic Red Team: It is a new automated testing framework for security design. The Atomic Red Team was launched in 2017 and is an open source testing framework that tests users’ attack detection capabilities. It is called “atomic” because it can be used as a small component for small or large security teams to simulate the activities of a specific attacker.

The Atomic Red Team maps small, portable inspection tests to the Mitre ATT&CK framework, which is not automatic, but supports Microsoft Windows, MacOS and Linux styles. Click here to download Atomic Red Team .

7. Infection Monkey: Infection Monkey is a data center security detection tool released by Israeli security company GuardiCore at the 2016 Black Hat Conference. It is mainly used for automated detection of data center boundaries and internal server security. The tool is divided into Monkey (scanning and exploiting side) and C&C server (equivalent to reporter, but only for collecting information about monkey detection). Simply put, it is another open source vulnerability and attack simulation tool.

The most comprehensive attack simulation tool inventory in history

It is also coded in Python for Microsoft Windows and Linux systems. Click here to download Infection Monkey .

8. Blue Team Training Toolkit (BT3): This tool is a defensive security training software that takes your network analysis training courses, incident response drills and teamwork to the next level. This toolkit allows you to create realistic computer attack scenarios while reducing infrastructure costs, implementation time and risk.

The most comprehensive attack simulation tool inventory in history

It is written in Python and includes the latest versions of Encripto’s Maligno, Pcapteller and Mocksum. It also contains multiple malware indicator profiles, click here to download Blue Team Training Toolkit v2.6.

9. DumpsterFire : DumpsterFire is a modular, menu-driven, cross-platform Python tool for building custom, delayed distributed security events. Security personnel can use it to easily create custom event chains such as sensors or alert mappings, click here to download DumpsterFire v1.0.0 .

10. AutoTTP: Abbreviation for Automated Tactics Techniques & Procedures, AutoTTP based on the attack life cycle model . It uses a purely PowerShell and Python late exploit agent tool – Empire, click here to download AutoTTP .

The following open source tools are worth mentioning, but they are not technically an analog attack tool.

1. RedHunt operating system: The goal of the RedHunt operating system is to actively identify the attacks in the environment by integrating the attacker’s arsenal and the defender’s toolkit, thus becoming a one-stop security detection store that meets all your attack simulation and attack requirements. . The basic device is Lubuntu-17.10.1 x64. It contains the following tools for different purposes:

Attack Simulation: Caldera, Atomic Red Team, DumpsterFire, Metta, RTA, Nmap, CrackMapExec, Responder, Zap.

Recording and monitoring: Kolide Fleet, ELK (Elasticsearch, Logstash and Kibana) stack

Open Source Intelligence (OSINT): Maltego, Recon-ng, Datasploit, Thearvestor

Attack Information Analysis: Yeti, Harpoon

Click here to download RedHunt OS Beta v1

2. Invoke-ATTACKAPI : This is an open source PowerShell script that interacts with the MITRE ATT&CK framework through its own API to gather information about attack techniques, policies, etc. Click here to get this script.

Enterprise-class simulation attack tool

1. Cobalt Strike : Cobalt Strike is the commercial version of Armitage. Armitage is a Java-written Metasploit graphical interface attack software that can be used in conjunction with attacks known by Metasploit to automate attacks against existing vulnerabilities.

2. Israel’s network security company Cymulate : Cymulate is mainly for attack simulation of the following scenarios, such as simulated attack WAF, simulated attack mailbox, DLP attack test, SOC simulation test, mailbox test, ransomware test, Trojan, Payload penetration test, etc. . The main purpose of these tests is to improve the product, rich security awareness of employees, and the corresponding ability to detect and attack techniques to enhance. For example, the use of email and phishing attacks can count the number of users in the move.

3. Immunity Adversary Simulation : This platform allows you to build advanced permanent attack models from within the infrastructure and assess how the security team responds to live real attacks on the network.

4. SafeBreach: This software platform simulates attack violations throughout the kill chain without affecting users or infrastructure. Look here.

5. Network Security Startup SafeBreach : Founded in 2014, SafeBreach is headquartered in Delaware, USA, and is committed to revolutionizing the way the network security industry performs risk verification. The company provides users with a continuous security verification platform, using a centralized management system, combined with a complete hacking network method “script”, from the central location to manage the intrusion simulator of the distributed network, the simulator can play virtual hackers in the real world. The role, from the “hacker’s point of view” to actively demonstrate the cyber security risks of the enterprise. Users can verify their security control performance through this platform, analyze the impact of this attack on the company’s system and the effectiveness of the attack defense, so as to obtain sufficient time advantage to repair network risk vulnerabilities and improve the enterprise security operation and maintenance center. (SOC) Analyst responsiveness. In essence, this platform is to allow any enterprise to intuitively see how it will cope when it encounters a network attack in real life.

6. SimSpace ; SimSpace seems to be using Wormhole.

7. AttackIQ FireDrill : AttackIQ’s simulated attack platform, FireDrill, can launch simulated attacks against customers’ networks and test for flaws and vulnerabilities in defense systems.

8. Verodin Instrumented Security Platform : This platform proactively identifies configuration issues in the security stack and reveals the real difference between the attacker, the attack process, and the attack technology.

The above list does not include services such as MDSec’s ActiveBreach, Nk33, FusionX, Red Siege, Spectre Ops and TrustedSec, as they are implemented by real people.

Original Mandarin Chinese:


每隔一段時間,安全行業就會出現一個新的熱門詞彙,並引入聽起來很酷以及吸引人們興趣的術語。比如最近出現的“adversary emulation”詞彙,我在本文將其翻譯為“攻擊模擬” 。首先讓我們先來了解它的真正含義,模擬攻擊提供了一種用來測試網絡在應對高級攻擊時的恢復能力,不過在模擬攻擊環境下,所有測試均由系統自動運行。如果這是一個真正的“攻擊”,系統將不會運行這些具有模擬特點的攻擊。儘管如此,“攻擊模擬”還是可以幫助你驗證你的安全工具是否按要求運行,無論是閉源還是開源,它都有助在運行這些模擬測試。事實上,MITER還開發了一種ATT&CK,ATT&CK是網絡攻擊行為的策劃知識庫和模型,反映了攻擊者生命週期的各個階段變化.ATT&CK對於理解針對已知攻擊行為的安全風險,規劃安全改進以及驗證防禦措施是否按預期工作很有用。大多數安全工具似乎都使用了這個框架。下面,就讓我們來看看攻擊模擬工具的列表。




2.Metta:烏伯最近開源了這個敵對模擬工具,它是由多個內部項目產生的.Metta使用的Redis /芹菜,蟒和VirtualBox的進行敵對模擬,這樣用戶就可以測試基於主機的安全系統另外用戶還能測試其他基於網絡的安全檢測和控制,不過這具體取決於設置的方式.Metta與Microsoft Windows,MacOS和Linux端點兼容,點擊這裡下載Uber Metta。

3.ATP模擬器:ATP模擬器其實就是一套Windows Batch腳本集合,它的主要功能就是模擬攻擊者的活動,而並非模擬惡意軟件的活動.ATP Simulator會使用一組工具和輸出文件使系統看起來好像是被攻擊了。它可以幫助你以更真實的方式模擬真實的攻擊環境。顯然,這是一個僅限Windows的解決方案,點擊這裡下載ATP模擬器。

4.Red Team Automation:最近網絡安全公司Endgame公開了Red Team Automation的源代碼,它是一組有著38個腳本和支持的可執行文件,可生成與ATT&CK框架中的技術相對應的可靠組件。截至目前,紅隊自動化提供50種由ATT&CK技術支持的組件,將來數量還會增加。我相信,這個工具提供了非常好的端點檢測和響應(EDR)覆蓋。

Red Team Automation支持Microsoft Windows,並且使用python進行編碼,另外它還可以執行反取證操作,進行惡意傳播,繞過UAC(用戶帳戶控制)等等,點擊這裡下載Red Team Automation。


6.Atomic Red Team:它是針對安防設計的新型自動化測試框架,Atomic Red Team是在2017年推出的,是一個開源測試框架,可以測試用戶的攻擊檢測能力。之所以稱之為為“atomic(原子) )“,是因為它可以作為小型組件,方便小型或大型安全團隊使用,用來模擬特定攻擊者的活動。

Atomic Red Team會員小巧便攜的檢測測試映射到Mitre ATT&CK框架,該框架不是自動的,但支持Microsoft Windows,MacOS和Linux風格,點擊這裡下載Atomic Red Team。


它也用Python編碼,適用於Microsoft Windows和Linux系統,點擊這裡下載Infection Monkey。


它是用Python編寫的,包括Encripto的Maligno,Pcapteller和Mocksum的最新版本。它還包含多個惡意軟件指示符配置文件,點擊這裡下載Blue Team Training Toolkit v2.6。

9.DumpsterFire:DumpsterFire是一個模塊化的,菜單驅動的跨平台Python工具,用於構建自定義的,延遲的分佈式安全事件。安全人員可以利用它輕鬆創建比如傳感器或警報映射(alert mapping)的自定義事件鏈,點擊這裡下載DumpsterFire v1.0.0。

10.AutoTTP:Automated Tactics Techniques&Procedures的縮寫,AutoTTP基於攻擊生命週期模型(攻擊生命週期模型)。它使用了一個純碎的PowerShell和Python後期漏洞利用代理工具–Empire,點擊這裡下載AutoTTP。


1.RedHunt操作系統:RedHunt操作系統的目標是通過集成攻擊者的武庫以及防御者的工具包來積極識別環境中的攻擊,從而成為一站式安全檢測商店,滿足你的所有攻擊仿真和攻擊要求。基本設備是Lubuntu-17.10.1 x64。它包含以下用於不同目的的工具:

攻擊仿真:Caldera,Atomic Red Team,DumpsterFire,Metta,RTA,Nmap,CrackMapExec,Responder,Zap。

記錄和監測:Kolide Fleet,ELK(Elasticsearch,Logstash和Kibana)堆棧



點此下載RedHunt OS Beta v1

2.Invoke-ATTACKAPI:這是一個開源的PowerShell腳本,通過自己的API與MITER ATT&CK框架進行交互,以收集有關攻擊技術,策略等信息,點擊這裡獲取這個腳本。


1.Cobalt Strike:Cobalt Strike是Armitage商業版,Armitage是一款Java寫的Metasploit圖形界面的攻擊軟件,可以用它結合Metasploit已知的攻擊來針對存在的漏洞自動化攻擊。


3.Immunity Adversary Simulation:該平台允許你從基礎架構內建立高級永久性攻擊模型,並評估安全團隊如何應對網絡上活躍的真實攻擊。



6.SimSpace; SimSpace似乎在使用蟲洞。

7.AttackIQ FireDrill:AttackIQ的模擬攻擊平台FireDrill可以針對客戶的網絡展開模擬攻擊,測試防禦系統的缺陷和漏洞。


以上列表不包括諸如MDSec的ActiveBreach,Nk33,FusionX,Red Siege,Spectre Ops和TrustedSec等服務,因為它們是由真人實施的。

Original Referring url:

Leave a Reply

Your email address will not be published. Required fields are marked *