Adversary-Simulation-Toolkit

🚀 Overview

Adversary Simulation Toolkit is a comprehensive collection of utilities and resources designed for red teaming, adversary emulation, and security research. This repository serves as a centralized hub for tools, use cases, and documentation to facilitate realistic threat simulation.

🧠 Concepts

What is Adversary Emulation? Adversary emulation leverages adversary tactics, techniques, and procedures (TTPs), enhanced by cyber threat intelligence, to create a security test based on real-world intrusion campaigns. It helps organizations prioritize threats and verify defenses against specific actors.

Adversary Emulation Plan To showcase the practical use of ATT&CK, MITRE created Adversary Emulation Plans. These documents outline how to model adversary behavior based on open threat reports, allowing defenders to test their networks against specific APT TTPs rather than just generic vulnerabilities.

🗺️ Attack Navigator

Visualize and plan your adversary emulation scenarios using the MITRE ATT&CK Navigator.

MITRE ATT&CK Navigator: A web-based tool for annotating and exploring ATT&CK matrices. Use this to map out the TTPs for your specific simulation plans (e.g., Crypto24).

🛠️ Tools by Phase

This toolkit organizes tools according to the standard Red Team phases, enriched with resources from the community.

0. Adversary Simulation Platforms

Automated and manual platforms for mimicking adversary behavior.

Atomic Red Team: Library of simple tests mapped to the MITRE ATT&CK framework.
Caldera: Automated adversary emulation system by MITRE.
Infection Monkey: Open-source breach and attack simulation tool.
OpenBAS: Open Breach and Attack Simulation platform.
Metta: Adversarial simulation tool by Uber (historical reference).
Stratus Red Team: “Atomic Red Team” for Cloud (AWS, Azure, GCP).
Prelude Operator: Platform for developer-first advanced security mimicking real attacks.
APTSimulator: Windows Batch script to make a system look compromised.
Network Flight Simulator: Utility to generate malicious network traffic.
Red Team Automation (RTA): Framework of scripts modeled after MITRE ATT&CK.

1. Reconnaissance

Gathering intelligence on the target.

Active Intelligence Gathering

EyeWitness: Take screenshots of websites, provide server header info, and identify default credentials.
AWSBucketDump: Quickly enumerate AWS S3 buckets to look for loot.
AQUATONE: Tools for performing reconnaissance on domain names.
spoofcheck: Checks if a domain can be spoofed from (SPF/DMARC).
Nmap: Network discovery and security auditing.
dnsrecon: DNS Enumeration Script.

Passive Intelligence Gathering

Social Mapper: OSINT Social Media Mapping Tool.
skiptracer: OSINT scraping framework.
ScrapedIn: Scrape LinkedIn without API restrictions.
FOCA: Find metadata and hidden information in documents.
theHarvester: Gather emails, subdomains, hosts, employee names, open ports, and banners.
Metagoofil: Extract metadata of public documents.
SimplyEmail: Email recon made fast and easy.
truffleHog: Searches through git repositories for secrets.
Just-Metadata: Gathers and analyzes metadata about IP addresses.
pwnedOrNot: Checks if email account has been compromised in a data breach.
pwndb: Search leaked credentials using the Onion service.

Frameworks

Maltego: Interactive data mining tool that renders directed graphs for link analysis.
SpiderFoot: Open source footprinting and intelligence-gathering tool.
datasploit: OSINT Framework to perform various recon techniques.
Recon-ng: Full-featured Web Reconnaissance framework.

2. Weaponization

Coupling a remote access trojan with an exploit.

Composite Moniker: PoC exploit for CVE-2017-8570.
CACTUSTORCH: Payload Generation for Adversary Simulations.
SharpShooter: Payload creation framework for C#.
Don’t kill my cat (DKMC): Generates obfuscated shellcode stored inside polyglot images.
Malicious Macro Generator: Generate obfuscated macros.
Invoke-Obfuscation: PowerShell Obfuscator.
Invoke-CradleCrafter: PowerShell remote download cradle generator.
Unicorn: PowerShell downgrade attack and shellcode injection.
Shellter: Dynamic shellcode injection tool.
Veil: Generate metasploit payloads that bypass common AV.
LuckyStrike: Malicious Office macro creation.
ClickOnceGenerator: Quick Malicious ClickOnceGenerator.
macro_pack: Automatize obfuscation and generation of MS Office documents.
SocialEngineeringPayloads: Collection of social engineering tricks and payloads.
The Social-Engineer Toolkit: Framework for social engineering.

3. Delivery

Transmitting the weapon to the target environment.

Phishing

King Phisher: Phishing campaign toolkit.
FiercePhish: Full-fledged phishing framework.
Gophish: Open-source phishing toolkit.
CredSniper: Phishing framework supporting 2FA tokens.
PwnAuth: OAuth abuse campaigns.
Modlishka: Reverse proxy for ethical phishing.
Evilginx: Man-in-the-middle attack framework.

Watering Hole Attack

BeEF: Browser Exploitation Framework.

4. Command and Control (C2)

Establishing a command channel.

Remote Access Tools

Cobalt Strike: Adversary Simulations and Red Team Operations software.
Empire: Post-exploitation framework (PowerShell/Python).
Metasploit Framework: Penetration testing framework.
SILENTTRINITY: Post-exploitation agent (Python/C#/.NET).
Pupy: Cross-platform remote administration tool.
Koadic: Windows post-exploitation rootkit (COM C2).
PoshC2: Proxy aware C2 framework.
Merlin: HTTP/2 C2 server and agent (Go).
Quasar: Remote administration tool (C#).
Covenant: .NET command and control framework.
FactionC2: C2 framework using websockets based API.

Staging & Infrastructure

Red Baron: Automate creating resilient infrastructure with Terraform.
EvilURL: Generate unicode evil domains.
Domain Hunter: Checks expired domains and categorization.
Chameleon: Evading Proxy categorisation.
Malleable C2: Redefine indicators in Beacon’s communication.
ExternalC2: Library for Cobalt Strike External C2.
mkhtaccess_red: Auto-generate HTaccess for payload delivery.
RedFile: Flask app serving files with intelligence.
pwndrop: Self-deployable file hosting service for red teamers.
C2concealer: Generates randomized C2 malleable profiles for Cobalt Strike.
FindFrontableDomains: Search for potential frontable domains.
RedWarden: Flexible CobaltStrike Malleable Redirector.
AzureC2Relay: Azure Function to validate and relay Cobalt Strike beacon traffic.
C3: Custom Command and Control (C3) for esoteric C2 channels.
redirect.rules: Dynamic redirect.rules generator.
CobaltBus: Cobalt Strike External C2 Integration via Azure Servicebus.
SourcePoint: C2 profile generator for Cobalt Strike evasion.
RedGuard: C2 front flow control tool to avoid Blue Teams/AVs/EDRs.

Simulation C2 Frameworks C2s specifically designed or well-suited for adversary simulation and research.

BEAR: C2 framework designed for mimicking Russian APT TTPs.
Sliver: Open source cross-platform adversary emulation/red team framework (Go).
Mythic: Collaborative, multi-platform, red teaming framework.
Havoc: Modern and malleable post-exploitation command and control framework.
shad0w: Post exploitation framework designed to operate covertly.
Covenant: .NET command and control framework (also listed above).

5. Lateral Movement

Moving through the environment.

CrackMapExec: Swiss army knife for pentesting networks.
PowerLessShell: Execute PowerShell without spawning powershell.exe.
GoFetch: Automatically exercise BloodHound attack plans.
DeathStar: Automate gaining Domain Admin rights using Empire.
Responder: LLMNR/NBT-NS/MDNS poisoner.
SessionGopher: Extract saved session information.
PowerSploit: Collection of PowerShell modules.
Nishang: Framework and collection of scripts/payloads.
Inveigh: PowerShell LLMNR/mDNS/NBNS spoofer.
Mimikatz: Extract credentials from memory.
LaZagne: Retrieve passwords stored on a local computer.
PsExec: Execute processes on other systems.
KeeThief: Extraction of KeePass key material.
Impacket: Python classes for network protocols.
RedSnarf: Pen-testing / red-teaming tool for Windows.

6. Establish Foothold

Maintaining access.

Tunna: Tunnel TCP communication over HTTP.
reGeorg: Create SOCKS proxies through the DMZ.
Blade: Webshell connection tool.
TinyShell: Web Shell Framework.
PowerLurk: Malicious WMI Event Subscriptions.
DAMP: Persistence through Host-based Security Descriptor Modification.

7. Escalate Privileges

Gaining higher-level permissions.

Domain Escalation

PowerView: Network situational awareness on Windows domains.
Get-GPPPassword: Retrieve plaintext password from Group Policy.
Invoke-ACLpwn: Automate discovery and pwnage of ACLs.
BloodHound: Reveal hidden relationships in AD.
PyKEK: Python Kerberos Exploitation Kit.
Grouper: Find vulnerable settings in AD Group Policy.
ADRecon: Extract artifacts from AD.
ACLight: Discovery of Domain Privileged Accounts.
LAPSToolkit: Audit and attack LAPS environments.
PingCastle: Audit risk level of AD infrastructure.
RiskySPNs: Detect and abuse accounts associated with SPNs.
Rubeus: C# toolset for raw Kerberos interaction.
kekeo: Manipulate Microsoft Kerberos in C.

Local Escalation

UACMe: Bypass Windows User Account Control.
windows-kernel-exploits: Collection of Windows kernel exploits.
PowerUp: Common Windows privilege escalation vectors.
The Elevate Kit: Privilege escalation with Cobalt Strike.
Sherlock: Find missing software patches.
Tokenvator: Elevate privilege with Windows Tokens.

8. Data Exfiltration

Stealing data.

CloakifyFactory: Data Exfiltration & Infiltration In Plain Sight.
DET: Data Exfiltration Toolkit.
DNSExfiltrator: Exfiltrate data over DNS.
PyExfil: Python Package for Data Exfiltration.
Egress-Assess: Test egress data detection capabilities.
Powershell RAT: Exfiltrate data as email attachment.

9. Misc

Other useful tools.

Wireless Networks

Wifiphisher: Automated phishing attacks against Wi-Fi networks.
Evilginx: Man-in-the-middle attack framework.
mana: Toolkit for wifi rogue AP attacks.

Embedded & Peripheral Devices

magspoof: Spoof/emulate magnetic stripes.
P4wnP1: Highly customizable USB attack platform.
poisontap: Exploits locked computers over USB.
WHID: WiFi HID Injector.

Team Communication

RocketChat: Open source team chat.
Etherpad: Collaborative real-time editor.

Log Aggregation

RedELK: Red Team’s SIEM.
CobaltSplunk: Splunk Dashboard for CobaltStrike logs.

C# Offensive Framework

SharpSploit: .NET post-exploitation library.
GhostPack: Collection of C# implementations (Seatbelt, SharpUp, etc.).
SharpWeb: Retrieve saved browser credentials.

Labs

Detection Lab: Quickly build a Windows domain with security tooling.
Invoke-ADLabDeployer: Automated deployment of Windows and AD test labs.

Scripts

Aggressor Scripts: Scripts for Cobalt Strike.
PowerShell-Suite: Collection of PowerShell scripts.

📂 Local Tools Directory

The Tools directory in this repository contains essential binaries, scripts, and archives organized by phase:

🛠️ Root Tools

Remote Access & Administration: AnyDesk, Advanced IP Scanner
Network Discovery: IP Scan

🕵️ Reconnaissance

EyeWitness: Tool to take screenshots of websites, provide server header info, and identify default credentials.

⚔️ Weaponization & Privilege Escalation

Contains various post-exploitation and privilege escalation tools, including:

Mimikatz & Mimikatz.Kit: Credential extraction.
PEASS-ng: Privilege Escalation Awesome Scripts Suite (including winPEAS).
Rubeus: Kerberos interaction and abuse.
Seatbelt: Safety checks and host survey.
SharpUp: C# port of PowerUp.
SharpView: C# implementation of PowerView.
PowerUpSQL: SQL Server discovery and exploitation.
365-Stealer: Phishing tool for Office 365.
SweetPotato: Local Service to SYSTEM privilege escalation.

📡 Command and Control (C2)

ArtifactKit Cobalt Strike: Artifact kit for Cobalt Strike visualization and modification.

🗂️ Resources

Templates and guides for planning and executing adversary emulations.

Adversary Emulation Plan Template: Excel template for planning scenarios.
APT3 Adversary Emulation Field Manual: Detailed field manual for APT3 emulation.
Cobalt Strike Cheat Sheet: Quick reference for Cobalt Strike commands.
Ransomware Overview: Comprehensive overview of ransomware families.

📚 Use Cases

Explore the Use Case directory for detailed simulation plans and scenarios.

Ransomware & Cybercrime

Crypto24 Adversary Simulation Plan: A deep dive into mimicking the TTPs of the Crypto24 ransomware group.
SLSH (Scattered LAPSUS$ Hunters) Plan: Simulation of the federated cybercriminal alliance merging Scattered Spider, LAPSUS$, and ShinyHunters.

State-Sponsored APTs Comprehensive simulation plans for major nation-state actors.

Russian APTs: Includes APT29 (Cozy Bear), APT28 (Fancy Bear), and others.
Chinese APTs: Includes Mustang Panda, Wicked Panda, and others.
North Korean APTs: Includes Labyrinth Chollima, Velvet Chollima, and others.
Iranian APTs: Includes Helix Kitten, Pioneer Kitten, and others.
Data Exfiltration: Simulation of data exfiltration techniques using tools like VeilTF.

📚 References & Learning Resources

Curated list of blogs, videos, and guides for advanced techniques.

Privilege Escalation

Lateral Movement

Command and Control (Tutorials)

Covenant: Installation & Usage, Intro to Covenant
Cobalt Strike: Cheatsheet, In-Memory Evasion
Sliver: Sliver C2, Custom Shellcode Stager

Defense Evasion (AV/EDR)

📦 Installation & Usage

Clone the repository:

git clone https://github.com/hrtywhy/Adversary-Simulation-Toolkit.git

Navigate to the directory:
```
cd Adversary-Simulation-Toolkit
```
Explore the Tools and Use Case directories for specific resources.

🤝 Contribution

Contributions are welcome! Please submit a pull request or open an issue to suggest new tools or simulation scenarios.

⚠️ Disclaimer

This toolkit is intended for educational and authorized security testing purposes only. The authors are not responsible for any misuse of these tools. Always obtain proper authorization before conducting any security assessments.