AttackMate: Realistic Emulation and Automation of Cyber Attack Scenarios Across the Kill Chain

TL;DR

AttackMate is an open-source tool that realistically emulates cyber attack behaviors across the kill chain, reducing detection and improving security testing accuracy.

Contribution

It introduces a novel scripting language and engine that better mimics real attacker behavior, addressing limitations of existing emulation tools.

Findings

Log artifacts from AttackMate resemble those of real attackers

AttackMate effectively emulates attack stages like privilege escalation and lateral movement

Outperforms standard tools in realism of attack simulation

Abstract

Adversary emulation tools facilitate scripting and automated execution of cyber attack chains, thereby reducing costs and manual expert effort required for security testing, cyber exercises, and intrusion detection research. However, due to the fact that existing tools typically rely on agents installed on target systems, they leave suspicious traces that make it easy to distinguish their activities from those of real human attackers. Moreover, these tools often lack relevant capabilities, such as handling of interactive prompts, and are unsuitable for emulating specific stages of the kill chain, such as initial access. This paper thus introduces AttackMate, an open-source attack scripting language and execution engine designed to mimic behavior patterns of actual attackers. We validate the tool in a case study covering common attack steps including privilege escalation, information gathering, and lateral movement. Our results indicate that log artifacts resulting from AttackMate's activities resemble those produced by human attackers more closely than those generated by standard adversary emulation tools.