Table of Contents
Fetching ...

AttackMate: Realistic Emulation and Automation of Cyber Attack Scenarios Across the Kill Chain

Max Landauer, Wolfgang Hotwagner, Thorina Boenke, Florian Skopik, Markus Wurzenberger

TL;DR

AttackMate addresses the need for realistic adversary emulation by replacing agent-based execution with an agentless, interactive scripting approach that reproduces human attacker behavior. The system uses YAML playbooks, a modular Execution Engine, and connectors to Metasploit, Sliver, and Bettercap to realize attack chains across the entire kill chain, including interactive prompts and sessions. A case study shows AttackMate yields log artifacts that closely resemble those from real attackers, outperforming traditional tools like Caldera in realism, especially for complex steps such as privilege escalation and lateral movement. The work advances practical cyber defense by enabling repeatable, realistic exercise data and paves the way for future integration with planning algorithms and large language models for automated playbook generation.

Abstract

Adversary emulation tools facilitate scripting and automated execution of cyber attack chains, thereby reducing costs and manual expert effort required for security testing, cyber exercises, and intrusion detection research. However, due to the fact that existing tools typically rely on agents installed on target systems, they leave suspicious traces that make it easy to distinguish their activities from those of real human attackers. Moreover, these tools often lack relevant capabilities, such as handling of interactive prompts, and are unsuitable for emulating specific stages of the kill chain, such as initial access. This paper thus introduces AttackMate, an open-source attack scripting language and execution engine designed to mimic behavior patterns of actual attackers. We validate the tool in a case study covering common attack steps including privilege escalation, information gathering, and lateral movement. Our results indicate that log artifacts resulting from AttackMate's activities resemble those produced by human attackers more closely than those generated by standard adversary emulation tools.

AttackMate: Realistic Emulation and Automation of Cyber Attack Scenarios Across the Kill Chain

TL;DR

AttackMate addresses the need for realistic adversary emulation by replacing agent-based execution with an agentless, interactive scripting approach that reproduces human attacker behavior. The system uses YAML playbooks, a modular Execution Engine, and connectors to Metasploit, Sliver, and Bettercap to realize attack chains across the entire kill chain, including interactive prompts and sessions. A case study shows AttackMate yields log artifacts that closely resemble those from real attackers, outperforming traditional tools like Caldera in realism, especially for complex steps such as privilege escalation and lateral movement. The work advances practical cyber defense by enabling repeatable, realistic exercise data and paves the way for future integration with planning algorithms and large language models for automated playbook generation.

Abstract

Adversary emulation tools facilitate scripting and automated execution of cyber attack chains, thereby reducing costs and manual expert effort required for security testing, cyber exercises, and intrusion detection research. However, due to the fact that existing tools typically rely on agents installed on target systems, they leave suspicious traces that make it easy to distinguish their activities from those of real human attackers. Moreover, these tools often lack relevant capabilities, such as handling of interactive prompts, and are unsuitable for emulating specific stages of the kill chain, such as initial access. This paper thus introduces AttackMate, an open-source attack scripting language and execution engine designed to mimic behavior patterns of actual attackers. We validate the tool in a case study covering common attack steps including privilege escalation, information gathering, and lateral movement. Our results indicate that log artifacts resulting from AttackMate's activities resemble those produced by human attackers more closely than those generated by standard adversary emulation tools.
Paper Structure (34 sections, 17 figures)

This paper contains 34 sections, 17 figures.

Figures (17)

  • Figure 1: Typical ecosystem to run AttackMate, including playbooks and target infrastructure. The right side of the figure shows an overview of AttackMate's architecture and available executors.
  • Figure 2: Playbook for TCP traffic dumping.
  • Figure 3: Playbook for reverse-shell deployment.
  • Figure 4: Playbook for privilege escalation.
  • Figure 5: Playbook for lateral movement via SSH.
  • ...and 12 more figures