Attack Simulation

Attack Simulation is the AdversaryGraph v5 detection-validation workspace. It lets analysts choose an ATT&CK technique, run approved lab scenarios, inspect target-side telemetry, forward events to a SIEM, and use an AI assistant to generate coherent multi-phase detection drills.

The module is designed for defensive validation. It does not execute malware, run arbitrary commands, exploit user-supplied targets, or attack real users.

What It Solves

Detection engineering often fails when the validation event is too small or too synthetic. Attack Simulation separates two workflows:

  • Lab target execution: run safe predefined behavior against approved lab fixtures and inspect target-owned logs.
  • AI-assisted telemetry drills: generate source-shaped event stories for SIEM parser, rule, dashboard, and correlation testing.

The result is a repeatable path from ATT&CK technique to telemetry evidence, SIEM ingestion, and documented validation gaps.

TTP-First Workflow

[Figure: Attack Simulation TTP matrix with runnable cells]
Select the technique first. Runnable simulation cells are visible directly in the ATT&CK-style matrix.

After selecting a technique, AdversaryGraph opens a dedicated configuration page for that TTP.

[Figure: Attack Simulation selected TTP configuration page]
The selected TTP page explains the scenario, production log sources, detection logic, tuning notes, validation gaps, and available actions.

Real Lab Telemetry

For web scenarios, the Docker deployment includes an attack-lab-web target. The API sends real HTTP requests to that lab target, and the target writes server-side logs. Analysts can inspect:

  • NGINX access logs.
  • NGINX error logs.
  • Application authentication logs.
  • WAF/security-style alert logs.
  • Structured web JSONL telemetry.
  • Endpoint fixture logs for endpoint/internal activity scenarios.
  • Merged attacked-server events.

[Figure: Real-time Attack Simulation log panel]
The real-time log panel tails target-side telemetry so the analyst can verify what the lab target actually emitted.

SIEM Forwarding

The forwarding panel sends selected Attack Simulation telemetry to an HTTP(S) collector such as Logstash HTTP input, Splunk HEC, XpoLog/Logeye, or a custom webhook.

Supported controls:

  • Full URL or raw host:port/path destination.
  • Direct, Docker host gateway, or automatic route selection.
  • Raw original line, JSON event per request, JSON lines, or batch envelope.
  • No auth, bearer token, token auth, basic auth, or custom token header.
  • Source selection: access, auth, endpoint, security/WAF, error, structured JSONL, run JSONL, or all attacked-server events.
  • Last 10 non-secret destinations are saved for reuse.

[Figure: Attack Simulation SIEM forwarding configuration]
Forward logs to a SIEM collector while preserving the selected source format.

[Figure: Attack Simulation SIEM delivery status and recent destinations]
Delivery status and saved destination history reduce friction during repeated parser and rule testing.
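As an added example (not AdversaryGraph's own forwarding code), the block below shapes a few constructed attack-lab-web lines the way the forwarding panel describes: the destination is accepted as a full URL or a raw host:port/path, the payload is built as raw lines, one JSON event per request, JSON lines, or a batch envelope, and the auth header follows the selected mode. The envelope field names, the `http://` default for raw destinations, and the reading of "token auth" as Splunk HEC's `Authorization: Splunk <token>` scheme are assumptions; route selection (direct, Docker host gateway, automatic) is not modeled.

```python
import base64
import json
import urllib.request

# Constructed sample lines standing in for attack-lab-web access and auth telemetry.
SAMPLE_LINES = [
    '10.0.0.5 - - [01/Jan/2025:12:00:00 +0000] "GET /login HTTP/1.1" 200 512',
    '{"ts":"2025-01-01T12:00:01Z","user":"alice","result":"failure"}',
]

def normalize_destination(dest):
    """A full URL is used as-is; a raw host:port/path is assumed to be plain HTTP."""
    return dest if dest.startswith(("http://", "https://")) else "http://" + dest

def auth_headers(mode, secret=None, header_name=None):
    """Headers per auth mode. 'token' is assumed to mean Splunk HEC's
    'Authorization: Splunk <token>'; 'basic' expects secret as 'user:pass';
    'custom' places the secret in header_name."""
    schemes = {"none": None, "bearer": "Bearer ", "token": "Splunk ", "basic": "Basic "}
    if mode == "custom":
        return {header_name: secret}
    if mode not in schemes:
        raise ValueError("unknown auth mode: " + mode)
    if mode == "none":
        return {}
    value = base64.b64encode(secret.encode()).decode() if mode == "basic" else secret
    return {"Authorization": schemes[mode] + value}

def build_bodies(lines, fmt, source):
    """Return [(content_type, body)] per HTTP request for the chosen format.
    Envelope field names are assumptions, not AdversaryGraph's schema."""
    events = [{"source": source, "message": line} for line in lines]
    if fmt == "raw":         # one request per original line, bytes untouched
        return [("text/plain", line) for line in lines]
    if fmt == "json_event":  # one JSON object per request
        return [("application/json", json.dumps(e)) for e in events]
    if fmt == "jsonl":       # newline-delimited JSON, whole batch in one request
        return [("application/x-ndjson", "\n".join(json.dumps(e) for e in events) + "\n")]
    if fmt == "batch":       # single envelope carrying the full event array
        return [("application/json", json.dumps(
            {"source": source, "count": len(events), "events": events}))]
    raise ValueError("unknown format: " + fmt)

def build_requests(dest, lines, fmt, source, auth_mode, secret=None, header_name=None):
    """Assemble ready-to-send POST requests; nothing is transmitted here."""
    url = normalize_destination(dest)
    headers = auth_headers(auth_mode, secret, header_name)
    return [urllib.request.Request(url, data=body.encode(), method="POST",
                                   headers={**headers, "Content-Type": ctype})
            for ctype, body in build_bodies(lines, fmt, source)]
```

Delivering each request is `urllib.request.urlopen(req, timeout=5)`; the HTTP status or exception per request is what a delivery-status panel would record.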

AI Attack Assistant

The AI Attack Assistant creates coherent telemetry stories for detection engineering. It can work in three modes:

  • Selected TTP: build a focused validation flow around the current technique.
  • Threat actor: build an actor-oriented scenario using relevant ATT&CK behavior.
  • Challenge Me: generate a blind multi-phase detection challenge.

Complicated mode produces longer multi-source event flows across Windows Event, Sysmon, EDR, DNS, proxy, firewall, web, and WAF-shaped telemetry. If the selected LLM is unavailable or times out, AdversaryGraph falls back to deterministic coherent scenario templates and reports that in the UI.

[Figure: AI Attack Assistant scenario library]
The Scenario Library contains named coherent kill chains with preconditions, success criteria, and expected detections.

Attack Chain Graph

Generated scenarios include an attack-chain graph. Each phase shows the phase number, ATT&CK technique, telemetry source, event format, event count, and detection goal.

[Figure: AI-generated attack chain graph in Attack Simulation]
The graph confirms that the scenario is an ordered kill chain, not random unrelated telemetry.

The Explain Attack action summarizes the kill chain, why each phase exists, which telemetry should be generated, and what the analyst should look for in the SIEM.

[Figure: Explain Attack panel in Attack Simulation]
Explain Attack turns the generated event story into a readable analyst guide.

Scenario Library

The v5 library includes 25 named coherent scenarios:

Scenario | Focus
Web App to Endpoint Compromise | Reconnaissance, web access, endpoint execution, credential access, persistence, C2/exfiltration
Password Spray to Valid Account Foothold | User enumeration, password spray, successful logon, endpoint discovery
SQL Injection to Data Theft | SQLi-shaped web telemetry, database audit style events, staging, exfiltration
Recon to Web Shell Persistence | HTTP discovery, upload/web-shell canaries, persistence-style access
Valid Account to LSASS Access | Successful logon, discovery, LSASS access, credential-dumping detections
Password Spray to Exfiltration | Identity attack, valid account, staged collection, proxy upload
XSS Canary to Session Abuse | XSS-shaped telemetry, session token misuse, suspicious authenticated actions
SSRF Metadata Probe to C2 | SSRF-shaped requests, metadata access canaries, follow-on beaconing
Ransomware Precursor Chain | Discovery, defense evasion, credential access, mass file change canaries
Living-off-the-Land Transfer and Execution | Certutil/BITS/rundll32 style telemetry and process lineage
Internal Discovery After Foothold | Host, user, network, process, and service discovery telemetry
Web Enumeration to Password Spray | HTTP enumeration followed by identity/authentication failures
Public App Exploit to Persistence | Public web exposure, endpoint execution, Run key/service persistence
Credential Dump to Cloud Upload | LSASS access, archive creation, proxy/cloud upload telemetry
Signed Binary Proxy to C2 | LOLBin process creation, suspicious network connection, beacon pattern
FIN7-Style Web, Identity, Persistence | Web entry, credential attack, persistence, lateral discovery signals
APT29-Style Identity and PowerShell | Identity abuse, PowerShell, discovery, C2-style telemetry
Lazarus-Style Delivery and Exfiltration | Delivery, execution, credential access, collection, exfiltration
Noisy Red-Team Drill | High-volume multi-source detections for tuning and dashboard testing
Stealthy Low-Volume Intrusion Chain | Sparse cross-source correlation and low-noise detections
WAF Bypass Retry Chain | Repeated web probes with encoding/bypass variation
Service Account Abuse | Service-account logon behavior, privilege use, unusual source host
External Recon to Credential Access | Public discovery, credential attack, endpoint credential-access telemetry
C2 Telemetry Validation | DNS/proxy/beacon detections and periodicity checks
Persistence Control Validation | Run key, scheduled task, service, WMI, and startup artifact events

Validation Rule

Attack Simulation output is validation assistance, not proof of coverage by itself. Mark a detection as passed only when the expected behavior happened in an authorized lab, the expected telemetry was collected, the detection fired, and known benign lookalikes or tuning gaps were reviewed.