cymulate-framework: help red team construct fully customizable and automated APT attacks easily

cymulate-framework

The framework to automate Cymulate’s modules and templates for the purple team.

What is Cymulate?

Cymualte is a BAS (Break and Attack Simulation) platform that provides a comprehensive set of attack simulations based on the MITRE ATT&CK® framework to test the effectiveness of your security controls.

This project is aimed to help Purple Team to:

• Red part: Construct fully customizable and automated APT attacks easily.
• Blue part: Test their security defenses against APT attacks easily.

Functionality

•  Scrape modules and templates from Cymulate and transform them into scripts.
•  Automate the execution of templates such as APT, Phishing, etc.
•  Generate standalone EXE for templates and bypass AMSI, Antivirus

How it works

Cymulate’s execution module has 5 main steps:

1. Check dependency – Check if required dependencies are installed.
2. Execution -Run the Mitre ATT&CK technique execution.
3. Success Indicate – Check if the attack was successful via parsing execution output or checking the exit code.
4. Output Parsing – Parse the output of the execution for further uses.
5. Cleanup – Clean up the execution environment.

The framework will automate the execution of the above steps.

Development

Blueprint

• Basic structure – The basic structure of the project.
• APT template – APT template automation test.
• Scrape modules and templates – Scrape modules and templates via Cymulate’s API
• Transform modules and templates – Transform modules and templates into cymulate-framework modules.
• Automate execution – Automate the execution of templates.
• APT Script generator – Generate scripts for APT template with extracted specific execution scripts (don’t wanna load the 20+mb json file) and load corresponding required 3rd party pip packages into scripts
• Pack Script to EXE – Pack generated template script with its requirements(pip packages, execution scripts) into EXE via pyinstaller, py2exe or Nuitka
• ClI – A CLI to interact with the framework.

Notes

• Using builtin dataclass + dacite for JSON deserializing model instead of pydantic since dacite is enough for the purpose.

Install & Use

Copyright (c) 2023 Fate Walker