Network Flight Simulator

I have been looking for training mechanisms lately for the team. Luckily, it looks like folks already have been trying to find the same, because this handy repository was already built


Adversary Emulation

  • APTSimulator – Windows Batch script that uses a set of tools and output files to make a system look as if it was compromised.
  • Atomic Red Team (ART) – Small and highly portable detection tests mapped to the Mitre ATT&CK Framework.
  • AutoTTP – Automated Tactics Techniques & Procedures. Re-running complex sequences manually for regression tests, product evaluations, generate data for researchers.
  • Blue Team Training Toolkit (BT3) – Software for defensive security training, which will bring your network analysis training sessions, incident response drills and red team engagements to a new level.
  • Caldera – Automated adversary emulation system that performs post-compromise adversarial behavior within Windows Enterprise networks. It generates plans during operation using a planning system and a pre-configured adversary model based on the Adversarial Tactics, Techniques & Common Knowledge (ATT&CK™) project.
  • DumpsterFire – Modular, menu-driven, cross-platform tool for building repeatable, time-delayed, distributed security events. Easily create custom event chains for Blue Team drills and sensor / alert mapping. Red Teams can create decoy incidents, distractions, and lures to support and scale their operations.
  • Metta – Information security preparedness tool to do adversarial simulation.
  • Network Flight Simulator – Lightweight utility used to generate malicious network traffic and help security teams to evaluate security controls and network visibility.
  • Red Team Automation (RTA) – RTA provides a framework of scripts designed to allow blue teams to test their detection capabilities against malicious tradecraft, modeled after MITRE ATT&CK.
  • RedHunt-OS – Virtual machine for adversary emulation and threat hunting.

Just scanning through the list, Network Flight Simulator looked cool. So, let’s go try it out!

Install instructions (hopefully you’re doing this on a testing VM right?)

  1. Go to the Github Page: https://github.com/alphasoc/flightsim
  2. Click on Releases
  3. Select the asset that is for your testing machine
  4. On the testing machine, from a shell, navigate to the folder you downloaded the file to.
  5. Run the program!

Running the program is pretty straight forward, I was surprised by how easy it is honestly. There is no installing extra modules, no long complicated commands to pass to it. Instead you literally just type:

.\flightsim-windows-amd64.exe run c2

And BAM! ‘fake’ malicious traffic goes crossing your boundaries! Going through the issues and looking at the code it looks like the program simply goes out to known publishers (Tor Project, CyberCrime Tracker, etc) and grabs some known malicious IP’s and starts communicating. So this isn’t that fake, you are actually communicating with hostile endpoints. Which is why you should run this on a throwaway computer…

The whole output looks like:

PS C:\Users\temp\Downloads> .\flightsim-windows-amd64.exe run c2:trickbot

AlphaSOC Network Flight Simulator™ v2.0.0-beta.2 (https://github.com/alphasoc/flightsim)
The IP address of the network interface is 1.1.1.1
The current time is 24-Nov-19 20:44:24

20:44:24 [c2:trickbot] Preparing a random sample of C2 domains
20:44:24 [c2:trickbot] Preparing a random sample of C2 IP:port pairs
20:44:24 [c2:trickbot] Connecting to 181.129.104.139:449
20:44:26 [c2:trickbot] Connecting to 185.57.167.32:449
20:44:27 [c2:trickbot] Connecting to 191.37.181.152:449

AlphaSOC Network Flight Simulator™ v2.0.0-beta.2 (https://github.com/alphasoc/flightsim)
The IP address of the network interface is 1.1.1.1
The current time is 24-Nov-19 20:48:14

20:48:14 [sink] Preparing a random sample of sinkholed domains
20:48:14 [sink] Resolving ladieslovelexus.com
20:48:16 [sink] Resolving superprazdnik134.ru
20:48:17 [sink] Resolving aasubbotina.ru
20:48:18 [sink] Resolving neurograff-space.ru
20:48:19 [sink] Preparing a random sample of sinkholed IP:port pairs
20:48:19 [sink] Connecting to 50.116.17.41:2628
20:48:20 [sink] Connecting to 141.239.151.46:2480
20:48:21 [sink] Connecting to 157.122.62.206:3780
20:48:22 [sink] Connecting to 141.239.151.46:7401
20:48:23 [sink] Connecting to 50.116.17.41:3388

All done! Check your SIEM for alerts using the timestamps and details above.

The end goal behind this type of program is to be able to test your SIEM and other detection methods. Given that these IP’s are being grabbed from known publishers, you really do hope that your detection methodologies will pick up the traffic.