What is APT Simulator?
APT Simulator is a Windows Batch script that uses a set of tools and output files to make a system look as if it was compromised. In contrast to other adversary simulation tools, APT Simulator is designed to keep the application as simple as possible. You don't need to run a web server, a database or any agents on a set of virtual machines. Just download the prepared archive, extract it and run the contained Batch file as Administrator. Running APT Simulator takes less than a minute of your time.
Use Cases
1. Proofs of concept (POCs) for endpoint detection agents / compromise assessment tools
2. Test your security monitoring's detection capabilities
3. Test your SOC's response to a threat that isn't EICAR or a port scan
4. Prepare an environment for digital forensics classes
The focus of this tool is to simulate adversary activity, not malware. See the Advanced Solutions section for advanced tools to simulate adversary and malware activity.
Getting Started
- Download the latest release from the "release" section
- Extract the package on a demo system (Password: apt)
- Start a cmd.exe as Administrator
- Navigate to the extracted program folder and run APTSimulator.bat
Extending the Test Cases
Since version 0.4 it is pretty easy to extend the test sets by adding a single .bat file to one of the test-set category folders.
For example, if you want to write a simple test case for "privilege escalation" that uses a tool named "privesc.exe", clone the repo and do the following:
- Add your tool to the toolset folder
- Write a new batch script privesc-1.bat and add it to the ./test-sets/privilege-escalation folder
- Run build_pack.bat
- Add your test case to the table and test sets section in the README.md
- Create a pull request
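As an added illustration of the steps above (this is not a file from the APT Simulator repository), here is what a hypothetical ./test-sets/privilege-escalation/privesc-1.bat could look like. The tool name privesc.exe comes from the text; the relative path from the test-set folder up to the toolset folder, the `[+]`/`[!]` output style and the Administrator and file-existence checks are assumptions of this example, not the project's own conventions.

```batch
@echo off
:: privesc-1.bat - hypothetical test case for the privilege-escalation set
:: (example only, not part of APT Simulator).
:: Assumption: this script lives in .\test-sets\privilege-escalation and the
:: toolset folder sits two levels above it, i.e. ..\..\toolset relative to
:: the script's own directory (%~dp0).
setlocal

set "TOOL=%~dp0..\..\toolset\privesc.exe"

:: Test cases are meant to run as Administrator; stop early otherwise so a
:: failed run does not get mistaken for a missed detection.
net session >nul 2>&1
if errorlevel 1 (
    echo [!] privesc-1: not running as Administrator, skipping
    exit /b 1
)

:: The tool is only available after the pack has been built.
if not exist "%TOOL%" (
    echo [!] privesc-1: %TOOL% not found, run build_pack.bat first
    exit /b 1
)

echo [+] privesc-1: running privilege escalation simulation
"%TOOL%"
echo [+] privesc-1: finished with exit code %ERRORLEVEL%

endlocal
exit /b 0
```

Keeping each test case to a short, self-describing script with a clear `[+]`/`[!]` status line makes it easy to match a line of console output to the corresponding row of the detection table when you evaluate results.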
The following table shows the different test cases and the expected detection results.
- AV = Antivirus
- NIDS = Network Intrusion Detection System
- EDR = Endpoint Detection and Response
- SM = Security Monitoring
- CA = Compromise Assessment