Skip to content

The AttackBed is a simulated enterprise network with numerous vulnerabilities. Attacks in this testbed are executed automatically and cover a variety of tactics and techniques of the MITRE ATT&CK enterprise framework.

License

Notifications You must be signed in to change notification settings

ait-testbed/attackbed

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 

Repository files navigation

Welcome to AttackBed! Logo

The AttackBed is a simulated enterprise network packed with numerous vulnerabilities. This testbed can be applied to automatically launch several attack scenarios (using AttackMate) and collect log data (apache access logs, DNS logs, syslog, authentication logs, audit logs, suricata logs, exim/mail logs, monitoring logs, etc.) as well as network traffic for forensic or live analysis and IDS evaluation. The attack scenarios are designed to cover as many tactics and techniques of the MITRE ATT&CK enterprise framework as possible. This repository contains all scripts required to setup such a testbed and launch the attack scenarios within a virtualized environment.

Scenarios

The testbed comprises three segments connected via a firewall: Internet (contains public DNS server), DMZ (contains a video server), and Intranet (contains user hosts). The scenarios are designed as multi-step attacks; to incorporate as many different attack techniques as possible, attack scenarios can be launched with many different variations of specific attack steps. Each scenario targets certain components or services in the network, which are described in the following.

Videoserver Scenario

In the video server scenario, an attacker first scans the network for vulnerabilities. After disclosing a vulnerable CCTV software on a video server, the attacker gains access to the DMZ through unauthenticated remote code execution. Subsequently, one of several vulnerabilities is used by the attacker to escalate privileges. Finally, using root permissions, the attacker is able to pause the CCTV image momentarily, potentially allowing intruders to physically invade the enterprise without being recorded.

Videoserver Scenario

Linux Malware Scenario

The Linux malware scenario uses the same network components as the video server scenario. An attacker gains access to the system through a remote service and manages to increase their privileges there. Next, the malicious actor installs a post exploitation toolkit to persist their access. In a variation of this scenario, the attacker installs a Linux rootkit to hide the post exploitation toolkit.

Lateral Movement Scenario

In the lateral movement scenario, the attacker gains access to a repository server in the DMZ through various remote services. By sniffing network connections, they obtain access credentials that provide administrator permissions. Next, the malicious actor gains access to a linux share in the local network through various vulnerabilities. Finally, the attacker executes various malicious payloads (such as a ransomware attack) on the target system.

Lateral Movement Scenario

MITRE Navigator

The following figure shows which tactics and techniques are currently covered by the aforementioned scenarios:

MITRE Navigator

Requirements

Documentation

Publications

If you use the testbed environment or any of the generated datasets, please cite the following publications:

Contact

Austrian Institute of Technology

License

GNU General Public License v3.0