A collection of controlled attack simulation scripts designed for cybersecurity professionals to test detection capabilities, validate security controls, and train incident response teams.
IMPORTANT: READ BEFORE USE
This repository contains security testing tools that simulate malicious behavior for DEFENSIVE PURPOSES ONLY.
This repository contains two main categories of attack simulations:
- AWS Attack Simulations - Cloud-based security testing scenarios
- Atomic Red Team Simulations - Endpoint-based MITRE ATT&CK technique simulations
All scripts are designed to generate observable security events that can be detected by properly configured security tools such as SIEM, EDR/XDR, CloudTrail, GuardDuty, and other monitoring solutions.
Test whether your security monitoring tools can detect common attack patterns:
- IAM privilege escalation attempts
- Public S3 bucket misconfigurations
- Ransomware behavior patterns
- Defense evasion techniques
Provide realistic attack scenarios for:
- SOC analyst training and skill development
- Incident response team exercises
- Purple team operations
- Security awareness demonstrations
Validate and optimize security tools:
- SIEM rule effectiveness
- EDR/XDR detection capabilities
- Cloud security posture management (CSPM)
- Alert tuning and false positive reduction
Demonstrate security control effectiveness:
- Validate monitoring coverage for compliance frameworks
- Provide evidence of detection capabilities
- Test incident response procedures
- Document security control validation
| Script | Description | Documentation |
|---|---|---|
| aws-iam-attack.sh | IAM privilege escalation demo | Full Documentation |
| aws-create-bucket.sh | Public S3 bucket misconfiguration | Full Documentation |
| aws-create-bucket-2.sh | Public S3 bucket with mock sensitive data (DLP testing) | Full Documentation |

| Script | Description | Documentation |
|---|---|---|
| ransomware_simulation.ps1 | Multi-phase ransomware attack simulation | Full Documentation |
| cleanup.ps1 | Cleanup script for ransomware simulation | Full Documentation |
| run_ransomware_simulation.bat | Standalone batch launcher (downloads the PowerShell script from GitHub at run time) | Full Documentation |
| run_cleanup.bat | Standalone cleanup batch launcher (downloads the PowerShell script from GitHub at run time) | Full Documentation |
Simulates IAM privilege escalation from PowerUser to AdministratorAccess. Run it only with credentials that belong to a dedicated test account: the IAM user, policy attachment and access key it creates are real until cleanup runs.
Quick Start:
```bash
# Install prerequisites (macOS)
brew install awscli jq
# Configure AWS CLI
aws configure
# Run simulation
./aws/aws-iam-attack.sh
# Cleanup
./aws/aws-iam-attack.sh cleanup
```
Detection Opportunities: CloudTrail events, GuardDuty findings, privilege escalation patterns
Creates a publicly accessible S3 bucket to test misconfiguration detection.
Quick Start:
```bash
# Install prerequisites (macOS)
brew install awscli
# Configure AWS CLI
aws configure
# Run simulation
./aws/aws-create-bucket.sh
# Cleanup (--force empties the bucket before removing it)
aws s3 rb s3://<bucket-name> --force
```
Detection Opportunities: AWS Config violations, Security Hub findings, public bucket policies
Creates a publicly accessible S3 bucket containing mock sensitive data (PII) for DLP testing.
Quick Start:
```bash
# Same prerequisites as aws-create-bucket.sh
# Run simulation
./aws/aws-create-bucket-2.sh
# Cleanup (--force empties the bucket before removing it)
aws s3 rb s3://<bucket-name> --force
```
Detection Opportunities: DLP alerts, Amazon Macie findings, sensitive data exposure, CASB detection
Multi-phase ransomware attack using the Atomic Red Team framework.
Quick Start (Option 1: Standalone Batch Files - Recommended for Demos):
```bat
REM Download and run the batch file from GitHub
REM The batch file will automatically download and execute the PowerShell script
REM Run simulation with default 120-second delay
run_ransomware_simulation.bat
REM Run with custom delay (60 seconds)
run_ransomware_simulation.bat 60
REM Cleanup
run_cleanup.bat
```
The batch launchers fetch the PowerShell scripts from GitHub each time they run, so they need outbound HTTPS from the test VM and execute whatever is currently published there. Where that is a concern, review a local copy and use Option 2 instead.
Quick Start (Option 2: PowerShell Direct):
```powershell
# Allow local scripts for the current user (this scope does not need elevation)
Set-ExecutionPolicy -ExecutionPolicy RemoteSigned -Scope CurrentUser
# Run simulation from an elevated PowerShell (the script itself needs Administrator rights)
.\atomic-scripts\simple-ransomware-simulation\ransomware_simulation.ps1
# Cleanup
.\atomic-scripts\simple-ransomware-simulation\cleanup.ps1
```
Detection Opportunities: EDR/XDR alerts, Sysmon events, shadow copy deletion, event log clearing
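As an added example (not code from this repository), the following Python scorer turns the host-side signals listed above into one alert per host. It classifies Windows Security events (4720, 4732, 4698, 1102) and Sysmon process-creation command lines (vssadmin/wmic shadow copy deletion, wevtutil log clearing, discovery commands) into attack phases and fires when three or more distinct phases land on the same host within fifteen minutes. The records are constructed; the flat host/channel/event_id/command_line layout is this example's own normalisation, not a Sysmon or SIEM schema.

```python
"""Phase-based scoring of ransomware-simulation behaviour per Windows host.

Added example, not part of the repository. SAMPLE_EVENTS is constructed; the
flat record layout (host, channel, event_id, time, command_line) is this
example's own normalisation, while the event IDs are the standard Security
and Sysmon ones.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

WINDOW = timedelta(minutes=15)   # phases must cluster inside this span
MIN_PHASES = 3                   # distinct phases needed before alerting

# Security-log event IDs and the phase each one indicates.
SECURITY_PHASES = {4720: "account_creation",   # user account created
                   4732: "account_creation",   # member added to local group
                   4698: "persistence",        # scheduled task created
                   1102: "defense_evasion"}    # audit log cleared

# Sysmon process-creation command lines that prove a phase on their own.
# The discovery patterns only match bare enumeration ("net user", "net localgroup
# administrators"), not "net user x pass /add", which is account creation.
CMDLINE_PHASES = [
    (re.compile(r"vssadmin(\.exe)?\s+delete\s+shadows", re.I), "inhibit_recovery"),
    (re.compile(r"wmic(\.exe)?\s+shadowcopy\s+delete", re.I), "inhibit_recovery"),
    (re.compile(r"wevtutil(\.exe)?\s+cl\s+", re.I), "defense_evasion"),
    (re.compile(r"\b(systeminfo|whoami)(\.exe)?\b", re.I), "discovery"),
    (re.compile(r"\bnet1?(\.exe)?\s+(user|localgroup)(\s+\S+)?\s*$", re.I), "discovery"),
]


def classify(event):
    """Return the attack phase a single event indicates, or None."""
    if event["channel"] == "Security":
        return SECURITY_PHASES.get(event["event_id"])
    if event["channel"] == "Sysmon" and event["event_id"] == 1:   # process creation
        cmd = event.get("command_line", "")
        for pattern, phase in CMDLINE_PHASES:
            if pattern.search(cmd):
                return phase
    return None


def _ts(event):
    return datetime.strptime(event["time"], "%Y-%m-%dT%H:%M:%SZ")


def score_hosts(events):
    """Alert when MIN_PHASES distinct phases occur on one host inside WINDOW.

    The window slides from each phase hit, so a slow sim still fires once its
    hits cluster. One alert per host is emitted; a real pipeline would dedupe."""
    hits = defaultdict(list)
    for e in sorted(events, key=_ts):
        phase = classify(e)
        if phase:
            hits[e["host"]].append((_ts(e), phase, e["event_id"]))
    alerts = []
    for host, seq in hits.items():
        for i, (start, _, _) in enumerate(seq):
            in_window = [h for h in seq[i:] if h[0] - start <= WINDOW]
            phases = {h[1] for h in in_window}
            if len(phases) >= MIN_PHASES:
                alerts.append({"host": host, "phases": sorted(phases),
                               "first": start.isoformat(), "last": in_window[-1][0].isoformat(),
                               "event_ids": sorted({h[2] for h in in_window})})
                break
    return alerts


SAMPLE_EVENTS = [  # constructed; timestamps follow the simulation's phase order
    {"host": "WIN-SIM-01", "channel": "Sysmon", "event_id": 1, "time": "2024-05-01T10:00:00Z",
     "command_line": "C:\\Windows\\System32\\systeminfo.exe"},
    {"host": "WIN-SIM-01", "channel": "Security", "event_id": 4720, "time": "2024-05-01T10:02:00Z"},
    {"host": "WIN-SIM-01", "channel": "Security", "event_id": 4732, "time": "2024-05-01T10:02:01Z"},
    {"host": "WIN-SIM-01", "channel": "Security", "event_id": 4698, "time": "2024-05-01T10:04:00Z"},
    {"host": "WIN-SIM-01", "channel": "Sysmon", "event_id": 1, "time": "2024-05-01T10:06:00Z",
     "command_line": "vssadmin.exe delete shadows /all /quiet"},
    {"host": "WIN-SIM-01", "channel": "Security", "event_id": 1102, "time": "2024-05-01T10:08:00Z"},
    # Help-desk host: a new account only, must stay quiet.
    {"host": "WIN-HELPDESK-02", "channel": "Security", "event_id": 4720, "time": "2024-05-01T10:02:30Z"},
    {"host": "WIN-HELPDESK-02", "channel": "Security", "event_id": 4732, "time": "2024-05-01T10:02:45Z"},
    {"host": "WIN-HELPDESK-02", "channel": "Sysmon", "event_id": 1, "time": "2024-05-01T10:03:00Z",
     "command_line": "net user newhire P@ssw0rd! /add"},
]

if __name__ == "__main__":
    for alert in score_hosts(SAMPLE_EVENTS):
        print(alert)
```

Single events such as 4720 or a scheduled-task creation are routine on most fleets; the value of the sim is confirming that your SIEM correlates them per host, which is what the phase threshold models. Tune WINDOW to the delay you pass to the launcher (the default 120-second phase gap fits comfortably inside fifteen minutes).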
Each script has comprehensive documentation including:
- Detailed prerequisites and setup
- Step-by-step usage instructions
- Required permissions
- Observable security events and SIEM queries
- Troubleshooting guides
- Testing scenarios
See the docs/ directory or click the "Full Documentation" links above.
Required Software:
- AWS CLI
- jq (for IAM attack script)
Installation:
```bash
# macOS
brew install awscli jq
# Linux
sudo apt-get install awscli jq
# Windows
choco install awscli jq
```
Configuration:
```bash
aws configure
```
Required:
- Windows 10/11 or Windows Server 2016+
- PowerShell 5.1+ with Administrator privileges
- Internet connection (for Atomic Red Team installation)
Setup:
```powershell
# Check PowerShell version
$PSVersionTable.PSVersion
# Set execution policy
Set-ExecutionPolicy -ExecutionPolicy RemoteSigned -Scope CurrentUser
```

| Script | Purpose | Techniques | Duration | Cleanup |
|---|---|---|---|---|
| aws-iam-attack.sh | Test IAM privilege escalation detection | T1078, T1098, T1136 | ~2-3 minutes | Built-in (`cleanup` argument) |
| aws-create-bucket.sh | Test S3 misconfiguration detection | T1530 | ~1-2 minutes | Manual |
| aws-create-bucket-2.sh | Test DLP and data exposure detection | T1530, data exfiltration | ~1-2 minutes | Manual |
| ransomware_simulation.ps1 | Test endpoint detection and response | T1082, T1087.001, T1053.005, T1136.001, T1491.001, T1490, T1070.001 | ~8-10 minutes (default delay) | Automated (cleanup.ps1) |

Each row links to its Full Docs page in the docs/ directory.
After running simulations, check your security tools for detection:
- CloudTrail, IAM: CreateUser, AttachUserPolicy, CreateAccessKey
- CloudTrail, S3: CreateBucket, PutBucketPolicy, PutPublicAccessBlock
- Windows Security log: Event IDs 4720 (user account created), 4732 (member added to a local group), 4698 (scheduled task created), 1102 (audit log cleared)
- Sysmon: process creation (Event ID 1), file creation (Event ID 11), registry modifications (Event IDs 12-14)
Patterns these events should surface as alerts:
- Privilege escalation patterns
- Public S3 buckets
- Shadow copy deletion
- Event log clearing
- Scheduled task creation
See individual script documentation for detailed SIEM queries and detection patterns.
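As an added example (not code from this repository), the following Python script runs two detection rules over a handful of constructed CloudTrail records shaped like the events the IAM and S3 scenarios generate: the CreateUser, AttachUserPolicy(AdministratorAccess), CreateAccessKey chain on one new user, and bucket policies or PutPublicAccessBlock calls that open a bucket to everyone. The account ID, principal names and bucket names in the sample are made up; the requestParameters layout for PutBucketPolicy and PutPublicAccessBlock follows what CloudTrail records, but confirm the field names against your own trail before relying on them.

```python
"""Detection rules for the IAM escalation chain and public S3 exposure.

Added example, not part of the repository. SAMPLE_EVENTS is constructed to look
like CloudTrail records for the aws-iam-attack.sh and aws-create-bucket.sh
scenarios; the account ID, principal names and bucket names are made up.
"""
import json
from datetime import datetime, timedelta

ESCALATION_WINDOW = timedelta(minutes=10)
ADMIN_POLICY_ARN = "arn:aws:iam::aws:policy/AdministratorAccess"
PAB_FLAGS = ("BlockPublicAcls", "IgnorePublicAcls", "BlockPublicPolicy", "RestrictPublicBuckets")


def _when(record):
    return datetime.strptime(record["eventTime"], "%Y-%m-%dT%H:%M:%SZ")


def _actor(record):
    return record.get("userIdentity", {}).get("arn", "unknown")


def detect_iam_escalation(records):
    """Flag an actor who, inside ESCALATION_WINDOW, creates a user, attaches
    AdministratorAccess to it and mints an access key for it. Each step alone is
    routine admin work; all three against one new user is the simulated pattern."""
    steps = {}  # (actor arn, target user) -> {eventName: time}
    for r in sorted(records, key=_when):
        if r.get("eventSource") != "iam.amazonaws.com":
            continue
        params = r.get("requestParameters") or {}
        name = r["eventName"]
        if name == "AttachUserPolicy" and params.get("policyArn") != ADMIN_POLICY_ARN:
            continue  # a scoped policy attachment is not the escalation we look for
        if name in ("CreateUser", "AttachUserPolicy", "CreateAccessKey"):
            steps.setdefault((_actor(r), params.get("userName")), {})[name] = _when(r)
    findings = []
    for (actor, target), seen in steps.items():
        span = max(seen.values()) - min(seen.values())
        if len(seen) == 3 and span <= ESCALATION_WINDOW:
            findings.append({"rule": "iam_privilege_escalation_chain", "actor": actor,
                             "new_user": target, "span_seconds": int(span.total_seconds())})
    return findings


def _principal_is_everyone(principal):
    if principal == "*":
        return True
    if isinstance(principal, dict):
        aws = principal.get("AWS")
        return aws == "*" or (isinstance(aws, list) and "*" in aws)
    return False


def detect_public_s3(records):
    """Flag Allow statements granted to everyone with no Condition, and
    PutPublicAccessBlock calls that switch any of the four block flags off."""
    findings = []
    for r in records:
        if r.get("eventSource") != "s3.amazonaws.com":
            continue
        params = r.get("requestParameters") or {}
        bucket = params.get("bucketName")
        if r["eventName"] == "PutBucketPolicy":
            policy = params.get("bucketPolicy") or {}
            if isinstance(policy, str):  # tolerate a pipeline that keeps the document as text
                policy = json.loads(policy)
            statements = policy.get("Statement", [])
            if isinstance(statements, dict):
                statements = [statements]
            for s in statements:
                if (s.get("Effect") == "Allow" and _principal_is_everyone(s.get("Principal"))
                        and not s.get("Condition")):
                    findings.append({"rule": "s3_bucket_policy_public", "bucket": bucket,
                                     "actor": _actor(r), "actions": s.get("Action")})
        elif r["eventName"] == "PutPublicAccessBlock":
            cfg = params.get("PublicAccessBlockConfiguration") or {}
            off = [f for f in PAB_FLAGS if cfg.get(f) is False]
            if off:
                findings.append({"rule": "s3_public_access_block_disabled", "bucket": bucket,
                                 "actor": _actor(r), "flags_disabled": off})
    return findings


ACTOR = {"type": "IAMUser", "arn": "arn:aws:iam::111122223333:user/poweruser-sim"}  # made up
SAMPLE_EVENTS = [  # constructed records, not real CloudTrail output
    {"eventTime": "2024-05-01T10:00:05Z", "eventSource": "iam.amazonaws.com", "eventName": "CreateUser",
     "userIdentity": ACTOR, "requestParameters": {"userName": "sim-escalated-admin"}},
    {"eventTime": "2024-05-01T10:00:09Z", "eventSource": "iam.amazonaws.com", "eventName": "AttachUserPolicy",
     "userIdentity": ACTOR, "requestParameters": {"userName": "sim-escalated-admin", "policyArn": ADMIN_POLICY_ARN}},
    {"eventTime": "2024-05-01T10:00:12Z", "eventSource": "iam.amazonaws.com", "eventName": "CreateAccessKey",
     "userIdentity": ACTOR, "requestParameters": {"userName": "sim-escalated-admin"}},
    {"eventTime": "2024-05-01T10:03:00Z", "eventSource": "s3.amazonaws.com", "eventName": "PutPublicAccessBlock",
     "userIdentity": ACTOR, "requestParameters": {"bucketName": "sim-public-bucket-example",
     "PublicAccessBlockConfiguration": {f: False for f in PAB_FLAGS}}},
    {"eventTime": "2024-05-01T10:03:04Z", "eventSource": "s3.amazonaws.com", "eventName": "PutBucketPolicy",
     "userIdentity": ACTOR, "requestParameters": {"bucketName": "sim-public-bucket-example",
     "bucketPolicy": {"Version": "2012-10-17", "Statement": [{"Effect": "Allow", "Principal": "*",
     "Action": "s3:GetObject", "Resource": "arn:aws:s3:::sim-public-bucket-example/*"}]}}},
    # Benign control: a same-account read grant, must not fire.
    {"eventTime": "2024-05-01T10:05:00Z", "eventSource": "s3.amazonaws.com", "eventName": "PutBucketPolicy",
     "userIdentity": ACTOR, "requestParameters": {"bucketName": "sim-private-bucket-example",
     "bucketPolicy": {"Version": "2012-10-17", "Statement": [{"Effect": "Allow",
     "Principal": {"AWS": "arn:aws:iam::111122223333:root"}, "Action": "s3:GetObject",
     "Resource": "arn:aws:s3:::sim-private-bucket-example/*"}]}}},
]


def run_all(records=SAMPLE_EVENTS):
    return detect_iam_escalation(records) + detect_public_s3(records)


if __name__ == "__main__":
    for finding in run_all():
        print(json.dumps(finding))
```

Point it at real data by loading the JSON from a CloudTrail log file and passing its `Records` list to run_all(); CloudTrail delivers to S3 with a lag of several minutes, so give the simulation that long before judging a miss.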
Before testing:
- Get Authorization: Written approval from management/system owners
- Use Test Environment: Dedicated test AWS account or isolated VM
- Take Snapshots: VM snapshots before running Windows simulations (the ransomware simulation deletes shadow copies, so a hypervisor snapshot is the only reliable rollback)
- Notify Teams: Alert SOC/security teams about the test window
- Configure Monitoring: Verify security tools are operational
During testing:
- Monitor Actively: Watch for alerts in real time
- Document Events: Record timestamps and event IDs
- Capture Evidence: Screenshots of detections
- Note Response Times: Track detection lag
After testing:
- Run Cleanup: Always execute cleanup scripts/commands
- Verify Cleanup: Confirm all resources removed
- Analyze Results: Review generated events and detections
- Document Findings: Record gaps and improvement opportunities
- Update Rules: Improve detections based on results
For detailed troubleshooting, see individual script documentation:
- AWS IAM Attack Troubleshooting
- AWS S3 Bucket Troubleshooting
- Ransomware Simulation Troubleshooting
- Cleanup Script Troubleshooting
AWS: "AWS CLI not installed"
```bash
brew install awscli  # macOS
```
AWS: "Credentials not configured"
```bash
aws configure
```
Windows: "Scripts disabled"
```powershell
Set-ExecutionPolicy -ExecutionPolicy RemoteSigned -Scope CurrentUser
```
Windows: "Access Denied"
- Run PowerShell as Administrator
When adding new attack simulations:
- Follow existing script structure and conventions
- Include comprehensive comments
- Provide cleanup functionality
- Update documentation (the script tables above and the script's page under docs/)
- Test in isolated environment
- Document MITRE ATT&CK techniques
See CLAUDE.md for detailed development guidelines.
These scripts are provided exclusively for:
- Security professionals testing detection and response capabilities
- Organizations validating their security monitoring and alerting
- Security teams developing and testing detection rules
- Incident response teams conducting training exercises
- Penetration testers with written authorization from the target organization
- Security researchers in controlled, authorized environments
DO NOT USE THESE SCRIPTS:
- Against systems you do not own or have explicit written authorization to test
- In production environments without proper approval and safety measures
- For malicious purposes or unauthorized access
- To cause harm, disruption, or data loss
- In violation of any applicable laws or regulations
By using these scripts, you acknowledge and agree that:
- You have proper authorization to test the target systems
- You understand the potential impact of running these simulations
- You accept full responsibility for any consequences of use or misuse
- The repository maintainers are not liable for any damages, legal consequences, or other issues arising from the use of these tools
- You will comply with all applicable laws, regulations, and organizational policies
Unauthorized access to computer systems is illegal under laws including but not limited to:
- Computer Fraud and Abuse Act (CFAA) in the United States
- Computer Misuse Act in the United Kingdom
- Equivalent legislation in other jurisdictions
Use at your own risk. Always obtain proper authorization before testing.
These scripts are provided for educational and defensive security testing purposes. Use responsibly and ethically.
Always obtain proper authorization before testing and comply with all applicable laws and regulations.