Researchers are increasingly focused on realistically simulating cyber attacks to improve security testing and threat detection. Max Landauer, Wolfgang Hotwagner, Thorina Boenke, Florian Skopik, Markus Wurzenberger, and colleagues at the Austrian Institute of Technology have developed AttackMate, a novel attack scripting language and execution engine designed to address limitations in current adversary emulation tools. Unlike existing systems that rely on detectable agents, AttackMate mimics genuine attacker behaviour more convincingly, offering improved emulation across the entire cyber kill chain, including crucial initial access stages. This advancement is significant because it allows for more accurate and effective security assessments, ultimately strengthening defences against increasingly sophisticated threats.
The core innovation lies in AttackMate’s ability to avoid the use of implanted agents, a common feature of other tools that introduces artificial traces into log data. Instead, the system focuses on replicating human attacker behaviours, such as utilising standard text editors for file modification rather than automated stream editors, thereby generating more authentic log artifacts. Results demonstrate that log data produced by AttackMate more closely resembles that of genuine human attackers, improving the realism and effectiveness of security assessments.
This work establishes a new benchmark for adversary emulation, offering a platform for more accurate and reliable security testing and training. The team’s approach prioritises realistic execution of pre-defined attack chains, rather than focusing on automatic attack planning, allowing for compatibility with existing attack modelling algorithms. Furthermore, the researchers have made their log datasets publicly available, enabling further research and validation by the wider security community. Experiments show that AttackMate’s output is demonstrably more difficult to distinguish from genuine attacks compared to those generated by tools like MITRE Caldera and Atomic Red Team.
The research highlights the importance of considering behavioural realism in adversary emulation, moving beyond simple automation to create truly representative attack scenarios. This advancement opens new possibilities for proactive cyber defence, allowing organisations to better prepare for and respond to evolving threats. The development of AttackMate represents a substantial contribution to the field, providing a powerful tool for enhancing cybersecurity posture and improving the accuracy of threat detection.
Scientists' Method
With this approach, security teams find it markedly harder to tell automated emulations apart from actual malicious activity. Researchers developed AttackMate to function without requiring pre-installed agents, a key departure from conventional tools like MITRE Caldera and Atomic Red Team, which often necessitate such agents and consequently limit emulation to post-intrusion phases. Experiments employed a custom-built scripting language allowing precise control over attack actions and their sequencing, enabling the team to model complex, multi-step attacks with greater fidelity. This method achieves a higher degree of realism by focusing on behavioural mimicry rather than simply executing individual attack techniques.
To validate the tool, scientists conducted a case study replicating common attack sequences, meticulously documenting each step and its corresponding system impact. The team harnessed detailed logging and analysis techniques to compare AttackMate’s generated logs against those produced by human attackers and standard emulation tools. This comparison revealed that AttackMate’s log artifacts exhibited a significantly higher degree of similarity to human-driven attacks, demonstrating the tool’s effectiveness in masking its presence. The system delivers a more nuanced emulation experience, moving beyond simple technique execution to encompass the subtle patterns and behaviours characteristic of skilled adversaries. Furthermore, the work addresses the challenge of modelling dependencies between attack steps, where privileges or information gained in one phase are crucial for subsequent actions. The research team implemented a pre-condition/post-condition framework within the scripting language, allowing them to define the necessary prerequisites for each attack step and ensure a logically consistent attack chain.
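To illustrate the pre-condition/post-condition idea described above, here is an added example (not AttackMate's own playbook syntax or code): a hypothetical checker that walks a scripted chain of abstract kill-chain phases, confirms that every step's prerequisites were established by the initial state or an earlier step, and can reorder a shuffled chain into a consistent one.

```python
"""Hypothetical pre-condition/post-condition checker for a scripted attack chain.
Added example: not AttackMate's playbook format; it only models the idea that
each step depends on facts (privileges, information) established earlier."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Step:
    name: str
    requires: frozenset  # pre-conditions: facts that must already hold
    provides: frozenset  # post-conditions: facts the step establishes


def validate_chain(steps, initial=frozenset()):
    """Walk the chain in order; return (True, sorted facts) if every step's
    pre-conditions are met, else (False, description of the first gap)."""
    facts = set(initial)
    for idx, step in enumerate(steps):
        missing = step.requires - facts
        if missing:
            return False, f"step {idx} '{step.name}' lacks {sorted(missing)}"
        facts |= step.provides
    return True, sorted(facts)


def order_by_preconditions(steps, initial=frozenset()):
    """Greedy ordering: repeatedly schedule the first pending step whose
    pre-conditions hold. Returns step names, or None if some step depends on
    a fact that nothing in the chain (or the initial state) provides."""
    facts, pending, ordered = set(initial), list(steps), []
    while pending:
        runnable = next((s for s in pending if s.requires <= facts), None)
        if runnable is None:
            return None
        pending.remove(runnable)
        facts |= runnable.provides
        ordered.append(runnable.name)
    return ordered


# Constructed sample chain using abstract kill-chain phase names.
SAMPLE_CHAIN = [
    Step("initial_access", frozenset({"target_reachable"}), frozenset({"user_shell"})),
    Step("discovery", frozenset({"user_shell"}), frozenset({"credential_location"})),
    Step("privilege_escalation", frozenset({"user_shell", "credential_location"}),
         frozenset({"root_shell"})),
    Step("collection", frozenset({"root_shell"}), frozenset({"data_staged"})),
]

if __name__ == "__main__":
    print(validate_chain(SAMPLE_CHAIN, {"target_reachable"}))
    print(validate_chain([s for s in SAMPLE_CHAIN if s.name != "discovery"],
                         {"target_reachable"}))  # reports the missing fact
    print(order_by_preconditions(list(reversed(SAMPLE_CHAIN)), {"target_reachable"}))
```

Dropping the discovery step makes the checker flag privilege escalation as lacking `credential_location`, which is exactly the kind of inconsistency a scripted chain must rule out before execution.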
AttackMate replicates human attacker log artefacts to enhance
The team measured the realism of AttackMate's generated log artifacts, finding they more closely resembled those produced by human attackers compared to those from conventional adversary emulation tools. This improvement stems from AttackMate's agentless design, eliminating the artificial traces introduced by software implants. Data shows that AttackMate avoids reliance on automated tools atypical for human attackers, such as stream editors, instead favouring more natural choices like text editors during file modification. Tests show that AttackMate's approach significantly enhances the authenticity of attack traces, crucial for effective cyber exercises and accurate intrusion detection evaluations.
Participants in cyber exercises benefit from more realistic scenarios, improving their ability to analyse log data and respond to threats appropriately. Moreover, meaningful evaluation of intrusion detection systems depends on authentic attack data; when traces are easily identified as emulated, detection becomes trivial and provides misleading results. The breakthrough delivers a solution to the problem of realistic attack execution, focusing on technical aspects rather than automatic attack planning. Scientists recorded that AttackMate facilitates scripting and execution of attack chains that mimic human behaviour, addressing a gap in current publicly available tools.
The work does not focus on deriving attack plans automatically, but rather on the accurate technical execution of pre-defined attack sequences. Results demonstrate that AttackMate’s open-source nature and compatibility with existing attack-planning algorithms offer flexibility and extensibility for security professionals. The research highlights the importance of avoiding artificial artifacts in log data to ensure the validity of security assessments and training exercises.
Realistic Attack Emulation Via Human Behaviour
Unlike conventional adversary emulation tools that rely on agents installed on target systems, AttackMate prioritises mirroring genuine human attacker behaviours, notably through interactive prompting and session management. Researchers found that AttackMate overcomes many of the difficulties faced by standard tools when creating authentic-looking activity logs. The authors acknowledge that the tool’s current capabilities are limited to the scenarios tested and further development is needed to broaden its applicability. Future research directions include integrating AttackMate with attack-planning algorithms and leveraging large language models to automate the creation of attack playbooks and generate realistic test environments with embedded vulnerabilities. This work represents a significant advancement in adversary emulation, offering a more realistic and technically sound method for security testing and research. The project received funding from the European Union’s Horizon Europe and European Defence Fund programmes, supporting ongoing efforts to improve cybersecurity capabilities.
👉 More information
🗞 AttackMate: Realistic Emulation and Automation of Cyber Attack Scenarios Across the Kill Chain
🧠 ArXiv: https://arxiv.org/abs/2601.14108
