Aurora-demos: Automated Cyberattack Emulation

🚨 Test your defense systems with live, high-fidelity cyberattacks, or build realistic datasets of attack traces! 🚨

Welcome to a repository of emulated cyberattacks generated by Aurora, an automated cyberattack emulation system powered by symbolic planning and large language models (LLMs). It is intended for stress-testing defenses or for collecting detailed system traces during emulated intrusions.

Updates and News

  • [Updated on 01/06/2025] We added emulated attacks tailored to 250 different CTI reports.

🎉 Introduction

Aurora is a framework that automatically constructs cyberattacks for emulation. Using LLM capabilities, it leverages external attack tools and threat intelligence reports. This repository stores the outputs of Aurora. For details on the design of Aurora, please refer to this page.

⏰ We are preparing to publish the source code of Aurora.

If you use the cyberattacks in this repo, please cite our paper. Thanks! ☺️

@article{wang2024sands,
  title={From Sands to Mansions: Towards Automated Cyberattack Emulation with Classical Planning and Large Language Models},
  author={Wang, Lingzhi and Li, Zhenyuan and Jiang, Yi and Wang, Zhengkai and Guo, Zonghan and Wang, Jiahui and Wei, Yangyang and Shen, Xiangmin and Ruan, Wei and Chen, Yan},
  journal={arXiv preprint arXiv:2407.16928},
  year={2024},
  archivePrefix={arXiv},
  url={https://arxiv.org/abs/2407.16928}
}

Attack Emulation Plans

The attacks/ folder stores the emulated cyberattacks. Each folder in attacks/ contains one attack chain, which includes:

  • readme.md: The human-readable documentation of the emulated attack;
  • attack_chain.yml: The raw data of the emulated attack;
  • attack_chain.py: The Python script to execute the emulated attack.

For more details, please refer to the introduction to attack chains.
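With 250 attack chains in attacks/, a quick inventory of which folders actually carry all three files is worth running before picking one to reproduce. The script below is an added example, not code from the Aurora-demos repository; it assumes only the layout the README states (readme.md, attack_chain.yml and attack_chain.py per folder) and builds a constructed sample tree in a temporary directory when no path is given, so it runs offline.

```python
"""Inventory the attacks/ folder of a clone of Aurora-demos.

Added example (not part of the repository). It assumes only what the
README states: each attack chain folder holds readme.md, attack_chain.yml
and attack_chain.py. The sample tree built by make_sample_tree() is
constructed for offline use; the folder names are taken from the README.
"""
import sys
import tempfile
from pathlib import Path

# Files the README says every attack chain folder contains.
REQUIRED = ("readme.md", "attack_chain.yml", "attack_chain.py")


def inventory(attacks_dir):
    """Map each chain folder name to the list of required files it lacks.

    File names are compared case-insensitively so README.md counts as readme.md.
    """
    attacks_dir = Path(attacks_dir)
    result = {}
    for folder in sorted(p for p in attacks_dir.iterdir() if p.is_dir()):
        present = {f.name.lower() for f in folder.iterdir() if f.is_file()}
        result[folder.name] = [name for name in REQUIRED if name not in present]
    return result


def complete_chains(attacks_dir):
    """Names of chain folders that contain all three required files."""
    return sorted(name for name, missing in inventory(attacks_dir).items() if not missing)


def make_sample_tree():
    """Constructed sample: one complete chain and one that lacks its script."""
    root = Path(tempfile.mkdtemp()) / "attacks"
    layout = {"1_AA23-341A": REQUIRED, "2_AA24-046A": REQUIRED[:2]}
    for name, files in layout.items():
        folder = root / name
        folder.mkdir(parents=True)
        for file_name in files:
            (folder / file_name).write_text("# placeholder\n")
    return root


if __name__ == "__main__":
    # Usage: python inventory_chains.py [path/to/Aurora-demos/attacks]
    target = Path(sys.argv[1]) if len(sys.argv) > 1 else make_sample_tree()
    for name, missing in inventory(target).items():
        status = "ok" if not missing else "missing " + ", ".join(missing)
        print(f"{name}: {status}")
```

Point it at the attacks/ folder of your clone; folders reported as missing attack_chain.py cannot be executed on the attacker machine, and folders missing attack_chain.yml cannot be deployed with pull.py.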

Execute Attacks

We show how to reproduce (execute) the generated attacks in this section. Please clone this repo first:

git clone https://github.com/LexusWang/Aurora-demos.git && cd Aurora-demos

0. Dependencies

Viewing the attacks in this repo does not require any dependencies. To reproduce the attacks, however, you need VirtualBox for deploying and managing the virtual machines (VirtualBox is the default virtualization software; VMware users can download and deploy the virtual machines manually).

Specifically, you need to know the path of the VirtualBox command-line interface (CLI) tool, VBoxManage (e.g. C:\Program Files\Oracle\VirtualBox\VBoxManage.exe on Windows or /usr/bin/VBoxManage on Linux). The Windows path contains spaces, so quote it when passing it on the command line.

1. Deploy the attack emulation environments:

You first need to deploy the emulation environment, including both the attacker and victim machines.

Each attack plan defines its required environment in the attack_chain.yml file. You can easily deploy it by running a Python script. For example:

# Windows (the path contains spaces, so it must be quoted)
python pull.py -vm "C:\Program Files\Oracle\VirtualBox\VBoxManage.exe" --attack_plan attacks/1_AA23-341A/attack_chain.yml

# Linux
python pull.py -vm /usr/bin/VBoxManage --attack_plan attacks/1_AA23-341A/attack_chain.yml

If you want to build the emulation environments by yourself, please refer to this page.

We provide an example of the deployed attack emulation environments including two attacker machines and three victim machines here.

2. Execute attack scripts:

Once the emulation environment is deployed, follow the steps below to execute the attack:

  1. Copy attack_chain.py to the attacker machine;
  2. Open a terminal on the attacker machine and run attack_chain.py;
  3. Follow the prompts in the terminal to set the parameters (e.g. IP addresses of the related VMs);
  4. Some steps need human intervention; follow the guidance and instructions printed in the terminal.
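The chains execute real tooling and real TTPs, so the one check a practitioner wants before step 2 is that the deployed VMs cannot reach anything outside the lab. The helper below is an added example, not code from the Aurora-demos repository: it locates VBoxManage at the default paths named above, builds the pull.py deploy command as an argv list (so the spaces in the Windows path survive), and parses the standard key="value" output of `VBoxManage showvminfo <vm> --machinereadable` to flag NICs in bridged or NAT mode. The VM name "victim-1" and the showvminfo output embedded in the block are constructed; the real VM names come from the attack_chain.yml you deploy.

```python
"""Pre-flight helper for deploying and running an Aurora attack chain under VirtualBox.

Added example: not code from the Aurora-demos repository. It assumes only
what the README states (pull.py -vm <VBoxManage path> --attack_plan <yml>)
plus the key="value" line format of `VBoxManage showvminfo --machinereadable`.
SAMPLE_SHOWVMINFO and the VM name in it are constructed for offline use.
"""
import shlex
import shutil
import subprocess
from pathlib import Path

# Default VBoxManage locations named in the README.
WINDOWS_DEFAULT = r"C:\Program Files\Oracle\VirtualBox\VBoxManage.exe"
LINUX_DEFAULT = "/usr/bin/VBoxManage"

# NIC modes that give a VM a path beyond the host. "hostonly" and "intnet"
# keep emulated traffic inside the lab; these three do not.
REACHES_OUTSIDE = {"bridged", "nat", "natnetwork"}


def find_vboxmanage():
    """Return a VBoxManage path usable for pull.py -vm, or None if not found."""
    found = shutil.which("VBoxManage") or shutil.which("vboxmanage")
    if found:
        return found
    for candidate in (WINDOWS_DEFAULT, LINUX_DEFAULT):
        if Path(candidate).is_file():
            return candidate
    return None


def build_pull_command(vboxmanage, attack_plan):
    """argv for the README's deploy step; a list keeps 'Program Files' as one arg."""
    return ["python", "pull.py", "-vm", vboxmanage, "--attack_plan", attack_plan]


def parse_machinereadable(text):
    """Turn showvminfo --machinereadable output (key="value" lines) into a dict."""
    info = {}
    for line in text.splitlines():
        key, sep, value = line.partition("=")
        if sep:
            info[key.strip()] = value.strip().strip('"')
    return info


def unsafe_nics(info):
    """List (nicN, mode) pairs whose mode can reach beyond the lab network."""
    return [
        (key, mode)
        for key, mode in info.items()
        if key.startswith("nic") and key[3:].isdigit() and mode in REACHES_OUTSIDE
    ]


def check_vm(vboxmanage, vm_name):
    """Query a real VM and return its unsafe NICs (needs VirtualBox installed)."""
    proc = subprocess.run(
        [vboxmanage, "showvminfo", vm_name, "--machinereadable"],
        capture_output=True, text=True, check=True,
    )
    return unsafe_nics(parse_machinereadable(proc.stdout))


# Constructed sample of showvminfo output: nic1 is host-only (fine), nic2 is NAT (flagged).
SAMPLE_SHOWVMINFO = '''name="victim-1"
VMState="poweredoff"
nic1="hostonly"
hostonlyadapter1="vboxnet0"
nic2="nat"
nic3="none"
'''

if __name__ == "__main__":
    vbox = find_vboxmanage() or LINUX_DEFAULT
    print("deploy:", shlex.join(build_pull_command(vbox, "attacks/1_AA23-341A/attack_chain.yml")))
    for nic, mode in unsafe_nics(parse_machinereadable(SAMPLE_SHOWVMINFO)):
        print(f"sample VM: {nic} is {mode}; switch it to host-only before running the chain")
```

Run check_vm() against each VM that pull.py created (the names are in the deployed attack_chain.yml) and fix any NIC it reports before copying attack_chain.py to the attacker machine; a NAT or bridged adapter lets the emulated attack's tool downloads and command traffic leave the lab.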

The original README embeds demo recordings for the following attack chains:

  • EXAMPLE-1_AA23-341A
  • EXAMPLE-2_AA24-046A
  • EXAMPLE-3_ALPHVBlackcat

Mimicking CTI Reports

As demonstrated in the paper, Aurora can tailor generated attacks to CTI reports in order to mimic specific real-world APT groups. While preserving the correctness and causality of the attacks, Aurora selects TTPs that closely match those described in the reports. For instance, several actions in this repository simulate TTPs attributed to the Silver Fox threat actor, particularly their methods for defense evasion and persistence on Windows systems. The CTI reports covered in this repo are listed below.

Index   Attack Chain               CTI Report
1       AA23-341A                  AA23-341A
2       AA24-046A                  AA24-046A
3       ALPHVBlackcat              ALPHVBlackcat
4       PhobosRansomware           PhobosRansomware
5       PlayRansomware             PlayRansomware
6       RhysidaRansomware          RhysidaRansomware
7       ScatteredSpider            ScatteredSpider
8       SnatchRansomware           SnatchRansomware
9       BlackBasta                 BlackBasta
10      RoyalRansomware            RoyalRansomware
11      DeputydogCampaign          DeputydogCampaign
12      DustySkyCampaign           DustySkyCampaign
13      TrickLoadSpywareCampaign   TrickLoadSpywareCampaign
14      HawkEyeCampaign            HawkEyeCampaign
15      EmotetCampaign             EmotetCampaign
16      UroburosCampaign           UroburosCampaign
17      APT41Campaign              APT41Campaign
18      EspionageCampaign          EspionageCampaign
19      SSHBinFmt-Elevate          SSHBinFmt-Elevate
20      Crambus                    Crambus
21      IcedID                     IcedID
22      Clasiopa                   Clasiopa
23      C0001                      C0001
24      C0002                      C0002
25      C0004                      C0004
26      C0005                      C0005
27      C0006                      C0006
28      C0007                      C0007
29      C0010                      C0010
30      C0011                      C0011
31      C0012                      C0012
32      C0013                      C0013
33      C0014                      C0014
34      C0015                      C0015
35      C0016                      C0016
36      C0017                      C0017
37      C0018                      C0018
38      C0020                      C0020
39      C0021                      C0021
40      C0022                      C0022
41      C0023                      C0023
42      C0024                      C0024
43      C0025                      C0025
44      C0026                      C0026
45      C0027                      C0027
46      C0028                      C0028
47      C0029                      C0029
48      C0030                      C0030
49      C0031                      C0031
50      C0032                      C0032
51      C0033                      C0033
52      C0034                      C0034
53      C0035                      C0035
54      C0036                      C0036
55      C0037                      C0037
56      C0038                      C0038
57      C0039                      C0039
58-250  (entries 58 through 250 are listed by index only: for each, the attack chain and the CTI report carry the same number as the index)

Licensing

Distributed under the Apache License 2.0. See LICENSE for more information. The attack chains are for education, research, and testing purposes only. The authors do not condone any illegal use. Use at your own risk.
