Chris McNab

Chris McNab is an author, computer hacker, and founder of AlphaSOC (https://www.alphasoc.com). McNab is best known for his Network Security Assessment books, which detail practical penetration testing tactics that can be adopted to evaluate the security of networks.

Today at AlphaSOC we released Network Flight Simulator (flightsim) 2.2.1, which is our free, open source adversary simulation tool. This latest release includes a number of new modules that security teams can use to instantly evaluate detection and response coverage within SIEM and SOAR tools.

Installing Network Flight Simulator

The flightsim binaries are freely available for Apple macOS, Linux, FreeBSD, and Microsoft Windows, and can be found on the project’s releases page.

Network Flight Simulator is a command line tool that generates egress network traffic patterns from your system out to the public Internet. The idea is to safely synthesize malicious traffic patterns within your environment, so that you can check the configuration and coverage of your detection tools.

Once unpacked, you can execute flightsim run to invoke all of the modules and generate many different malicious traffic patterns, including C2 beacons, DGA events, cryptomining traffic, tunneling over DNS and ICMP, SFTP data exfiltration, and traffic to known malware sinkholes.

Simulator Module Breakdown

The latest flightsim release includes 11 modules, as listed below. By running these modules within your environment, you can quickly assess whether your security analytics and detection mechanisms are configured to identify malicious patterns within your north-south, Internet-bound traffic.

Simulating Command and Control (C2) Beacons

The flightsim C2 module retrieves a random sample of C2 domains and IP:port pairs from the AlphaSOC API, and then generates DNS requests and TCP/IP connection traffic to each, as shown below.

Domain Generation Algorithm (DGA) Traffic Simulation

The DGA module within flightsim programmatically generates a list of high entropy domains that should trigger DGA detection mechanisms within your environment, and then resolves each domain, as below.
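As an added example (not code from this post or from the flightsim project), the following Python sketches the kind of detection logic the DGA module is meant to exercise: it scores the registrable label of each queried name by length, Shannon entropy and vowel ratio over a constructed DNS log. The log format and thresholds are assumptions.

```python
import math
from collections import Counter

# Constructed DNS query log (timestamp, client, queried name); sample data, not flightsim output.
SAMPLE_DNS_LOG = """\
2021-10-05T10:00:01Z 10.0.0.5 www.google.com
2021-10-05T10:00:02Z 10.0.0.5 kq3zx8vtbn1pw7ys.com
2021-10-05T10:00:02Z 10.0.0.5 mail.example.org
2021-10-05T10:00:03Z 10.0.0.5 xj4lq9zvprdh2mtwk7.net
2021-10-05T10:00:04Z 10.0.0.5 cdn.cloudflare.net
"""

ENTROPY_THRESHOLD = 3.5  # assumed tuning value: bits per character of the registrable label
MIN_LENGTH = 12          # assumed: short labels are too noisy to score on entropy alone
MAX_VOWEL_RATIO = 0.25   # assumed: generated labels are usually vowel-poor

def shannon_entropy(s: str) -> float:
    """Bits per character of s (0.0 for the empty string)."""
    if not s:
        return 0.0
    counts = Counter(s)
    return -sum(c / len(s) * math.log2(c / len(s)) for c in counts.values())

def registrable_label(qname: str) -> str:
    """Second-level label, e.g. 'google' for www.google.com (no public-suffix handling)."""
    parts = qname.rstrip(".").lower().split(".")
    return parts[-2] if len(parts) >= 2 else parts[0]

def dga_features(qname: str) -> dict:
    label = registrable_label(qname)
    vowels = sum(ch in "aeiou" for ch in label)
    return {"label": label, "length": len(label),
            "entropy": round(shannon_entropy(label), 3),
            "vowel_ratio": round(vowels / len(label), 3) if label else 0.0}

def is_dga_like(qname: str) -> bool:
    """All three conditions must hold: a long, high-entropy, vowel-poor registrable label."""
    f = dga_features(qname)
    return (f["length"] >= MIN_LENGTH and f["entropy"] >= ENTROPY_THRESHOLD
            and f["vowel_ratio"] <= MAX_VOWEL_RATIO)

def flag_dga_queries(log_text: str) -> list:
    """Return (client, qname) pairs whose queried name looks algorithmically generated."""
    hits = []
    for line in log_text.splitlines():
        _ts, client, qname = line.split()
        if is_dga_like(qname):
            hits.append((client, qname))
    return hits
```

Calibrate the three thresholds against your own resolver baseline before alerting on them; a SIEM rule built on the same features should also weight NXDOMAIN responses, which this sketch ignores.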

Simulating Traffic to Lookalike Imposter Domains

At AlphaSOC we maintain parent domains with suspicious properties for testing purposes, such as com-edge2-cdn.net in the example below. This domain is young (registered 30 September 2021) and has low prevalence. Within flightsim we then prepare a list of legitimate B2B domains to impersonate and generate events to these FQDNs, as shown below.

Within the AlphaSOC Analytics Engine we detect these lookalike domain patterns, along with many others, as discussed in previous blog posts.

Cryptomining Simulation

The flightsim miner module generates Stratum cryptomining check-in traffic to legitimate public cryptomining pools online. The module pulls a list of destinations from the AlphaSOC API, and then connects to each, as below.

Outbound Port Scanning Simulation

Infected hosts commonly perform outbound network scanning, which we simulate within flightsim using the scan module. First we prepare a list of RFC 5737 destinations, and then generate TCP/IP traffic to common ports on each to simulate an outbound port scan, as below.
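Added example, not from this post or the flightsim project: a sliding-window detector over a constructed connection log that flags a source contacting many distinct destination:port pairs, which is the pattern the scan module produces against RFC 5737 addresses. The log format, window size and threshold are assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed connection log (timestamp, source, destination, dst port) using RFC 5737 test
# addresses as destinations; sample data, not flightsim output. 10.0.0.5 probes ten dst:port
# pairs in four seconds, 10.0.0.9 makes two ordinary connections minutes apart.
SAMPLE_CONN_LOG = """\
2021-10-05T10:00:00Z 10.0.0.5 192.0.2.10 22
2021-10-05T10:00:00Z 10.0.0.5 192.0.2.10 80
2021-10-05T10:00:01Z 10.0.0.5 192.0.2.10 443
2021-10-05T10:00:01Z 10.0.0.5 192.0.2.10 3389
2021-10-05T10:00:01Z 10.0.0.5 198.51.100.7 22
2021-10-05T10:00:02Z 10.0.0.5 198.51.100.7 445
2021-10-05T10:00:02Z 10.0.0.5 198.51.100.7 8080
2021-10-05T10:00:02Z 10.0.0.5 203.0.113.3 21
2021-10-05T10:00:03Z 10.0.0.5 203.0.113.3 25
2021-10-05T10:00:03Z 10.0.0.5 203.0.113.3 3306
2021-10-05T10:00:04Z 10.0.0.9 192.0.2.10 443
2021-10-05T10:05:00Z 10.0.0.9 198.51.100.7 443
"""

WINDOW = timedelta(seconds=60)  # assumed sliding window
MIN_TARGETS = 8                 # assumed: distinct dst:port pairs inside one window before alerting

def parse_conn_log(text: str) -> list:
    """Return (timestamp, src, dst, port) tuples sorted by time."""
    rows = []
    for line in text.splitlines():
        ts, src, dst, port = line.split()
        rows.append((datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), src, dst, int(port)))
    return sorted(rows)

def detect_outbound_scans(text: str) -> dict:
    """Map each scanning source to (distinct dst:port pairs, distinct hosts, distinct ports)
    for the busiest WINDOW-sized slice of its connections."""
    by_src = defaultdict(list)
    for ts, src, dst, port in parse_conn_log(text):
        by_src[src].append((ts, dst, port))
    alerts = {}
    for src, events in by_src.items():
        start = 0
        for end in range(len(events)):
            while events[end][0] - events[start][0] > WINDOW:  # slide the window forward
                start += 1
            targets = {(d, p) for _, d, p in events[start:end + 1]}
            if len(targets) >= MIN_TARGETS and len(targets) > alerts.get(src, (0,))[0]:
                alerts[src] = (len(targets),
                               len({d for d, _ in targets}), len({p for _, p in targets}))
    return alerts
```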

Sending Traffic to Known Malware Sinkholes

Security research teams including Microsoft and Kaspersky maintain malware sinkholes online which are used to commandeer botnets and infected hosts. On the AlphaSOC side, we maintain a list of these, and can generate traffic to them via flightsim with the sink module, as below.

Connecting to Multiple SMTP Servers

The flightsim spambot module simulates connections out to 10 randomly selected public mail servers, as below. Infected hosts produce this pattern when sending SMTP spam carrying malicious content.

Simulating SFTP / SSH Exfiltration

The flightsim ssh-exfil and ssh-transfer modules generate real SFTP sessions to the AlphaSOC sandbox, transferring 200MB of content to the service over SSH. The ssh-exfil module uses a non-standard port, while the ssh-transfer module uses TCP port 22, as shown below.

DNS Tunneling Simulation

Cobalt Strike and other C2 frameworks use DNS tunneling for C2 and exfiltration purposes to evade detection. The flightsim tunnel-dns module generates a high volume of DNS tunneling events to *.sandbox.alphasoc.xyz, as shown below.
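Added example, not from this post or the flightsim project: detection logic for the tunnel-dns pattern that groups queries by zone and alerts on zones receiving many unique, long subdomain labels. The sample names under sandbox.alphasoc.xyz are constructed, and the thresholds are assumptions.

```python
from collections import defaultdict

# Constructed DNS query names: a few benign lookups plus eight long, unique labels under
# sandbox.alphasoc.xyz (the zone the tunnel-dns module targets). Sample data, not flightsim output.
BENIGN = ["www.google.com", "mail.example.org", "cdn.cloudflare.net", "www.google.com"]
TUNNEL = [f"{i:02x}7e2b4d6a8f0c1e3a9f1c5b.sandbox.alphasoc.xyz" for i in range(8)]
SAMPLE_QNAMES = BENIGN + TUNNEL

MIN_UNIQUE_PREFIXES = 5  # assumed threshold: distinct names seen under one zone
MIN_AVG_PREFIX_LEN = 20  # assumed threshold: mean length of the part below the zone

def split_zone(qname: str) -> tuple:
    """Return (zone, prefix): zone is the last two labels, prefix is everything below it
    (no public-suffix handling, so co.uk-style zones would need a suffix list)."""
    labels = qname.rstrip(".").lower().split(".")
    return ".".join(labels[-2:]), ".".join(labels[:-2])

def detect_dns_tunnels(qnames: list) -> dict:
    """Return {zone: (unique prefix count, mean prefix length)} for zones whose
    query pattern looks like data encoded into subdomain labels."""
    prefixes = defaultdict(set)
    for q in qnames:
        zone, prefix = split_zone(q)
        prefixes[zone].add(prefix)
    alerts = {}
    for zone, names in prefixes.items():
        avg_len = sum(len(p) for p in names) / len(names)
        if len(names) >= MIN_UNIQUE_PREFIXES and avg_len >= MIN_AVG_PREFIX_LEN:
            alerts[zone] = (len(names), round(avg_len, 1))
    return alerts
```

In production the same aggregation should run per source host and per time window, since CDN and anti-spam zones also receive many unique subdomains and need allow-listing.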

ICMP Tunneling Simulation

Sophisticated threat actors also use ICMP tunneling to evade detection. The flightsim tunnel-icmp module requires superuser privileges to run, and generates a high volume of ICMP tunneling events to the AlphaSOC sandbox, as shown below.

Improving Coverage and Visibility

Teams can operationalize Network Flight Simulator to generate malicious traffic patterns within their environments to ensure coverage of various C2 and exfiltration patterns, along with cryptomining, port scanning, spambot traffic, and spear phishing traffic to lookalike imposter domains.

The AlphaSOC Analytics Engine supports detection of the patterns found within flightsim, and generates high fidelity alerts to support both reactive triage and proactive threat hunting activities, as summarized below.

AlphaSOC Splunk Integration

This screenshot shows our Network Behavior Analytics for Splunk integration. The AlphaSOC Analytics Engine can natively integrate with Splunk, Elastic, Snowflake, Amazon S3, and many other sources, and escalate alerts to any SIEM or SOAR platform, as well as Slack and other destinations.

Please get in touch for a demo, and to discuss your requirements further – sales@mintsecurity.fi.
