Uncover Detection Blindspots with Network Flight Simulator

Chris McNab
AlphaSOC

--

Today at AlphaSOC we released Network Flight Simulator (flightsim) 2.2.1, which is our free, open source adversary simulation tool. This latest release includes a number of new modules that security teams can use to instantly evaluate detection and response coverage within SIEM and SOAR tools.

Installing Network Flight Simulator

Prebuilt flightsim binaries for macOS, Linux, FreeBSD, and Windows are published on the project's GitHub releases page.

Network Flight Simulator is a command line tool that generates egress network traffic patterns from your system out to the public Internet. The idea is to safely synthesize malicious traffic patterns within your environment, so that you can check the configuration and coverage of your detection tools.

Once the archive is unpacked, running flightsim run with no arguments invokes every module in turn and generates a range of malicious traffic patterns, including C2 beacons, DGA lookups, cryptomining check-ins, tunneling over DNS and ICMP, SFTP data exfiltration, and traffic to known malware sinkholes. Individual modules can be run by name (for example flightsim run dga) when you want to exercise a single detection, as shown below.

Simulator Module Breakdown

The latest flightsim release includes 11 modules: c2, dga, imposter, miner, scan, sink, spambot, ssh-exfil, ssh-transfer, tunnel-dns, and tunnel-icmp. Each is described below. By running these modules within your environment, you can quickly assess whether your security analytics and detection mechanisms are configured to identify malicious patterns within your north-south, Internet-bound traffic.

Simulating Command and Control (C2) Beacons

The flightsim c2 module retrieves a random sample of C2 domains and IP:port pairs from the AlphaSOC API, and then issues DNS requests and TCP connections to each, as shown below.
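Detecting the pattern the c2 module produces comes down to spotting regular intervals between connections to the same destination. The Python below is an added example written for this page, not flightsim or AlphaSOC code. The connection log format ("<epoch> <src> <dst> <dport>"), the constructed sample lines and the thresholds are assumptions; the same logic applies to proxy or firewall logs once they are reduced to those four fields.

```python
"""Beacon detection over a constructed connection log.

Added example, not flightsim or AlphaSOC code. Flows are grouped by
(src, dst, dport); the interval between consecutive connections is computed
and groups with enough connections whose intervals are nearly constant
(low coefficient of variation) are flagged, which is how a fixed-sleep C2
beacon shows up in flow data.
"""
import statistics
from collections import defaultdict

# Constructed sample: 10.0.0.5 beacons to 203.0.113.10:443 roughly every 60s;
# 10.0.0.6 browses 198.51.100.7:443 at irregular times; 10.0.0.9 is sparse.
SAMPLE_CONN_LOG = """\
1000 10.0.0.5 203.0.113.10 443
1000 10.0.0.6 198.51.100.7 443
1005 10.0.0.6 198.51.100.7 443
1060 10.0.0.5 203.0.113.10 443
1121 10.0.0.5 203.0.113.10 443
1179 10.0.0.5 203.0.113.10 443
1240 10.0.0.5 203.0.113.10 443
1300 10.0.0.6 198.51.100.7 443
1301 10.0.0.5 203.0.113.10 443
1310 10.0.0.6 198.51.100.7 443
1500 10.0.0.9 192.0.2.44 8080
1900 10.0.0.6 198.51.100.7 443
1903 10.0.0.6 198.51.100.7 443
2100 10.0.0.9 192.0.2.44 8080
"""


def parse_flows(log_text):
    """Group connection timestamps by (src, dst, dport)."""
    flows = defaultdict(list)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, dport = line.split()
        flows[(src, dst, int(dport))].append(int(ts))
    return flows


def find_beacons(log_text, min_connections=5, max_cv=0.2):
    """Return {(src, dst, dport): stats} for flow groups that look like beacons.

    cv is stdev(intervals) / mean(intervals). A 60s sleep with a few seconds
    of jitter gives cv well under 0.1; interactive traffic gives cv above 1.
    """
    hits = {}
    for key, stamps in parse_flows(log_text).items():
        if len(stamps) < min_connections:
            continue
        stamps.sort()
        intervals = [later - earlier for earlier, later in zip(stamps, stamps[1:])]
        mean = statistics.mean(intervals)
        if mean <= 0:
            continue
        cv = statistics.stdev(intervals) / mean
        if cv <= max_cv:
            hits[key] = {"connections": len(stamps), "mean_interval": mean, "cv": cv}
    return hits


if __name__ == "__main__":
    for (src, dst, dport), stats in find_beacons(SAMPLE_CONN_LOG).items():
        print(f"{src} -> {dst}:{dport} every ~{stats['mean_interval']:.0f}s "
              f"({stats['connections']} connections, cv={stats['cv']:.3f})")
```

Real implants add configurable jitter (Cobalt Strike's jitter setting spreads the sleep by a percentage), so max_cv should be tied to the jitter you expect to catch rather than fixed at 0.2, and the window should be long enough to collect min_connections at the slowest sleep you care about.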

Domain Generation Algorithm (DGA) Traffic Simulation

The dga module within flightsim programmatically generates a list of high-entropy domain names of the kind produced by malware domain generation algorithms, and then resolves each one, which should trigger any DGA detection logic in your environment, as below.
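The names the dga module resolves are detectable from the string alone. The Python below is an added example, not code from flightsim or AlphaSOC; it scores the registrable label of each queried name on three features (Shannon entropy, length and vowel ratio) over a few constructed DNS log lines. The log format, the two-entry suffix set and the thresholds are assumptions, and production code should use a real Public Suffix List.

```python
"""Heuristic DGA scoring over constructed DNS query log lines.

Added example, not flightsim or AlphaSOC code. The log format
("<epoch> <client> <qname>"), the tiny suffix set and the thresholds are
assumptions; the features are the usual ones a DGA detector combines:
Shannon entropy of the registrable label, its length, and its vowel ratio.
"""
import math
from collections import Counter

# Constructed sample: three ordinary names and three algorithmically
# generated-looking names from 10.0.0.7.
SAMPLE_DNS_LOG = """\
1633000001 10.0.0.5 www.example.com
1633000002 10.0.0.5 mail.google.com
1633000003 10.0.0.7 xk3q9v7zpl2mwn8r.com
1633000004 10.0.0.7 qzw4h8t3n6pvdyrk.net
1633000005 10.0.0.7 bt7rl0k9xm2qsv5e.org
1633000006 10.0.0.9 cdn.cloudflare.net
"""

# Minimal public-suffix approximation; real code should use the Public Suffix List.
SUFFIXES = {"com", "net", "org", "co.uk"}


def registrable_label(qname):
    """Return the label directly left of the public suffix ('example' for www.example.com)."""
    labels = qname.lower().rstrip(".").split(".")
    for n in (2, 1):
        if len(labels) > n and ".".join(labels[-n:]) in SUFFIXES:
            return labels[-n - 1]
    return labels[0]


def shannon_entropy(s):
    """Bits of entropy per character of s (0 for the empty string)."""
    if not s:
        return 0.0
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())


def dga_score(label):
    """Score 0..3: one point each for high entropy, long length and few vowels."""
    score = 0
    if shannon_entropy(label) >= 3.5:
        score += 1
    if len(label) >= 12:
        score += 1
    if label and sum(ch in "aeiou" for ch in label) / len(label) < 0.25:
        score += 1
    return score


def flag_dga(log_text, min_score=2):
    """Return {client: [qname, ...]} for queries whose label scores >= min_score."""
    hits = {}
    for line in log_text.splitlines():
        if not line.strip():
            continue
        _ts, client, qname = line.split()
        if dga_score(registrable_label(qname)) >= min_score:
            hits.setdefault(client, []).append(qname)
    return hits


if __name__ == "__main__":
    for client, names in flag_dga(SAMPLE_DNS_LOG).items():
        print(client, "->", ", ".join(names))
```

A single high-scoring lookup is weak evidence (CDN and tracking hostnames score high too); the signal the flightsim run gives you is a burst of them from one client, most of which fail to resolve (NXDOMAIN), so pair the per-name score with a per-client count and the response code.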

Simulating Traffic to Lookalike Imposter Domains

At AlphaSOC we maintain parent domains with suspicious properties for testing purposes, such as com-edge2-cdn.net in the example below. This domain is young (registered 30 September 2021) and has low prevalence, two properties that lookalike domains used in real intrusions tend to share.

Within flightsim we then take a list of legitimate B2B domains to impersonate and generate events to lookalike FQDNs under that parent, as shown below.
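The detection this exercises is string matching against a brand list combined with domain enrichment: a trusted brand name appearing in the host portion of a name whose registrable domain is not the brand's own, with a young parent raising the severity. The Python below is an added example, not flightsim or AlphaSOC code. The brand list, the constructed hostnames, the single-label suffix assumption and the domain-age table (standing in for a WHOIS or RDAP lookup) are all assumptions.

```python
"""Lookalike (imposter) FQDN detection over constructed hostnames.

Added example, not flightsim or AlphaSOC code. Two rules are applied per
watched brand: the brand's full domain visually present at a label boundary
but not as the registrable domain (e.g. "okta.com-edge2-cdn.net", where the
parent label starts with "com-"), and the bare brand label used as a
subdomain of an unrelated parent. A constructed age table marks young parents.
"""
import re

# Brands whose lookalikes we care about; an assumption for the example.
WATCHED_BRANDS = ["okta.com", "salesforce.com", "microsoft.com"]

# Constructed enrichment table: registrable domain -> age in days, as a WHOIS
# or RDAP lookup would provide.
DOMAIN_AGE_DAYS = {
    "com-edge2-cdn.net": 30,
    "sso-update.xyz": 12,
    "okta.com": 6000,
    "salesforce.com": 9000,
    "microsoft.com": 10000,
}

# Constructed hostnames as they might appear in DNS or proxy logs.
SAMPLE_HOSTNAMES = [
    "login.okta.com",                   # the real thing
    "okta.com-edge2-cdn.net",           # "okta.com" followed by a fake TLD label
    "www.salesforce.com-edge2-cdn.net",
    "microsoft.com.sso-update.xyz",     # brand domain as a subdomain
    "okta.sso-portal.net",              # brand label under an unrelated parent
    "cdn.example.com",
]


def split_registrable(fqdn):
    """Return (subdomain_labels, registrable_domain).

    Assumes a single-label public suffix (com, net, xyz); real code must use
    the Public Suffix List so that e.g. co.uk is handled.
    """
    labels = fqdn.lower().rstrip(".").split(".")
    if len(labels) < 2:
        return [], labels[0]
    return labels[:-2], ".".join(labels[-2:])


def imposter_rule(fqdn, brand):
    """Return the name of the lookalike rule fqdn trips for brand, or None."""
    fqdn = fqdn.lower().rstrip(".")
    subs, registrable = split_registrable(fqdn)
    if registrable == brand:
        return None  # the brand's own domain is never an imposter
    # Brand domain at a label boundary, followed by "-" or ".": visually present
    # but not what the name actually resolves under.
    if re.search(r"(?:^|\.)" + re.escape(brand) + r"(?=$|[.-])", fqdn):
        return "brand_domain_in_host"
    if brand.split(".")[0] in subs:
        return "brand_label_in_host"
    return None


def find_imposters(fqdns, max_age_days=90):
    """Return findings for names that impersonate a watched brand."""
    findings = []
    for fqdn in fqdns:
        fqdn = fqdn.lower().rstrip(".")
        for brand in WATCHED_BRANDS:
            rule = imposter_rule(fqdn, brand)
            if rule is None:
                continue
            _, registrable = split_registrable(fqdn)
            age = DOMAIN_AGE_DAYS.get(registrable)
            findings.append({
                "fqdn": fqdn,
                "brand": brand,
                "registrable": registrable,
                "rule": rule,
                "young_parent": age is not None and age <= max_age_days,
            })
            break
    return findings


if __name__ == "__main__":
    for f in find_imposters(SAMPLE_HOSTNAMES):
        print(f"{f['fqdn']}: impersonates {f['brand']} via {f['rule']} "
              f"(parent {f['registrable']}, young={f['young_parent']})")
```

The second rule is noisier than the first (a vendor's own "okta" subdomain on a legitimate partner domain trips it), so weight it lower and let the parent's age and prevalence decide whether it becomes an alert.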

Detecting traffic to lookalike imposter domains is critical within enterprise environments: the threat actor who compromised Wipro used similar domains to evade detection, as listed here.

Within the AlphaSOC Analytics Engine we detect these lookalike domain patterns, along with many others, as discussed in previous blog posts.

Cryptomining Simulation

The flightsim miner module generates Stratum cryptomining check-in traffic to legitimate public cryptomining pools online. The module pulls a list of destinations from the AlphaSOC API, and then connects to each, as below.
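Stratum, the protocol the miner module speaks, is newline-delimited JSON-RPC, so cleartext check-ins are recognisable from the first client bytes of a connection regardless of destination port. The Python below is an added example, not flightsim or AlphaSOC code; the payloads, destinations and ports are constructed. It matches the mining.* methods used by Bitcoin-style pools and the "login" call with an "agent" field used by Monero-style pools (the XMRig agent string is an assumption for the sample).

```python
"""Cleartext Stratum (mining pool) check-in detection over constructed TCP payloads.

Added example, not flightsim or AlphaSOC code. A miner's first messages are
typically "mining.subscribe" and "mining.authorize" (Bitcoin-style pools) or
a "login" call carrying an "agent" string (Monero-style pools). The records
below are constructed (payload bytes, dst, dport) tuples as a sensor might
store the first client bytes of each outbound connection.
"""
import json

STRATUM_METHOD_PREFIX = "mining."

SAMPLE_PAYLOADS = [
    (b'{"id": 1, "method": "mining.subscribe", "params": ["cpuminer/2.5.1"]}\n'
     b'{"id": 2, "method": "mining.authorize", "params": ["4AbC.worker1", "x"]}\n',
     "203.0.113.25", 3333),
    (b'{"id":1,"jsonrpc":"2.0","method":"login",'
     b'"params":{"login":"4AbC","pass":"x","agent":"XMRig/6.16.4"}}\n',
     "198.51.100.80", 443),
    (b'GET / HTTP/1.1\r\nHost: www.example.com\r\n\r\n', "192.0.2.10", 80),
    (b'{"id": 7, "method": "getBalance", "params": []}\n', "192.0.2.11", 8545),
]


def stratum_indicators(payload, max_bytes=4096):
    """Return the Stratum indicators found in the first max_bytes of a payload."""
    indicators = []
    for raw in payload[:max_bytes].split(b"\n"):
        try:
            msg = json.loads(raw)
        except ValueError:
            continue  # not JSON: HTTP, TLS, binary, or the empty trailing line
        if not isinstance(msg, dict):
            continue
        method = msg.get("method")
        params = msg.get("params")
        if isinstance(method, str) and method.startswith(STRATUM_METHOD_PREFIX):
            indicators.append(method)
        elif method == "login" and isinstance(params, dict) and "agent" in params:
            indicators.append(f"login agent={params['agent']}")
    return indicators


def scan_payloads(records):
    """Return [(dst, dport, indicators)] for connections carrying Stratum traffic."""
    hits = []
    for payload, dst, dport in records:
        found = stratum_indicators(payload)
        if found:
            hits.append((dst, dport, found))
    return hits


if __name__ == "__main__":
    for dst, dport, found in scan_payloads(SAMPLE_PAYLOADS):
        print(f"{dst}:{dport} stratum: {', '.join(found)}")
```

Pools that wrap Stratum in TLS defeat payload inspection entirely, which is why a destination list of known pools (the kind the miner module pulls from the AlphaSOC API) is needed alongside this check rather than instead of it.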

Outbound Port Scanning Simulation

Infected hosts commonly perform outbound network scanning, which flightsim simulates with the scan module. It first prepares a list of destinations within the RFC 5737 documentation ranges (192.0.2.0/24, 198.51.100.0/24, and 203.0.113.0/24), and then opens TCP connections to common ports on each to simulate an outbound port scan, as below.

Sending Traffic to Known Malware Sinkholes

Organizations including Microsoft and Kaspersky operate malware sinkholes: servers that take over domains previously used by botnets, so that infected hosts connect to researchers rather than to the operators. On the AlphaSOC side, we maintain a list of these sinkholes, and flightsim's sink module generates traffic to them, as below.

Connecting to Multiple SMTP Servers

The flightsim spambot module opens connections to 10 randomly selected public mail servers, as below. Infected hosts produce this pattern when they send spam or malicious attachments directly over SMTP rather than through the organization's mail relay.
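The scan and spambot modules above produce two variants of the same fan-out pattern: a scanner touches many ports on one host, a spambot touches port 25 on many hosts. The Python below is an added example covering both, not flightsim or AlphaSOC code; the connection log format ("<epoch> <src> <dst> <dport>"), the sample lines and the thresholds are assumptions. It also tags destinations that fall inside the RFC 5737 ranges, which is a practical way to tell a flightsim scan from a real one when reviewing alerts.

```python
"""Outbound port-scan and spambot fan-out detection over a constructed connection log.

Added example, not flightsim or AlphaSOC code. Both detectors count distinct
values per key over the same parsed flows: distinct destination ports per
(src, dst) for scanning, distinct SMTP destinations per src for spamming.
"""
import ipaddress
from collections import defaultdict

# RFC 5737 documentation ranges, which flightsim's scan module targets.
RFC5737_RANGES = [ipaddress.ip_network(n) for n in
                  ("192.0.2.0/24", "198.51.100.0/24", "203.0.113.0/24")]

# Constructed sample: 10.0.0.5 probes 11 ports on 192.0.2.15; 10.0.0.8 opens
# SMTP to six different servers; 10.0.0.9 is ordinary HTTPS traffic.
SAMPLE_CONN_LOG = """\
2000 10.0.0.5 192.0.2.15 21
2000 10.0.0.5 192.0.2.15 22
2001 10.0.0.5 192.0.2.15 23
2001 10.0.0.5 192.0.2.15 25
2001 10.0.0.5 192.0.2.15 80
2002 10.0.0.5 192.0.2.15 110
2002 10.0.0.5 192.0.2.15 139
2002 10.0.0.5 192.0.2.15 143
2003 10.0.0.5 192.0.2.15 443
2003 10.0.0.5 192.0.2.15 445
2003 10.0.0.5 192.0.2.15 3389
2010 10.0.0.8 203.0.113.1 25
2011 10.0.0.8 203.0.113.2 25
2012 10.0.0.8 203.0.113.3 25
2013 10.0.0.8 203.0.113.4 25
2014 10.0.0.8 203.0.113.5 25
2015 10.0.0.8 203.0.113.6 25
2020 10.0.0.9 198.51.100.7 443
2050 10.0.0.9 198.51.100.7 443
"""


def parse_conns(log_text):
    """Return a list of (ts, src, dst, dport) tuples."""
    conns = []
    for line in log_text.splitlines():
        if line.strip():
            ts, src, dst, dport = line.split()
            conns.append((int(ts), src, dst, int(dport)))
    return conns


def is_documentation_range(ip):
    """True if ip lies in an RFC 5737 range (i.e. came from the simulator)."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in RFC5737_RANGES)


def find_port_scans(conns, min_ports=10):
    """Return {(src, dst): {"ports": [...], "test_net": bool}} for scanning pairs."""
    ports = defaultdict(set)
    for _ts, src, dst, dport in conns:
        ports[(src, dst)].add(dport)
    return {key: {"ports": sorted(seen), "test_net": is_documentation_range(key[1])}
            for key, seen in ports.items() if len(seen) >= min_ports}


def find_spambots(conns, min_servers=5, smtp_port=25):
    """Return {src: [dst, ...]} for sources talking SMTP to many distinct servers."""
    servers = defaultdict(set)
    for _ts, src, dst, dport in conns:
        if dport == smtp_port:
            servers[src].add(dst)
    return {src: sorted(seen) for src, seen in servers.items() if len(seen) >= min_servers}


if __name__ == "__main__":
    conns = parse_conns(SAMPLE_CONN_LOG)
    for (src, dst), info in find_port_scans(conns).items():
        print(f"scan {src} -> {dst}: {len(info['ports'])} ports, test_net={info['test_net']}")
    for src, dsts in find_spambots(conns).items():
        print(f"spambot {src}: {len(dsts)} SMTP servers")
```

Both counters should run over a bounded time window (the sample omits one for brevity); without a window a slow scan spread over days still triggers, which is desirable, but so does a mail relay's normal fan-out over a month, which is not.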

Simulating SFTP / SSH Exfiltration

The flightsim ssh-exfil and ssh-transfer modules open genuine SFTP sessions to the AlphaSOC sandbox and transfer 200MB of content to it over SSH. The two differ in destination port: ssh-exfil uses a non-standard port, and ssh-transfer uses TCP port 22, as shown below.
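The two modules test two different checks: identifying SSH by its protocol banner on a port other than 22 (ssh-exfil), and flagging a large outbound volume over SSH on any port (ssh-transfer). The Python below is an added example, not flightsim or AlphaSOC code. Each flow record is assumed to carry the first bytes sent by the server (the RFC 4253 identification string) and the client's outbound byte count; the sample records and the 100 MiB threshold are constructed.

```python
"""SSH exfiltration indicators over constructed flow records.

Added example, not flightsim or AlphaSOC code. SSH is identified by the
RFC 4253 identification string ("SSH-protoversion-softwareversion SP
comments CR LF", at most 255 bytes) rather than by port, so a session on
8443 is still recognised. The records and threshold below are assumptions.
"""
SSH_PORT = 22
VOLUME_THRESHOLD = 100 * 1024 * 1024  # 100 MiB outbound, an assumption

# Constructed flow records. 209_715_200 bytes is 200 MiB, matching the
# volume the page says the modules transfer.
SAMPLE_FLOWS = [
    {"src": "10.0.0.5", "dst": "203.0.113.40", "dport": 22,
     "server_banner": b"SSH-2.0-OpenSSH_8.9\r\n", "bytes_out": 209_715_200},
    {"src": "10.0.0.5", "dst": "203.0.113.41", "dport": 8443,
     "server_banner": b"SSH-2.0-Go\r\n", "bytes_out": 209_715_200},
    {"src": "10.0.0.6", "dst": "198.51.100.9", "dport": 22,
     "server_banner": b"SSH-2.0-OpenSSH_8.9\r\n", "bytes_out": 48_000},
    {"src": "10.0.0.7", "dst": "192.0.2.80", "dport": 443,
     "server_banner": b"\x16\x03\x03\x00\x7a\x02", "bytes_out": 314_572_800},
]


def ssh_version(first_bytes):
    """Return the SSH identification string if first_bytes starts one, else None."""
    if not first_bytes.startswith(b"SSH-"):
        return None
    line = first_bytes[:255].split(b"\n", 1)[0]
    return line.rstrip(b"\r").decode("ascii", "replace")


def find_ssh_exfil(flows, volume_threshold=VOLUME_THRESHOLD):
    """Return findings for SSH flows on a non-standard port or with a large upload."""
    findings = []
    for flow in flows:
        version = ssh_version(flow["server_banner"])
        if version is None:
            continue  # not SSH; a large TLS upload needs a different detector
        reasons = []
        if flow["dport"] != SSH_PORT:
            reasons.append("ssh_on_nonstandard_port")
        if flow["bytes_out"] >= volume_threshold:
            reasons.append("large_outbound_volume")
        if reasons:
            findings.append({"src": flow["src"], "dst": flow["dst"],
                             "dport": flow["dport"], "version": version,
                             "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in find_ssh_exfil(SAMPLE_FLOWS):
        print(f"{f['src']} -> {f['dst']}:{f['dport']} ({f['version']}): {', '.join(f['reasons'])}")
```

The volume rule needs a baseline per host and destination in practice; 200 MB to an unknown external SSH server is far more interesting than 200 MB to the backup host that receives it nightly.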

DNS Tunneling Simulation

Cobalt Strike and other C2 frameworks use DNS tunneling for C2 and exfiltration purposes to evade detection. The flightsim tunnel-dns module generates a high volume of DNS tunneling events to *.sandbox.alphasoc.xyz, as shown below.
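A DNS tunnel encodes data in the leftmost labels, so the tell is not any single name but the aggregate: one parent domain receiving many unique, long, encoded-looking names from a client. The Python below is an added example, not flightsim or AlphaSOC code; it aggregates per parent domain rather than scoring names individually, which is what distinguishes it from the per-name DGA check. The log format ("<epoch> <client> <qname>"), the constructed hex subdomains under sandbox.alphasoc.xyz, the last-two-labels parent approximation and the thresholds are assumptions.

```python
"""DNS tunneling indicators aggregated per parent domain over a constructed query log.

Added example, not flightsim or AlphaSOC code. For each parent (approximated
as the last two labels) the detector tracks unique names, mean name length,
the share of subdomain labels that look like hex/base32 data, and the
clients involved; a parent that is high on all of them is flagged.
"""
import re
from collections import defaultdict

# Labels that look like encoded data: 16+ hex or 16+ base32 characters.
# Heuristic only: a long plain word such as "googleusercontent" also matches.
ENCODED_LABEL = re.compile(r"[0-9a-f]{16,}|[a-z2-7]{16,}")

# Constructed sample: ordinary lookups from 10.0.0.5 and eight tunnel-style
# names from 10.0.0.7, each 58 characters long.
SAMPLE_QUERY_LOG = """\
1633000001 10.0.0.5 www.example.com
1633000002 10.0.0.5 mail.example.com
1633000003 10.0.0.5 api.example.com
1633000004 10.0.0.7 6a7b2c9d4e1f8a3b5c6d.7e9f0a1b2c3d4e5f.sandbox.alphasoc.xyz
1633000004 10.0.0.7 9f8e7d6c5b4a39281706.f5e4d3c2b1a0f9e8.sandbox.alphasoc.xyz
1633000005 10.0.0.7 0123456789abcdef0123.456789abcdef0123.sandbox.alphasoc.xyz
1633000005 10.0.0.7 deadbeefcafef00d1234.5678deadbeef9abc.sandbox.alphasoc.xyz
1633000006 10.0.0.7 a1b2c3d4e5f6a7b8c9d0.e1f2a3b4c5d6e7f8.sandbox.alphasoc.xyz
1633000006 10.0.0.7 1a2b3c4d5e6f7a8b9c0d.1e2f3a4b5c6d7e8f.sandbox.alphasoc.xyz
1633000007 10.0.0.7 ffeeddccbbaa99887766.5544332211009988.sandbox.alphasoc.xyz
1633000007 10.0.0.7 0f1e2d3c4b5a69788796.a5b4c3d2e1f00f1e.sandbox.alphasoc.xyz
"""


def parent_stats(log_text):
    """Aggregate per parent domain: unique names, label counts, encoded labels, clients."""
    stats = defaultdict(lambda: {"names": set(), "labels": 0, "encoded": 0, "clients": set()})
    for line in log_text.splitlines():
        if not line.strip():
            continue
        _ts, client, qname = line.split()
        qname = qname.lower().rstrip(".")
        labels = qname.split(".")
        parent = ".".join(labels[-2:])  # assumption: single-label public suffix
        s = stats[parent]
        s["names"].add(qname)
        s["clients"].add(client)
        for label in labels[:-2]:
            s["labels"] += 1
            if ENCODED_LABEL.fullmatch(label):
                s["encoded"] += 1
    return stats


def find_dns_tunnels(log_text, min_unique=8, min_mean_len=40, min_encoded_share=0.5):
    """Return {parent: stats} for parents whose traffic looks like a tunnel."""
    hits = {}
    for parent, s in parent_stats(log_text).items():
        if len(s["names"]) < min_unique:
            continue
        mean_len = sum(len(n) for n in s["names"]) / len(s["names"])
        share = s["encoded"] / s["labels"] if s["labels"] else 0.0
        if mean_len >= min_mean_len and share >= min_encoded_share:
            hits[parent] = {"unique_names": len(s["names"]), "mean_len": mean_len,
                            "encoded_share": share, "clients": sorted(s["clients"])}
    return hits


if __name__ == "__main__":
    for parent, s in find_dns_tunnels(SAMPLE_QUERY_LOG).items():
        print(f"{parent}: {s['unique_names']} unique names, mean length {s['mean_len']:.0f}, "
              f"encoded share {s['encoded_share']:.2f}, clients {s['clients']}")
```

Query type and response size matter too: tunnels favour TXT, NULL and CNAME records and return large answers, and a resolver log that records them lets you raise the score without loosening the name-based thresholds, which CDNs and anti-spam lookups otherwise push against.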

ICMP Tunneling Simulation

Sophisticated threat actors also use ICMP tunneling to evade detection. The flightsim tunnel-icmp module requires superuser privileges to run (it sends ICMP through a raw socket), and generates a high volume of ICMP tunneling events to the AlphaSOC sandbox, as shown below.

Improving Coverage and Visibility

Teams can operationalize Network Flight Simulator to generate malicious traffic patterns within their environments to ensure coverage of various C2 and exfiltration patterns, along with cryptomining, port scanning, spambot traffic, and spear phishing traffic to lookalike imposter domains.

The AlphaSOC Analytics Engine supports detection of the patterns found within flightsim, and generates high fidelity alerts to support both reactive triage and proactive threat hunting activities, as summarized below.

This screenshot is of our Network Behavior Analytics for Splunk integration. The AlphaSOC Analytics Engine natively integrates with Splunk, Elastic, Snowflake, Amazon S3, and many other sources, and escalates alerts to any SIEM or SOAR platform, as well as Slack and other destinations.

Please get in touch for a demo, and to discuss your requirements further!

--

Chris McNab
AlphaSOC

Author of Network Security Assessment (O’Reilly Media) and co-founder of AlphaSOC, Inc.