StealthGuardian: The Middleware Shield for Adversary Simulation


Performing adversary simulation exercises is a time-consuming task, especially when developing new attack mechanisms and testing those against defence systems that have been deployed to the target.

With this tool, we have streamlined the process of testing newly developed tools and attack patterns by forwarding them to a reference system and observing the logfiles and alarm messages of the defence tools deployed there. Based on the results, the tool decides whether the action can be executed against the target or notifies the Red Team that the action has been detected.

The tool is easy to integrate into existing adversary simulation tools and easy to extend with support for new defence systems.

StealthGuardian Components

The implementation of StealthGuardian consists of three parts, which are described below in more detail:

  • Integration: The Integration component is the bridge between the adversary simulation tool and the middleware. It forwards executed actions to the Middleware.
  • Middleware: The Middleware takes actions from the Integration and forwards those to a reference system/implant where they will be executed. The middleware then communicates with the Endpoint Agent to verify if the executed action has been detected.
  • Endpoint Agent: The Endpoint Agent observes defined logfiles and alerts during the execution of actions to verify if a malicious event has been detected.

Integration

The Integration component is the bridge between the adversary simulation tool and the middleware. It forwards executed actions to the Middleware.

In Fortra’s Cobalt Strike threat emulation tool this has been implemented as an Aggressor Script. Before a command/action is executed, the Red Teamer can decide whether the action should first be executed against a reference beacon that mimics the actual target.

Middleware

The Middleware is an HTTP service that waits for actions to be executed against a reference system/implant. It uses a queuing system and offers various configuration options, such as creating a fresh reference system after each action has been executed or re-using one system to test multiple actions in a row.

After the actions have been executed, the Middleware communicates with the Endpoint Agent to verify whether they have been detected. Whether or not a detection occurred, the Middleware reports the result back to the Integration for display. If no malicious behaviour has been detected, the Middleware can automatically execute the action against the target.

Endpoint Agent

The Endpoint Agent observes user-defined logfiles and alerts during the execution of actions to verify whether a malicious event has been detected. After the Middleware has executed an action, the Endpoint Agent reports its results back to the Middleware.
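As an added illustration of the Endpoint Agent's job (this is example code, not StealthGuardian's own implementation), the function below scans a defence tool's log for alert lines that fall inside the execution window of one action and produces the detected/not-detected verdict the agent would report back. The log format, the alert patterns and the sample lines are all constructed for this example.

```python
import re
from datetime import datetime, timezone

# Constructed sample log lines (not from the project): a single defence-tool
# log with ISO 8601 timestamps, of the kind an Endpoint Agent might watch.
SAMPLE_LOG = """\
2024-01-15T10:00:01Z INFO  scheduler heartbeat ok
2024-01-15T10:00:07Z ALERT edr: suspicious process injection blocked pid=4120
2024-01-15T10:00:09Z INFO  scheduler heartbeat ok
2024-01-15T10:00:31Z ALERT av: malware signature match in C:\\Temp\\x.dll
"""

# Hypothetical per-tool alert patterns the agent is configured with.
ALERT_PATTERNS = {
    "edr": re.compile(r"\bALERT\s+edr:"),
    "av": re.compile(r"\bALERT\s+av:"),
}

LINE_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<rest>.*)$")

def parse_ts(value):
    """Parse a 'Z'-suffixed ISO 8601 timestamp into an aware UTC datetime."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

def alerts_in_window(log_text, start, end, patterns=ALERT_PATTERNS):
    """Return (tool, line) pairs for alert lines timestamped within [start, end].

    Lines without a parseable timestamp are skipped rather than counted, so a
    malformed line can never produce a spurious 'detected' verdict.
    """
    hits = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        try:
            ts = parse_ts(m.group("ts"))
        except ValueError:
            continue
        if not (start <= ts <= end):
            continue
        for tool, pattern in patterns.items():
            if pattern.search(line):
                hits.append((tool, line))
    return hits

def verdict(log_text, start, end):
    """Summarise the window the way the agent would report it to the Middleware."""
    hits = alerts_in_window(log_text, start, end)
    return {"detected": bool(hits), "tools": sorted({t for t, _ in hits}), "count": len(hits)}
```

In practice the Middleware supplies `start` and `end` from the timestamps at which it dispatched and finished the action, and a small clock-skew margin on both sides avoids missing an alert that the defence tool logged a moment late.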

Install & Use