Adversary emulation tools facilitate scripting and automated execution of cyber attack chains, thereby reducing the costs and manual expert effort required for security testing, cyber exercises, and intrusion detection research. However, because existing tools typically rely on agents installed on target systems, they leave suspicious traces that make it easy to distinguish their activities from those of real human attackers. Moreover, these tools often lack relevant capabilities, such as handling of interactive prompts, and are unsuitable for emulating specific stages of the kill chain, such as initial access. This paper therefore introduces AttackMate, an open-source attack scripting language and execution engine designed to mimic the behavior patterns of actual attackers. We validate the tool in a case study covering common attack steps, including privilege escalation, information gathering, and lateral movement. Our results indicate that the log artifacts resulting from AttackMate's activities resemble those produced by human attackers more closely than those generated by standard adversary emulation tools.