MITRE ATT&CK Simulator

Validate your security controls against a sequential adversary Kill Chain.

Adversary Kill Chain Execution

Unlike isolated signature tests, real-world attacks happen in stages. This simulator executes four major phases of the MITRE ATT&CK framework sequentially to test if your perimeter defenses can break the kill chain before an attacker achieves their objective.

Initial Access

Exploit Public-Facing App (T1190)

Apache Struts HTTP header RCE (CVE-2017-5638) via malicious OGNL injection.

Execution

Unix Shell (T1059.004)

ThinkPHP RCE (CVE-2018-20062) with an outbound reverse shell attempt.

Credential Access

OS Credential Dumping (T1003.001)

Pulse Secure VPN (CVE-2019-11510) access to the cached cleartext password database.

Exfiltration

Unencrypted Protocol (T1048.003)

Shellshock (CVE-2014-6271) payload exfiltrating system files over netcat.


MITRE ATT&CK Kill Chain Simulator

Real-world cyberattacks don't happen in isolation — they follow a sequence of stages known as the kill chain. ITSecTools simulates a complete adversary kill chain mapped to the MITRE ATT&CK framework, executing Initial Access, Execution, Credential Access, and Exfiltration stages sequentially to test whether your perimeter defenses can break the chain at any point.

Simulated Techniques

  • T1190 — Initial Access: Exploit Public-Facing Application via Log4j JNDI/LDAP injection targeting external-facing services.
  • T1059.001 — Execution: PowerShell download cradle attempting to fetch a malicious .ps1 payload, testing post-exploitation tool download detection.
  • T1003.001 — Credential Access: OS Credential Dumping using Mimikatz string patterns over the wire, testing deep packet inspection of credential theft indicators.
  • T1048.003 — Exfiltration: Data extraction over an unencrypted protocol, simulating /etc/passwd content exfiltration via cleartext query strings.

Each stage depends on the previous one succeeding — just like a real attack. If your firewall, IPS, or EDR blocks any stage, the kill chain is broken. The console output shows exactly which stages were blocked and which payloads reached their destination, giving you a clear security posture assessment aligned to the MITRE ATT&CK framework.
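
A defender-side check for the T1048.003 stage listed above, as an added example that is not part of ITSecTools: it percent-decodes query strings from outbound proxy log lines and flags requests whose parameters contain /etc/passwd-style records. The three-field log layout, the hostnames and the function names are assumptions, and the log lines are constructed.

```python
import re
from urllib.parse import parse_qsl, urlsplit

# One /etc/passwd record: name:password:UID:GID:GECOS:home:shell
PASSWD_RECORD = re.compile(
    r"^[A-Za-z_][A-Za-z0-9_.-]*:[^:\n]*:\d+:\d+:[^:\n]*:/[^:\n]*:/[^:\n]*$",
    re.MULTILINE,
)

# Constructed sample proxy log; the "client method url" layout is an assumption.
SAMPLE_LOG = [
    "10.0.0.17 GET http://intranet.example/search?q=time%3A10%3A30&page=2",
    "10.0.0.23 GET http://collector.example/c?d=root%3Ax%3A0%3A0%3Aroot%3A%2Froot"
    "%3A%2Fbin%2Fbash%0Adaemon%3Ax%3A1%3A1%3Adaemon%3A%2Fusr%2Fsbin%3A%2Fusr%2Fsbin%2Fnologin",
    "10.0.0.23 GET http://shop.example/item?id=42",
    "malformed line without a url field here",
]


def passwd_records_in_url(url):
    """Return passwd-style records found in any percent-decoded query value."""
    records = []
    for _name, value in parse_qsl(urlsplit(url).query, keep_blank_values=True):
        records.extend(m.group(0) for m in PASSWD_RECORD.finditer(value))
    return records


def scan_proxy_log(lines):
    """Return (client, destination host, record count) for each flagged request."""
    findings = []
    for line in lines:
        parts = line.split()
        if len(parts) != 3:
            continue  # not in the assumed three-field layout
        client, _method, url = parts
        records = passwd_records_in_url(url)
        if records:
            findings.append((client, urlsplit(url).hostname, len(records)))
    return findings


if __name__ == "__main__":
    for client, host, count in scan_proxy_log(SAMPLE_LOG):
        print(f"ALERT {client} -> {host}: {count} passwd record(s) in query string")
```

Matching on the seven-field record shape rather than on the string "/etc/passwd" keeps colon-separated values such as timestamps from triggering an alert.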