{"slug": "running-a-full-multi-stage-intrusion-simulation-every-detection-fired", "title": "Running a Full Multi-Stage Intrusion Simulation. Every Detection Fired.", "summary": "The article describes the successful end-to-end test of SHENRON, a non-executable adversarial simulation framework that generates inert telemetry patterns to test detection systems without running actual attacks. The simulation ran a nine-stage APT kill chain with realistic timing offsets and full ATT&CK coverage, and every stage triggered the expected detection signals from the validation suite. The framework is designed to help detection engineers and SOC teams test whether their systems would detect an attack, with safety contracts ensuring no executables, payloads, network calls, or processes are spawned.", "body_md": "I've been building SHENRON for a while — a polymorphic adversarial simulation framework that generates inert adversarial-shaped telemetry for detector and governance testing.\n\nLast week I wired up real stealth scoring. Today I ran the `apt_kill_chain` scenario end to end and validated it against the full detection expectation suite. Here's what happened.\n\n## What SHENRON Is\n\nSHENRON doesn't execute attacks. It simulates the *shape* of attacks — the behavioral signatures, telemetry patterns, and detection opportunities that real adversarial techniques produce, without the capability.\n\nA **layer** is a self-contained behavioral simulation module with its own telemetry schema, ATT&CK mappings, and detection validation expectations. Each layer emits synthetic JSONL artifacts representing what a technique looks like to a detection system — nothing executable, nothing functional.\n\nThe safety contract enforced per-artifact:\n\n```\nsimulation_only: true\nexecutable: false\nno_payload_present: true\nnetwork_calls_made: false\nprocesses_spawned: false\n```\n\nThe goal: give detection engineers and SOC teams a way to test whether their systems would *see* an attack — without running one.\n\n## The Scenario\n\nNine stages. Full ATT&CK coverage. Realistic inter-stage timing offsets.\n\n```\n[STAGE 1/9] initial_c2             — beacon_emitter_cloak       +0s\n[STAGE 2/9] recon                  — lateral_webcrawler         +120s\n[STAGE 3/9] persistence_plant      — dormant_sleeper_seed       +300s\n[STAGE 4/9] memory_hijack          — memory_hijack_inheritor    +360s\n[STAGE 5/9] cover_tracks           — anti_forensics_molt        +420s\n[STAGE 6/9] masquerade             — mirror_loop_deflector      +450s\n[STAGE 7/9] persistence_reinforce  — shadow_system_rebuilder    +480s\n[STAGE 8/9] file_plant             — poltergeist_file_infector  +510s\n[STAGE 9/9] exfil_c2               — beacon_emitter_cloak       +600s\n```\n\nATT&CK coverage by stage:\n\n| Stage | Techniques | Observable Class |\n|---|---|---|\n| initial_c2 | T1071, T1132 | C2 beacon, encoded comms |\n| recon | T1021, T1046, T1135 | Host sweep, port scan, share enum |\n| persistence_plant | T1053, T1547 | Scheduled task, boot persistence |\n| memory_hijack | T1055, T1134 | Process injection, token impersonation |\n| cover_tracks | T1070, T1107 | Log wipe, anti-forensics |\n| masquerade | T1036, T1036.005 | Process name spoof, fake cmdline |\n| persistence_reinforce | T1547, T1543 | Shadow restore, service install |\n| file_plant | T1027, T1564.001 | Script modification, hidden artifact |\n| exfil_c2 | T1071, T1132 | Beacon pattern replication only — no data movement |\n\n## Stage by Stage\n\n### Stage 1 — C2 Beacon Establishment\n\nThree synthetic beacon events with realistic jitter:\n\n```\nmethod        : https_encoded        interval: 54.7s\ndns_query_sim : mjcjbowe.metrics.example.io\nmethod        : http_get             interval: 71.4s\nuser_agent    : curl/7.88.1\n```\n\n**Stealth: 80.** C2 over HTTPS with jittered intervals blends well. DNS subdomain entropy is the tell.\n\n**Detection signals:** periodic outbound connection · DNS subdomain query · encoded URI parameter\n\n### Stage 2 — Lateral Reconnaissance\n\n8 hosts discovered, 2 targeted for deeper enumeration:\n\n```\n172.16.1.112  BACKUPHOST   → port 8080 Tomcat → /login/ /.git/ /backup/\n172.16.1.113  PRINTSERVER  → port 80 Apache  → /wp-admin/ /phpmyadmin/\n```\n\n**Stealth: 78.** Sequential host sweeps are noisy. The `.git/` and `/backup/` probes are high-signal for anomaly-based detection.\n\n**Detection signals:** subnet sweep · SMB port probe · share enumeration · sequential host requests\n\n### Stage 3 — Persistence Plant\n\nTrigger-armed persistence that waits for a condition before activating:\n\n```\nmechanism     : systemd_unit\npath          : /etc/systemd/system/update-check.service\ntrigger_type  : port_open (localhost:4444)\ncheck_interval: 45s\n→ TRIGGER EVAL #4: condition met — activation simulated\n```\n\n**Stealth: 65.** Systemd unit creation is well-logged. Persistence layers consistently score lowest — they're hard to hide from any reasonably instrumented environment.\n\n**Detection signals:** scheduled task creation · registry run key write · cron modification\n\n### Stage 4 — Process Injection Simulation\n\n```\n/proc/6109/mem probed → stack region 0x7fff0000\ninjection_attempt: shellcode_stub_sim → success\ntoken_manipulation: NetworkService impersonation\nMONITOR CYCLE #3: runtime variance detected → anomaly: True\n```\n\n**Stealth: 68.** `/proc/mem` access from a non-parent process is a hard detection signal. The anomaly in cycle 3 is exactly what EDR behavioral engines catch.\n\n**Detection signals:** proc mem access · token impersonation · RWX region write\n\n### Stage 5 — Anti-Forensics\n\n```\n~/.bash_history                    → truncate_to_zero\n~/.local/share/recently-used.xbel  → overwrite_with_decoys\n  decoys: ['cat /etc/hostname', 'cd /tmp', 'echo hello world']\nmtime_rollback_24h on 3 targets\n```\n\n**Stealth: 77.** Log truncation is detectable via inotify or auditd. The decoy injection looks benign on cursory inspection — but timing correlation breaks it.\n\n**Detection signals:** log file cleared · history truncated · timestamp rollback\n\n### Stage 6 — Process Masquerade\n\n```\ntarget_sim    : systemd-resolve (pid 5496)\ncmdline_sim   : /usr/bin/systemd-resolve --daemon\nDEFLECTION LOOP #3: anomaly logged\n```\n\n**Stealth: 84 — highest in the chain.** Name spoofing is hard to detect at the log level. The anomaly in loop 3 is what a behavioral engine catches: the process walks like `systemd-resolve` but doesn't talk like it.\n\n**Detection signals:** process name spoof · fake cmdline · PID masquerade\n\n### Stage 7 — Persistence Reinforcement\n\nSelf-healing persistence detects tampered files and restores from shadow copies:\n\n```\n/etc/rc.local                          hash mismatch → restored\n/etc/profile.d/env.sh                  hash mismatch → restored\n/etc/systemd/system/update.service     absent        → shadow copy deployed\nts_adjusted: True  (on all restores)\n```\n\n**Stealth: 65.** File integrity monitoring catches the restore. Timestamp adjustment is a second detectable signal in the same window.\n\n**Detection signals:** file hash mismatch · unauthorized file copy · timestamp modification\n\n### Stage 8 — Script Modification\n\nRecursive home traversal, candidate selection, EOF append:\n\n```\nscan: *.py *.sh across ~/\n→ ~/research_hub/utils/scan.py selected\nmarker appended: # SYS_UPDATE_HOOK_SIM\nhash_delta: 305ff87c... → a5fe9306...\n```\n\n**Stealth: 68.** Hash change on a user script is detectable by any FIM tool. The traversal is the noisy precursor.\n\n**Detection signals:** recursive home traversal · script file append · hash change on script\n\n### Stage 9 — Beacon Pattern Replication\n\nSecond `beacon_emitter_cloak` pass replicating exfiltration beacon shape. DNS subdomain encoding, jittered HTTP callbacks. No data movement — beacon pattern only.\n\n## Validation\n\n```\n[VALIDATION]  apt_kill_chain\n[RUN_ID]      155aa94b-7cf5-4ffd-a7e4-eddea1b3f8db\n[EXPECTED]    25\n[OBSERVED]    25\n[PARTIAL]     0\n[MISSING]     0\n[COVERAGE]    100.0%\n[SAFETY FAIL] 0\n[VERDICT]     PASS\n```\n\n25 detection expectations. 25 matched. 0 missing. 0 safety violations. 339 synthetic telemetry events.\n\nFull detection signal map:\n\n| Stage | Layer | Signal | MITRE |\n|---|---|---|---|\n| initial_c2 | beacon_emitter_cloak | periodic outbound connection | T1071 |\n| initial_c2 | beacon_emitter_cloak | DNS subdomain query | T1132 |\n| initial_c2 | beacon_emitter_cloak | encoded URI parameter | T1071 |\n| recon | lateral_webcrawler | subnet sweep | T1046 |\n| recon | lateral_webcrawler | SMB port probe | T1021 |\n| recon | lateral_webcrawler | share enumeration | T1135 |\n| recon | lateral_webcrawler | sequential host requests | T1046 |\n| persistence_plant | dormant_sleeper_seed | scheduled task creation | T1053 |\n| persistence_plant | dormant_sleeper_seed | registry run key write | T1547 |\n| persistence_plant | dormant_sleeper_seed | cron modification | T1053 |\n| memory_hijack | memory_hijack_inheritor | proc mem access | T1055 |\n| memory_hijack | memory_hijack_inheritor | token impersonation | T1134 |\n| memory_hijack | memory_hijack_inheritor | RWX region write | T1055 |\n| cover_tracks | anti_forensics_molt | log file cleared | T1070 |\n| cover_tracks | anti_forensics_molt | history truncated | T1107 |\n| cover_tracks | anti_forensics_molt | timestamp rollback | T1070 |\n| masquerade | mirror_loop_deflector | process name spoof | T1036.005 |\n| masquerade | mirror_loop_deflector | fake cmdline | T1036.005 |\n| masquerade | mirror_loop_deflector | PID masquerade | T1036 |\n| persistence_reinforce | shadow_system_rebuilder | file hash mismatch | T1547 |\n| persistence_reinforce | shadow_system_rebuilder | unauthorized file copy | T1543 |\n| persistence_reinforce | shadow_system_rebuilder | timestamp modification | T1547 |\n| file_plant | poltergeist_file_infector | recursive home traversal | T1564.001 |\n| file_plant | poltergeist_file_infector | script file append | T1027 |\n| file_plant | poltergeist_file_infector | hash change on script | T1027 |\n\n## Stealth Scoring\n\n### Model\n\nEach layer receives a score (0–100) based on detection surface. Lower score = more detectable.\n\n```\nbase_score = 100\n\npenalties:\n  3.0 per unique detection_opportunity signal (artifact-level)\n  4.0 per alert_signature (manifest)\n  2.0 per expected_event (manifest)\n  2.5 per log source exposed\n\n  20.0 if executable = True\n  10.0 if files_created = True\n\nbonus:\n  +5.0 (one-time) if all artifacts are simulation_only + non-executable\n\ndeduplication: signals appearing in both artifact telemetry and manifest\nare counted once — rewarding layers whose manifest accurately predicts\nruntime behavior.\n```\n\n### Example: mirror_loop_deflector (score: 84)\n\n```\nbase_score          = 100\ndetection_ops (3)   → -9.0\nalert_sigs (3)      → -12.0\nexpected_events (3) → -6.0\nlog_sources (3)     → -7.5\ndedup credit        → +13.5  (overlap between manifest and runtime signals)\nsimulation bonus    → +5.0\n                      ──────\n                        84\n```\n\n### Results\n\n```\nmirror_loop_deflector     ████████████████░░░░  84\nbeacon_emitter_cloak      ████████████████░░░░  80\nlateral_webcrawler        ███████████████░░░░░  78\nanti_forensics_molt       ███████████████░░░░░  77\nmemory_hijack_inheritor   █████████████░░░░░░░  68\npoltergeist_file_infector █████████████░░░░░░░  68\ndormant_sleeper_seed      █████████████░░░░░░░  65\nshadow_system_rebuilder   █████████████░░░░░░░  65\n```\n\nC2 and evasion layers score highest — designed to blend. Persistence layers score lowest — systemd unit creation and file integrity violations are hard to hide. Memory injection sits in the middle: detectable, but requires deeper visibility than log analysis alone.\n\n## What to Do With the Output\n\n339 synthetic telemetry events, JSONL format:\n\n```\n{\n  \"artifact_id\": \"c76c6616-764b-4e...\",\n  \"layer\": \"memory_hijack_inheritor\",\n  \"phase\": \"memory_probe\",\n  \"behavior_class\": \"proc_mem_access\",\n  \"mitre_techniques\": [\"T1055\", \"T1134\"],\n  \"detection_opportunities\": [\"proc_mem_access\", \"rwx_region_write\"],\n  \"simulation_only\": true,\n  \"executable\": false\n}\n```\n\n- **SIEM rule validation** — feed the JSONL in and check which rules fire at which stage\n- **Sigma rule testing** — detection signals map directly to Sigma condition fields\n- **Detection model training** — synthetic labeled data for behavioral classifiers\n- **SOC tabletop exercises** — replay the timeline and test analyst response\n- **Coverage gap analysis** — compare `[MISSING]` expectations against your current rule set\n\n## The Repo\n\n[github.com/GnomeMan4201/shenron](https://github.com/GnomeMan4201/shenron)\n\n```\ngit clone https://github.com/GnomeMan4201/shenron\ncd shenron\npython3 -m venv .venv && source .venv/bin/activate\npip install -r requirements.txt\npython3 shenron.py --scenario apt_kill_chain\npython3 shenron.py --validate latest\n```\n\nFive built-in scenarios. Fifty behavioral simulation layers. All inert. Detection coverage scoring included.\n\n*Observable adversarial behavior, not portable adversarial procedure.*", "url": "https://wpnews.pro/news/running-a-full-multi-stage-intrusion-simulation-every-detection-fired", "canonical_source": "https://dev.to/gnomeman4201/running-a-full-multi-stage-intrusion-simulation-every-detection-fired-3lk9", "published_at": "2026-05-22 21:01:31+00:00", "updated_at": "2026-05-22 21:33:37.071627+00:00", "lang": "en", "topics": ["cybersecurity", "open-source", "developer-tools", "research", "products"], "entities": ["SHENRON", "ATT&CK", "SOC"], "alternates": {"html": "https://wpnews.pro/news/running-a-full-multi-stage-intrusion-simulation-every-detection-fired", "markdown": "https://wpnews.pro/news/running-a-full-multi-stage-intrusion-simulation-every-detection-fired.md", "text": "https://wpnews.pro/news/running-a-full-multi-stage-intrusion-simulation-every-detection-fired.txt", "jsonld": "https://wpnews.pro/news/running-a-full-multi-stage-intrusion-simulation-every-detection-fired.jsonld"}}