Microsoft released SimuLand, so what is SimuLand?

Microsoft has released SimuLand, an open source lab environment to help test and improve the defenses of Microsoft 365 Defender, Azure Defender, and Azure Sentinel against real attack scenarios.

What is SimuLand?

SimuLand is an open source lab environment that replicates well-known techniques used in real attack scenarios, so that defenders can proactively test and verify the effectiveness of Microsoft 365 Defender, Azure Defender, and Azure Sentinel. It also supports further threat research using the telemetry and forensic artifacts generated after each simulation exercise.

The lab environment provides use cases drawn from a variety of data sources, including telemetry from Microsoft 365 Defender security products and from other data sources integrated through Azure Sentinel data connectors.

Purpose of creating SimuLand

As Microsoft builds out SimuLand and begins rolling it out into lab environments, the work follows these basic principles:

  1. Understand the underlying behavior and functionality of adversary tradecraft
  2. Identify mitigations and attacker paths by documenting the preconditions for each attacker action
  3. Accelerate the design and deployment of threat research lab environments
  4. Stay up to date with the latest techniques and tools used by threat actors
  5. Identify, document, and share relevant data sources to model and detect adversary actions
  6. Validate and tune detection capabilities

Process


Currently, SimuLand lets researchers test and improve their defenses against Golden SAML attacks, in which threat actors forge authentication tokens for cloud applications.

You can share your own end-to-end simulation scenarios by opening new issues on the SimuLand GitHub repository.

Future goals

Besides creating more attack scenarios, Microsoft plans to work on several features to improve the project. Ideas under consideration include:

  1. A data model to document simulation steps in a more organized and standardized way
  2. A CI/CD pipeline with Azure DevOps to deploy and maintain the infrastructure
  3. Automation of cloud attack steps with Azure Functions
  4. The ability to export and share the telemetry generated with the InfoSec community
  5. Integration with the Microsoft Defender Evaluation Lab

Last month, the Microsoft 365 Defender Research team also released an open source cyberattack simulator called CyberBattleSim.

The simulator allows the creation of simulated network environments that model how AI-controlled network agents (threat agents) spread through the network after an initial compromise.

"The simulated attacker's goal is to take ownership of certain parts of the network by exploiting these pre-installed vulnerabilities," Microsoft explains. "While a simulated attacker moves through the network, a protection agent monitors network activity to detect the attacker's presence and prevent the attack."
