Microsoft SimuLand, an open-source lab environment to simulate attack scenarios

Microsoft SimuLand, an open-source lab environment to simulate attack scenarios

Microsoft released SimuLand, an open-source tool that can be used to build lab environments to simulate attacks and verify their detection.

Microsoft has released SimuLand, an open-source lab environment that allows to reproduce the techniques used in real attack scenarios. The tool could be used to test and improve Microsoft solutions, including Microsoft 365 Defender, Azure Defender, and Azure Sentinel defenses against real attack scenarios.

“SimuLand is an open-source initiative by Microsoft to help security researchers around the world deploy lab environments that reproduce well-known techniques used in real attack scenarios, actively test and verify effectiveness of related Microsoft 365 Defender, Azure Defender and Azure Sentinel detections, and extend threat research using telemetry and forensic artifacts generated after each simulation exercise.” reads the announcement published by Microsoft.

“These lab environments will provide use cases from a variety of data sources including telemetry from Microsoft 365 Defender security products, Azure Defender and other integrated data sources through Azure Sentinel data connectors.”


The project has a modular structure, each module can be re-used to test combinations of attacker actions using different lab environment designs. 

Microsoft has also released a lab environment for SimuLand that focuses on Golden SAML attacks, the IT giant plans to release new ones in the future. Anyway, Microsoft is inviting security experts to contribute to the creation of new lab environments and improved detection rules for the attack scenario they have shared.

“Every simulation plan provided through this project is research-based and broken down into attacker actions mapped to the MITRE ATT&CK framework.” reads a blog post published by Microsoft. “The goal of the simulate and detect component is to also summarize the main steps used by a threat actor to accomplish a specific object and allow security researchers to get familiarized with the attacker behavior at a high level.”

Follow me on Twitter: @securityaffairs and Facebook

Pierluigi Paganini

(SecurityAffairs – hacking, Simuland)

Leave a Reply

Your email address will not be published. Required fields are marked *