Realm: Open-source adversary emulation framework

Realm is an open-source adversary emulation framework emphasizing scalability, reliability, and automation. It’s designed to handle engagements of any size.

“Realm is unique in its custom interpreter written in Rust. This allows us to write complex TTPs as code. With these actions as code, defenders can replay attack actions, and red teams can create repositories of their TTPs and processes for multiple engagements. Realm is also extremely scalable! Group actions are easy to create in our Web GUI, allowing you to get information from multiple hosts at once,” a spokesperson for the project told Help Net Security.

Realm components

Agent (imix)

• Written in Rust with support for macOS, Linux, and Windows.
• Supports long-running tasks by reading output from tasks in real time.
• Interval callback times.
• Simple file-based configuration.
• Embedded files.
• Built-in interpreter.

Server (tavern)

• Web interface.
• Group actions.
• graphql backend for easy API access.
• OAuth login support.
• Cloud native deployment with pre-made terraform for production deployments.

Built-in interpreter (eldritch)

• Reflective DLL Loader.
• Port scanning.
• Remote execution over SSH.

Future plans and download

“For the future, we want to expand the ways you can contextualize information via our Web GUI. We want red teams to have the most visibility possible into how things are going during an engagement. We also want it to be easier for red teams to collaborate with defenders, allowing the defenders to learn from the engagement,” the spokesperson concluded.

Realm is available for free download on GitHub.

Must read:

• 20 free cybersecurity tools you might have missed
• 15 open-source cybersecurity tools you’ll wish you’d known earlier
• 20 essential open-source cybersecurity tools that save you time