About MACAT
MACAT is a desktop application maintained by me (thebleucheese). I love practical cybersecurity, especially when we can improve tedious processes or common practices. MACAT started as a simple utility to fill some gaps while I was building and configuring other personal cybersecurity defense software. I was being slowed down during adversary simulation activity: I was either stuck writing throwaway code to configure and automate existing PowerShell- or Python-based adversary simulation utilities, or I was installing and learning massive pseudo-C2 web applications with Docker, plugins, agents, and so on. Neither felt like a good use of my time when all I wanted was to perform basic adversary simulation to inform content engineering for my defense tools.
There are plenty of adversary simulation frameworks that are Red Team-focused. They're stealthy and capable, and you should use them where appropriate. However, when you're trying to rip through a set of procedures for detection engineering and defense validation, there is a gap in tools that are immediately accessible, both in the technical expertise required for setup and execution and in the discoverability of the UI. Your dedicated Red Team members can intuit most of these tools, but what happens if you're working across more of the security landscape, or you want your defenders to be able to test their own detections and IR response? Shouldn't it be easier?
MACAT is intended to make basic Adversary Simulation much easier. Detecting C2 network traffic from a skilled Red Team is challenging and probably not the best use of your time as you begin developing your program. Limit the time spent setting up Red Team and C2 infrastructure, maintaining large web applications for automation, or building custom payloads and implants for defense validation and detection engineering. There's a lot of fun to be had tinkering with all the C2 frameworks out there as your program matures, but if you're not regularly running tests and making progress detecting or defending against post-exploitation adversary procedures, it might be time to reevaluate your approach. Alternatively, if you haven't started with Adversary Simulation at all yet, take a look at just how much initial capability you actually need. MACAT can probably fit your immediate needs.
The effort and energy you put into Adversary Simulation should generally be weighted towards defense and tracking. The most important work in securing your organization is detecting, defending against, and responding to attacker actions, not intimately learning every attacker tool. An ideal setup for many organizations is:
You can easily expand on this once you need more capability, but VECTR is the foundation on which you build the program: no matter what you need to do on the Red Team side, you have a common reporting location with smart data structures designed specifically to help you improve your defenses.
Note that MACAT is not designed to be a 100% emulation tool! You should be performing regular, manual Purple Team exercises that run techniques and procedures the way the attacker runs them, for authenticity. MACAT's ease of use and method of execution make it much more likely to be signatured by defense tools. What it does is generate the log conditions needed to test detections and support detection engineering. Additionally, it may help identify defense regressions in some scenarios.
MACAT is built using the following core technologies:
Note: Tauri is a great utility, but I don't think Electron / webview apps are ideal for portable applications. A native cross-platform desktop UI library for Rust would be excellent. Qt and GTK weren't particularly good options given my needs for the project.