Cyllex

Framework Updates

Latest releases, features, and improvements to the Cyllex adversary emulation framework.

Feature Release | Mar 10, 2026 | v0.4.0

Cyllex v0.4.0 — Cloud, Containers & Documentation

604 TTPs across 7 platforms, 4 SIEM integrations, full Azure and GCP cloud coverage, Kubernetes & Docker container testing, and comprehensive professional documentation.

Tags: 604 TTPs, 7 Platforms, 4 SIEMs, Azure, GCP, Kubernetes, Docker, APT Codex

604 TTPs Across 7 Platforms:

  • Windows & Linux: 233 TTPs — credential access, lateral movement, Active Directory attacks, process injection, defense evasion
  • AWS Cloud: 143 TTPs — IAM, EC2, S3, Lambda, Secrets Manager, all with CloudTrail event correlation
  • Azure Cloud: 122 TTPs — Entra ID, Key Vault, VMs, Storage, Defender, Sentinel, Activity Log correlation
  • Kubernetes: 54 TTPs — pod escape, RBAC abuse, secret extraction, service account pivot, network policy bypass
  • Docker: 12 TTPs — container escape, privileged mode abuse, image backdoor, socket exploitation
  • GCP Cloud: 40 TTPs — IAM, Compute Engine, Cloud Storage, Secret Manager, Cloud Audit Log correlation

4 SIEM Integrations for Detection Validation:

  • Splunk — SPL query generation, campaign correlation across all 604 TTPs
  • Microsoft Sentinel — KQL queries, Entra ID log correlation for Windows + Azure TTPs
  • AWS Security Hub — CloudWatch Logs Insights, GuardDuty findings for AWS TTPs
  • GCP Cloud Logging — Cloud Audit Log queries, Security Command Center integration (new)

APT Codex — Threat Intelligence Reference:

  • 21 APT group profiles across Russia, China, North Korea, Iran, and cybercriminal organizations
  • Operational history, signature TTPs, malware arsenals, and indictment records for each group
  • Major incidents timeline from Moonlight Maze (1996) to Bybit (2025)

Professional Documentation:

  • Complete TTP Reference document with all 604 TTPs and their full commands
  • Executive Whitepaper, Technical Guide, and TTP Handbook — all updated to v0.4.0
  • 99+ API endpoints documented with OpenAPI/Swagger

Security Quality | Feb 10, 2026 | v0.3.1

Security Hardening, SIEM Correlation Fixes & CI/CD Pipeline

Major security hardening pass across the entire framework. Fixed critical gaps in the SIEM correlation engine (Splunk, Sentinel, AWS SecurityHub). Added CI/CD pipeline with GitHub Actions, OpenAPI documentation for all 99+ endpoints, and expanded test coverage to 47 automated tests.

Tags: SIEM Correlation, CI/CD, OpenAPI, Security, 47 Tests

SIEM Correlation Fixes:

  • CloudTrail events now parsed from TTP YAML definitions (was empty placeholder)
  • Correlation results persisted to database across all 3 SIEM integrations
  • Splunk now uses all detection fields (security_log + sysmon + powershell), not just legacy event_ids
  • Cloud/container TTPs filtered from Windows event log SIEMs (Splunk/Sentinel)
  • AWS CloudWatch queries use eventSource for cross-service precision

Security Hardening:

  • CORS restriction via configurable CORS_ORIGIN environment variable
  • Login rate limiting: 10 attempts/min per username
  • 7 new database indexes on foreign keys for query performance
  • SSRF prevention on webhook URLs (blocks private IPs, loopback, cloud metadata)
  • Query limits on unbounded endpoints (agents, clients, users)
  • Agent sleep interval bounds (1-3600s) and shell execution timeout (300s)
  • Cascading deletes for campaigns, users, and agents (data integrity)
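Of the hardening items above, the SSRF guard on webhook URLs is the one whose edge cases are easiest to get wrong, so here is a worked version. This is an added example written in Rust for this page, not Cyllex's own implementation: the `validate_webhook_url` function, the `WebhookError` type and the injected `resolve` lookup are assumptions made for illustration. It rejects non-HTTP schemes, pulls the host out of the URL without a URL crate, and refuses any destination whose literal or resolved address lands in loopback, RFC 1918, link-local (which covers the 169.254.169.254 cloud metadata endpoint), CGNAT or IPv4-mapped IPv6 space.

```rust
use std::net::{IpAddr, Ipv4Addr, Ipv6Addr};

/// Why a webhook destination was rejected (type constructed for this example).
#[derive(Debug, PartialEq)]
pub enum WebhookError {
    UnsupportedScheme,
    MissingHost,
    Unresolvable,
    BlockedAddress(IpAddr),
}

/// IPv4 ranges a server-side request must never reach.
fn is_blocked_v4(ip: Ipv4Addr) -> bool {
    let [a, b, _, _] = ip.octets();
    match (a, b) {
        (127, _) => true,        // loopback
        (10, _) => true,         // RFC 1918
        (172, 16..=31) => true,  // RFC 1918
        (192, 168) => true,      // RFC 1918
        (169, 254) => true,      // link-local, includes IMDS 169.254.169.254
        (100, 64..=127) => true, // CGNAT 100.64.0.0/10
        (0, _) => true,          // "this network" 0.0.0.0/8
        _ => ip.is_broadcast(),
    }
}

/// IPv6 equivalent. IPv4-mapped addresses are handed to the v4 check so that
/// ::ffff:127.0.0.1 cannot slip past the filter.
fn is_blocked_v6(ip: Ipv6Addr) -> bool {
    if let Some(v4) = ip.to_ipv4_mapped() {
        return is_blocked_v4(v4);
    }
    let first = ip.segments()[0];
    ip.is_loopback()
        || ip.is_unspecified()
        || (first & 0xfe00) == 0xfc00 // fc00::/7 unique local
        || (first & 0xffc0) == 0xfe80 // fe80::/10 link local
}

pub fn is_blocked_ip(ip: IpAddr) -> bool {
    match ip {
        IpAddr::V4(v4) => is_blocked_v4(v4),
        IpAddr::V6(v6) => is_blocked_v6(v6),
    }
}

/// Extract the host of an http(s) URL: check the scheme, cut the authority at
/// the first '/', '?' or '#', drop userinfo, then drop the port (bracketed IPv6
/// literals like [::1]:8080 are handled separately).
fn host_of(url: &str) -> Result<String, WebhookError> {
    let (scheme, rest) = url.split_once("://").ok_or(WebhookError::UnsupportedScheme)?;
    if !scheme.eq_ignore_ascii_case("http") && !scheme.eq_ignore_ascii_case("https") {
        return Err(WebhookError::UnsupportedScheme);
    }
    let authority = rest.split(|c: char| c == '/' || c == '?' || c == '#').next().unwrap_or("");
    let authority = authority.rsplit('@').next().unwrap_or(authority);
    let host = match authority.strip_prefix('[') {
        Some(v6) => v6.split(']').next().unwrap_or(""),
        None => authority.split(':').next().unwrap_or(""),
    };
    if host.is_empty() {
        return Err(WebhookError::MissingHost);
    }
    Ok(host.to_string())
}

/// Validate a webhook URL and return the addresses it was cleared for.
/// `resolve` is injected so the check runs offline here; in a server it would
/// wrap std::net::ToSocketAddrs or whatever async resolver the server uses.
pub fn validate_webhook_url<F>(url: &str, resolve: F) -> Result<Vec<IpAddr>, WebhookError>
where
    F: Fn(&str) -> Vec<IpAddr>,
{
    let host = host_of(url)?;
    // An IP literal needs no lookup; a hostname is resolved and EVERY answer is
    // checked, because one public plus one private record is a classic bypass.
    let addrs = match host.parse::<IpAddr>() {
        Ok(ip) => vec![ip],
        Err(_) => resolve(&host),
    };
    if addrs.is_empty() {
        return Err(WebhookError::Unresolvable);
    }
    if let Some(bad) = addrs.iter().copied().find(|ip| is_blocked_ip(*ip)) {
        return Err(WebhookError::BlockedAddress(bad));
    }
    Ok(addrs)
}

fn main() {
    // Constructed static table standing in for DNS; hostnames are documentation examples.
    let resolve = |host: &str| -> Vec<IpAddr> {
        match host {
            "hooks.example.com" => vec!["203.0.113.10".parse().unwrap()],
            "rebind.example.com" => vec!["203.0.113.11".parse().unwrap(), "10.0.0.5".parse().unwrap()],
            _ => vec![],
        }
    };
    for url in [
        "https://hooks.example.com/notify",
        "http://169.254.169.254/latest/meta-data/",
        "http://[::ffff:127.0.0.1]:8080/",
        "https://rebind.example.com/x",
    ] {
        println!("{url} -> {:?}", validate_webhook_url(url, &resolve));
    }
}
```

Two points the code makes that a deny-list by itself does not: the filter is applied to resolved addresses rather than to the URL text, so odd literals that the IP parser rejects but a libc resolver accepts are still caught, and all records are checked rather than the first. What it does not solve is the time-of-check gap: if the server later resolves the hostname again when connecting, a DNS rebinding answer can swap in a private address, so the connection should be made to the addresses this function returned (or the check repeated at connect time). Where the deployment allows it, an allow-list of approved webhook hosts is stronger than any deny-list.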

Developer Experience:

  • CI/CD pipeline with GitHub Actions (fmt + clippy + 47 tests on every push)
  • Automated release workflow: build agents + server + create GitHub Release on tag
  • OpenAPI/Swagger documentation for all 99+ API endpoints at /swagger-ui/
  • 47 automated tests: 34 API integration + 13 agent protocol

Feature | Feb 9, 2026 | v0.3.0

Native Binary Execution — Disk & In-Memory PE Loading

Dual-mode native binary execution. Disk-based mode (write to temp, execute, cleanup) validates basic AV/EDR file scanning. In-memory PE loading (parse headers, allocate memory, resolve imports, execute from memory with zero disk footprint) validates advanced EDR behavioral detection.

Tags: Native Binary, PE Loader, In-Memory, Mimikatz, Credential Access

What's new:

  • Native binary execution: download artifact, write to temp, execute with arguments, RAII cleanup
  • In-memory PE loader: full PE parsing (headers, sections, relocations, imports), VirtualAlloc, execute entry point in thread
  • PEB command line patching for argument passing to in-memory loaded binaries
  • Automatic fallback between execution methods (disk → memory or vice versa)
  • Two new mimikatz TTPs: T1003.001-05 (disk) and T1003.001-06 (in-memory)
  • Execution method selector in campaign UI (CLR, PowerShell, Native Binary, Native Memory)
  • 35 container TTPs expanded (Kubernetes + Docker across 9 MITRE tactics)
  • Microsoft Sentinel integration — KQL query console with campaign correlation
  • AWS Security Hub integration — CloudWatch Logs Insights + GuardDuty correlation
  • Campaign templates, gap analysis, Navigator export, compliance mapping
  • Campaign comparison and recurrent scheduling (daily/weekly/monthly)

Feature | Feb 5, 2026 | v0.2.2

TTP Event Definitions & Splunk Correlation

TTPs now include expected security events with descriptions, helping blue teams understand what to look for. Added Splunk integration to correlate TTP executions with SIEM detections.

Tags: TTP Events, Splunk Correlation

What's new:

  • Each TTP now includes expected security events with descriptions and relevant info
  • Event details help defenders know what logs/alerts should trigger
  • Splunk integration to correlate TTP executions with detection alerts

Update | Jan 30, 2026 | v0.2.1

New AWS TTPs & Bug Fixes

Expanded cloud coverage with 15 new AWS TTPs for IAM, EC2, S3, and Lambda testing. Also fixed a bug where TTPs could occasionally run more than once during campaign execution.

Tags: AWS Cloud, IAM, EC2, Bugfix

What's new:

  • 15 new AWS Cloud TTPs: IAM enumeration, EC2 discovery, S3 bucket access, Lambda functions
  • Cloud credential injection per campaign
  • Fixed duplicate TTP execution bug in agent campaigns

UX-Feature | Jan 18, 2026 | v0.3.7-dev

Interactive Onboarding Tour, Cloud TTPs & UX Improvements

New guided tour system walks users through all framework features. Enhanced deployment workflow with remote agent management. Expanded AWS Cloud TTP coverage to 33/57 techniques (57.9%).

Tags: Guided Tour, Agent Deploy, Remote Kill, AWS Cloud

New Features:

  • 20-step interactive tour covering dashboard, TTPs, threat groups, agents, and campaigns
  • Deploy button to download helper scripts for agent deployment on remote hosts
  • Remote agent kill functionality with graceful cleanup
  • Enhanced agent status notifications in header
  • Improved TTP variable customization with {{variable}} syntax
  • Expanded AWS Cloud TTPs: 33/57 techniques (57.9% coverage)
  • Improved cloud campaign configuration workflow

Feature | Jan 17, 2026 | v0.3.7-dev

Rust Assembly Execution & Active Directory Attack TTPs

Enhanced assembly execution via Rust agent using inline .NET CLR hosting. New ADCS and Shadow Credentials TTPs with Certify and Whisker tooling. Pure LDAP enumeration techniques for stealthier reconnaissance.

Tags: Rust, CLR, ADCS, Shadow Credentials, LDAP Enum

New Features:

  • Rust agent supports .NET assembly execution
  • Improved Upload Assemblies section with better UX
  • ADCS attack TTPs using Certify (ESC1-ESC8) with maturity levels
  • Shadow Credentials TTPs using Whisker for DACL abuse
  • Pure LDAP enumeration TTPs for stealthy domain reconnaissance
  • TTP maturity classification (Basic, Intermediate, Advanced)

Feature | Dec 25, 2025 | v0.3.6-dev

APT Campaigns & Attack Chain Visualization

Complete overhaul of the Threat Groups module with APT Campaigns view, real-time execution tracking, and one-click campaign emulation based on documented attack patterns.

Tags: APT Campaigns, Attack Chains, Execution Tracking, MITRE Mapping

New Features:

  • APT Campaigns tab with documented attack patterns from threat intel sources
  • Visual attack chain diagrams showing kill chain progression
  • Real-time TTP execution tracking (Success/Failed/Untested status)
  • "Emulate Campaign" button to auto-load campaign TTPs
  • APT Matrix heatmap showing TTP coverage across threat groups
  • 8 pre-built campaigns: Scattered Spider, APT28, APT29, Lazarus, Volt Typhoon, FIN7, LockBit, BlackCat

Feature | Dec 20, 2025 | v0.3.5-dev

Cloud TTPs & Multi-Matrix MITRE View

Full cloud security testing support for AWS, Azure, GCP, and Office 365. Interactive MITRE ATT&CK matrix views now include Enterprise, Cloud, and Container matrices.

Tags: AWS, Azure, GCP, Office 365

Cloud TTPs:

  • AWS: EC2/IAM/S3 enumeration, IMDS credential extraction
  • Azure: VM/Azure AD/Storage/Key Vault discovery
  • Per-campaign cloud credential injection (not stored)
  • Local execution mode for cloud commands

Feature | Dec 15, 2025

Agentless Execution - WinRM & SSH

Execute TTPs on remote systems without deploying an agent. Agentless works as a transport layer — any PowerShell/CMD TTP runs via WinRM, any bash TTP via SSH. ~308 of 358 TTPs (86%) are compatible.

Tags: WinRM, SSH, Remote Execution

Agentless TTPs:

  • WinRM: ~288 TTPs compatible (PowerShell/CMD transport layer)
  • SSH: ~20 TTPs compatible (bash transport layer)
  • Connection testing before campaign execution
  • SSL/TLS support for WinRM (port 5986)

Feature | Dec 10, 2025 | v0.3.0-dev

Container TTPs - Kubernetes & Docker

New MITRE ATT&CK Container matrix support with Kubernetes and Docker security testing. 9 tactics covering container escape, privilege escalation, and lateral movement.

Tags: Kubernetes, Docker, Containers

Container Techniques:

  • K8S001: Kubernetes Pod Enumeration
  • Container Administration Command
  • Escape to Host techniques
  • Container and Resource Discovery

Feature | Dec 5, 2025

Instant Agent Generation - Binary Patching

Generate configured agents in under 1 second using binary patching. No compiler required on deployment servers - single executable deployment.

Tags: Binary Patching, All-in-One, Cross-Platform

Key Features:

  • Agent generation in ~0.3 seconds
  • Embedded pre-compiled templates (Windows x64, Linux x64)
  • Configurable: C2 URL, sleep, jitter, agent ID
  • No Rust/compiler needed on target server

Intel | Nov 28, 2025

Threat Groups Database - APT Emulation

Comprehensive APT database with detailed profiles, TTPs mapped to MITRE ATT&CK, and associated malware. Create campaigns based on real threat actor behaviors.

Tags: APT28, APT29, Lazarus, FIN7

Included Groups:

  • Russia: APT28/Fancy Bear, APT29/Cozy Bear, Sandworm
  • China: APT41/Winnti, APT1/Comment Crew
  • North Korea: Lazarus Group, APT38
  • Iran: APT33/Elfin
  • Cybercriminal: FIN7/Carbanak

Feature | Nov 20, 2025 | v0.2.0-dev

Linux Agent - Full Cross-Platform Support

Native Linux agent built in Rust with cross-compilation via Zig. Deploy agents on Windows and Linux from a single server installation.

Tags: Linux x64, Rust, Zig, Cross-Compile

Key Features:

  • Native Rust implementation (~15MB binary)
  • Cross-compile from Windows using cargo-zigbuild
  • Systemd and cron-based persistence
  • SSH lateral movement capabilities

Feature | Nov 10, 2025

Campaign Reports - CSV & PDF Export

Export campaign results to CSV and PDF formats. Generate detailed reports with execution status, detection metrics, and timeline visualization.

Tags: CSV Export, PDF Reports, Detection Metrics