
Releases: gocortexio/signalbench

v1.7.1

28 Mar 10:06

SignalBench v1.7.1: I’m In The Middle Of A Chain Reaction

SignalBench enables security professionals to generate realistic endpoint telemetry patterns for analytics development, research, and training scenarios. It implements multiple techniques from the MITRE ATT&CK framework across categories including persistence, privilege escalation, defence evasion, credential access, discovery, lateral movement, collection, impact, command and control, and exfiltration.

New in SignalBench v1.7.1

With a lot of work sitting on the development branch, SignalBench is being bumped
to a dot-0 release to make way for integration with https://github.com/gocortexio/gocortexbrokenbank

FEATURES:

  • Multi-technique run subcommand added (v1.7.1 feature)
  • Added (experimental) --chain flag to run/category: builds a genuine parent/child process
    tree in which each hop renames itself via prctl(PR_SET_NAME) and argv[0] aliasing (those
    rewrite comm and cmdline; /proc/<pid>/exe still points at the real binary); all flags
    propagate down the chain

IMPROVEMENTS:

  • T1071-IOC hardened: domains classified as safe (*.sigre.xyz, TEST-NET IPs) or
    unowned (.tk/.ru/.cn etc.); root mode adds /etc/hosts entries atomically via
    marker block (SIGNALBENCH-T1071-IOC-START/END) and removes them on cleanup;
    non-root mode skips unowned domains with a warning instead of connecting;
    marker integrity guard aborts cleanup if block is partially corrupt

This release includes binaries for multiple architectures and distributions:

Recommended (Static builds, no GLIBC dependency):

  • linux-musl-x86_64: Universal Linux 64-bit (static, works on any Linux distribution)
  • linux-musl-aarch64: Universal Linux ARM64 (static, works on any Linux distribution)

GLIBC builds (for specific distributions):

  • debian12-glibc2.36-x86_64: Debian 12/Ubuntu 22.04+ 64-bit (requires GLIBC 2.36+)
  • debian12-glibc2.36-aarch64: Debian 12/Ubuntu 22.04+ ARM64 (requires GLIBC 2.36+)

Installation

For maximum compatibility (recommended):

# Download universal static binary (works on any Linux distribution)
wget https://github.com/gocortexio/signalbench/releases/download/v1.7.1/signalbench-v1.7.1-linux-musl-x86_64
chmod +x signalbench-v1.7.1-linux-musl-x86_64
sudo mv signalbench-v1.7.1-linux-musl-x86_64 /usr/local/bin/signalbench

For Debian 12/Ubuntu 22.04+ systems:

# Download GLIBC 2.36+ compatible binary
wget https://github.com/gocortexio/signalbench/releases/download/v1.7.1/signalbench-v1.7.1-debian12-glibc2.36-x86_64
chmod +x signalbench-v1.7.1-debian12-glibc2.36-x86_64
sudo mv signalbench-v1.7.1-debian12-glibc2.36-x86_64 /usr/local/bin/signalbench

Usage

# List available techniques
./signalbench list

# Run a technique in dry-run mode
./signalbench run T1082 --dry-run

# Get help
./signalbench --help

Technical Details

  • Built with Rust: High performance and memory safety
  • MITRE ATT&CK Integration: Real technique implementations
  • Cross-platform: Multiple Linux distributions supported
  • Safe Testing: Built-in cleanup and safety mechanisms

Full Changelog: v1.7.0...v1.7.1

v1.7.0

20 Mar 10:49

SignalBench v1.7.0: I’m In The Middle Of A Chain Reaction

New in SignalBench v1.7.0

With a lot of work sitting on the development branch, SignalBench is being bumped
to a dot-0 release to make way for integration with https://github.com/gocortexio/gocortexbrokenbank

FEATURES:

  • Added (experimental) --chain flag to run/category: builds a genuine parent/child process
    tree in which each hop renames itself via prctl(PR_SET_NAME) and argv[0] aliasing (those
    rewrite comm and cmdline; /proc/<pid>/exe still points at the real binary); all flags
    propagate down the chain

IMPROVEMENTS:

  • T1071-IOC hardened: domains classified as safe (*.sigre.xyz, TEST-NET IPs) or
    unowned (.tk/.ru/.cn etc.); root mode adds /etc/hosts entries atomically via
    marker block (SIGNALBENCH-T1071-IOC-START/END) and removes them on cleanup;
    non-root mode skips unowned domains with a warning instead of connecting;
    marker integrity guard aborts cleanup if block is partially corrupt
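
The marker-block handling described in the T1071-IOC entry above (and in the identical v1.7.1 entry), as an added Python example that is not SignalBench's own code: the safe/unowned classification, the idempotent add and remove of the SIGNALBENCH-T1071-IOC block, the integrity guard that refuses to touch the file when the block is only half present, and the temp-file-plus-rename write that keeps /etc/hosts whole if the process dies mid-write. The sink address 192.0.2.1, the sample .tk domain and the hosts contents are constructed; treating every domain outside the owned suffix and TEST-NET as unowned is an assumption about how far the page's ".tk/.ru/.cn etc." list extends.

```python
import ipaddress
import os
import tempfile

START = "# SIGNALBENCH-T1071-IOC-START"
END = "# SIGNALBENCH-T1071-IOC-END"
OWNED_SUFFIX = ".sigre.xyz"
# RFC 5737 documentation ranges (TEST-NET-1/2/3): never routed on the internet.
TEST_NETS = [ipaddress.ip_network(n) for n in ("192.0.2.0/24", "198.51.100.0/24", "203.0.113.0/24")]


def classify(target: str) -> str:
    """'safe' for owned domains and TEST-NET literals, 'unowned' for anything else
    (.tk/.ru/.cn and every other domain nobody on the team controls; assumption)."""
    try:
        if any(ipaddress.ip_address(target) in net for net in TEST_NETS):
            return "safe"
    except ValueError:
        pass  # not an IP literal; treat as a hostname
    host = target.lower().rstrip(".")
    if host == OWNED_SUFFIX[1:] or host.endswith(OWNED_SUFFIX):
        return "safe"
    return "unowned"


def find_block(lines):
    """Return (start, end) indices of the marker block, or None if absent.
    Exactly one START followed by exactly one END is required; anything else is
    a partially corrupt block and raises, so cleanup refuses to guess."""
    starts = [i for i, l in enumerate(lines) if l.strip() == START]
    ends = [i for i, l in enumerate(lines) if l.strip() == END]
    if not starts and not ends:
        return None
    if len(starts) != 1 or len(ends) != 1 or ends[0] < starts[0]:
        raise ValueError("marker block is corrupt; refusing to modify hosts file")
    return starts[0], ends[0]


def add_block(text: str, entries) -> str:
    """Append one marker block of 'ip<TAB>domain' lines; an existing block is
    replaced so repeated runs never stack duplicates."""
    lines = text.splitlines()
    found = find_block(lines)
    if found:
        del lines[found[0]:found[1] + 1]
    block = [START] + [f"{ip}\t{domain}" for ip, domain in entries] + [END]
    return "\n".join(lines + block) + "\n"


def remove_block(text: str) -> str:
    lines = text.splitlines()
    found = find_block(lines)
    if found is None:
        return text
    del lines[found[0]:found[1] + 1]
    return "\n".join(lines) + ("\n" if lines else "")


def write_atomic(path: str, data: str) -> None:
    """Write to a temp file in the same directory, fsync, then rename over the
    target, so a crash never leaves a half-written /etc/hosts."""
    fd, tmp = tempfile.mkstemp(dir=os.path.dirname(path) or ".", prefix=".hosts.")
    try:
        with os.fdopen(fd, "w") as f:
            f.write(data)
            f.flush()
            os.fsync(f.fileno())
        os.chmod(tmp, 0o644)
        os.replace(tmp, path)
    except BaseException:
        os.unlink(tmp)
        raise


def plan_targets(domains, is_root: bool, sink_ip: str = "192.0.2.1"):
    """Mirror the root/non-root policy: safe targets are used as-is; unowned
    domains are pinned to sink_ip (constructed TEST-NET address) through the
    hosts block when root, and skipped with a warning otherwise so the tool
    never resolves or contacts a domain nobody on the team controls."""
    targets, hosts_entries, warnings = [], [], []
    for d in domains:
        if classify(d) == "safe":
            targets.append(d)
        elif is_root:
            hosts_entries.append((sink_ip, d))
            targets.append(d)
        else:
            warnings.append(f"[WARN] skipping unowned domain {d}: not root, cannot pin it in /etc/hosts")
    return targets, hosts_entries, warnings


if __name__ == "__main__":
    # Constructed demo on a scratch copy rather than the real /etc/hosts.
    scratch = os.path.join(tempfile.mkdtemp(), "hosts")
    write_atomic(scratch, "127.0.0.1\tlocalhost\n")
    _, entries, _ = plan_targets(["c2.sigre.xyz", "evil-update.tk"], is_root=True)
    write_atomic(scratch, add_block(open(scratch).read(), entries))
    print(open(scratch).read())
```

Pointing the staged domains at a TEST-NET address means the technique still produces a DNS-free connection attempt with the IOC name in process and socket telemetry, while the packets go nowhere. The guard in find_block is the important part for cleanup: stripping "everything between the markers" on a file where one marker has been edited away would delete the administrator's real entries.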

Installation

For maximum compatibility (recommended):

# Download universal static binary (works on any Linux distribution)
wget https://github.com/gocortexio/signalbench/releases/download/v1.7.0/signalbench-1.7.0-linux-musl-x86_64
chmod +x signalbench-1.7.0-linux-musl-x86_64
sudo mv signalbench-1.7.0-linux-musl-x86_64 /usr/local/bin/signalbench

For Debian 12/Ubuntu 22.04+ systems:

# Download GLIBC 2.36+ compatible binary
wget https://github.com/gocortexio/signalbench/releases/download/v1.7.0/signalbench-1.7.0-debian12-glibc2.36-x86_64
chmod +x signalbench-1.7.0-debian12-glibc2.36-x86_64
sudo mv signalbench-1.7.0-debian12-glibc2.36-x86_64 /usr/local/bin/signalbench

Full Changelog: v1.6.47...v1.7.0

v1.6.47

18 Jan 14:30

SignalBench v1.6.47: Nobody Puts Baby SignalBox In A Corner Container

New in SignalBench v1.6.47 (chasing easy wins, since we're not ready for the time sink that 1.7.x will be)

LICENSING:

  • Moved to AGPL-3.0-or-later
  • SPDX headers added everywhere, including CI configs (sorry)

FEATURES:

  • (NEW IN v1.6.47) Added 1s timeout to ICMP ping in T1048/T1095 (no more hanging around forever)
  • (NEW IN v1.6.47) Rust-native fallback for the strings utility when binutils isn’t installed
  • (NEW IN v1.6.47) libc setxattr syscall fallback when setfattr is missing
  • (NEW IN v1.6.47) ASCII-only output markers: [OK], [FAIL], [WARN], [FORCE] for better greppability
  • Voltron Mode (introduced in an earlier release): distributed MITRE ATT&CK technique execution across multiple Linux endpoints through encrypted peer-to-peer coordination
  • Add global --force flag to bypass environment pre-checks and run both primary and fallback methods
  • Add global --debug flag for verbose logging
  • Add ALL_CAPS meta-category to run all techniques across all categories with force mode enabled
  • Add global --delay-cleanup to pause before removing artefacts after technique execution

NETWORK TELEMETRY:

  • Update T1046, T1095, T1048 default targets from loopback to Palo Alto sinkhole (198.135.184.22); these techniques now send real outbound traffic from the host, so expect it in firewall, proxy and NDR logs
  • T1021.004/T1021.005 retain localhost for service-dependent SSH/VNC lateral movement testing

TECHNIQUE ENHANCEMENTS:

  • (NEW IN v1.6.47) T1068.001: CVE-2024-1086 Nftables Exploit
  • (NEW IN v1.6.47) T1068.002: CVE-2025-38352 POSIX CPU Timer Race
  • (NEW IN v1.6.47) T1068.003: CVE-2025-40190 Ext4 Xattr Underflow
  • (NEW IN v1.6.47) T1611.012: RunC Masked Path Escape (CVE-2025-31133)
  • (NEW IN v1.6.47) T1611.013: RunC Console Escape (CVE-2025-52565)
  • (NEW IN v1.6.47) T1611.014: RunC Procfs Escape (CVE-2025-52881)
    (the six entries above target real kernel and runC vulnerabilities; run them only on
    disposable test hosts, since an attempt against a kernel bug that fails can still panic
    or destabilise the machine)
  • T1003.001: Add ptrace/strace attachment attempts, /proc/[pid]/maps enumeration for memory access telemetry
  • T1110.002: Execute hydra with visible process arguments (-l user -P wordlist target service)
  • T1036-PROC: Extend runtime to 5 seconds, spawn 3 child processes for better masquerading detection
  • T1070.004-SELF: Add network activity before deletion, extend delays for self-deleting binary pattern
  • T1059.004.001: Add outbound connections to known bad ports (4444, 1337, 31337)
  • T1548-GTFOBINS: Add actual exploitation commands for vim, python, perl, awk, find binaries
  • T1119: Target sensitive paths including shadow, passwd, sudoers, SSH key patterns

CONTAINER ESCAPE TECHNIQUES:

  • Add T1611-SOCK, T1611-PRIV, T1611-MOUNT, T1611-CGROUP, T1611-MODULE, T1611-RECON
  • Add T1611-PIDNS, T1611-SUID, T1611-BREAKOUT, T1611-CVE, T1611-NS
  • Based on Unit42 research, deepce, LinPEAS, and Traitor patterns (ACKNOWLEDGEMENTS.md)

What is Voltron Mode?

Voltron Mode transforms SignalBench from a single-host telemetry generator into a multi-host attack simulation platform. Techniques requiring lateral movement, network-based command and control, or distributed operations can now execute across actual networked systems, generating authentic cross-host telemetry.

Architecture

  • Server: Coordinator listening on TCP 0.0.0.0:16969 with encrypted JSON-RPC 2.0 protocol (that is every
    interface, so restrict the port to the lab network with a host firewall: anyone holding the PSK can
    dispatch techniques to every joined endpoint)
  • Clients: Endpoint nodes executing techniques on command
  • Encryption: Pre-shared key (PSK) authentication with ChaCha20-Poly1305 for all communication
  • Journal: SQLite database tracking execution state for crash recovery
  • Dual-Plane: Control channel (TCP 16969) plus native protocol ports (SSH 2222, VNC 5900, etc.)

Current Capabilities

T1021.004-PROTO - SSH Lateral Movement

  • Real SSH connections between endpoints on port 2222 (avoiding system SSH)
  • Actual authentication, key exchange, tunnel establishment
  • Generates authentic SSH protocol telemetry

T1021.005-PROTO - VNC Remote Desktop

  • Full RFB (Remote Framebuffer) protocol implementation
  • TightVNC file transfer extension (messages 132-133)
  • Simulates data exfiltration: uploads gocortex.sh (8KB) and ssigre-malware.bin (24KB)
  • Generates authentic VNC protocol and file transfer telemetry

Installation

For maximum compatibility (recommended):

# Download universal static binary (works on any Linux distribution)
wget https://github.com/gocortexio/signalbench/releases/download/v1.6.47/signalbench-1.6.47-linux-musl-x86_64
chmod +x signalbench-1.6.47-linux-musl-x86_64
sudo mv signalbench-1.6.47-linux-musl-x86_64 /usr/local/bin/signalbench

For Debian 12/Ubuntu 22.04+ systems:

# Download GLIBC 2.36+ compatible binary
wget https://github.com/gocortexio/signalbench/releases/download/v1.6.47/signalbench-1.6.47-debian12-glibc2.36-x86_64
chmod +x signalbench-1.6.47-debian12-glibc2.36-x86_64
sudo mv signalbench-1.6.47-debian12-glibc2.36-x86_64 /usr/local/bin/signalbench

Full Changelog: v1.6.41...v1.6.47

v1.6.41

06 Dec 03:50

SignalBench v1.6.41: Nobody Puts Baby SignalBox In A Corner Container

New in SignalBench v1.6.41:

FEATURES:

  • Voltron Mode (introduced in the previous release): distributed MITRE ATT&CK technique execution across multiple Linux endpoints through encrypted peer-to-peer coordination
  • Add global --force flag to bypass environment pre-checks and run both primary and fallback methods
  • Add global --debug flag for verbose logging
  • Add ALL_CAPS meta-category to run all techniques across all categories with force mode enabled
  • Add global --delay-cleanup to pause before removing artefacts after technique execution

NETWORK TELEMETRY:

  • Update T1046, T1095, T1048 default targets from loopback to Palo Alto sinkhole (198.135.184.22); these techniques now send real outbound traffic from the host, so expect it in firewall, proxy and NDR logs
  • T1021.004/T1021.005 retain localhost for service-dependent SSH/VNC lateral movement testing

TECHNIQUE ENHANCEMENTS:

  • T1003.001: Add ptrace/strace attachment attempts, /proc/[pid]/maps enumeration for memory access telemetry
  • T1110.002: Execute hydra with visible process arguments (-l user -P wordlist target service)
  • T1036-PROC: Extend runtime to 5 seconds, spawn 3 child processes for better masquerading detection
  • T1070.004-SELF: Add network activity before deletion, extend delays for self-deleting binary pattern
  • T1059.004.001: Add outbound connections to known bad ports (4444, 1337, 31337)
  • T1548-GTFOBINS: Add actual exploitation commands for vim, python, perl, awk, find binaries
  • T1119: Target sensitive paths including shadow, passwd, sudoers, SSH key patterns

CONTAINER ESCAPE TECHNIQUES:

  • Add T1611-SOCK, T1611-PRIV, T1611-MOUNT, T1611-CGROUP, T1611-MODULE, T1611-RECON
  • Add T1611-PIDNS, T1611-SUID, T1611-BREAKOUT, T1611-CVE, T1611-NS
  • Based on Unit42 research, deepce, LinPEAS, and Traitor patterns (ACKNOWLEDGEMENTS.md)

Installation

For maximum compatibility (recommended):

# Download universal static binary (works on any Linux distribution)
wget https://github.com/gocortex/signalbench/releases/download/v1.6.41/signalbench-v1.6.41-linux-musl-x86_64
chmod +x signalbench-v1.6.41-linux-musl-x86_64
sudo mv signalbench-v1.6.41-linux-musl-x86_64 /usr/local/bin/signalbench

For Debian 12/Ubuntu 22.04+ systems:

# Download GLIBC 2.36+ compatible binary
wget https://github.com/gocortex/signalbench/releases/download/v1.6.41/signalbench-v1.6.41-debian12-glibc2.36-x86_64
chmod +x signalbench-v1.6.41-debian12-glibc2.36-x86_64
sudo mv signalbench-v1.6.41-debian12-glibc2.36-x86_64 /usr/local/bin/signalbench

Full Changelog: v1.6.19...v1.6.41

v1.6.19

23 Nov 10:42

SignalBench v1.6.19 - Endpoint Telemetry Generator

v1.6.19 “Activate interlock! Dynotherms connected! Infracells up! Mega thrusters are go!”

NEW in v1.6: SignalBench introduces Voltron Mode, enabling distributed MITRE ATT&CK technique execution across multiple Linux endpoints through encrypted peer-to-peer coordination.

Installation

For maximum compatibility (recommended):

# Download universal static binary (works on any Linux distribution)
wget https://github.com/gocortex/signalbench/releases/download/v1.6.19/signalbench-v1.6.19-linux-musl-x86_64
chmod +x signalbench-v1.6.19-linux-musl-x86_64
sudo mv signalbench-v1.6.19-linux-musl-x86_64 /usr/local/bin/signalbench

For Debian 12/Ubuntu 22.04+ systems:

# Download GLIBC 2.36+ compatible binary
wget https://github.com/gocortex/signalbench/releases/download/v1.6.19/signalbench-v1.6.19-debian12-glibc2.36-x86_64
chmod +x signalbench-v1.6.19-debian12-glibc2.36-x86_64
sudo mv signalbench-v1.6.19-debian12-glibc2.36-x86_64 /usr/local/bin/signalbench

Full Changelog: v1.5.22...v1.6.19

v1.5.22

15 Nov 04:58

SignalBench v1.5.22 - Endpoint Telemetry Generator

v1.5.22 The Ultimate Supersized Release

SignalBench v1.5.22 brings the total to 42 techniques, 36 of them supersized (86% coverage). This release adds 9 supersized techniques (4 upgrades of existing techniques + 5 brand new), including the new COLLECTION and IMPACT categories, whilst keeping every technique safe and reversible:

4 UPGRADED SUPERSIZED TECHNIQUES:

  • T1053.003 Cron Job: Creates REAL system-wide and user cron jobs in /etc/cron.d/ and via crontab, executes benign commands, full backup/restore
  • T1547.002 Startup Folder: Actually modifies /etc/profile.d/, ~/.bashrc, ~/.bash_profile with persistence commands, comprehensive backup/restoration
  • T1036.003 Masquerading: Compiles REAL C binaries with misleading names ([kworker/0:0], systemd-journald, crond), uses prctl() for process name spoofing
  • T1505.003 Web Shell: Deploys REAL malicious PHP and Python web shells with eval(), system(), exec() backdoor patterns, multiple variants
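
Detection-side companion to the prctl() process-name spoofing in T1036.003 above, the T1036-PROC parent/child spawning in v1.6.x, and the --chain process tree in v1.7.x, as an added Python example that is not SignalBench's own code. It compares the three /proc fields those tricks leave inconsistent (comm, which prctl(PR_SET_NAME) rewrites; argv[0] from cmdline, which argv[0] aliasing rewrites; and the exe link, which neither can change), flags the mismatches, and walks ppid links so a run of renamed children is reported as one chain back to the honest ancestor. The process snapshot is constructed; read_proc() builds the same structure from a live Linux /proc.

```python
from __future__ import annotations

import os
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Proc:
    pid: int
    ppid: int
    comm: str    # /proc/<pid>/comm: what prctl(PR_SET_NAME) rewrites, 15 bytes max
    argv0: str   # first NUL-separated field of /proc/<pid>/cmdline: what argv[0] aliasing rewrites
    exe: str     # readlink(/proc/<pid>/exe): the binary actually running; neither trick changes it


# Constructed snapshot of a --chain run: one real binary, three hops renamed to look like daemons.
SNAPSHOT = [
    Proc(1,    0,    "systemd",         "/lib/systemd/systemd", "/usr/lib/systemd/systemd"),
    Proc(2,    0,    "kthreadd",        "",                     ""),  # kernel thread: no cmdline, no exe
    Proc(812,  1,    "sshd",            "sshd: alice [priv]",   "/usr/sbin/sshd"),
    Proc(901,  812,  "bash",            "-bash",                "/usr/bin/bash"),
    Proc(1500, 1,    "cron",            "/usr/sbin/cron",       "/usr/sbin/cron"),
    Proc(4201, 901,  "signalbench",     "signalbench",          "/usr/local/bin/signalbench"),
    Proc(4202, 4201, "kworker/0:0",     "[kworker/0:0]",        "/usr/local/bin/signalbench"),
    Proc(4203, 4202, "systemd-journal", "systemd-journald",     "/usr/local/bin/signalbench"),
    Proc(4204, 4203, "crond",           "crond",                "/usr/local/bin/signalbench"),
]


def argv0_name(argv0: str) -> str:
    """Normalise argv[0] for comparison: drop the login-shell '-' prefix, sshd-style
    'name:' labels and kernel-thread brackets, then reduce a path to its basename."""
    parts = argv0.split()
    tok = parts[0].strip("-:[]") if parts else ""
    return os.path.basename(tok) if tok.startswith("/") else tok


def name_mismatch(p: Proc) -> list[str]:
    """Reasons this process looks renamed; empty when comm, argv[0] and exe agree."""
    if not p.exe and not p.argv0:
        return []  # kernel thread; nothing to compare against
    base = os.path.basename(p.exe)
    reasons = []
    if p.comm != base[:15]:  # the kernel truncates comm to 15 bytes
        reasons.append(f"comm {p.comm!r} != exe basename {base!r}")
    a0 = argv0_name(p.argv0)
    if a0 and a0 != base:
        reasons.append(f"argv[0] {p.argv0!r} != exe basename {base!r}")
    if p.argv0.startswith("[") and p.exe:
        reasons.append("bracketed argv[0] but the process has an exe; real kernel threads have none")
    return reasons


def ancestry(procs: dict[int, Proc], pid: int) -> list[Proc]:
    """Walk ppid links to the root. This is what makes --chain 'genuine': every hop is
    a distinct child in the kernel's process table, not one process renaming itself."""
    chain, seen = [], set()
    while pid in procs and pid not in seen:
        seen.add(pid)
        chain.append(procs[pid])
        pid = procs[pid].ppid
    return chain


def masquerade_chains(snapshot: list[Proc]) -> dict[int, list[int]]:
    """{leaf pid: pids from the leaf up to and including the first honest ancestor}
    for every run of renamed parent/child processes, so a three-hop chain is one finding."""
    procs = {p.pid: p for p in snapshot}
    flagged = {p.pid for p in snapshot if name_mismatch(p)}
    children = defaultdict(list)
    for p in snapshot:
        children[p.ppid].append(p.pid)
    leaves = [pid for pid in flagged if not any(c in flagged for c in children[pid])]
    findings = {}
    for leaf in leaves:
        run = []
        for p in ancestry(procs, leaf):
            run.append(p.pid)
            if p.pid not in flagged:
                break  # stop at the honest parent, kept as context
        findings[leaf] = run
    return findings


def read_proc() -> list[Proc]:
    """Live snapshot from /proc (Linux only), reading exactly the three fields above."""
    out = []
    for d in os.listdir("/proc"):
        if not d.isdigit():
            continue
        try:
            with open(f"/proc/{d}/status") as f:
                fields = dict(line.split(":", 1) for line in f if ":" in line)
            with open(f"/proc/{d}/cmdline", "rb") as f:
                argv0 = f.read().split(b"\0")[0].decode(errors="replace")
            try:
                exe = os.readlink(f"/proc/{d}/exe")
            except OSError:
                exe = ""  # kernel thread, or a process we are not allowed to inspect
            out.append(Proc(int(d), int(fields["PPid"]), fields["Name"].strip(), argv0, exe))
        except (OSError, KeyError):
            continue  # process exited mid-scan
    return out


if __name__ == "__main__":
    for leaf, run in masquerade_chains(SNAPSHOT).items():
        print(f"masquerade chain ending at pid {leaf}: {' <- '.join(map(str, run))}")
```

On the constructed snapshot the three renamed hops (4202, 4203, 4204) collapse into a single finding anchored on the untouched signalbench parent (4201), while sshd's "sshd: alice [priv]" relabelling and the login shell's "-bash" are left alone. Whatever EDR you are tuning should be able to make the same exe-versus-comm comparison; if its process events only carry the name, this telemetry will look like three system daemons.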

5 BRAND NEW SUPERSIZED TECHNIQUES:

  • T1119 Automated Collection: Recursively collects sensitive files from /home/, /var/, /opt/, creates tar archives, generates comprehensive JSON reports
  • T1070.004 File Deletion: Anti-forensics with shred -uvz, secure file wiping, log tampering simulation, all with backup/restore
  • T1003.008 /etc/passwd and /etc/shadow: Comprehensive user enumeration, shadow file parsing (if root), password hash extraction
  • T1098 Account Manipulation: Modifies user accounts, injects SSH keys into authorized_keys, changes shells, group manipulation (requires root)
  • T1496 Resource Hijacking: Controlled CPU stress (crypto-mining simulation), memory allocation, disk I/O stress with safety limits

All 36 supersized techniques generate high-volume, realistic telemetry intended to be detected by security products whilst remaining safe and reversible through artifact tracking and cleanup verification.

Installation

For maximum compatibility (recommended):

# Download universal static binary (works on any Linux distribution)
wget https://github.com/gocortex/signalbench/releases/download/v1.5.22/signalbench-v1.5.22-linux-musl-x86_64
chmod +x signalbench-v1.5.22-linux-musl-x86_64
sudo mv signalbench-v1.5.22-linux-musl-x86_64 /usr/local/bin/signalbench

For Debian 12/Ubuntu 22.04+ systems:

# Download GLIBC 2.36+ compatible binary
wget https://github.com/gocortex/signalbench/releases/download/v1.5.22/signalbench-v1.5.22-debian12-glibc2.36-x86_64
chmod +x signalbench-v1.5.22-debian12-glibc2.36-x86_64
sudo mv signalbench-v1.5.22-debian12-glibc2.36-x86_64 /usr/local/bin/signalbench

Full Changelog: v1.5.13...v1.5.22

v1.5.13

04 Nov 12:03

SignalBench v1.5.13 - Endpoint Telemetry Generator

v1.5.13 The Supersized Menu

SignalBench v1.5.13 dramatically expands aggressive telemetry coverage to 27 of 37 techniques (73%) with 13 new or enhanced implementations, driven by real-world Cortex XDR testing that showed 50% detection on v1.5.0. This release maximises EDR/XDR detection whilst keeping every technique safe and reversible:

6 NEW SUPERSIZED TECHNIQUES:

  • T1110.002 SSH Brute Force: Creates temporary test user, performs REAL failed SSH authentication attempts against localhost:22, generates auth.log entries, measures timing patterns
  • T1021.004 SSH Lateral Movement: Generates SSH keys, modifies authorized_keys, executes REAL SSH connections with port forwarding attempts
  • T1049 Network Connections: Aggressive enumeration via netstat/ss/lsof, parses active connections, listening ports, process-to-socket mappings
  • T1070.003 Clear Command History: Actually backs up and modifies shell history files (.bash_history, .zsh_history, etc.), removes suspicious patterns, full restoration
  • T1548.003 Sudoers Modification: Creates REAL sudoers files with NOPASSWD rules, validates with visudo, comprehensive backup/restore
  • T1548.001 SUID Binary: Compiles C wrapper, sets SUID bit, attempts privileged operations, complete cleanup

7 ENHANCED v1.5.0 TECHNIQUES FOR HIGHER XDR DETECTION:

  • T1056.001 Keylogging: Expanded to enumerate ALL /dev/input/event0-15 (16 devices), added 5 new history files (.sqlite_history, .redis_history, .node_repl_history), enhanced auth.log parsing
  • T1552.001 Credentials in Files: Added 8 new search directories (/var/www, /opt, /srv, /var/lib, /root/.ssh, /usr/local/etc), database dump file analysis, expanded credential patterns
  • T1046 Port Scanning: Increased from 10 ports to 1,032 TCP ports (1-1024 + backdoor ports), added UDP scanning (DNS, NTP, SNMP), scans both IPv4/IPv6 localhost
  • T1059.006 Python Script: Added persistent socket listener (20s accept loop), /proc/*/fd enumeration, reads environment variables from all processes, comprehensive recon reporting
  • T1574.007 PATH Interception: Expanded from 3 to 7 trojan binaries (added sudo, ssh, curl, wget), enhanced logging with PID/timestamp/arguments
  • T1562.002 Disable Audit: Added systemctl service manipulation, /etc/audit/audit.rules modification option, multi-method approach
  • T1068 Privilege Escalation: Attempts actual exploitation - creates systemd test services, tests Docker operations, probes sudo -l output for exploitable rules

All 27 supersized techniques generate HIGH-VOLUME, AGGRESSIVE telemetry designed for maximum EDR/XDR detection whilst remaining 100% safe and reversible through comprehensive artifact tracking and cleanup verification.
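
The backup/restore and cleanup-verification pattern that every supersized technique above relies on (and that the v1.5.22 notes repeat), as an added Python example rather than SignalBench's implementation: artifacts are recorded in an on-disk manifest before the host is touched, modified files get byte-exact backups, and cleanup restores and then re-hashes instead of assuming success. The T1547.002-style profile.d script and .bashrc append, the marker string and the sandbox paths are constructed; the delay_cleanup branch models restoring from the manifest in a later invocation, which is the situation --no-cleanup and --delay-cleanup leave you in.

```python
from __future__ import annotations

import hashlib
import json
import os
import shutil
import tempfile

MARKER = "# signalbench-demo T1547.002"  # constructed marker, not the tool's own


def sha256(path: str) -> str:
    with open(path, "rb") as f:
        return hashlib.sha256(f.read()).hexdigest()


class ArtifactTracker:
    """Tracks what a technique creates or modifies, keeps byte-exact backups and
    verifies by hash on cleanup. The manifest hits disk before the host is
    touched, so a later invocation can still undo everything."""

    def __init__(self, backup_dir: str):
        self.backup_dir = backup_dir
        os.makedirs(backup_dir, exist_ok=True)
        self.created: list[str] = []
        self.modified: dict[str, dict] = {}  # path -> {"backup": ..., "sha256": ...}

    def _save(self) -> None:
        with open(os.path.join(self.backup_dir, "manifest.json"), "w") as f:
            json.dump({"created": self.created, "modified": self.modified}, f)

    def create(self, path: str, content: str) -> None:
        if os.path.lexists(path):
            raise FileExistsError(f"refusing to clobber untracked file {path}")
        self.created.append(path)
        self._save()  # record intent first; a crash here leaves nothing to undo
        with open(path, "w") as f:
            f.write(content)

    def modify(self, path: str, append: str) -> None:
        if path not in self.modified:
            backup = os.path.join(self.backup_dir, hashlib.sha256(path.encode()).hexdigest())
            shutil.copy2(path, backup)  # content plus mode and mtime
            self.modified[path] = {"backup": backup, "sha256": sha256(path)}
            self._save()
        with open(path, "a") as f:
            f.write(append)

    def cleanup(self) -> list[str]:
        """Delete created files, restore modified ones, return paths still dirty."""
        dirty = []
        for p in self.created:
            if os.path.lexists(p):
                os.remove(p)
            if os.path.lexists(p):
                dirty.append(p)
        for p, rec in self.modified.items():
            shutil.copy2(rec["backup"], p)
            if sha256(p) != rec["sha256"]:
                dirty.append(p)
        return dirty

    @classmethod
    def load(cls, backup_dir: str) -> ArtifactTracker:
        """Rebuild a tracker from the manifest an earlier run left behind."""
        t = cls(backup_dir)
        with open(os.path.join(backup_dir, "manifest.json")) as f:
            m = json.load(f)
        t.created, t.modified = m["created"], m["modified"]
        return t


def run_startup_persistence(root: str, tracker: ArtifactTracker) -> None:
    """Constructed stand-in for T1547.002: drop a profile.d script and append to a
    .bashrc, under a sandbox root instead of the real /etc and $HOME."""
    tracker.create(os.path.join(root, "profile.d", "zz-signalbench.sh"),
                   f"{MARKER}\nexport SB_PERSIST=1\n")
    tracker.modify(os.path.join(root, ".bashrc"), f"\n{MARKER}\n/tmp/sb-beacon.sh &\n")


def demo(delay_cleanup: bool = False) -> dict:
    """Run the technique in a temp sandbox and report whether cleanup verified.
    delay_cleanup=True restores through a fresh tracker loaded from the manifest."""
    root = tempfile.mkdtemp(prefix="sb-sandbox-")
    os.makedirs(os.path.join(root, "profile.d"))
    bashrc = os.path.join(root, ".bashrc")
    with open(bashrc, "w") as f:
        f.write("alias ll='ls -l'\n")
    before = sha256(bashrc)
    tracker = ArtifactTracker(os.path.join(root, ".sb-backup"))
    run_startup_persistence(root, tracker)
    with open(bashrc) as f:
        touched = MARKER in f.read()
    if delay_cleanup:
        tracker = ArtifactTracker.load(tracker.backup_dir)
    dirty = tracker.cleanup()
    script = os.path.join(root, "profile.d", "zz-signalbench.sh")
    result = {"touched": touched, "dirty": dirty,
              "restored": sha256(bashrc) == before, "script_gone": not os.path.exists(script)}
    shutil.rmtree(root)
    return result
```

The order of operations is the point: manifest first, backup second, host change last, so the worst case after a crash is a recorded intent with nothing to undo rather than an unrecorded change. The hash check on restore is what turns "cleanup ran" into "cleanup verified"; a non-empty list from cleanup() is the signal to stop and inspect the host rather than trust it.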

Installation

For maximum compatibility (recommended):

# Download universal static binary (works on any Linux distribution)
wget https://github.com/gocortex/signalbench/releases/download/v1.5.13/signalbench-v1.5.13-linux-musl-x86_64
chmod +x signalbench-v1.5.13-linux-musl-x86_64
sudo mv signalbench-v1.5.13-linux-musl-x86_64 /usr/local/bin/signalbench

For Debian 12/Ubuntu 22.04+ systems:

# Download GLIBC 2.36+ compatible binary
wget https://github.com/gocortex/signalbench/releases/download/v1.5.13/signalbench-v1.5.13-debian12-glibc2.36-x86_64
chmod +x signalbench-v1.5.13-debian12-glibc2.36-x86_64
sudo mv signalbench-v1.5.13-debian12-glibc2.36-x86_64 /usr/local/bin/signalbench

Full Changelog: v1.1.1...v1.5.13

v1.4.3

24 Oct 23:19

SignalBench v1.4.3 - Endpoint Telemetry Generator

Overview

SignalBench allows security professionals to generate realistic endpoint telemetry patterns for analytics development, research, and training scenarios. It implements multiple techniques from the MITRE ATT&CK framework across categories such as persistence, privilege escalation, defence evasion, credential access, discovery, lateral movement, execution and software.

Important: Telemetry Generation Design

SignalBench executes actual OS commands that emulate technique-aligned activity patterns whilst remaining safe and non-destructive. This design choice ensures realistic telemetry generation for security analytics:

  • Activities perform real actions (network operations, file manipulation, process injection, etc.)
  • Each technique executes commands that generate observable endpoint signals
  • All activities are designed to be controlled and limited to avoid actual compromise
  • Proper cleanup procedures ensure no lasting system changes remain

New Capabilities:

  • Malware Simulation Framework: Introduction of the SOFTWARE category enabling malware behaviour simulations. The flagship S1109 PACEMAKER credential stealer simulation accurately replicates the memory-reading techniques used in documented APT attacks against Pulse Secure VPN appliances, complete with YARA-detectable signatures matching FE_APT_Trojan_Linux_PACEMAKER rules.

  • YARA Signature Verification: Automated CI/CD pipeline validation ensures embedded helper binaries contain required signature strings (/proc/%d/mem, credential format patterns, x86 byte patterns), guaranteeing detection by enterprise security tools during research and analytics development.

  • Enhanced Technique Coverage: Four additional MITRE ATT&CK techniques including uncommon remote shell commands (T1059.004.001), process masquerading (T1036.003), suspicious tool transfers (T1105.001), and brute force tool simulation (T1110.002), bringing the total to 37 techniques across Discovery, Credential Access, Defence Evasion, Execution, Command and Control, and Exfiltration categories.

Infrastructure Improvements:

  • Universal Linux Compatibility: Static MUSL binary builds ensure SignalBench runs on any modern Linux distribution without GLIBC version dependencies, eliminating compatibility issues across Debian, Ubuntu, Alpine, and enterprise distributions.

  • Cleanup Reliability: Comprehensive audit and remediation of cleanup mechanisms across all techniques, with proper directory removal and file cleanup. Addition of --no-cleanup flag for preserving artefacts during debugging and analysis workflows.

  • Security Maintenance: Complete dependency updates addressing RUSTSEC-2025-0047 vulnerability, with all packages updated to latest stable versions including tokio, clap, serde, and chrono.
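The design points above (real but bounded actions, observable signals, dry-run, and cleanup that can be switched off with --no-cleanup) are easier to reason about with a concrete harness. The following POSIX shell script is an added illustration written for this page, not SignalBench's own code; the function names (sb_run, sb_technique_t1082, sb_artefacts_remaining), the argument layout and the marker-directory convention are assumptions. It stands in a harmless T1082-style discovery step for a technique, writes everything the step produces under one marker directory, and removes that directory afterwards unless the caller asks to keep it.

```shell
#!/bin/sh
# Constructed example of the dry-run / cleanup pattern a telemetry generator
# needs. Not SignalBench code; all names here are assumptions for illustration.

# Stand-in for a technique's real actions: harmless system discovery (T1082-like).
# Each command is itself the observable signal an EDR would record.
sb_technique_t1082() {
    uname -a
    id -un
    if [ -r /etc/os-release ]; then head -n 3 /etc/os-release; fi
}

# sb_run WORKDIR DRY_RUN NO_CLEANUP
#   DRY_RUN=1    only prints what would happen, touches nothing on disk
#   NO_CLEANUP=1 keeps WORKDIR and its log for later inspection (debug mode)
# Returns the technique's exit status; cleanup runs regardless of that status
# so a failing step cannot leave artefacts behind.
sb_run() {
    workdir=$1
    dry_run=${2:-0}
    no_cleanup=${3:-0}

    if [ "$dry_run" = "1" ]; then
        echo "[dry-run] would create $workdir and run T1082 discovery commands"
        return 0
    fi

    mkdir -p "$workdir" || return 1
    # Every artefact goes under the marker directory so cleanup is a single rm.
    sb_technique_t1082 > "$workdir/t1082.log" 2>&1
    status=$?

    if [ "$no_cleanup" != "1" ]; then
        rm -rf "$workdir"
    fi
    return "$status"
}

# sb_artefacts_remaining WORKDIR -> "yes" if anything survived cleanup, else "no"
sb_artefacts_remaining() {
    if [ -e "$1" ]; then echo yes; else echo no; fi
}

# Usage when run directly: dry run, then a real run that cleans up after itself.
if [ "${SB_EXAMPLE_MAIN:-0}" = "1" ]; then
    sb_run /tmp/sb-example 1 0
    sb_run /tmp/sb-example 0 0
    echo "artefacts remaining: $(sb_artefacts_remaining /tmp/sb-example)"
fi
```

Capturing the status before the cleanup branch is the part worth copying: it keeps "no lasting system changes" true even when the emulated step fails halfway, while still reporting the failure to the caller.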

Recommended (Static builds, no GLIBC dependency):

  • linux-musl-x86_64: Universal Linux 64-bit (static, works on any Linux distribution)
  • linux-musl-aarch64: Universal Linux ARM64 (static, works on any Linux distribution)

GLIBC builds (for specific distributions):

  • debian12-glibc2.36-x86_64: Debian 12/Ubuntu 22.04+ 64-bit (requires GLIBC 2.36+)
  • debian12-glibc2.36-aarch64: Debian 12/Ubuntu 22.04+ ARM64 (requires GLIBC 2.36+)

Installation:

For maximum compatibility (recommended):

# Download universal static binary (works on any Linux distribution)
wget https://github.com/gocortex/signalbench/releases/download/v1.4.3/signalbench-v1.4.3-linux-musl-x86_64
chmod +x signalbench-v1.4.3-linux-musl-x86_64
sudo mv signalbench-v1.4.3-linux-musl-x86_64 /usr/local/bin/signalbench

For Debian 12/Ubuntu 22.04+ systems:

# Download GLIBC 2.36+ compatible binary
wget https://github.com/gocortex/signalbench/releases/download/v1.4.3/signalbench-v1.4.3-debian12-glibc2.36-x86_64
chmod +x signalbench-v1.4.3-debian12-glibc2.36-x86_64
sudo mv signalbench-v1.4.3-debian12-glibc2.36-x86_64 /usr/local/bin/signalbench

Usage

# List available techniques
./signalbench list

# Run a technique in dry-run mode
./signalbench run T1082 --dry-run

# Get help
./signalbench --help

Full Changelog: v1.1.1...v1.4.3

v1.1.1

12 Sep 12:26


SignalBench v1.1.1 - Endpoint Telemetry Generator

A Rust-based application for Linux that generates endpoint telemetry aligned with MITRE ATT&CK techniques for security analytics, research, and training environments.

Overview

SignalBench allows security professionals to generate realistic endpoint telemetry patterns for analytics development, research, and training scenarios. It implements multiple techniques from the MITRE ATT&CK framework across different categories such as persistence, privilege escalation, defence evasion, credential access, discovery, lateral movement, and execution.

Important: Telemetry Generation Design

SignalBench executes actual OS commands that emulate technique-aligned activity patterns whilst remaining safe and non-destructive. This design choice ensures realistic telemetry generation for security analytics:

  • Activities perform real actions (network operations, file manipulation, process injection, etc.)
  • Each technique executes commands that generate observable endpoint signals
  • All activities are designed to be controlled and limited to avoid actual compromise
  • Proper cleanup procedures ensure no lasting system changes remain

Recommended (Static builds, no GLIBC dependency):

  • linux-musl-x86_64: Universal Linux 64-bit (static, works on any Linux distribution)
  • linux-musl-aarch64: Universal Linux ARM64 (static, works on any Linux distribution)

GLIBC builds (for specific distributions):

  • debian12-glibc2.36-x86_64: Debian 12/Ubuntu 22.04+ 64-bit (requires GLIBC 2.36+)
  • debian12-glibc2.36-aarch64: Debian 12/Ubuntu 22.04+ ARM64 (requires GLIBC 2.36+)

Installation

For maximum compatibility (recommended):

# Download universal static binary (works on any Linux distribution)
wget https://github.com/gocortex/signalbench/releases/download/v1.1.1/signalbench-v1.1.1-linux-musl-x86_64
chmod +x signalbench-v1.1.1-linux-musl-x86_64
sudo mv signalbench-v1.1.1-linux-musl-x86_64 /usr/local/bin/signalbench

For Debian 12/Ubuntu 22.04+ systems:

# Download GLIBC 2.36+ compatible binary
wget https://github.com/gocortex/signalbench/releases/download/v1.1.1/signalbench-v1.1.1-debian12-glibc2.36-x86_64
chmod +x signalbench-v1.1.1-debian12-glibc2.36-x86_64
sudo mv signalbench-v1.1.1-debian12-glibc2.36-x86_64 /usr/local/bin/signalbench

Usage

# List available techniques
./signalbench list

# Run a technique in dry-run mode
./signalbench run T1082 --dry-run

# Get help
./signalbench --help

Technical Details

  • Built with Rust: High performance and memory safety
  • MITRE ATT&CK Integration: Real technique implementations
  • Cross-platform: Multiple Linux distributions supported
  • Safe Testing: Built-in cleanup and safety mechanisms

Full Changelog: https://github.com/gocortexio/signalbench/commits/v1.1.1