TESTERPy2

Open-Source Tool

github.com/BreachSimRange/TesterPy2

TESTERPy2 security testing platform

What is TESTERPy2

TESTERPy2 is a security testing platform for evaluating how well EDR and AV products detect Python-based offensive techniques. It centres on the MITRE ATT&CK sub-technique Command and Scripting Interpreter: Python (T1059.006) and ships five independent test scenarios that simulate real-world attack primitives: credential extraction, defense evasion, browser data theft, system discovery, and shellcode execution.

The tool exists because threat actors rely so heavily on Python. It runs cross-platform without dropping additional binaries and uses legitimate system libraries, which makes it a natural fit for living-off-the-land attacks and genuinely hard to detect. TESTERPy2 lets defenders see exactly what their stack flags and what slips through.

Architecture

TESTERPy2 has two parts: a Flask dashboard that acts as the server, and lightweight Python agents that run on the targets. The dashboard runs on port 5000 and serves the UI along with a small API. Agents auto-detect their platform (Windows, Linux, or macOS), register with the dashboard, then beacon over HTTP on a configurable interval. On each beacon they receive base64-encoded test code, run it in an isolated subprocess, and return JSON results, so each test's status (success, detected, failed, and so on) appears on the dashboard in real time. The stack is deliberately small: Python 3.8+, Flask, and the requests library, with nothing heavy to deploy on a target.

Test scenarios

Test 1: Python Shellcode Loader (T001)

Allocates RWX memory through VirtualAlloc, drops a NOP-sled payload, and spawns an execution thread with CreateThread.

  • Platforms: Windows
  • ATT&CK: T1059.006, T1055.001, T1106
  • Detection focus: VirtualAlloc with PAGE_EXECUTE_READWRITE from Python, and immediate thread creation targeting non-image memory.

Test 2: Python Defense Evasion (T002)

Locates AmsiScanBuffer, enumerates EtwEventWrite, reads ntdll.dll from disk, and sets the COMPLUS_ETWEnabled environment variable.

  • Platforms: Windows
  • ATT&CK: T1059.006, T1562.001, T1027
  • Detection focus: GetProcAddress targeting amsi.dll, ntdll.dll disk access, and ETW-disabling environment configurations.

Test 3: Python Credential Dumper (T003)

On Windows it extracts the SAM, SECURITY, and SYSTEM registry hives via reg.exe save and RegSaveKeyExW (requiring SeBackupPrivilege), dumps LSASS memory through dbghelp MiniDumpWriteDump (requiring SeDebugPrivilege), enumerates Volume Shadow Copies for offline SAM access, and surveys DPAPI master key directories. On Linux it enumerates /etc/shadow and locates SSH private keys.

  • Platforms: Windows and Linux
  • ATT&CK: T1059.006, T1003.001, T1003.002, T1552.001
  • Detection focus: registry save operations on sensitive hives, OpenProcess calls on lsass.exe, MiniDumpWriteDump invocation, and vssadmin shadow enumeration.

Test 4: Python Browser Stealer (T004)

Copies Chrome Login Data, Firefox logins.json, Firefox cookies.sqlite, and Edge Login Data to temporary locations, then counts the stored credentials and cookies without decrypting them.

  • Platforms: Windows and Linux
  • ATT&CK: T1059.006, T1555.003, T1539, T1552.001
  • Detection focus: browser profile directory access, SQLite operations on credential and cookie databases, and credential store file replication.

Test 5: Python Discovery and Collection (T005)

Collects hostname, OS version, architecture, network interfaces, process lists, home directory contents, and environment variables. On Windows it also reads screen resolution and keyboard state.

  • Platforms: Windows and Linux
  • ATT&CK: T1059.006, T1082, T1083, T1056.001, T1113
  • Detection focus: bulk system enumeration, GetSystemMetrics and GetKeyboardState API calls, and rapid home directory traversal.
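The five "Detection focus" bullets above are, in effect, a rule set. The following added example (not part of TESTERPy2 and not its output format) turns them into executable detection logic over constructed, EDR-style telemetry records. The Event record, its field names, and the sample events are assumptions made for this illustration; each rule is anchored on the originating process being a Python interpreter, which is what makes these tests distinctive, and maps its hit back to the test id and ATT&CK technique listed on this page.

```python
"""Added example: detection rules derived from the TESTERPy2 test descriptions,
run over constructed telemetry. Not project code; field names are assumed."""
import ntpath
from dataclasses import dataclass, field


@dataclass
class Event:
    """One EDR-style record. For kind == "process", image is the parent and
    cmdline the child's command line; otherwise image is the acting process."""
    kind: str                                   # "process", "api", "file" or "env"
    image: str                                  # image path of the acting process
    cmdline: str = ""                           # process: child command line
    api: str = ""                               # api: called function name
    args: dict = field(default_factory=dict)    # api: selected arguments
    target: str = ""                            # file: path; api: target process
    env: dict = field(default_factory=dict)     # env: variables set


SENSITIVE_HIVES = {"sam", "security", "system"}
BROWSER_STORES = {"login data", "logins.json", "cookies.sqlite"}


def from_python(e):
    """Every TESTERPy2 test runs inside a Python interpreter; anchor on that."""
    return ntpath.basename(e.image).lower().startswith("python")


def match(e):
    """Return (test_id, technique, reason) tuples for each detection focus the
    event evidences, or an empty list."""
    hits = []
    if not from_python(e):
        return hits
    a = e.args
    base = ntpath.basename(e.target).lower()
    toks = e.cmdline.lower().split()
    # T001: RWX allocation followed by a thread started on non-image memory
    if e.api == "VirtualAlloc" and a.get("protect") == "PAGE_EXECUTE_READWRITE":
        hits.append(("T001", "T1055.001", "RWX VirtualAlloc from Python"))
    if e.api == "CreateThread" and a.get("start_in_image") is False:
        hits.append(("T001", "T1106", "thread start in non-image memory"))
    # T002: AMSI/ETW tampering indicators
    if e.api == "GetProcAddress" and a.get("module", "").lower() == "amsi.dll":
        hits.append(("T002", "T1562.001", "GetProcAddress on amsi.dll"))
    if e.kind == "file" and base == "ntdll.dll":
        hits.append(("T002", "T1562.001", "ntdll.dll read from disk"))
    if e.kind == "env" and e.env.get("COMPLUS_ETWEnabled") == "0":
        hits.append(("T002", "T1562.001", "COMPLUS_ETWEnabled=0"))
    # T003: hive export, LSASS access, shadow copy enumeration
    if e.kind == "process" and toks:
        child = ntpath.basename(toks[0])
        hive = any(t.rsplit("\\", 1)[-1] in SENSITIVE_HIVES for t in toks)
        if child == "reg.exe" and "save" in toks and hive:
            hits.append(("T003", "T1003.002", "reg.exe save of sensitive hive"))
        if child.startswith("vssadmin") and "shadows" in toks:
            hits.append(("T003", "T1003.002", "vssadmin shadow enumeration"))
    if e.api == "OpenProcess" and e.target.lower() == "lsass.exe":
        hits.append(("T003", "T1003.001", "OpenProcess on lsass.exe"))
    if e.api == "MiniDumpWriteDump":
        hits.append(("T003", "T1003.001", "MiniDumpWriteDump called"))
    # T004: credential and cookie store file access
    if e.kind == "file" and base in BROWSER_STORES:
        tech = "T1539" if base == "cookies.sqlite" else "T1555.003"
        hits.append(("T004", tech, "browser store read: " + base))
    # T005: screen and keyboard state probes
    if e.api == "GetSystemMetrics":
        hits.append(("T005", "T1113", "GetSystemMetrics"))
    if e.api == "GetKeyboardState":
        hits.append(("T005", "T1056.001", "GetKeyboardState"))
    return hits


def evaluate(events):
    """Group hits by test id, mirroring the dashboard's per-test view."""
    by_test = {}
    for e in events:
        for test_id, technique, reason in match(e):
            by_test.setdefault(test_id, []).append((technique, reason))
    return by_test


# Constructed sample telemetry (not captured from a real system).
PY = r"C:\Python311\python.exe"
SAMPLE_EVENTS = [
    Event("api", PY, api="VirtualAlloc", args={"protect": "PAGE_EXECUTE_READWRITE"}),
    Event("api", PY, api="CreateThread", args={"start_in_image": False}),
    Event("process", PY, cmdline=r"reg.exe save HKLM\SAM C:\Users\Public\sam.hiv"),
    Event("api", PY, api="OpenProcess", target="lsass.exe"),
    Event("file", "/usr/bin/python3",
          target="/home/alice/.mozilla/firefox/abc.default/logins.json"),
    Event("api", PY, api="GetKeyboardState"),
    Event("api", PY, api="VirtualAlloc", args={"protect": "PAGE_READWRITE"}),  # benign
]

if __name__ == "__main__":
    for test_id, hits in sorted(evaluate(SAMPLE_EVENTS).items()):
        print(test_id, hits)
```

The rules are intentionally literal so that each one can be read against its bullet above; a production version would live in the EDR's own rule language and add the parent/child context (for instance, the vssadmin rule should also fire when vssadmin is launched through cmd.exe by Python) that a flat record loses.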

Installation

TESTERPy2 needs Python 3.8 or newer, plus Flask and requests. Install the dependencies, start the dashboard, then point an agent at it.

pip install flask requests
python app.py
# open http://localhost:5000

# on each target
python agent.py --server http://<dashboard-ip>:5000

How to use it

  1. Start app.py on the host that will run the dashboard.
  2. Run agent.py on each target system, pointing it at the dashboard address.
  3. Select a registered agent from the Agents panel.
  4. Run an individual test with Execute, or launch all five at once.
  5. Watch the live status and outcomes in the Results panel.

Result statuses

Each test reports one of the following:

  • success: completed without EDR intervention.
  • detected: EDR blocked or flagged the activity.
  • failed: a test error unrelated to detection.
  • skipped: not applicable to the target platform.
  • cancelled: the operator stopped execution.
  • running: currently executing.
  • pending: queued, awaiting the agent beacon.
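From the defender's side the status names invert: a "success" means the technique ran without the EDR intervening, which is a coverage gap, and "detected" is the outcome you want. The following added example (not project code; the result record shape is an assumption) folds a batch of per-agent results into a gap report, keeping non-final and inconclusive statuses apart so they are not mistaken for coverage.

```python
"""Added example: turn TESTERPy2-style result records into a per-test coverage
report. Not project code; the record fields (test, agent, status) are assumed."""

GAP = {"success"}                       # ran to completion, EDR did not intervene
COVERED = {"detected"}                  # EDR blocked or flagged the activity
INCONCLUSIVE = {"failed", "cancelled"}  # no verdict on detection either way
NOT_APPLICABLE = {"skipped"}            # test does not target this platform
NOT_FINAL = {"running", "pending"}      # still in flight; leave out of the report


def coverage_report(results):
    """Group results by test id into gap / covered / inconclusive agent lists.
    Unknown statuses raise so a renamed status cannot silently become a gap."""
    report = {}
    for r in results:
        status = r["status"]
        if status in NOT_FINAL or status in NOT_APPLICABLE:
            continue
        entry = report.setdefault(r["test"], {"gap": [], "covered": [], "inconclusive": []})
        if status in GAP:
            entry["gap"].append(r["agent"])
        elif status in COVERED:
            entry["covered"].append(r["agent"])
        elif status in INCONCLUSIVE:
            entry["inconclusive"].append(r["agent"])
        else:
            raise ValueError("unknown status: " + status)
    return report


def gaps(results):
    """Test ids with at least one agent where the technique went undetected."""
    return sorted(t for t, e in coverage_report(results).items() if e["gap"])


# Constructed sample results for two agents (not real test output).
SAMPLE_RESULTS = [
    {"test": "T001", "agent": "win-lab-01", "status": "detected"},
    {"test": "T002", "agent": "win-lab-01", "status": "success"},
    {"test": "T003", "agent": "win-lab-01", "status": "failed"},
    {"test": "T001", "agent": "lin-lab-01", "status": "skipped"},
    {"test": "T003", "agent": "lin-lab-01", "status": "success"},
    {"test": "T005", "agent": "lin-lab-01", "status": "pending"},
]

if __name__ == "__main__":
    for test_id, entry in sorted(coverage_report(SAMPLE_RESULTS).items()):
        print(test_id, entry)
    print("gaps:", gaps(SAMPLE_RESULTS))
```

A "failed" result is deliberately kept out of both the gap and covered lists: a test that errored before reaching the sensitive call says nothing about whether the EDR would have caught it, and should be re-run rather than counted.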

Screenshots

[Screenshots from the project repository: Dashboard, Agents panel, Running tests, Results view]

View the project on GitHub

Browse the source, try TESTERPy2 against your own EDR and AV stack, and contribute. Issues, feature ideas, and pull requests are all welcome, and a star helps the project reach more defenders.