Phantom Strike is an advanced, 7-phase kill-chain adversary emulation framework designed for authorized red team and purple team engagements. Built natively in Bash for Kali Linux, it bridges the gap between automated speed and manual precision. It automatically detects environment architectures, maps operations directly to the MITRE ATT&CK® framework, and executes evasion-first TTPs while ensuring strict operational safety controls and client-ready executive reporting.
Unlike fully autonomous tools, Phantom Strike is built with operator augmentation in mind. Strategic decisions—such as escalation, pivoting, or aborting—always remain firmly in the hands of the human operator.
- MITRE ATT&CK Mapping: Every action, scan, and payload execution is strictly tagged with MITRE ATT&CK IDs (e.g., T1595, T1190, T1071) for comprehensive defensive traceability and purple-teaming cross-reference.
- Context-Aware Adaptation: The framework auto-detects the specific characteristics of the target environment—whether it is Active Directory, AWS/Cloud, Web Apps, or OT/ICS—and dynamically tunes its TTP profiles to fit.
- Evasion-First Design: Minimizes noisy indicators of compromise (IoCs) through randomized user agents, intelligent scan delays, packet fragmentation, sleep obfuscation, and malleable Command & Control (C2) profiles.
- Threat Actor Profiles: Out-of-the-box emulation modules for sophisticated threat actors, including APT29 (Cozy Bear), APT28 (Fancy Bear), LAZARUS, and CARBANAK, as well as support for custom, highly tailored pentest TTPs.
- Operational Safety & Boundaries: Features built-in safety brakes, rigid scope validation boundaries to prevent out-of-scope leakage, and comprehensive audit trails for post-engagement review.
- Executive Reporting: Generates clean, client-ready markdown and structured reports outlining kill-chain coverage maps and prioritized, actionable remediation steps.
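The scope validation boundary and ATT&CK-tagged audit trail described above, as an added example in POSIX shell that is not Phantom Strike's own code: a gate that refuses any action whose target lies outside a scope file and records the verdict together with the technique ID before anything runs. The scope entries, file names and function names are constructed for this illustration.

```shell
# Added example, not Phantom Strike's own code: a scope gate plus an ATT&CK-tagged
# audit trail of the kind the README describes (all names here are hypothetical).
set -u
SCOPE_FILE=$(mktemp)   # constructed sample scope: one CIDR or host per line
AUDIT_LOG=$(mktemp)
printf '10.0.0.0/24  # lab segment\n192.168.1.50\n# comments are ignored\n' > "$SCOPE_FILE"

# Accept only a well-formed dotted-quad IPv4 address.
valid_ip() {
  case $1 in *[!0-9.]*|'') return 1 ;; esac
  set -- $(printf '%s' "$1" | tr . ' ')
  [ $# -eq 4 ] || return 1
  for o in "$@"; do [ "$o" -le 255 ] || return 1; done
}
# Dotted quad -> integer, for CIDR mask arithmetic (call only on valid input).
ip2int() {
  set -- $(printf '%s' "$1" | tr . ' ')
  echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}
# Succeed only if the target address lies inside some entry of SCOPE_FILE.
in_scope() {
  local t entry rest net bits mask
  valid_ip "$1" || return 1
  t=$(ip2int "$1")
  while read -r entry rest; do
    entry=${entry%%#*}                       # drop comments and blank lines
    [ -n "$entry" ] || continue
    net=${entry%%/*}; bits=${entry#*/}
    [ "$bits" = "$entry" ] && bits=32        # bare host means /32
    valid_ip "$net" || continue              # skip malformed entries
    case $bits in *[!0-9]*|'') continue ;; esac; [ "$bits" -le 32 ] || continue
    mask=$(( (4294967295 << (32 - bits)) & 4294967295 ))
    [ $(( t & mask )) -eq $(( $(ip2int "$net") & mask )) ] && return 0
  done < "$SCOPE_FILE"
  return 1
}
# Safety brake: log every attempt with its ATT&CK ID; run it only when in scope.
# Usage: audit_run <ATT&CK id> <target IPv4> <command...>
audit_run() {
  local ttp target verdict; ttp=$1; target=$2; shift 2
  if in_scope "$target"; then verdict=ALLOWED; else verdict=BLOCKED; fi
  printf '%s\t%s\t%s\t%s\t%s\n' "$(date -u +%Y-%m-%dT%H:%M:%SZ)" \
    "$verdict" "$ttp" "$target" "$*" >> "$AUDIT_LOG"
  [ "$verdict" = ALLOWED ] || return 2
  "$@"
}

audit_run T1595 10.0.0.77 echo "in scope: action runs"              # ALLOWED
audit_run T1595 10.0.1.5  echo "unreachable" || echo "blocked ($?)"  # BLOCKED
```

Every attempt, blocked or allowed, lands in the audit log as a tab-separated line (timestamp, verdict, technique ID, target, command), which is what a purple team later cross-references against the defender's detections.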
Below is the step-by-step breakdown of how Phantom Strike orchestrates an engagement lifecycle, paired with the active execution environment:
Phantom Strike seamlessly orchestrates industry-standard security tools alongside proprietary evasion logic:
| Phase | Integrated Tooling |
|---|---|
| Recon & Intel | TheHarvester, DNSRecon, WhatWeb |
| Scanning & Scan Evasion | Nmap (with custom fragmentation scripts), Gobuster, Nikto |
| Vulnerability Verification | SQLmap, Hydra |
| Infrastructure & Domain Control | Enum4linux, CrackMapExec |
| Core Logic | Native Bash engine & proprietary evasion/C2 modules |
This tool is developed strictly for authorized security assessments, red teaming engagements, and educational defense research. Usage of this tool against targets without prior written consent is illegal. The developers assume no liability for misuse or damage caused by this software.