Upload ad-attack-simulator Space

README.md

@@ -1,12 +1,111 @@
 ---
-title: Ad Attack Simulator
-emoji: 🏆
-colorFrom: gray
-colorTo: pink
+title: AD Attack Simulator
+emoji: 🏰
+colorFrom: purple
+colorTo: red
 sdk: gradio
-sdk_version: 6.5.1
+sdk_version: 4.44.0
+python_version: "3.10"
 app_file: app.py
 pinned: false
+license: apache-2.0
+tags:
+  - cybersecurity
+  - active-directory
+  - attack-simulation
+  - kill-chain
+  - mitre-attack
+  - ayinedjimi-consultants
 ---
 
-Check out the configuration reference at https://huggingface.co/docs/hub/spaces-config-reference
+# AD Attack Simulator - Interactive Kill Chain Visualizer
+
+An interactive visualization tool for understanding 20 critical Active Directory attack techniques with detailed kill chain analysis, MITRE ATT&CK mappings, detection methods, and defense recommendations.
+
+## Features
+
+- **20 AD Attack Techniques**: Comprehensive coverage of major AD attack vectors including:
+  - Golden Ticket
+  - DCSync
+  - Kerberoasting
+  - AS-REP Roasting
+  - Pass-the-Hash
+  - Pass-the-Ticket
+  - Skeleton Key
+  - DCShadow
+  - Silver Ticket
+  - AD CS/Certificates
+  - AdminSDHolder
+  - ACL Abuse
+  - NTLM Relay
+  - SIDHistory Injection
+  - RBCD Abuse
+  - GPO Abuse
+  - AD FS/SAML
+  - Forest Trust Abuse
+  - Password Filter DLL
+  - Computer Account Takeover
+
+- **Kill Chain Visualization**: Interactive Plotly diagrams showing attack progression through:
+  - Reconnaissance
+  - Initial Access
+  - Execution
+  - Persistence
+  - Privilege Escalation
+  - Lateral Movement
+  - Exfiltration
+
+- **Bilingual Support**: Full English and French language support for all content
+
+- **MITRE ATT&CK Integration**: Mapping of each attack to official MITRE ATT&CK techniques
+
+- **Detection & Defense**: Practical detection methods and security recommendations for each attack
+
+- **Tool Information**: Lists of both offensive and defensive tools for each technique
+
+## Resources
+
+### Top 10 Attacks
+- [Top 10 Attaques Active Directory](https://ayinedjimi-consultants.fr/top-10-attaques-active-directory.html)
+
+### Detailed Attack Guides
+- [Golden Ticket - Attaque & Défense](https://ayinedjimi-consultants.fr/attaques_active-directory/golden-ticket-attaque-defense.html)
+- [DCSync - Attaque & Défense](https://ayinedjimi-consultants.fr/attaques_active-directory/dcsync-attaque-defense.html)
+- [Kerberoasting - Attaque & Défense](https://ayinedjimi-consultants.fr/attaques_active-directory/kerberoasting-attaque-defense.html)
+- [Pass-the-Hash - Attaque & Défense](https://ayinedjimi-consultants.fr/attaques_active-directory/pass-the-hash-attaque-defense.html)
+- [Pass-the-Ticket - Attaque & Défense](https://ayinedjimi-consultants.fr/attaques_active-directory/pass-the-ticket-attaque-defense.html)
+- [Skeleton Key - Attaque & Défense](https://ayinedjimi-consultants.fr/attaques_active-directory/skeleton-key-attaque-defense.html)
+- [DCShadow - Attaque & Défense](https://ayinedjimi-consultants.fr/attaques_active-directory/dcshadow-attaque-defense.html)
+- [Silver Ticket - Attaque & Défense](https://ayinedjimi-consultants.fr/attaques_active-directory/silver-ticket-attaque-defense.html)
+- [AD CS/Certificats - Attaque & Défense](https://ayinedjimi-consultants.fr/attaques_active-directory/adcs-certificats-attaque-defense.html)
+
+### Security Guides & Tools
+- [Cluster Active Directory Hub](https://ayinedjimi-consultants.fr/cluster-active-directory-hub.html)
+- [Livre Blanc - Sécurité Active Directory](https://ayinedjimi-consultants.fr/livre-blanc-securite-active-directory.html)
+- [Guide de Sécurisation Active Directory 2025](https://ayinedjimi-consultants.fr/guide-securisation-active-directory-2025.html)
+- [Top 10 Outils d'Audit Active Directory 2025](https://ayinedjimi-consultants.fr/top-10-outils-audit-active-directory-2025.html)
+- [Top 5 Outils d'Audit Active Directory](https://ayinedjimi-consultants.fr/top-5-outils-audit-active-directory.html)
+
+## How to Use
+
+1. Select your preferred language (English or Français)
+2. Choose an attack from the dropdown menu
+3. Review the kill chain visualization showing attack phases
+4. Study the description and MITRE ATT&CK mapping
+5. Learn about detection methods and defense recommendations
+6. Explore the tools used for both offense and defense
+7. Visit the Resources tab for deep-dive guides and additional learning materials
+
+## About the Creator
+
+Created by [AYI-NEDJIMI Consultants](https://ayinedjimi-consultants.fr/bio.html) - Cybersecurity expertise and Active Directory security solutions.
+
+## License
+
+Apache License 2.0
+
+## Technologies
+
+- **Gradio 4.44.0**: Interactive web interface
+- **Plotly**: Interactive kill chain visualizations
+- **Python 3.10**: Core application logic

app.py

@@ -0,0 +1,1116 @@
+import gradio as gr
+import plotly.graph_objects as go
+import plotly.express as px
+from typing import Tuple
+
+# Attack Data Dictionary
+ATTACKS_DATA = {
+    "Golden Ticket": {
+        "en": {
+            "description": "Forges a Kerberos Ticket Granting Ticket (TGT) using the KRBTGT account hash. Allows attackers to create valid authentication tickets without needing the legitimate account credentials.",
+            "mitre": "T1558.001",
+            "kill_chain": ["Recon", "Persistence", "Privilege Escalation", "Lateral Movement"],
+            "detection": [
+                "Monitor for unusual TGT requests",
+                "Detect logon events without corresponding network logons",
+                "Alert on KRBTGT hash changes",
+                "Monitor Event ID 4768 (Kerberos TGT requested)"
+            ],
+            "defense": [
+                "Reset KRBTGT password twice",
+                "Enable Kerberos armoring",
+                "Monitor and restrict DC access",
+                "Implement strong audit policies",
+                "Use Kerberos pre-authentication"
+            ],
+            "tools": {
+                "offensive": ["Mimikatz", "Rubeus", "kekeo"],
+                "defensive": ["Splunk", "ELK Stack", "Windows Defender", "CrowdStrike"]
+            }
+        },
+        "fr": {
+            "description": "Forge un ticket Kerberos TGT en utilisant le hash du compte KRBTGT. Permet aux attaquants de créer des tickets d'authentification valides sans avoir besoin des identifiants du compte légitime.",
+            "mitre": "T1558.001",
+            "kill_chain": ["Recon", "Persistence", "Privilege Escalation", "Lateral Movement"],
+            "detection": [
+                "Surveiller les demandes TGT inhabituelles",
+                "Détecter les événements de connexion sans logons réseau correspondants",
+                "Alerter sur les modifications du hash KRBTGT",
+                "Surveiller Event ID 4768 (Kerberos TGT demandé)"
+            ],
+            "defense": [
+                "Réinitialiser le mot de passe KRBTGT deux fois",
+                "Activer l'armure Kerberos",
+                "Surveiller et restreindre l'accès DC",
+                "Implémenter des politiques d'audit robustes",
+                "Utiliser la pré-authentification Kerberos"
+            ],
+            "tools": {
+                "offensive": ["Mimikatz", "Rubeus", "kekeo"],
+                "defensive": ["Splunk", "ELK Stack", "Windows Defender", "CrowdStrike"]
+            }
+        }
+    },
+    "DCSync": {
+        "en": {
+            "description": "Uses the Directory Replication Service (DRS) protocol to replicate AD database contents. Attackers with replication permissions can extract password hashes from the domain controller.",
+            "mitre": "T1033",
+            "kill_chain": ["Recon", "Lateral Movement", "Exfiltration"],
+            "detection": [
+                "Monitor DRS (Directory Replication Service) requests",
+                "Alert on DS-Replication-Get-Changes operations",
+                "Monitor Event ID 4662 (Object accessed)",
+                "Track logons with replication permissions"
+            ],
+            "defense": [
+                "Restrict replication permissions",
+                "Monitor and audit DRS requests",
+                "Implement least privilege access",
+                "Use RBAC for sensitive operations",
+                "Enable object access auditing"
+            ],
+            "tools": {
+                "offensive": ["Mimikatz", "secretsdump.py", "BloodHound"],
+                "defensive": ["Splunk", "ELK Stack", "Microsoft Defender for Identity"]
+            }
+        },
+        "fr": {
+            "description": "Utilise le protocole DRS (Directory Replication Service) pour répliquer le contenu de la base de données AD. Les attaquants disposant de permissions de réplication peuvent extraire les hashes de mot de passe du contrôleur de domaine.",
+            "mitre": "T1033",
+            "kill_chain": ["Recon", "Lateral Movement", "Exfiltration"],
+            "detection": [
+                "Surveiller les demandes DRS (Directory Replication Service)",
+                "Alerter sur les opérations DS-Replication-Get-Changes",
+                "Surveiller Event ID 4662 (Objet accédé)",
+                "Suivre les connexions avec permissions de réplication"
+            ],
+            "defense": [
+                "Restreindre les permissions de réplication",
+                "Surveiller et auditer les demandes DRS",
+                "Implémenter l'accès au moindre privilège",
+                "Utiliser RBAC pour les opérations sensibles",
+                "Activer l'audit d'accès aux objets"
+            ],
+            "tools": {
+                "offensive": ["Mimikatz", "secretsdump.py", "BloodHound"],
+                "defensive": ["Splunk", "ELK Stack", "Microsoft Defender for Identity"]
+            }
+        }
+    },
+    "Kerberoasting": {
+        "en": {
+            "description": "Requests Kerberos Service Tickets (TGS) for Service Principal Names (SPNs) and cracks the session key offline. Targets service accounts that don't use managed passwords.",
+            "mitre": "T1558.003",
+            "kill_chain": ["Recon", "Execution"],
+            "detection": [
+                "Monitor for mass TGS requests (Event ID 4769)",
+                "Detect TGS tickets with weak encryption",
+                "Alert on SPN enumeration",
+                "Monitor Kerberos ticket requests patterns"
+            ],
+            "defense": [
+                "Use Managed Service Accounts (MSA)",
+                "Implement strong password policies for service accounts",
+                "Enable Kerberos pre-authentication",
+                "Use Group Managed Service Accounts (gMSA)",
+                "Monitor TGS request patterns"
+            ],
+            "tools": {
+                "offensive": ["Rubeus", "GetUserSPNs.py", "hashcat"],
+                "defensive": ["Splunk", "Microsoft Defender for Identity", "Nessus"]
+            }
+        },
+        "fr": {
+            "description": "Demande des tickets de service Kerberos (TGS) pour les noms de principal de service (SPN) et déchiffre la clé de session hors ligne. Cible les comptes de service qui n'utilisent pas de mots de passe gérés.",
+            "mitre": "T1558.003",
+            "kill_chain": ["Recon", "Execution"],
+            "detection": [
+                "Surveiller les demandes TGS massives (Event ID 4769)",
+                "Détecter les tickets TGS avec chiffrement faible",
+                "Alerter sur l'énumération SPN",
+                "Surveiller les modèles de demandes de tickets Kerberos"
+            ],
+            "defense": [
+                "Utiliser les comptes de service gérés (MSA)",
+                "Implémenter des politiques de mot de passe robustes pour les comptes de service",
+                "Activer la pré-authentification Kerberos",
+                "Utiliser des comptes de service gérés par groupe (gMSA)",
+                "Surveiller les modèles de demandes TGS"
+            ],
+            "tools": {
+                "offensive": ["Rubeus", "GetUserSPNs.py", "hashcat"],
+                "defensive": ["Splunk", "Microsoft Defender for Identity", "Nessus"]
+            }
+        }
+    },
+    "AS-REP Roasting": {
+        "en": {
+            "description": "Requests Kerberos Authentication Server (AS-REP) responses for accounts with pre-authentication disabled. The response contains encrypted password information crackable offline.",
+            "mitre": "T1558.004",
+            "kill_chain": ["Recon", "Execution"],
+            "detection": [
+                "Monitor Event ID 4768 (Kerberos TGT requested) for AS-REP responses",
+                "Alert on accounts with pre-auth disabled",
+                "Monitor KDC responses without pre-authentication",
+                "Track accounts requiring encryption"
+            ],
+            "defense": [
+                "Enable Kerberos pre-authentication for all users",
+                "Regularly audit pre-authentication settings",
+                "Disable accounts that don't require pre-auth",
+                "Implement Group Policy for pre-auth enforcement",
+                "Monitor policy compliance"
+            ],
+            "tools": {
+                "offensive": ["Rubeus", "GetNPUsers.py", "hashcat"],
+                "defensive": ["Microsoft Defender for Identity", "Splunk", "BloodHound"]
+            }
+        },
+        "fr": {
+            "description": "Demande des réponses du serveur d'authentification Kerberos (AS-REP) pour les comptes avec pré-authentification désactivée. La réponse contient des informations de mot de passe chiffrées crackables hors ligne.",
+            "mitre": "T1558.004",
+            "kill_chain": ["Recon", "Execution"],
+            "detection": [
+                "Surveiller Event ID 4768 (Kerberos TGT demandé) pour les réponses AS-REP",
+                "Alerter sur les comptes avec pré-auth désactivé",
+                "Surveiller les réponses KDC sans pré-authentification",
+                "Suivre les comptes nécessitant un chiffrement"
+            ],
+            "defense": [
+                "Activer la pré-authentification Kerberos pour tous les utilisateurs",
+                "Auditer régulièrement les paramètres de pré-authentification",
+                "Désactiver les comptes qui ne nécessitent pas de pré-auth",
+                "Implémenter la stratégie de groupe pour l'application de la pré-auth",
+                "Surveiller la conformité de la politique"
+            ],
+            "tools": {
+                "offensive": ["Rubeus", "GetNPUsers.py", "hashcat"],
+                "defensive": ["Microsoft Defender for Identity", "Splunk", "BloodHound"]
+            }
+        }
+    },
+    "Pass-the-Hash": {
+        "en": {
+            "description": "Uses captured NTLM hashes to authenticate without knowing the plaintext password. The hash acts as proof of authentication over the network.",
+            "mitre": "T1550.002",
+            "kill_chain": ["Execution", "Lateral Movement"],
+            "detection": [
+                "Monitor for logon events without interactive login",
+                "Detect NTLM authentication from unusual sources",
+                "Alert on credential access patterns",
+                "Monitor Event ID 4624 (Successful logon) for unusual sources"
+            ],
+            "defense": [
+                "Disable NTLM protocol (use Kerberos)",
+                "Implement NTLMv2 authentication",
+                "Enable MFA for critical accounts",
+                "Monitor credential access",
+                "Use Windows Defender Credential Guard"
+            ],
+            "tools": {
+                "offensive": ["Mimikatz", "PsExec", "CrackMapExec"],
+                "defensive": ["Microsoft Defender for Identity", "Splunk", "Windows Defender"]
+            }
+        },
+        "fr": {
+            "description": "Utilise les hashes NTLM capturés pour s'authentifier sans connaître le mot de passe en clair. Le hash sert de preuve d'authentification sur le réseau.",
+            "mitre": "T1550.002",
+            "kill_chain": ["Execution", "Lateral Movement"],
+            "detection": [
+                "Surveiller les événements de connexion sans connexion interactive",
+                "Détecter l'authentification NTLM à partir de sources inhabituelles",
+                "Alerter sur les modèles d'accès aux identifiants",
+                "Surveiller Event ID 4624 (Connexion réussie) pour les sources inhabituelles"
+            ],
+            "defense": [
+                "Désactiver le protocole NTLM (utiliser Kerberos)",
+                "Implémenter l'authentification NTLMv2",
+                "Activer l'AMF pour les comptes critiques",
+                "Surveiller l'accès aux identifiants",
+                "Utiliser Windows Defender Credential Guard"
+            ],
+            "tools": {
+                "offensive": ["Mimikatz", "PsExec", "CrackMapExec"],
+                "defensive": ["Microsoft Defender for Identity", "Splunk", "Windows Defender"]
+            }
+        }
+    },
+    "Pass-the-Ticket": {
+        "en": {
+            "description": "Uses captured Kerberos tickets to access resources without credentials. Stolen TGT or TGS tickets can be injected into new sessions.",
+            "mitre": "T1550.003",
+            "kill_chain": ["Execution", "Lateral Movement"],
+            "detection": [
+                "Monitor for ticket usage by unexpected users",
+                "Alert on ticket injection attempts",
+                "Monitor Kerberos ticket reuse",
+                "Track Event ID 4769 (Kerberos TGS issued) anomalies"
+            ],
+            "defense": [
+                "Enable Kerberos armoring",
+                "Use ticket encryption",
+                "Implement short ticket lifetimes",
+                "Monitor ticket issuance and usage",
+                "Enable detailed Kerberos auditing"
+            ],
+            "tools": {
+                "offensive": ["Mimikatz", "Rubeus", "Kekeo"],
+                "defensive": ["Microsoft Defender for Identity", "Splunk", "ELK Stack"]
+            }
+        },
+        "fr": {
+            "description": "Utilise les tickets Kerberos capturés pour accéder aux ressources sans identifiants. Les tickets TGT ou TGS volés peuvent être injectés dans de nouvelles sessions.",
+            "mitre": "T1550.003",
+            "kill_chain": ["Execution", "Lateral Movement"],
+            "detection": [
+                "Surveiller l'utilisation du ticket par des utilisateurs inattendus",
+                "Alerter sur les tentatives d'injection de ticket",
+                "Surveiller la réutilisation des tickets Kerberos",
+                "Suivre les anomalies Event ID 4769 (Kerberos TGS émis)"
+            ],
+            "defense": [
+                "Activer l'armure Kerberos",
+                "Utiliser le chiffrement des tickets",
+                "Implémenter des durées de vie de ticket courtes",
+                "Surveiller l'émission et l'utilisation des tickets",
+                "Activer l'audit Kerberos détaillé"
+            ],
+            "tools": {
+                "offensive": ["Mimikatz", "Rubeus", "Kekeo"],
+                "defensive": ["Microsoft Defender for Identity", "Splunk", "ELK Stack"]
+            }
+        }
+    },
+    "Skeleton Key": {
+        "en": {
+            "description": "Injects a master password into the Domain Controller's LSASS memory. Allows authentication to any account in the domain using the injected password.",
+            "mitre": "T1556",
+            "kill_chain": ["Persistence", "Privilege Escalation"],
+            "detection": [
+                "Monitor LSASS process access and modification",
+                "Alert on Skeleton Key installation attempts",
+                "Monitor Event ID 4675 (Pre-authentication tickets were requested)",
+                "Detect unusual DC memory access patterns"
+            ],
+            "defense": [
+                "Protect LSASS memory (Credential Guard)",
+                "Monitor DC process access",
+                "Enable kernel-mode code signing",
+                "Use Windows Defender for LSASS protection",
+                "Implement strict DC access controls"
+            ],
+            "tools": {
+                "offensive": ["Mimikatz", "PowerShell"],
+                "defensive": ["Windows Defender", "Splunk", "Microsoft Defender for Identity"]
+            }
+        },
+        "fr": {
+            "description": "Injecte un mot de passe maître dans la mémoire LSASS du contrôleur de domaine. Permet l'authentification à n'importe quel compte du domaine en utilisant le mot de passe injecté.",
+            "mitre": "T1556",
+            "kill_chain": ["Persistence", "Privilege Escalation"],
+            "detection": [
+                "Surveiller l'accès et la modification du processus LSASS",
+                "Alerter sur les tentatives d'installation de clé de squelette",
+                "Surveiller Event ID 4675 (Tickets de pré-authentification demandés)",
+                "Détecter les modèles d'accès à la mémoire DC inhabituels"
+            ],
+            "defense": [
+                "Protéger la mémoire LSASS (Credential Guard)",
+                "Surveiller l'accès au processus DC",
+                "Activer la signature du code en mode noyau",
+                "Utiliser Windows Defender pour la protection LSASS",
+                "Implémenter des contrôles d'accès DC stricts"
+            ],
+            "tools": {
+                "offensive": ["Mimikatz", "PowerShell"],
+                "defensive": ["Windows Defender", "Splunk", "Microsoft Defender for Identity"]
+            }
+        }
+    },
+    "DCShadow": {
+        "en": {
+            "description": "Creates a rogue Domain Controller that replicates AD changes without detection. Allows attackers to modify any AD object or create backdoor accounts.",
+            "mitre": "T1207",
+            "kill_chain": ["Persistence", "Privilege Escalation", "Lateral Movement"],
+            "detection": [
+                "Monitor for unauthorized DC registration",
+                "Alert on DRS replication from unknown sources",
+                "Monitor Event ID 4742 (Computer object changed)",
+                "Track DC discovery events"
+            ],
+            "defense": [
+                "Restrict DC registration privileges",
+                "Monitor DRS traffic and sources",
+                "Implement network segmentation for DCs",
+                "Use DNSSEC for DC discovery",
+                "Monitor SRV record changes"
+            ],
+            "tools": {
+                "offensive": ["Mimikatz", "DCShadow"],
+                "defensive": ["Microsoft Defender for Identity", "Splunk", "NetworkNTA"]
+            }
+        },
+        "fr": {
+            "description": "Crée un contrôleur de domaine voyou qui réplique les modifications AD sans détection. Permet aux attaquants de modifier n'importe quel objet AD ou de créer des comptes de porte dérobée.",
+            "mitre": "T1207",
+            "kill_chain": ["Persistence", "Privilege Escalation", "Lateral Movement"],
+            "detection": [
+                "Surveiller l'enregistrement non autorisé de DC",
+                "Alerter sur la réplication DRS à partir de sources inconnues",
+                "Surveiller Event ID 4742 (Objet ordinateur modifié)",
+                "Suivre les événements de découverte DC"
+            ],
+            "defense": [
+                "Restreindre les privilèges d'enregistrement DC",
+                "Surveiller le trafic et les sources DRS",
+                "Implémenter la segmentation réseau pour les DC",
+                "Utiliser DNSSEC pour la découverte DC",
+                "Surveiller les modifications d'enregistrements SRV"
+            ],
+            "tools": {
+                "offensive": ["Mimikatz", "DCShadow"],
+                "defensive": ["Microsoft Defender for Identity", "Splunk", "NetworkNTA"]
+            }
+        }
+    },
+    "Silver Ticket": {
+        "en": {
+            "description": "Forges Kerberos Service Tickets (TGS) using a service account's NTLM hash. Provides direct access to services without needing legitimate credentials.",
+            "mitre": "T1558.002",
+            "kill_chain": ["Execution", "Lateral Movement"],
+            "detection": [
+                "Monitor for forged TGS tickets",
+                "Alert on service account hash compromise",
+                "Monitor Event ID 4624 (Successful logon) to services",
+                "Track unusual service access patterns"
+            ],
+            "defense": [
+                "Protect service account hashes",
+                "Monitor service account usage",
+                "Implement Kerberos pre-authentication",
+                "Use strong encryption for service accounts",
+                "Enable detailed service access auditing"
+            ],
+            "tools": {
+                "offensive": ["Mimikatz", "Rubeus"],
+                "defensive": ["Microsoft Defender for Identity", "Splunk", "CrowdStrike"]
+            }
+        },
+        "fr": {
+            "description": "Forge des tickets de service Kerberos (TGS) en utilisant le hash NTLM d'un compte de service. Fournit un accès direct aux services sans avoir besoin d'identifiants légitimes.",
+            "mitre": "T1558.002",
+            "kill_chain": ["Execution", "Lateral Movement"],
+            "detection": [
+                "Surveiller les tickets TGS forgés",
+                "Alerter sur la compromission du hash du compte de service",
+                "Surveiller Event ID 4624 (Connexion réussie) aux services",
+                "Suivre les modèles d'accès aux services inhabituels"
+            ],
+            "defense": [
+                "Protéger les hashes des comptes de service",
+                "Surveiller l'utilisation du compte de service",
+                "Implémenter la pré-authentification Kerberos",
+                "Utiliser le chiffrement fort pour les comptes de service",
+                "Activer l'audit d'accès au service détaillé"
+            ],
+            "tools": {
+                "offensive": ["Mimikatz", "Rubeus"],
+                "defensive": ["Microsoft Defender for Identity", "Splunk", "CrowdStrike"]
+            }
+        }
+    },
+    "AD CS/Certificates": {
+        "en": {
+            "description": "Exploits misconfigurations in Active Directory Certificate Services to issue fraudulent certificates for domain controllers or privileged accounts.",
+            "mitre": "T1649",
+            "kill_chain": ["Execution", "Privilege Escalation", "Lateral Movement"],
+            "detection": [
+                "Monitor certificate issuance requests",
+                "Alert on suspicious certificate templates",
+                "Monitor Event ID 4887 (Certificate enrollment operation completed)",
+                "Track certificate authority access"
+            ],
+            "defense": [
+                "Audit and harden certificate templates",
+                "Restrict certificate enrollment permissions",
+                "Monitor certificate issuance patterns",
+                "Implement certificate pinning",
+                "Use CRL checking and OCSP"
+            ],
+            "tools": {
+                "offensive": ["Certify", "Certipy"],
+                "defensive": ["Microsoft Defender for Identity", "Splunk", "Nessus"]
+            }
+        },
+        "fr": {
+            "description": "Exploite les mauvaises configurations des services de certificats Active Directory pour émettre des certificats frauduleux pour les contrôleurs de domaine ou les comptes privilégiés.",
+            "mitre": "T1649",
+            "kill_chain": ["Execution", "Privilege Escalation", "Lateral Movement"],
+            "detection": [
+                "Surveiller les demandes d'émission de certificats",
+                "Alerter sur les modèles de certificats suspects",
+                "Surveiller Event ID 4887 (Opération d'inscription de certificat terminée)",
+                "Suivre l'accès à l'autorité de certification"
+            ],
+            "defense": [
+                "Auditer et renforcer les modèles de certificats",
+                "Restreindre les permissions d'inscription de certificats",
+                "Surveiller les modèles d'émission de certificats",
+                "Implémenter l'épinglage de certificat",
+                "Utiliser la vérification CRL et OCSP"
+            ],
+            "tools": {
+                "offensive": ["Certify", "Certipy"],
+                "defensive": ["Microsoft Defender for Identity", "Splunk", "Nessus"]
+            }
+        }
+    },
+    "AdminSDHolder": {
+        "en": {
+            "description": "Manipulates the AdminSDHolder object ACL to add persistent backdoor permissions on privileged groups. Changes are replicated across the domain.",
+            "mitre": "T1548.004",
+            "kill_chain": ["Persistence", "Privilege Escalation"],
+            "detection": [
+                "Monitor AdminSDHolder ACL changes",
+                "Alert on unexpected permission additions",
+                "Monitor Event ID 4670 (Permissions changed on object)",
+                "Track privileged group membership changes"
+            ],
+            "defense": [
+                "Protect AdminSDHolder from modifications",
+                "Monitor AdminSDHolder ACL regularly",
+                "Restrict permissions on AdminSDHolder",
+                "Implement Group Policy for ACL enforcement",
+                "Enable detailed ACL auditing"
+            ],
+            "tools": {
+                "offensive": ["Mimikatz", "PowerShell", "BloodHound"],
+                "defensive": ["Microsoft Defender for Identity", "Splunk", "ADExplorer"]
+            }
+        },
+        "fr": {
+            "description": "Manipule l'ACL de l'objet AdminSDHolder pour ajouter des permissions de porte dérobée persistantes sur les groupes privilégiés. Les modifications sont répliquées dans tout le domaine.",
+            "mitre": "T1548.004",
+            "kill_chain": ["Persistence", "Privilege Escalation"],
+            "detection": [
+                "Surveiller les modifications ACL AdminSDHolder",
+                "Alerter sur les ajouts de permissions inattendus",
+                "Surveiller Event ID 4670 (Permissions modifiées sur objet)",
+                "Suivre les modifications d'appartenance aux groupes privilégiés"
+            ],
+            "defense": [
+                "Protéger AdminSDHolder des modifications",
+                "Surveiller régulièrement l'ACL AdminSDHolder",
+                "Restreindre les permissions sur AdminSDHolder",
+                "Implémenter Group Policy pour l'application ACL",
+                "Activer l'audit ACL détaillé"
+            ],
+            "tools": {
+                "offensive": ["Mimikatz", "PowerShell", "BloodHound"],
+                "defensive": ["Microsoft Defender for Identity", "Splunk", "ADExplorer"]
+            }
+        }
+    },
+    "ACL Abuse": {
+        "en": {
+            "description": "Exploits weak or overly permissive Access Control Lists (ACLs) to modify AD objects, reset passwords, or escalate privileges without proper authorization.",
+            "mitre": "T1098",
+            "kill_chain": ["Persistence", "Privilege Escalation"],
+            "detection": [
+                "Monitor ACL modifications on critical objects",
+                "Alert on suspicious permission assignments",
+                "Monitor Event ID 4670 (Permissions on object changed)",
+                "Track write access to sensitive attributes"
+            ],
+            "defense": [
+                "Implement least privilege ACLs",
+                "Regularly audit AD object permissions",
+                "Use Access Control Review tools",
+                "Implement role-based access controls",
+                "Enable detailed ACL auditing"
+            ],
+            "tools": {
+                "offensive": ["BloodHound", "PowerShell", "ADSI"],
+                "defensive": ["Microsoft Defender for Identity", "Splunk", "AdExplorer"]
+            }
+        },
+        "fr": {
+            "description": "Exploite les listes de contrôle d'accès (ACL) faibles ou trop permissives pour modifier les objets AD, réinitialiser les mots de passe ou escalader les privilèges sans autorisation appropriée.",
+            "mitre": "T1098",
+            "kill_chain": ["Persistence", "Privilege Escalation"],
+            "detection": [
+                "Surveiller les modifications ACL sur les objets critiques",
+                "Alerter sur les attributions d'autorisations suspectes",
+                "Surveiller Event ID 4670 (Permissions sur objet modifiées)",
+                "Suivre l'accès en écriture aux attributs sensibles"
+            ],
+            "defense": [
+                "Implémenter les ACL au moindre privilège",
+                "Auditer régulièrement les permissions des objets AD",
+                "Utiliser les outils d'examen du contrôle d'accès",
+                "Implémenter des contrôles d'accès basés sur les rôles",
+                "Activer l'audit ACL détaillé"
+            ],
+            "tools": {
+                "offensive": ["BloodHound", "PowerShell", "ADSI"],
+                "defensive": ["Microsoft Defender for Identity", "Splunk", "AdExplorer"]
+            }
+        }
+    },
+    "NTLM Relay": {
+        "en": {
+            "description": "Captures NTLM authentication attempts and relays them to other systems. Allows lateral movement by impersonating authenticated users without knowing passwords.",
+            "mitre": "T1557.002",
+            "kill_chain": ["Execution", "Lateral Movement"],
+            "detection": [
+                "Monitor for suspicious NTLM relay patterns",
+                "Alert on unexpected authentication sources",
+                "Monitor Event ID 4627 (Membership changes in security-sensitive groups)",
+                "Track unusual credential usage"
+            ],
+            "defense": [
+                "Disable NTLM (use Kerberos only)",
+                "Implement SMB signing",
+                "Enable Extended Protection for Authentication (EPA)",
+                "Use MFA for critical services",
+                "Monitor NTLM authentication patterns"
+            ],
+            "tools": {
+                "offensive": ["Responder", "ntlmrelayx", "Inveigh"],
+                "defensive": ["Microsoft Defender for Identity", "Splunk", "Zeek"]
+            }
+        },
+        "fr": {
+            "description": "Capture les tentatives d'authentification NTLM et les relaye vers d'autres systèmes. Permet le mouvement latéral en usurpant l'identité des utilisateurs authentifiés sans connaître les mots de passe.",
+            "mitre": "T1557.002",
+            "kill_chain": ["Execution", "Lateral Movement"],
+            "detection": [
+                "Surveiller les modèles de relais NTLM suspects",
+                "Alerter sur les sources d'authentification inattendues",
+                "Surveiller Event ID 4627 (Modifications d'appartenance dans les groupes sensibles)",
+                "Suivre l'utilisation d'identifiants inhabituels"
+            ],
+            "defense": [
+                "Désactiver NTLM (utiliser uniquement Kerberos)",
+                "Implémenter la signature SMB",
+                "Activer la protection étendue pour l'authentification (EPA)",
+                "Utiliser l'AMF pour les services critiques",
+                "Surveiller les modèles d'authentification NTLM"
+            ],
+            "tools": {
+                "offensive": ["Responder", "ntlmrelayx", "Inveigh"],
+                "defensive": ["Microsoft Defender for Identity", "Splunk", "Zeek"]
+            }
+        }
+    },
+    "SIDHistory Injection": {
+        "en": {
+            "description": "Injects fraudulent SIDHistory attributes into user objects to inherit permissions from other groups. Useful for creating persistent backdoors across domain boundaries.",
+            "mitre": "T1134.005",
+            "kill_chain": ["Persistence", "Privilege Escalation", "Lateral Movement"],
+            "detection": [
+                "Monitor SIDHistory attribute modifications",
+                "Alert on unexpected SID additions",
+                "Monitor Event ID 4738 (User object changed)",
+                "Track privilege escalations via SIDHistory"
+            ],
+            "defense": [
+                "Restrict SIDHistory modifications",
+                "Audit SIDHistory attributes regularly",
+                "Monitor cross-forest trusts",
+                "Implement least privilege SIDHistory",
+                "Enable detailed AD auditing"
+            ],
+            "tools": {
+                "offensive": ["Mimikatz", "PowerShell", "BloodHound"],
+                "defensive": ["Microsoft Defender for Identity", "Splunk", "AdExplorer"]
+            }
+        },
+        "fr": {
+            "description": "Injecte des attributs SIDHistory frauduleux dans les objets utilisateur pour hériter des permissions d'autres groupes. Utile pour créer des portes dérobées persistantes entre les limites du domaine.",
+            "mitre": "T1134.005",
+            "kill_chain": ["Persistence", "Privilege Escalation", "Lateral Movement"],
+            "detection": [
+                "Surveiller les modifications d'attribut SIDHistory",
+                "Alerter sur les ajouts de SID inattendus",
+                "Surveiller Event ID 4738 (Objet utilisateur modifié)",
+                "Suivre les escalades de privilèges via SIDHistory"
+            ],
+            "defense": [
+                "Restreindre les modifications SIDHistory",
+                "Auditer régulièrement les attributs SIDHistory",
+                "Surveiller les approbations entre forêts",
+                "Implémenter le SIDHistory au moindre privilège",
+                "Activer l'audit AD détaillé"
+            ],
+            "tools": {
+                "offensive": ["Mimikatz", "PowerShell", "BloodHound"],
+                "defensive": ["Microsoft Defender for Identity", "Splunk", "AdExplorer"]
+            }
+        }
+    },
+    "RBCD Abuse": {
+        "en": {
+            "description": "Exploits Resource-Based Constrained Delegation (RBCD) to impersonate any user and gain access to target resources. Works on computer accounts with delegation rights.",
+            "mitre": "T1548.004",
+            "kill_chain": ["Persistence", "Privilege Escalation", "Lateral Movement"],
+            "detection": [
+                "Monitor msDS-AllowedToActOnBehalfOfOtherIdentity changes",
+                "Alert on unusual delegation configurations",
+                "Monitor Event ID 4662 (Object accessed)",
+                "Track service ticket requests for delegation"
+            ],
+            "defense": [
+                "Limit RBCD delegation rights",
+                "Monitor delegation attribute changes",
+                "Restrict computer account privileges",
+                "Implement least privilege delegation",
+                "Enable detailed auditing of delegation"
+            ],
+            "tools": {
+                "offensive": ["Rubeus", "BloodHound", "PowerShell"],
+                "defensive": ["Microsoft Defender for Identity", "Splunk", "ADExplorer"]
+            }
+        },
+        "fr": {
+            "description": "Exploite la délégation contrainte basée sur les ressources (RBCD) pour usurper l'identité de n'importe quel utilisateur et accéder aux ressources cibles. Fonctionne sur les comptes d'ordinateur avec droits de délégation.",
+            "mitre": "T1548.004",
+            "kill_chain": ["Persistence", "Privilege Escalation", "Lateral Movement"],
+            "detection": [
+                "Surveiller les modifications msDS-AllowedToActOnBehalfOfOtherIdentity",
+                "Alerter sur les configurations de délégation inhabituelles",
+                "Surveiller Event ID 4662 (Objet accédé)",
+                "Suivre les demandes de tickets de service pour délégation"
+            ],
+            "defense": [
+                "Limiter les droits de délégation RBCD",
+                "Surveiller les modifications d'attribut de délégation",
+                "Restreindre les privilèges du compte d'ordinateur",
+                "Implémenter la délégation au moindre privilège",
+                "Activer l'audit détaillé de la délégation"
+            ],
+            "tools": {
+                "offensive": ["Rubeus", "BloodHound", "PowerShell"],
+                "defensive": ["Microsoft Defender for Identity", "Splunk", "ADExplorer"]
+            }
+        }
+    },
+    "GPO Abuse": {
+        "en": {
+            "description": "Exploits Group Policy Object (GPO) misconfigurations or takes over GPOs to push malicious policies across the domain. Affects all users and computers in the scope.",
+            "mitre": "T1098.004",
+            "kill_chain": ["Execution", "Persistence"],
+            "detection": [
+                "Monitor GPO creation and modifications",
+                "Alert on unusual policy deployments",
+                "Monitor Group Policy application events",
+                "Track changes to critical GPOs"
+            ],
+            "defense": [
+                "Restrict GPO modification permissions",
+                "Audit GPO changes regularly",
+                "Implement change management for GPOs",
+                "Monitor policy application",
+                "Use GPO versioning and backups"
+            ],
+            "tools": {
+                "offensive": ["BloodHound", "PowerShell", "SharpGPOAbuse"],
+                "defensive": ["Microsoft Defender for Identity", "Splunk", "Group Policy Analyzer"]
+            }
+        },
+        "fr": {
+            "description": "Exploite les mauvaises configurations de Group Policy Object (GPO) ou prend le contrôle des GPO pour pousser des politiques malveillantes dans tout le domaine. Affecte tous les utilisateurs et ordinateurs de la portée.",
+            "mitre": "T1098.004",
+            "kill_chain": ["Execution", "Persistence"],
+            "detection": [
+                "Surveiller la création et les modifications de GPO",
+                "Alerter sur les déploiements de politiques inhabituels",
+                "Surveiller les événements d'application Group Policy",
+                "Suivre les modifications des GPO critiques"
+            ],
+            "defense": [
+                "Restreindre les permissions de modification de GPO",
+                "Auditer régulièrement les modifications de GPO",
+                "Implémenter la gestion des modifications pour les GPO",
+                "Surveiller l'application de la politique",
+                "Utiliser la gestion des versions et les sauvegardes GPO"
+            ],
+            "tools": {
+                "offensive": ["BloodHound", "PowerShell", "SharpGPOAbuse"],
+                "defensive": ["Microsoft Defender for Identity", "Splunk", "Group Policy Analyzer"]
+            }
+        }
+    },
+    "AD FS/SAML": {
+        "en": {
+            "description": "Exploits vulnerabilities in Active Directory Federation Services (AD FS) or SAML trust relationships to forge tokens and gain unauthorized access.",
+            "mitre": "T1528",
+            "kill_chain": ["Initial Access", "Lateral Movement"],
+            "detection": [
+                "Monitor AD FS token requests and issuance",
+                "Alert on suspicious SAML assertions",
+                "Monitor Event ID 411 (AD FS audit events)",
+                "Track token validation failures"
+            ],
+            "defense": [
+                "Harden AD FS configuration",
+                "Implement token signing and encryption",
+                "Monitor AD FS audit logs",
+                "Restrict token lifetime",
+                "Implement MFA for AD FS"
+            ],
+            "tools": {
+                "offensive": ["AADInternals", "TokenTactics", "Custom scripts"],
+                "defensive": ["Microsoft Defender for Identity", "Splunk", "Azure Sentinel"]
+            }
+        },
+        "fr": {
+            "description": "Exploite les vulnérabilités dans Active Directory Federation Services (AD FS) ou les relations de confiance SAML pour forger des jetons et obtenir un accès non autorisé.",
+            "mitre": "T1528",
+            "kill_chain": ["Initial Access", "Lateral Movement"],
+            "detection": [
+                "Surveiller les demandes et l'émission de jetons AD FS",
+                "Alerter sur les assertions SAML suspectes",
+                "Surveiller Event ID 411 (Événements d'audit AD FS)",
+                "Suivre les échecs de validation de jeton"
+            ],
+            "defense": [
+                "Renforcer la configuration AD FS",
+                "Implémenter la signature et le chiffrement de jetons",
+                "Surveiller les journaux d'audit AD FS",
+                "Restreindre la durée de vie des jetons",
+                "Implémenter l'AMF pour AD FS"
+            ],
+            "tools": {
+                "offensive": ["AADInternals", "TokenTactics", "Custom scripts"],
+                "defensive": ["Microsoft Defender for Identity", "Splunk", "Azure Sentinel"]
+            }
+        }
+    },
+    "Forest Trust Abuse": {
+        "en": {
+            "description": "Exploits transitive trusts between forests to move laterally and gain unauthorized access across forest boundaries.",
+            "mitre": "T1199",
+            "kill_chain": ["Lateral Movement"],
+            "detection": [
+                "Monitor inter-forest authentication events",
+                "Alert on unusual trust-based logons",
+                "Monitor Event ID 4706 (New trust established)",
+                "Track cross-forest security group changes"
+            ],
+            "defense": [
+                "Restrict forest trust transitivity",
+                "Monitor forest trust health",
+                "Implement selective authentication",
+                "Audit cross-forest access",
+                "Monitor trust modifications"
+            ],
+            "tools": {
+                "offensive": ["BloodHound", "PowerShell", "Mimikatz"],
+                "defensive": ["Microsoft Defender for Identity", "Splunk", "AD Auditing"]
+            }
+        },
+        "fr": {
+            "description": "Exploite les approbations transitives entre forêts pour se déplacer latéralement et accéder sans autorisation à travers les limites de la forêt.",
+            "mitre": "T1199",
+            "kill_chain": ["Lateral Movement"],
+            "detection": [
+                "Surveiller les événements d'authentification inter-forêts",
+                "Alerter sur les connexions basées sur la confiance inhabituelles",
+                "Surveiller Event ID 4706 (Nouvelle approbation établie)",
+                "Suivre les modifications des groupes de sécurité entre forêts"
+            ],
+            "defense": [
+                "Restreindre la transitivité des approbations forestales",
+                "Surveiller la santé des approbations forestales",
+                "Implémenter l'authentification sélective",
+                "Auditer l'accès entre forêts",
+                "Surveiller les modifications d'approbation"
+            ],
+            "tools": {
+                "offensive": ["BloodHound", "PowerShell", "Mimikatz"],
+                "defensive": ["Microsoft Defender for Identity", "Splunk", "AD Auditing"]
+            }
+        }
+    },
+    "Password Filter DLL": {
+        "en": {
+            "description": "Installs a malicious password filter DLL on domain controllers to intercept and exfiltrate passwords as they are changed.",
+            "mitre": "T1556.001",
+            "kill_chain": ["Persistence", "Credential Access"],
+            "detection": [
+                "Monitor password filter DLL installation",
+                "Alert on suspicious DLL loading on DCs",
+                "Monitor Event ID 4657 (Registry value modified)",
+                "Track DLL file access on DCs"
+            ],
+            "defense": [
+                "Protect password filter registry keys",
+                "Monitor password filter changes",
+                "Implement Code Integrity/Code Signing",
+                "Restrict DLL installation on DCs",
+                "Enable detailed audit logging"
+            ],
+            "tools": {
+                "offensive": ["Mimikatz", "Custom DLLs", "PowerShell"],
+                "defensive": ["Windows Defender", "Splunk", "Autoruns"]
+            }
+        },
+        "fr": {
+            "description": "Installe une DLL de filtre de mot de passe malveillante sur les contrôleurs de domaine pour intercepter et exfiltrer les mots de passe lors de leur modification.",
+            "mitre": "T1556.001",
+            "kill_chain": ["Persistence", "Credential Access"],
+            "detection": [
+                "Surveiller l'installation de DLL de filtre de mot de passe",
+                "Alerter sur le chargement de DLL suspect sur les DC",
+                "Surveiller Event ID 4657 (Valeur de registre modifiée)",
+                "Suivre l'accès aux fichiers DLL sur les DC"
+            ],
+            "defense": [
+                "Protéger les clés de registre du filtre de mot de passe",
+                "Surveiller les modifications du filtre de mot de passe",
+                "Implémenter l'intégrité du code/signature du code",
+                "Restreindre l'installation de DLL sur les DC",
+                "Activer la journalisation d'audit détaillée"
+            ],
+            "tools": {
+                "offensive": ["Mimikatz", "Custom DLLs", "PowerShell"],
+                "defensive": ["Windows Defender", "Splunk", "Autoruns"]
+            }
+        }
+    },
+    "Computer Account Takeover": {
+        "en": {
+            "description": "Compromises a computer account and uses it to gain elevated privileges. Computer accounts can be used for lateral movement and accessing sensitive resources.",
+            "mitre": "T1078.003",
+            "kill_chain": ["Initial Access", "Persistence", "Privilege Escalation"],
+            "detection": [
+                "Monitor computer account password changes",
+                "Alert on computer account logon anomalies",
+                "Monitor Event ID 4741 (Computer object changed)",
+                "Track unusual computer account activities"
+            ],
+            "defense": [
+                "Rotate computer account passwords regularly",
+                "Monitor computer account privilege usage",
+                "Restrict computer account delegation",
+                "Implement strong computer account security",
+                "Monitor for unusual computer account activity"
+            ],
+            "tools": {
+                "offensive": ["Mimikatz", "Rubeus", "PowerShell"],
+                "defensive": ["Microsoft Defender for Identity", "Splunk", "CrowdStrike"]
+            }
+        },
+        "fr": {
+            "description": "Compromet un compte d'ordinateur et l'utilise pour obtenir des privilèges élevés. Les comptes d'ordinateur peuvent être utilisés pour le mouvement latéral et l'accès aux ressources sensibles.",
+            "mitre": "T1078.003",
+            "kill_chain": ["Initial Access", "Persistence", "Privilege Escalation"],
+            "detection": [
+                "Surveiller les modifications de mot de passe du compte d'ordinateur",
+                "Alerter sur les anomalies de connexion du compte d'ordinateur",
+                "Surveiller Event ID 4741 (Objet ordinateur modifié)",
+                "Suivre les activités inhabituelles du compte d'ordinateur"
+            ],
+            "defense": [
+                "Faire pivoter les mots de passe du compte d'ordinateur régulièrement",
+                "Surveiller l'utilisation des privilèges du compte d'ordinateur",
+                "Restreindre la délégation du compte d'ordinateur",
+                "Implémenter la sécurité robuste du compte d'ordinateur",
+                "Surveiller l'activité inhabituelle du compte d'ordinateur"
+            ],
+            "tools": {
+                "offensive": ["Mimikatz", "Rubeus", "PowerShell"],
+                "defensive": ["Microsoft Defender for Identity", "Splunk", "CrowdStrike"]
+            }
+        }
+    }
+}
+
+def create_kill_chain_plot(kill_chain_phases):
+    """Create a Plotly visualization of the kill chain"""
+    phases_order = ["Recon", "Initial Access", "Execution", "Persistence", "Privilege Escalation", "Lateral Movement", "Exfiltration"]
+
+    phase_colors = {
+        "Recon": "#FF6B6B",
+        "Initial Access": "#FF8C42",
+        "Execution": "#FFC857",
+        "Persistence": "#9D84B7",
+        "Privilege Escalation": "#E63946",
+        "Lateral Movement": "#A8DADC",
+        "Exfiltration": "#1D3557"
+    }
+
+    filtered_phases = [p for p in phases_order if p in kill_chain_phases]
+
+    fig = go.Figure()
+
+    y_pos = 0
+    for i, phase in enumerate(filtered_phases):
+        fig.add_trace(go.Scatter(
+            x=[i],
+            y=[0],
+            mode='markers+text',
+            marker=dict(size=40, color=phase_colors.get(phase, "#gray")),
+            text=[phase],
+            textposition="middle center",
+            textfont=dict(color="white", size=12, family="Arial Black"),
+            hovertemplate=f"<b>{phase}</b><extra></extra>",
+            showlegend=False
+        ))
+
+        if i < len(filtered_phases) - 1:
+            fig.add_annotation(
+                x=i + 0.5,
+                y=0,
+                text="→",
+                font=dict(size=24),
+                showarrow=False
+            )
+
+    fig.update_layout(
+        title="Kill Chain Progression",
+        xaxis=dict(showgrid=False, showticklabels=False, zeroline=False),
+        yaxis=dict(showgrid=False, showticklabels=False, zeroline=False),
+        height=300,
+        margin=dict(l=20, r=20, t=50, b=20),
+        hovermode='closest',
+        plot_bgcolor='white'
+    )
+
+    return fig
+
+def create_attack_visualization(attack_name, language):
+    """Create comprehensive attack visualization"""
+    if attack_name not in ATTACKS_DATA:
+        return None, "Attack not found"
+
+    attack = ATTACKS_DATA[attack_name][language]
+
+    description_text = attack["description"]
+    mitre_text = f"MITRE ATT&CK: {attack['mitre']}"
+
+    detection_list = "\n".join([f"• {item}" for item in attack["detection"]])
+    defense_list = "\n".join([f"• {item}" for item in attack["defense"]])
+
+    offensive_tools = ", ".join(attack["tools"]["offensive"])
+    defensive_tools = ", ".join(attack["tools"]["defensive"])
+
+    kill_chain_fig = create_kill_chain_plot(attack["kill_chain"])
+
+    return kill_chain_fig, description_text, mitre_text, detection_list, defense_list, offensive_tools, defensive_tools
+
+def map_language(language_name):
+    """Map language radio value to dictionary key"""
+    return "en" if language_name == "English" else "fr"
+
+def update_content(attack_name, language):
+    """Update all content based on selected attack and language"""
+    if not attack_name:
+        attack_name = "Golden Ticket"
+
+    lang_key = map_language(language)
+    fig, desc, mitre, detect, defense, off_tools, def_tools = create_attack_visualization(attack_name, lang_key)
+
+    return fig, desc, mitre, detect, defense, off_tools, def_tools
+
+with gr.Blocks(title="AD Attack Simulator", theme=gr.themes.Soft(primary_hue="purple", secondary_hue="red")) as demo:
+    gr.Markdown("# AD Attack Simulator - Interactive Kill Chain Visualizer")
+    gr.Markdown("*Comprehensive visualization of Active Directory attack techniques with MITRE ATT&CK mappings*")
+
+    with gr.Row():
+        language = gr.Radio(
+            choices=["English", "Français"],
+            value="English",
+            label="Language / Langue",
+            scale=2
+        )
+
+    with gr.Row():
+        attack_dropdown = gr.Dropdown(
+            choices=list(ATTACKS_DATA.keys()),
+            value="Golden Ticket",
+            label="Select Attack / Sélectionner une attaque",
+            scale=3
+        )
+
+    with gr.Row():
+        plot_output = gr.Plot(label="Kill Chain Visualization", scale=1)
+
+    with gr.Row():
+        description_output = gr.Markdown(label="Description")
+
+    with gr.Row():
+        mitre_output = gr.Markdown(label="MITRE ATT&CK Mapping")
+
+    with gr.Row():
+        with gr.Column(scale=1):
+            gr.Markdown("### Detection Methods")
+            detection_output = gr.Markdown()
+
+        with gr.Column(scale=1):
+            gr.Markdown("### Defense Recommendations")
+            defense_output = gr.Markdown()
+
+    with gr.Row():
+        with gr.Column(scale=1):
+            gr.Markdown("### Offensive Tools")
+            offensive_tools_output = gr.Markdown()
+
+        with gr.Column(scale=1):
+            gr.Markdown("### Defensive Tools")
+            defensive_tools_output = gr.Markdown()
+
+    with gr.Tab("Resources"):
+        resources_content = """
+## AD Attack Resources
+
+### French Resources - AYI-NEDJIMI Consultants
+
+#### Top 10 Attacks
+- [Top 10 Attaques Active Directory](https://ayinedjimi-consultants.fr/top-10-attaques-active-directory.html)
+
+#### Detailed Attack Guides
+- [Golden Ticket - Attaque & Défense](https://ayinedjimi-consultants.fr/attaques_active-directory/golden-ticket-attaque-defense.html)
+- [DCSync - Attaque & Défense](https://ayinedjimi-consultants.fr/attaques_active-directory/dcsync-attaque-defense.html)
+- [Kerberoasting - Attaque & Défense](https://ayinedjimi-consultants.fr/attaques_active-directory/kerberoasting-attaque-defense.html)
+- [Pass-the-Hash - Attaque & Défense](https://ayinedjimi-consultants.fr/attaques_active-directory/pass-the-hash-attaque-defense.html)
+- [Pass-the-Ticket - Attaque & Défense](https://ayinedjimi-consultants.fr/attaques_active-directory/pass-the-ticket-attaque-defense.html)
+- [Skeleton Key - Attaque & Défense](https://ayinedjimi-consultants.fr/attaques_active-directory/skeleton-key-attaque-defense.html)
+- [DCShadow - Attaque & Défense](https://ayinedjimi-consultants.fr/attaques_active-directory/dcshadow-attaque-defense.html)
+- [Silver Ticket - Attaque & Défense](https://ayinedjimi-consultants.fr/attaques_active-directory/silver-ticket-attaque-defense.html)
+- [AD CS/Certificats - Attaque & Défense](https://ayinedjimi-consultants.fr/attaques_active-directory/adcs-certificats-attaque-defense.html)
+
+#### Security Guides & Tools
+- [Cluster Active Directory Hub](https://ayinedjimi-consultants.fr/cluster-active-directory-hub.html)
+- [Livre Blanc - Sécurité Active Directory](https://ayinedjimi-consultants.fr/livre-blanc-securite-active-directory.html)
+- [Guide de Sécurisation Active Directory 2025](https://ayinedjimi-consultants.fr/guide-securisation-active-directory-2025.html)
+- [Top 10 Outils d'Audit Active Directory 2025](https://ayinedjimi-consultants.fr/top-10-outils-audit-active-directory-2025.html)
+- [Top 5 Outils d'Audit Active Directory](https://ayinedjimi-consultants.fr/top-5-outils-audit-active-directory.html)
+
+---
+
+Created by [AYI-NEDJIMI Consultants](https://ayinedjimi-consultants.fr/bio.html)
+"""
+        gr.Markdown(resources_content)
+
+    language.change(
+        fn=update_content,
+        inputs=[attack_dropdown, language],
+        outputs=[plot_output, description_output, mitre_output, detection_output, defense_output, offensive_tools_output, defensive_tools_output]
+    )
+
+    attack_dropdown.change(
+        fn=update_content,
+        inputs=[attack_dropdown, language],
+        outputs=[plot_output, description_output, mitre_output, detection_output, defense_output, offensive_tools_output, defensive_tools_output]
+    )
+
+    demo.load(
+        fn=update_content,
+        inputs=[attack_dropdown, language],
+        outputs=[plot_output, description_output, mitre_output, detection_output, defense_output, offensive_tools_output, defensive_tools_output]
+    )
+
+if __name__ == "__main__":
+    demo.launch()

requirements.txt

@@ -0,0 +1,4 @@
+gradio==4.44.0
+huggingface_hub==0.24.7
+plotly==5.18.0
+pandas==2.1.4