capta1n commited on
Commit
798592a
verified ·
1 Parent(s): 056d336

Add 2 files

Files changed (2) hide show
  1. index.html +381 -494
  2. prompts.txt +2 -1
index.html CHANGED
@@ -3,143 +3,246 @@
3
  <head>
4
  <meta charset="UTF-8">
5
  <meta name="viewport" content="width=device-width, initial-scale=1.0">
6
- <title>Advanced Phishing Attack Kill Chain Visualization</title>
7
  <script src="https://cdn.tailwindcss.com"></script>
8
  <link rel="stylesheet" href="https://cdnjs.cloudflare.com/ajax/libs/font-awesome/6.4.0/css/all.min.css">
9
- <script src="https://unpkg.com/vis-network/standalone/umd/vis-network.min.js"></script>
10
  <style>
11
- #network {
12
- width: 100%;
13
- height: 500px;
14
- border: 1px solid #e5e7eb;
15
- border-radius: 0.5rem;
16
- background-color: #f9fafb;
17
  }
18
- .node-tooltip {
19
- position: absolute;
20
- background: white;
21
- border: 1px solid #e5e7eb;
22
- border-radius: 0.5rem;
23
- padding: 1rem;
24
- box-shadow: 0 4px 6px -1px rgba(0, 0, 0, 0.1);
25
- max-width: 400px;
26
- z-index: 100;
27
- pointer-events: none;
28
- display: none;
 
29
  }
30
- .alert-item {
31
- border-left: 4px solid;
32
- transition: all 0.2s ease;
 
 
 
 
 
 
33
  }
34
- .alert-item:hover {
35
- background-color: #f8fafc;
 
36
  }
37
  .severity-critical {
38
- border-left-color: #ef4444;
 
39
  }
40
  .severity-high {
41
- border-left-color: #f59e0b;
 
42
  }
43
  .severity-emergency {
44
- border-left-color: #dc2626;
45
- }
46
- .node-phishing {
47
- background-color: #fef2f2;
48
- border-color: #fca5a5;
49
- }
50
- .node-execution {
51
- background-color: #fffbeb;
52
- border-color: #fcd34d;
53
  }
54
- .node-c2 {
55
- background-color: #ecfdf5;
56
- border-color: #6ee7b7;
57
  }
58
- .node-lateral {
59
- background-color: #eff6ff;
60
- border-color: #93c5fd;
61
  }
62
- .node-data-theft {
63
- background-color: #f5f3ff;
64
- border-color: #a78bfa;
65
- }
66
- .node-cloud {
67
- background-color: #fce7f3;
68
- border-color: #f9a8d4;
69
  }
70
- .node-exfiltration {
71
- background-color: #fefce8;
72
- border-color: #facc15;
73
  }
74
  </style>
75
  </head>
76
  <body class="bg-gray-50">
77
  <div class="container mx-auto px-4 py-8">
78
- <div class="flex justify-between items-center mb-6">
79
- <div>
80
- <h1 class="text-2xl font-bold text-gray-800">Advanced Phishing Attack Kill Chain</h1>
81
- <p class="text-gray-600">Visualization of the complete attack flow from initial compromise to data exfiltration</p>
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
82
  </div>
83
- <div class="flex space-x-2">
84
- <button id="zoom-in" class="p-2 bg-white rounded-md border border-gray-200 hover:bg-gray-50">
85
- <i class="fas fa-search-plus"></i>
86
- </button>
87
- <button id="zoom-out" class="p-2 bg-white rounded-md border border-gray-200 hover:bg-gray-50">
88
- <i class="fas fa-search-minus"></i>
89
- </button>
90
- <button id="fit-view" class="p-2 bg-white rounded-md border border-gray-200 hover:bg-gray-50">
91
- <i class="fas fa-expand"></i>
92
- </button>
 
 
93
  </div>
94
  </div>
95
 
96
- <div class="grid grid-cols-1 lg:grid-cols-3 gap-6">
97
  <div class="lg:col-span-2">
98
- <div id="network"></div>
99
- </div>
100
-
101
- <div class="bg-white rounded-lg shadow-sm border border-gray-200 p-4">
102
- <div class="flex justify-between items-center mb-4">
103
- <h3 class="font-semibold text-lg">Attack Step Details</h3>
104
- <span id="step-number" class="bg-blue-100 text-blue-800 text-xs font-medium px-2.5 py-0.5 rounded">Step 1</span>
105
- </div>
106
- <div id="node-details" class="space-y-4">
107
- <div>
108
- <h4 class="font-medium text-gray-700 mb-1">Attack Behavior</h4>
109
- <div id="attack-behavior" class="bg-gray-50 p-3 rounded text-sm text-gray-700"></div>
110
- </div>
111
- <div>
112
- <h4 class="font-medium text-gray-700 mb-1">Triggered Defenses</h4>
113
- <div id="triggered-defenses" class="text-sm text-gray-700"></div>
114
  </div>
115
- <div>
116
- <h4 class="font-medium text-gray-700 mb-1">Security Alerts</h4>
117
- <div id="security-alerts" class="space-y-2"></div>
 
 
 
 
 
118
  </div>
119
  </div>
120
  </div>
121
- </div>
122
 
123
- <div class="mt-8 bg-white rounded-lg shadow-sm border border-gray-200 overflow-hidden">
124
- <div class="border-b border-gray-200 px-4 py-3">
125
- <h3 class="font-semibold text-gray-800">Attack Kill Chain Timeline</h3>
126
- </div>
127
- <div class="divide-y divide-gray-200">
128
- <div id="timeline-container" class="divide-y divide-gray-200"></div>
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
129
  </div>
130
  </div>
131
  </div>
132
 
133
- <div id="node-tooltip" class="node-tooltip"></div>
134
-
135
  <script>
136
  // Attack steps data
137
  const attackSteps = [
138
  {
139
  id: 1,
140
- label: "1. Phishing Email",
141
  title: "Phishing Email Delivery",
142
- group: "phishing",
 
143
  behavior: "Forged 'Embrace AI Change' notification email containing malicious file disguised as files.zip",
144
  defenses: "Email Security Gateway",
145
  alerts: [
@@ -148,14 +251,18 @@
148
  message: "Detected spoofed sender email | From: itsupport@fakecompany[.]com → To: victim@corp.com | Contains malicious attachment (SHA256: a1b2c3...) | Identified as Emotet phishing template"
149
  }
150
  ],
151
- x: -300,
152
- y: 0
 
 
 
 
153
  },
154
  {
155
  id: 2,
156
- label: "2. Malware Execution",
157
  title: "Trojan Execution",
158
- group: "execution",
 
159
  behavior: "Victim downloads malicious file triggering PowerShell script that downloads Cobalt Strike DLL and injects into legitimate process",
160
  defenses: "Endpoint Detection & Response (EDR)",
161
  alerts: [
@@ -164,14 +271,18 @@
164
  message: "Suspicious process injection | Process: C:\\Windows\\System32\\explorer.exe → Loaded module: a09xdf.dll | DLL signature invalid and matches known Cobalt Strike signature"
165
  }
166
  ],
167
- x: -150,
168
- y: -100
 
 
 
 
169
  },
170
  {
171
  id: 3,
172
- label: "3. C2 Establishment",
173
- title: "C2 Channel & Lateral Movement",
174
- group: "c2",
175
  behavior: "HTTPS heartbeat communication via CDN domain (api.cloudfront[.]com), deploying reverse SSH tunnel to internal jump server",
176
  defenses: "Network Traffic Analysis (NTA)",
177
  alerts: [
@@ -180,14 +291,18 @@
180
  message: "Anomalous outbound connection | Target IP: 54.231.1.1 (AWS Singapore) | Protocol: HTTPS | Abnormal certificate (CN=*.cloudfront[.]com but issued by wildcard Let's Encrypt cert)"
181
  }
182
  ],
183
- x: 0,
184
- y: 0
 
 
 
 
185
  },
186
  {
187
  id: 4,
188
- label: "4. Credential Theft",
189
- title: "Credential Theft & Browser Simulation",
190
- group: "data-theft",
191
  behavior: "Using Mimikatz to extract Chrome browser cookies and forging User-Agent (synchronizing victim's browser fingerprint)",
192
  defenses: "User Behavior Analytics (UEBA)",
193
  alerts: [
@@ -196,14 +311,18 @@
196
  message: "Abnormal browser session | User: Victim_Account | Source IP: 172.16.1.23 → Device fingerprint changed (new VM characteristics/QEMU virtual GPU)"
197
  }
198
  ],
199
- x: 150,
200
- y: -100
 
 
 
 
201
  },
202
  {
203
  id: 5,
204
- label: "5. Cloud Docs Access",
205
- title: "Cloud Documentation Penetration",
206
- group: "cloud",
207
  behavior: "Hijacked Yuque API Token used to access 'Production Environment Operations Manual', extracting embedded SSH private key (Base64 encoded)",
208
  defenses: "Data Loss Prevention (DLP)",
209
  alerts: [
@@ -212,14 +331,18 @@
212
  message: "Sensitive data access | User: Victim_Account | Action: Downloaded document ID: YUQUE-1234 | Content matched keyword: 'prod_ssh_private_key'"
213
  }
214
  ],
215
- x: 300,
216
- y: 0
 
 
 
 
217
  },
218
  {
219
  id: 6,
220
- label: "6. Production Access",
221
- title: "Production Network Intrusion",
222
- group: "lateral",
223
  behavior: "Using SSH certificate from jump server to log into MySQL database server (IP: 10.8.8.88, account: dba_admin)",
224
  defenses: "Host Intrusion Detection (HIDS)",
225
  alerts: [
@@ -228,14 +351,18 @@
228
  message: "Unusual time SSH login | Account: dba_admin | Source IP: 10.8.8.12 (test env jump server) | Action: Executed SHOW DATABASES"
229
  }
230
  ],
231
- x: 450,
232
- y: -100
 
 
 
 
233
  },
234
  {
235
  id: 7,
236
- label: "7. Data Exfiltration",
237
  title: "Data Exfiltration",
238
- group: "exfiltration",
 
239
  behavior: "Compressed and encrypted customer data (filename: taobaodata.tar.gz.enc) transmitted via DNS tunnel to alibaba-bas.com",
240
  defenses: "Full Traffic Threat Analysis",
241
  alerts: [
@@ -244,394 +371,154 @@
244
  message: "Abnormal data transfer | Protocol: DNS TXT records | Target domain: xyz.attacker[.]com | Data volume: 142MB (500% above threshold)"
245
  }
246
  ],
247
- x: 600,
248
- y: 0
 
 
 
 
249
  }
250
  ];
251
 
252
- // Create nodes and edges for the network
253
- const nodes = new vis.DataSet(
254
- attackSteps.map(step => ({
255
- id: step.id,
256
- label: step.label,
257
- group: step.group,
258
- title: step.title,
259
- x: step.x,
260
- y: step.y,
261
- physics: false,
262
- fixed: {
263
- x: false,
264
- y: false
265
- }
266
- }))
267
- );
268
-
269
- const edges = new vis.DataSet(
270
- attackSteps.slice(0, -1).map((step, index) => ({
271
- id: index + 1,
272
- from: step.id,
273
- to: attackSteps[index + 1].id,
274
- arrows: "to",
275
- smooth: {
276
- type: "curvedCW",
277
- roundness: 0.2
278
- },
279
- color: {
280
- color: "#9ca3af",
281
- highlight: "#3b82f6",
282
- hover: "#3b82f6"
283
- },
284
- width: 2
285
- }))
286
- );
287
-
288
- // Network container
289
- const container = document.getElementById("network");
290
- const data = {
291
- nodes: nodes,
292
- edges: edges
293
- };
294
-
295
- const options = {
296
- nodes: {
297
- shape: "box",
298
- size: 20,
299
- borderWidth: 2,
300
- shadow: {
301
- enabled: true,
302
- color: "rgba(0,0,0,0.2)",
303
- size: 10,
304
- x: 5,
305
- y: 5
306
- },
307
- font: {
308
- size: 12,
309
- face: "Inter",
310
- bold: {
311
- color: "#1f2937"
312
- }
313
- },
314
- widthConstraint: {
315
- maximum: 100
316
- },
317
- margin: 10
318
- },
319
- edges: {
320
- smooth: {
321
- type: "curvedCW",
322
- roundness: 0.2
323
- },
324
- selectionWidth: 3,
325
- arrowStrikethrough: false
326
- },
327
- groups: {
328
- phishing: {
329
- color: {
330
- border: "#fca5a5",
331
- background: "#fef2f2",
332
- highlight: {
333
- border: "#ef4444",
334
- background: "#fee2e2"
335
- },
336
- hover: {
337
- border: "#ef4444",
338
- background: "#fee2e2"
339
- }
340
- }
341
- },
342
- execution: {
343
- color: {
344
- border: "#fcd34d",
345
- background: "#fffbeb",
346
- highlight: {
347
- border: "#f59e0b",
348
- background: "#fef3c7"
349
- },
350
- hover: {
351
- border: "#f59e0b",
352
- background: "#fef3c7"
353
- }
354
- }
355
- },
356
- c2: {
357
- color: {
358
- border: "#6ee7b7",
359
- background: "#ecfdf5",
360
- highlight: {
361
- border: "#10b981",
362
- background: "#d1fae5"
363
- },
364
- hover: {
365
- border: "#10b981",
366
- background: "#d1fae5"
367
- }
368
- }
369
- },
370
- "data-theft": {
371
- color: {
372
- border: "#a78bfa",
373
- background: "#f5f3ff",
374
- highlight: {
375
- border: "#8b5cf6",
376
- background: "#ede9fe"
377
- },
378
- hover: {
379
- border: "#8b5cf6",
380
- background: "#ede9fe"
381
- }
382
- }
383
- },
384
- cloud: {
385
- color: {
386
- border: "#f9a8d4",
387
- background: "#fce7f3",
388
- highlight: {
389
- border: "#ec4899",
390
- background: "#fbcfe8"
391
- },
392
- hover: {
393
- border: "#ec4899",
394
- background: "#fbcfe8"
395
- }
396
- }
397
- },
398
- lateral: {
399
- color: {
400
- border: "#93c5fd",
401
- background: "#eff6ff",
402
- highlight: {
403
- border: "#3b82f6",
404
- background: "#dbeafe"
405
- },
406
- hover: {
407
- border: "#3b82f6",
408
- background: "#dbeafe"
409
- }
410
- }
411
- },
412
- exfiltration: {
413
- color: {
414
- border: "#facc15",
415
- background: "#fefce8",
416
- highlight: {
417
- border: "#eab308",
418
- background: "#fef9c3"
419
- },
420
- hover: {
421
- border: "#eab308",
422
- background: "#fef9c3"
423
- }
424
- }
425
- }
426
- },
427
- physics: {
428
- enabled: true,
429
- solver: "forceAtlas2Based",
430
- forceAtlas2Based: {
431
- gravitationalConstant: -50,
432
- centralGravity: 0.01,
433
- springLength: 200,
434
- springConstant: 0.08,
435
- damping: 0.4
436
- },
437
- stabilization: {
438
- iterations: 100
439
- }
440
- },
441
- interaction: {
442
- dragNodes: true,
443
- dragView: true,
444
- hideEdgesOnDrag: false,
445
- multiselect: false,
446
- navigationButtons: false,
447
- keyboard: {
448
- enabled: true,
449
- speed: {
450
- x: 10,
451
- y: 10,
452
- zoom: 0.02
453
- }
454
- },
455
- tooltipDelay: 100
456
- },
457
- layout: {
458
- improvedLayout: true
459
- }
460
- };
461
-
462
- // Initialize network
463
- const network = new vis.Network(container, data, options);
464
-
465
- // Tooltip handling
466
- const tooltip = document.getElementById("node-tooltip");
467
-
468
- network.on("hoverNode", function(params) {
469
- const nodeId = params.node;
470
- const node = nodes.get(nodeId);
471
- const step = attackSteps.find(s => s.id === nodeId);
472
-
473
- if (step) {
474
- tooltip.innerHTML = `
475
- <h4 class="font-semibold text-gray-800 mb-2">${step.title}</h4>
476
- <p class="text-sm text-gray-600">${step.behavior}</p>
477
- `;
478
-
479
- const nodePos = network.getPositions([nodeId]);
480
- const canvasPos = network.canvasToDOM({
481
- x: nodePos[nodeId].x,
482
- y: nodePos[nodeId].y
483
- });
484
-
485
- tooltip.style.left = `${canvasPos.x + 20}px`;
486
- tooltip.style.top = `${canvasPos.y - 20}px`;
487
- tooltip.style.display = "block";
488
- }
489
- });
490
-
491
- network.on("blurNode", function() {
492
- tooltip.style.display = "none";
493
- });
494
-
495
- // Node click handling
496
- network.on("click", function(params) {
497
- if (params.nodes.length > 0) {
498
- const nodeId = params.nodes[0];
499
- const step = attackSteps.find(s => s.id === nodeId);
500
-
501
- if (step) {
502
- // Update step details
503
- document.getElementById("step-number").textContent = `Step ${step.id}`;
504
- document.getElementById("attack-behavior").textContent = step.behavior;
505
- document.getElementById("triggered-defenses").textContent = step.defenses;
506
-
507
- // Update alerts
508
- const alertsContainer = document.getElementById("security-alerts");
509
- alertsContainer.innerHTML = step.alerts.map(alert => `
510
- <div class="alert-item p-3 rounded ${`severity-${alert.severity}`}">
511
- <div class="text-sm font-medium text-gray-800">[${alert.severity.toUpperCase()}] ${alert.message}</div>
512
  </div>
513
- `).join("");
514
-
515
- // Highlight the timeline item
516
- document.querySelectorAll("#timeline-container div").forEach((el, idx) => {
517
- if (idx === step.id - 1) {
518
- el.classList.add("bg-blue-50");
519
- } else {
520
- el.classList.remove("bg-blue-50");
521
- }
522
- });
523
- }
524
- }
525
- });
526
-
527
- // Initialize timeline
528
- const timelineContainer = document.getElementById("timeline-container");
529
- timelineContainer.innerHTML = attackSteps.map(step => `
530
- <div class="px-4 py-3 hover:bg-gray-50 cursor-pointer transition-colors duration-150" data-step="${step.id}">
531
- <div class="flex items-start">
532
- <div class="flex-shrink-0 pt-0.5">
533
- <div class="w-3 h-3 rounded-full ${step.group === "phishing" ? "bg-red-500" :
534
- step.group === "execution" ? "bg-yellow-500" :
535
- step.group === "c2" ? "bg-green-500" :
536
- step.group === "data-theft" ? "bg-purple-500" :
537
- step.group === "cloud" ? "bg-pink-500" :
538
- step.group === "lateral" ? "bg-blue-500" : "bg-indigo-500"}"></div>
539
  </div>
540
- <div class="ml-3">
541
- <h4 class="text-sm font-medium text-gray-800">${step.title}</h4>
542
- <p class="text-xs text-gray-500 mt-1">${step.defenses}</p>
 
 
543
  </div>
544
  </div>
545
- </div>
546
- `).join("");
547
-
548
- // Timeline click handling
549
- document.querySelectorAll("#timeline-container div[data-step]").forEach(el => {
550
- el.addEventListener("click", function() {
551
- const stepId = parseInt(this.getAttribute("data-step"));
552
- network.selectNodes([stepId]);
553
- network.focus(stepId, {
554
- animation: {
555
- duration: 500,
556
- easingFunction: "easeInOutQuad"
557
- }
558
- });
 
559
 
560
- // Simulate node click to update details
561
- const step = attackSteps.find(s => s.id === stepId);
562
- if (step) {
563
- document.getElementById("step-number").textContent = `Step ${step.id}`;
564
- document.getElementById("attack-behavior").textContent = step.behavior;
565
- document.getElementById("triggered-defenses").textContent = step.defenses;
566
-
567
- const alertsContainer = document.getElementById("security-alerts");
568
- alertsContainer.innerHTML = step.alerts.map(alert => `
569
- <div class="alert-item p-3 rounded ${`severity-${alert.severity}`}">
570
- <div class="text-sm font-medium text-gray-800">[${alert.severity.toUpperCase()}] ${alert.message}</div>
 
571
  </div>
572
- `).join("");
573
-
574
- // Highlight the timeline item
575
- document.querySelectorAll("#timeline-container div").forEach((el, idx) => {
576
- if (idx === step.id - 1) {
577
- el.classList.add("bg-blue-50");
578
- } else {
579
- el.classList.remove("bg-blue-50");
580
- }
581
- });
582
- }
583
- });
584
- });
585
-
586
- // Zoom controls
587
- document.getElementById("zoom-in").addEventListener("click", function() {
588
- network.moveTo({
589
- scale: network.getScale() * 1.2,
590
- animation: true
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
591
  });
 
 
 
 
 
 
 
 
 
592
  });
593
 
594
- document.getElementById("zoom-out").addEventListener("click", function() {
595
- network.moveTo({
596
- scale: network.getScale() / 1.2,
597
- animation: true
 
598
  });
599
  });
600
 
601
- document.getElementById("fit-view").addEventListener("click", function() {
602
- network.fit({
603
- animation: {
604
- duration: 1000,
605
- easingFunction: "easeInOutQuad"
606
- }
607
  });
608
  });
609
 
610
- // Initialize with first step selected
611
- setTimeout(() => {
612
- network.selectNodes([1]);
613
- network.focus(1, {
614
- animation: {
615
- duration: 500,
616
- easingFunction: "easeInOutQuad"
617
- }
618
- });
619
-
620
- const step = attackSteps[0];
621
- document.getElementById("step-number").textContent = `Step ${step.id}`;
622
- document.getElementById("attack-behavior").textContent = step.behavior;
623
- document.getElementById("triggered-defenses").textContent = step.defenses;
624
-
625
- const alertsContainer = document.getElementById("security-alerts");
626
- alertsContainer.innerHTML = step.alerts.map(alert => `
627
- <div class="alert-item p-3 rounded ${`severity-${alert.severity}`}">
628
- <div class="text-sm font-medium text-gray-800">[${alert.severity.toUpperCase()}] ${alert.message}</div>
629
- </div>
630
- `).join("");
631
-
632
- // Highlight first timeline item
633
- document.querySelector("#timeline-container div:first-child").classList.add("bg-blue-50");
634
- }, 500);
635
  </script>
636
  <p style="border-radius: 8px; text-align: center; font-size: 12px; color: #fff; margin-top: 16px;position: fixed; left: 8px; bottom: 8px; z-index: 10; background: rgba(0, 0, 0, 0.8); padding: 4px 8px;">Made with <img src="https://enzostvs-deepsite.hf.space/logo.svg" alt="DeepSite Logo" style="width: 16px; height: 16px; vertical-align: middle;display:inline-block;margin-right:3px;filter:brightness(0) invert(1);"><a href="https://enzostvs-deepsite.hf.space" style="color: #fff;text-decoration: underline;" target="_blank" >DeepSite</a> - 🧬 <a href="https://enzostvs-deepsite.hf.space?remix=capta1n/bas3" style="color: #fff;text-decoration: underline;" target="_blank" >Remix</a></p></body>
637
  </html>
 
3
  <head>
4
  <meta charset="UTF-8">
5
  <meta name="viewport" content="width=device-width, initial-scale=1.0">
6
+ <title>Attack Flow Timeline Visualization</title>
7
  <script src="https://cdn.tailwindcss.com"></script>
8
  <link rel="stylesheet" href="https://cdnjs.cloudflare.com/ajax/libs/font-awesome/6.4.0/css/all.min.css">
 
9
  <style>
10
+ .attack-card {
11
+ transition: all 0.3s ease;
12
+ transform-origin: center;
 
 
 
13
  }
14
+ .attack-card:hover {
15
+ transform: translateY(-5px);
16
+ box-shadow: 0 10px 15px -3px rgba(0, 0, 0, 0.1);
17
+ }
18
+ .attack-card.active {
19
+ border-left-width: 4px;
20
+ transform: translateY(-5px);
21
+ }
22
+ .timeline-connector {
23
+ position: relative;
24
+ height: 4px;
25
+ background: linear-gradient(90deg, #e5e7eb, #9ca3af);
26
  }
27
+ .timeline-connector::after {
28
+ content: '';
29
+ position: absolute;
30
+ top: -4px;
31
+ width: 12px;
32
+ height: 12px;
33
+ border-radius: 50%;
34
+ background-color: #3b82f6;
35
+ transform: translateX(-50%);
36
  }
37
+ .severity-badge {
38
+ font-size: 0.65rem;
39
+ padding: 0.15rem 0.4rem;
40
  }
41
  .severity-critical {
42
+ background-color: #fee2e2;
43
+ color: #dc2626;
44
  }
45
  .severity-high {
46
+ background-color: #fef3c7;
47
+ color: #d97706;
48
  }
49
  .severity-emergency {
50
+ background-color: #ffedd5;
51
+ color: #ea580c;
 
 
 
 
 
 
 
52
  }
53
+ .defense-badge {
54
+ font-size: 0.7rem;
55
+ padding: 0.2rem 0.5rem;
56
  }
57
+ .animate-pulse-slow {
58
+ animation: pulse 3s cubic-bezier(0.4, 0, 0.6, 1) infinite;
 
59
  }
60
+ @keyframes pulse {
61
+ 0%, 100% {
62
+ opacity: 1;
63
+ }
64
+ 50% {
65
+ opacity: 0.5;
66
+ }
67
  }
68
+ .attack-flow-container {
69
+ scroll-behavior: smooth;
 
70
  }
71
  </style>
72
  </head>
73
  <body class="bg-gray-50">
74
  <div class="container mx-auto px-4 py-8">
75
+ <div class="text-center mb-10">
76
+ <h1 class="text-3xl font-bold text-gray-800 mb-2">Advanced Persistent Threat Kill Chain</h1>
77
+ <p class="text-gray-600 max-w-3xl mx-auto">Visualization of the complete attack flow with interactive defense detection points</p>
78
+ </div>
79
+
80
+ <div class="bg-white rounded-xl shadow-sm border border-gray-200 p-6 mb-8">
81
+ <div class="flex justify-between items-center mb-6">
82
+ <div>
83
+ <h2 class="text-xl font-semibold text-gray-800">Attack Flow Timeline</h2>
84
+ <p class="text-gray-500 text-sm">Click on any attack phase to view detailed forensic evidence</p>
85
+ </div>
86
+ <div class="flex space-x-2">
87
+ <button id="scroll-left" class="p-2 bg-white rounded-md border border-gray-200 hover:bg-gray-50">
88
+ <i class="fas fa-chevron-left"></i>
89
+ </button>
90
+ <button id="scroll-right" class="p-2 bg-white rounded-md border border-gray-200 hover:bg-gray-50">
91
+ <i class="fas fa-chevron-right"></i>
92
+ </button>
93
+ </div>
94
  </div>
95
+
96
+ <div class="relative">
97
+ <div class="attack-flow-container overflow-x-auto pb-6 -mx-4 px-4" style="scrollbar-width: none;">
98
+ <div class="flex space-x-6 min-w-max">
99
+ <!-- Timeline connectors -->
100
+ <div class="flex items-center">
101
+ <div class="timeline-connector w-24" style="background: linear-gradient(90deg, #3b82f6, #9ca3af);"></div>
102
+ </div>
103
+
104
+ <!-- Attack cards will be inserted here by JavaScript -->
105
+ </div>
106
+ </div>
107
  </div>
108
  </div>
109
 
110
+ <div class="grid grid-cols-1 lg:grid-cols-3 gap-8">
111
  <div class="lg:col-span-2">
112
+ <div class="bg-white rounded-xl shadow-sm border border-gray-200 overflow-hidden">
113
+ <div class="border-b border-gray-200 px-6 py-4 bg-gray-50">
114
+ <h3 class="font-semibold text-gray-800">Attack Phase Forensic Details</h3>
 
 
 
 
 
 
 
 
 
 
 
 
 
115
  </div>
116
+ <div id="attack-details" class="p-6">
117
+ <div class="text-center py-12">
118
+ <div class="mx-auto w-16 h-16 rounded-full bg-blue-50 flex items-center justify-center mb-4">
119
+ <i class="fas fa-mouse-pointer text-blue-500 text-2xl"></i>
120
+ </div>
121
+ <h4 class="text-lg font-medium text-gray-700 mb-2">Select an attack phase</h4>
122
+ <p class="text-gray-500 max-w-md mx-auto">Click on any attack card in the timeline to view detailed forensic information about the attack behavior and triggered defenses</p>
123
+ </div>
124
  </div>
125
  </div>
126
  </div>
 
127
 
128
+ <div>
129
+ <div class="bg-white rounded-xl shadow-sm border border-gray-200 overflow-hidden">
130
+ <div class="border-b border-gray-200 px-6 py-4 bg-gray-50">
131
+ <h3 class="font-semibold text-gray-800">Defense Detection Summary</h3>
132
+ </div>
133
+ <div id="defense-summary" class="p-6">
134
+ <div class="space-y-4">
135
+ <div class="flex items-start">
136
+ <div class="flex-shrink-0 mt-1">
137
+ <div class="w-3 h-3 rounded-full bg-red-500 animate-pulse-slow"></div>
138
+ </div>
139
+ <div class="ml-3">
140
+ <h4 class="text-sm font-medium text-gray-800">7 Attack Phases Detected</h4>
141
+ <p class="text-xs text-gray-500 mt-1">Complete kill chain visibility</p>
142
+ </div>
143
+ </div>
144
+ <div class="flex items-start">
145
+ <div class="flex-shrink-0 mt-1">
146
+ <div class="w-3 h-3 rounded-full bg-yellow-500"></div>
147
+ </div>
148
+ <div class="ml-3">
149
+ <h4 class="text-sm font-medium text-gray-800">6 Security Products Triggered</h4>
150
+ <p class="text-xs text-gray-500 mt-1">Multi-layer defense detection</p>
151
+ </div>
152
+ </div>
153
+ <div class="flex items-start">
154
+ <div class="flex-shrink-0 mt-1">
155
+ <div class="w-3 h-3 rounded-full bg-green-500"></div>
156
+ </div>
157
+ <div class="ml-3">
158
+ <h4 class="text-sm font-medium text-gray-800">100% Phases Logged</h4>
159
+ <p class="text-xs text-gray-500 mt-1">Comprehensive forensic evidence</p>
160
+ </div>
161
+ </div>
162
+ </div>
163
+
164
+ <div class="mt-8">
165
+ <h4 class="text-sm font-semibold text-gray-700 mb-3">Defense Coverage</h4>
166
+ <div class="space-y-3">
167
+ <div>
168
+ <div class="flex justify-between text-xs text-gray-500 mb-1">
169
+ <span>Email Security</span>
170
+ <span>Phase 1</span>
171
+ </div>
172
+ <div class="w-full bg-gray-200 rounded-full h-2">
173
+ <div class="bg-red-500 h-2 rounded-full" style="width: 14%"></div>
174
+ </div>
175
+ </div>
176
+ <div>
177
+ <div class="flex justify-between text-xs text-gray-500 mb-1">
178
+ <span>Endpoint Protection</span>
179
+ <span>Phase 2</span>
180
+ </div>
181
+ <div class="w-full bg-gray-200 rounded-full h-2">
182
+ <div class="bg-yellow-500 h-2 rounded-full" style="width: 28%"></div>
183
+ </div>
184
+ </div>
185
+ <div>
186
+ <div class="flex justify-between text-xs text-gray-500 mb-1">
187
+ <span>Network Analysis</span>
188
+ <span>Phase 3</span>
189
+ </div>
190
+ <div class="w-full bg-gray-200 rounded-full h-2">
191
+ <div class="bg-green-500 h-2 rounded-full" style="width: 42%"></div>
192
+ </div>
193
+ </div>
194
+ <div>
195
+ <div class="flex justify-between text-xs text-gray-500 mb-1">
196
+ <span>User Behavior</span>
197
+ <span>Phase 4</span>
198
+ </div>
199
+ <div class="w-full bg-gray-200 rounded-full h-2">
200
+ <div class="bg-blue-500 h-2 rounded-full" style="width: 56%"></div>
201
+ </div>
202
+ </div>
203
+ <div>
204
+ <div class="flex justify-between text-xs text-gray-500 mb-1">
205
+ <span>Data Protection</span>
206
+ <span>Phase 5</span>
207
+ </div>
208
+ <div class="w-full bg-gray-200 rounded-full h-2">
209
+ <div class="bg-purple-500 h-2 rounded-full" style="width: 70%"></div>
210
+ </div>
211
+ </div>
212
+ <div>
213
+ <div class="flex justify-between text-xs text-gray-500 mb-1">
214
+ <span>Host Detection</span>
215
+ <span>Phase 6</span>
216
+ </div>
217
+ <div class="w-full bg-gray-200 rounded-full h-2">
218
+ <div class="bg-pink-500 h-2 rounded-full" style="width: 84%"></div>
219
+ </div>
220
+ </div>
221
+ <div>
222
+ <div class="flex justify-between text-xs text-gray-500 mb-1">
223
+ <span>Full Traffic Analysis</span>
224
+ <span>Phase 7</span>
225
+ </div>
226
+ <div class="w-full bg-gray-200 rounded-full h-2">
227
+ <div class="bg-indigo-500 h-2 rounded-full" style="width: 100%"></div>
228
+ </div>
229
+ </div>
230
+ </div>
231
+ </div>
232
+ </div>
233
+ </div>
234
  </div>
235
  </div>
236
  </div>
237
 
 
 
238
  <script>
239
  // Attack steps data
240
  const attackSteps = [
241
  {
242
  id: 1,
 
243
  title: "Phishing Email Delivery",
244
+ icon: "envelope",
245
+ color: "bg-red-100 text-red-600",
246
  behavior: "Forged 'Embrace AI Change' notification email containing malicious file disguised as files.zip",
247
  defenses: "Email Security Gateway",
248
  alerts: [
 
251
  message: "Detected spoofed sender email | From: itsupport@fakecompany[.]com → To: victim@corp.com | Contains malicious attachment (SHA256: a1b2c3...) | Identified as Emotet phishing template"
252
  }
253
  ],
254
+ forensic: [
255
+ "Sender IP: 192.168.1.45 (Bulgaria)",
256
+ "Attachment SHA256: a1b2c3d4e5f6...",
257
+ "Email headers show DKIM failure",
258
+ "Matched known Emotet template (90% similarity)"
259
+ ]
260
  },
261
  {
262
  id: 2,
 
263
  title: "Trojan Execution",
264
+ icon: "bug",
265
+ color: "bg-yellow-100 text-yellow-600",
266
  behavior: "Victim downloads malicious file triggering PowerShell script that downloads Cobalt Strike DLL and injects into legitimate process",
267
  defenses: "Endpoint Detection & Response (EDR)",
268
  alerts: [
 
271
  message: "Suspicious process injection | Process: C:\\Windows\\System32\\explorer.exe → Loaded module: a09xdf.dll | DLL signature invalid and matches known Cobalt Strike signature"
272
  }
273
  ],
274
+ forensic: [
275
+ "Process tree: files.zip → powershell.exe → explorer.exe",
276
+ "DLL memory allocation pattern matches Cobalt Strike",
277
+ "Network connection attempt to 185.123.32.1",
278
+ "Registry key modification: HKLM\\Software\\Microsoft\\Windows"
279
+ ]
280
  },
281
  {
282
  id: 3,
283
+ title: "C2 Establishment",
284
+ icon: "satellite-dish",
285
+ color: "bg-green-100 text-green-600",
286
  behavior: "HTTPS heartbeat communication via CDN domain (api.cloudfront[.]com), deploying reverse SSH tunnel to internal jump server",
287
  defenses: "Network Traffic Analysis (NTA)",
288
  alerts: [
 
291
  message: "Anomalous outbound connection | Target IP: 54.231.1.1 (AWS Singapore) | Protocol: HTTPS | Abnormal certificate (CN=*.cloudfront[.]com but issued by wildcard Let's Encrypt cert)"
292
  }
293
  ],
294
+ forensic: [
295
+ "C2 Domain: api.cloudfront[.]com (resolved to 54.231.1.1)",
296
+ "HTTPS traffic pattern: 5KB every 17 seconds",
297
+ "Certificate issuer: Let's Encrypt (unusual for CDN)",
298
+ "SSH tunnel established to 10.8.8.12 (internal jump server)"
299
+ ]
300
  },
301
  {
302
  id: 4,
303
+ title: "Credential Theft",
304
+ icon: "user-secret",
305
+ color: "bg-blue-100 text-blue-600",
306
  behavior: "Using Mimikatz to extract Chrome browser cookies and forging User-Agent (synchronizing victim's browser fingerprint)",
307
  defenses: "User Behavior Analytics (UEBA)",
308
  alerts: [
 
311
  message: "Abnormal browser session | User: Victim_Account | Source IP: 172.16.1.23 → Device fingerprint changed (new VM characteristics/QEMU virtual GPU)"
312
  }
313
  ],
314
+ forensic: [
315
+ "Mimikatz process detected in memory (obfuscated as svchost.exe)",
316
+ "Chrome cookie database accessed",
317
+ "User-Agent changed to match victim's original browser",
318
+ "New login session from 172.16.1.23 with VM fingerprint"
319
+ ]
320
  },
321
  {
322
  id: 5,
323
+ title: "Cloud Docs Penetration",
324
+ icon: "cloud",
325
+ color: "bg-purple-100 text-purple-600",
326
  behavior: "Hijacked Yuque API Token used to access 'Production Environment Operations Manual', extracting embedded SSH private key (Base64 encoded)",
327
  defenses: "Data Loss Prevention (DLP)",
328
  alerts: [
 
331
  message: "Sensitive data access | User: Victim_Account | Action: Downloaded document ID: YUQUE-1234 | Content matched keyword: 'prod_ssh_private_key'"
332
  }
333
  ],
334
+ forensic: [
335
+ "API call to yuque.com/v2/api/documents/YUQUE-1234",
336
+ "Document contains Base64 encoded SSH key",
337
+ "Key belongs to dba_admin@10.8.8.88",
338
+ "Unusual access time: 02:37 AM local time"
339
+ ]
340
  },
341
  {
342
  id: 6,
343
+ title: "Production Intrusion",
344
+ icon: "server",
345
+ color: "bg-pink-100 text-pink-600",
346
  behavior: "Using SSH certificate from jump server to log into MySQL database server (IP: 10.8.8.88, account: dba_admin)",
347
  defenses: "Host Intrusion Detection (HIDS)",
348
  alerts: [
 
351
  message: "Unusual time SSH login | Account: dba_admin | Source IP: 10.8.8.12 (test env jump server) | Action: Executed SHOW DATABASES"
352
  }
353
  ],
354
+ forensic: [
355
+ "SSH login at 03:12 AM from 10.8.8.12",
356
+ "Executed commands: SHOW DATABASES, SELECT * FROM users",
357
+ "Session duration: 8 minutes 23 seconds",
358
+ "Unusual query pattern (scanning all tables)"
359
+ ]
360
  },
361
  {
362
  id: 7,
 
363
  title: "Data Exfiltration",
364
+ icon: "file-export",
365
+ color: "bg-indigo-100 text-indigo-600",
366
  behavior: "Compressed and encrypted customer data (filename: taobaodata.tar.gz.enc) transmitted via DNS tunnel to alibaba-bas.com",
367
  defenses: "Full Traffic Threat Analysis",
368
  alerts: [
 
371
  message: "Abnormal data transfer | Protocol: DNS TXT records | Target domain: xyz.attacker[.]com | Data volume: 142MB (500% above threshold)"
372
  }
373
  ],
374
+ forensic: [
375
+ "Data file created: /tmp/taobaodata.tar.gz.enc",
376
+ "DNS queries to xyz.attacker[.]com (TXT records)",
377
+ "Data transfer rate: 18.5KB per query",
378
+ "Total exfiltrated: 142MB in 8,234 DNS requests"
379
+ ]
380
  }
381
  ];
382
 
383
+ // Render attack cards
384
+ const timelineContainer = document.querySelector('.attack-flow-container .flex');
385
+
386
+ attackSteps.forEach((step, index) => {
387
+ const card = document.createElement('div');
388
+ card.className = `attack-card w-64 flex-shrink-0 bg-white rounded-lg border border-gray-200 overflow-hidden cursor-pointer transition-all duration-300 ${index === 0 ? 'active border-l-4 border-red-500' : ''}`;
389
+ card.innerHTML = `
390
+ <div class="p-5">
391
+ <div class="flex items-center justify-between mb-3">
392
+ <div class="flex items-center">
393
+ <div class="w-10 h-10 rounded-full ${step.color} flex items-center justify-center mr-3">
394
+ <i class="fas fa-${step.icon}"></i>
395
+ </div>
396
+ <span class="text-xs font-semibold text-gray-500">PHASE ${step.id}</span>
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
397
  </div>
398
+ <span class="severity-badge ${step.alerts[0].severity === 'critical' ? 'severity-critical' : step.alerts[0].severity === 'high' ? 'severity-high' : 'severity-emergency'} rounded-full">${step.alerts[0].severity.toUpperCase()}</span>
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
399
  </div>
400
+ <h3 class="font-semibold text-gray-800 mb-2">${step.title}</h3>
401
+ <p class="text-sm text-gray-600 line-clamp-2 mb-3">${step.behavior}</p>
402
+ <div class="flex justify-between items-center">
403
+ <span class="defense-badge bg-gray-100 text-gray-800 rounded-full">${step.defenses}</span>
404
+ <span class="text-xs text-gray-400">${step.id < 10 ? '0' + step.id : step.id}:00</span>
405
  </div>
406
  </div>
407
+ `;
408
+
409
+ card.addEventListener('click', () => {
410
+ // Update active card
411
+ document.querySelectorAll('.attack-card').forEach(c => c.classList.remove('active', 'border-l-4', 'border-red-500', 'border-yellow-500', 'border-green-500', 'border-blue-500', 'border-purple-500', 'border-pink-500', 'border-indigo-500'));
412
+ card.classList.add('active', 'border-l-4');
413
+
414
+ // Add specific border color
415
+ if (step.color.includes('red')) card.classList.add('border-red-500');
416
+ else if (step.color.includes('yellow')) card.classList.add('border-yellow-500');
417
+ else if (step.color.includes('green')) card.classList.add('border-green-500');
418
+ else if (step.color.includes('blue')) card.classList.add('border-blue-500');
419
+ else if (step.color.includes('purple')) card.classList.add('border-purple-500');
420
+ else if (step.color.includes('pink')) card.classList.add('border-pink-500');
421
+ else if (step.color.includes('indigo')) card.classList.add('border-indigo-500');
422
 
423
+ // Update attack details
424
+ const detailsContainer = document.getElementById('attack-details');
425
+ detailsContainer.innerHTML = `
426
+ <div>
427
+ <div class="flex items-center mb-6">
428
+ <div class="w-12 h-12 rounded-full ${step.color} flex items-center justify-center mr-4">
429
+ <i class="fas fa-${step.icon} text-xl"></i>
430
+ </div>
431
+ <div>
432
+ <h3 class="text-xl font-semibold text-gray-800">${step.title}</h3>
433
+ <p class="text-sm text-gray-500">Attack Phase ${step.id}</p>
434
+ </div>
435
  </div>
436
+
437
+ <div class="mb-6">
438
+ <h4 class="font-medium text-gray-700 mb-3">Attack Behavior</h4>
439
+ <div class="bg-gray-50 p-4 rounded-lg text-sm text-gray-700">${step.behavior}</div>
440
+ </div>
441
+
442
+ <div class="mb-6">
443
+ <h4 class="font-medium text-gray-700 mb-3">Triggered Defenses</h4>
444
+ <div class="flex items-center">
445
+ <span class="defense-badge bg-gray-100 text-gray-800 rounded-full mr-2">${step.defenses}</span>
446
+ <span class="text-xs text-gray-500">Detected at ${step.id < 10 ? '0' + step.id : step.id}:00</span>
447
+ </div>
448
+ </div>
449
+
450
+ <div class="mb-6">
451
+ <h4 class="font-medium text-gray-700 mb-3">Security Alerts</h4>
452
+ <div class="space-y-3">
453
+ ${step.alerts.map(alert => `
454
+ <div class="p-3 rounded-lg ${alert.severity === 'critical' ? 'bg-red-50 border border-red-100' : alert.severity === 'high' ? 'bg-yellow-50 border border-yellow-100' : 'bg-orange-50 border border-orange-100'}">
455
+ <div class="flex items-start">
456
+ <div class="flex-shrink-0 mt-0.5">
457
+ <i class="fas fa-${alert.severity === 'critical' ? 'exclamation-triangle text-red-500' : alert.severity === 'high' ? 'exclamation-circle text-yellow-500' : 'exclamation text-orange-500'}"></i>
458
+ </div>
459
+ <div class="ml-3">
460
+ <div class="text-sm font-medium text-gray-800">${alert.message}</div>
461
+ </div>
462
+ </div>
463
+ </div>
464
+ `).join('')}
465
+ </div>
466
+ </div>
467
+
468
+ <div>
469
+ <h4 class="font-medium text-gray-700 mb-3">Forensic Evidence</h4>
470
+ <div class="space-y-2">
471
+ ${step.forensic.map(item => `
472
+ <div class="flex items-start text-sm">
473
+ <div class="flex-shrink-0 mt-1.5 mr-2">
474
+ <div class="w-1.5 h-1.5 rounded-full bg-gray-400"></div>
475
+ </div>
476
+ <div class="text-gray-700">${item}</div>
477
+ </div>
478
+ `).join('')}
479
+ </div>
480
+ </div>
481
+ </div>
482
+ `;
483
+
484
+ // Scroll to center the selected card
485
+ const container = document.querySelector('.attack-flow-container');
486
+ const cardLeft = card.offsetLeft;
487
+ const cardWidth = card.offsetWidth;
488
+ const containerWidth = container.offsetWidth;
489
+ container.scrollTo({
490
+ left: cardLeft - (containerWidth / 2) + (cardWidth / 2),
491
+ behavior: 'smooth'
492
+ });
493
  });
494
+
495
+ // Add connector after each card except the last one
496
+ timelineContainer.appendChild(card);
497
+ if (index < attackSteps.length - 1) {
498
+ const connector = document.createElement('div');
499
+ connector.className = 'flex items-center';
500
+ connector.innerHTML = '<div class="timeline-connector w-24"></div>';
501
+ timelineContainer.appendChild(connector);
502
+ }
503
  });
504
 
505
+ // Navigation buttons
506
+ document.getElementById('scroll-left').addEventListener('click', () => {
507
+ document.querySelector('.attack-flow-container').scrollBy({
508
+ left: -200,
509
+ behavior: 'smooth'
510
  });
511
  });
512
 
513
+ document.getElementById('scroll-right').addEventListener('click', () => {
514
+ document.querySelector('.attack-flow-container').scrollBy({
515
+ left: 200,
516
+ behavior: 'smooth'
 
 
517
  });
518
  });
519
 
520
+ // Auto-select first card on load
521
+ document.querySelector('.attack-card').click();
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
522
  </script>
523
  <p style="border-radius: 8px; text-align: center; font-size: 12px; color: #fff; margin-top: 16px;position: fixed; left: 8px; bottom: 8px; z-index: 10; background: rgba(0, 0, 0, 0.8); padding: 4px 8px;">Made with <img src="https://enzostvs-deepsite.hf.space/logo.svg" alt="DeepSite Logo" style="width: 16px; height: 16px; vertical-align: middle;display:inline-block;margin-right:3px;filter:brightness(0) invert(1);"><a href="https://enzostvs-deepsite.hf.space" style="color: #fff;text-decoration: underline;" target="_blank" >DeepSite</a> - 🧬 <a href="https://enzostvs-deepsite.hf.space?remix=capta1n/bas3" style="color: #fff;text-decoration: underline;" target="_blank" >Remix</a></p></body>
524
  </html>
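--- a/prompts.txt
+++ b/prompts.txt
@@ -1 +1,2 @@
-将以下攻击步骤转化为攻击拓扑图表的形式进行展示,在一个图表中完整按顺序展示攻击步骤,以攻击者为起点,每个节点为一个攻击行为,每个攻击节点之间按顺序用箭头进行连接,每个攻击节点点开后在图表侧边弹窗展示具体的攻击行为内容,图表下方展示每个步骤触发的防护产品名称和告警信息内容。 图表设计要求 1. 图表中的连线和节点不要重叠 2. 缩小每个节点的大小确保图表可以完整清晰的展示全部攻击节点和节点之间的执行顺序 3. 节点和连线在图表上可以自由拖拽 步骤1:钓鱼邮件投递 ● 攻击行为:伪造"拥抱AI变革"通知邮件,内含带恶意木马的文件(伪造成files.zip文件) ● 触发防护:邮件安全网关 ● 告警信息:[严重] 检测到仿冒发件人邮件 | 发件人: itsupport@fakecompany[.]com → 目标: victim@corp.com | 包含恶意附件哈希(SHA256: a1b2c3...) | 判定为Emotet钓鱼模板 步骤2:木马执行 ● 攻击行为:受害者下载木马文件后触发PowerShell脚本,下载Cobalt Strike DLL并注入到合法进程 ● 触发防护:终端检测与响应(EDR) ● 告警信息:[高危] 可疑进程注入行为 | 进程: C:\Windows\System32\explorer.exe → 加载内存模块: a09xdf.dll | DLL签名无效且匹配已知Cobalt Strike特征码 步骤3:C2通道建立与横向移动 ● 攻击行为:通过CDN域名的HTTPS心跳通信(如api.cloudfront[.]com),部署反向SSH隧道至内网跳板机 ● 触发防护:网络流量分析(NTA) ● 告警信息:[紧急] 异常外联行为 | 目标IP: 54.231.1.1(归属AWS新加坡) | 协议: HTTPS | 证书指纹异常(CN=*.cloudfront[.]com但签发者匹配Let's Encrypt野生证书) 步骤4:凭据窃取与浏览器模拟 ● 攻击行为:利用Mimikatz提取Chrome浏览器Cookie并伪造User-Agent(同步受害者浏览器指纹) ● 触发防护:身份认证异常检测(UEBA) ● 告警信息:[高危] 异常浏览器会话 | 用户: Victim_Account | IP来源: 172.16.1.23 → 登录设备指纹突变(新增虚拟机特征/QEMU虚拟显卡) 步骤5:云文档渗透 ● 攻击行为:通过劫持的语雀API Token访问《生产环境运维手册》,提取内嵌的SSH私钥(Base64编码) ● 触发防护:DLP(数据防泄漏) ● 告警信息:[严重] 敏感数据访问行为 | 用户: Victim_Account | 操作: 下载文档ID: YUQUE-1234 | 内容匹配关键字: "prod_ssh_private_key" 步骤6:生产网络入侵 ● 攻击行为:通过跳板机使用SSH证书登陆MySQL数据库服务器(IP: 10.8.8.88,账号: dba_admin) ● 触发防护:HIDS(主机入侵检测) ● 告警信息:[紧急] 非常规时间SSH登录 | 账号: dba_admin | 来源IP: 10.8.8.12(测试环境跳板机) | 操作: 执行SHOW DATABASES 步骤7:数据外泄 ● 攻击行为:将压缩加密后的客户数据(文件名: taobaodata.tar.gz.enc)通过DNS隧道传输到alibaba-bas.com ● 触发防护:全流量威胁回溯 ● 告警信息:[严重] 异常数据传输 | 协议: DNS TXT记录 | 目标域: xyz.attacker[.]com | 数据量: 142MB(超阈值500%)
+将以下攻击步骤转化为攻击拓扑图表的形式进行展示,在一个图表中完整按顺序展示攻击步骤,以攻击者为起点,每个节点为一个攻击行为,每个攻击节点之间按顺序用箭头进行连接,每个攻击节点点开后在图表侧边弹窗展示具体的攻击行为内容,图表下方展示每个步骤触发的防护产品名称和告警信息内容。 图表设计要求 1. 图表中的连线和节点不要重叠 2. 缩小每个节点的大小确保图表可以完整清晰的展示全部攻击节点和节点之间的执行顺序 3. 节点和连线在图表上可以自由拖拽 步骤1:钓鱼邮件投递 ● 攻击行为:伪造"拥抱AI变革"通知邮件,内含带恶意木马的文件(伪造成files.zip文件) ● 触发防护:邮件安全网关 ● 告警信息:[严重] 检测到仿冒发件人邮件 | 发件人: itsupport@fakecompany[.]com → 目标: victim@corp.com | 包含恶意附件哈希(SHA256: a1b2c3...) | 判定为Emotet钓鱼模板 步骤2:木马执行 ● 攻击行为:受害者下载木马文件后触发PowerShell脚本,下载Cobalt Strike DLL并注入到合法进程 ● 触发防护:终端检测与响应(EDR) ● 告警信息:[高危] 可疑进程注入行为 | 进程: C:\Windows\System32\explorer.exe → 加载内存模块: a09xdf.dll | DLL签名无效且匹配已知Cobalt Strike特征码 步骤3:C2通道建立与横向移动 ● 攻击行为:通过CDN域名的HTTPS心跳通信(如api.cloudfront[.]com),部署反向SSH隧道至内网跳板机 ● 触发防护:网络流量分析(NTA) ● 告警信息:[紧急] 异常外联行为 | 目标IP: 54.231.1.1(归属AWS新加坡) | 协议: HTTPS | 证书指纹异常(CN=*.cloudfront[.]com但签发者匹配Let's Encrypt野生证书) 步��4:凭据窃取与浏览器模拟 ● 攻击行为:利用Mimikatz提取Chrome浏览器Cookie并伪造User-Agent(同步受害者浏览器指纹) ● 触发防护:身份认证异常检测(UEBA) ● 告警信息:[高危] 异常浏览器会话 | 用户: Victim_Account | IP来源: 172.16.1.23 → 登录设备指纹突变(新增虚拟机特征/QEMU虚拟显卡) 步骤5:云文档渗透 ● 攻击行为:通过劫持的语雀API Token访问《生产环境运维手册》,提取内嵌的SSH私钥(Base64编码) ● 触发防护:DLP(数据防泄漏) ● 告警信息:[严重] 敏感数据访问行为 | 用户: Victim_Account | 操作: 下载文档ID: YUQUE-1234 | 内容匹配关键字: "prod_ssh_private_key" 步骤6:生产网络入侵 ● 攻击行为:通过跳板机使用SSH证书登陆MySQL数据库服务器(IP: 10.8.8.88,账号: dba_admin) ● 触发防护:HIDS(主机入侵检测) ● 告警信息:[紧急] 非常规时间SSH登录 | 账号: dba_admin | 来源IP: 10.8.8.12(测试环境跳板机) | 操作: 执行SHOW DATABASES 步骤7:数据外泄 ● 攻击行为:将压缩加密后的客户数据(文件名: taobaodata.tar.gz.enc)通过DNS隧道传输到alibaba-bas.com ● 触发防护:全流量威胁回溯 ● 告警信息:[严重] 异常数据传输 | 协议: DNS TXT记录 | 目标域: xyz.attacker[.]com | 数据量: 142MB(超阈值500%)
+换一种图表的表示形式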