# Attack Scenario Builder

Model threats using the Cyber Kill Chain framework. Each kill-chain stage below lists the MITRE ATT&CK techniques the builder offers for it (technique names abbreviated as on the page; IDs are the authoritative field).

## Cyber Kill Chain

### 1. Reconnaissance
- T1595 Active Scanning
- T1592 Gather Victim Host Info
- T1589 Gather Victim Identity Info
- T1590 Gather Victim Network Info
- T1593 Search Open Websites/Domains

### 2. Weaponization
- T1587.001 Develop Malware
- T1587.003 Develop Digital Certificates
- T1588.002 Obtain Tool
- T1585 Establish Accounts

### 3. Delivery
- T1566.001 Spearphishing Attachment
- T1566.002 Spearphishing Link
- T1189 Drive-by Compromise
- T1195 Supply Chain Compromise
- T1091 Replication Through Removable Media

### 4. Exploitation
- T1203 Exploitation for Client Execution
- T1068 Exploitation for Privilege Escalation
- T1190 Exploit Public-Facing Application
- T1210 Exploitation of Remote Services

### 5. Installation
- T1543 Create or Modify System Process (system service persistence)
- T1547 Boot or Logon Autostart Execution
- T1053 Scheduled Task/Job
- T1136 Create Account
- T1505 Server Software Component

### 6. Command & Control
- T1071 Application Layer Protocol
- T1573 Encrypted Channel
- T1572 Protocol Tunneling
- T1090 Proxy
- T1102 Web Service

### 7. Actions on Objectives
- T1041 Exfiltration Over C2 Channel
- T1486 Data Encrypted for Impact
- T1565 Data Manipulation
- T1499 Endpoint Denial of Service
- T1529 System Shutdown/Reboot
## Attack Simulation

### Existing Scenarios (5)

| Name | Kill Chain Stage | Technique | MITRE ID | Severity | Status |
|---|---|---|---|---|---|
| Log4Shell Exploitation Chain | Exploitation | Exploit Public-Facing Application | T1190 | CRITICAL | Active |
| Spearphishing to Ransomware Deployment | Delivery | Spearphishing Attachment | T1566.001 | HIGH | Active |
| Supply Chain Backdoor via XZ Utils | Installation | Supply Chain Compromise | T1195 | CRITICAL | Draft |
| Credential Harvesting via Outlook Exploit | Exploitation | Exploitation for Credential Access | T1212 | CRITICAL | Active |
| VPN Gateway Compromise for Persistence | Command & Control | Encrypted Channel | T1573 | CRITICAL | Draft |
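A scenario record is only useful if its MITRE ID is well-formed and sits in the stage the builder catalogues it under. The following is an added example, not code from this page or from any product it describes: it transcribes the kill-chain catalogue above, loads the five scenarios from the table, and checks each one for a malformed ID, a technique missing from the catalogue, or a stage that disagrees with the catalogue (sub-technique IDs are resolved to their parent technique). Run against the table as shown, it flags the XZ Utils scenario, whose T1195 is catalogued under Delivery rather than Installation, and the Outlook scenario, whose T1212 is not offered by the builder at all. All function and field names are this example's own choices.

```python
"""Consistency checks for Attack Scenario Builder records (added example).

The catalogue and the scenario rows are transcribed from the page; the
validation logic, names and data layout are assumptions of this example.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Kill-chain stage -> ATT&CK technique IDs, exactly as the builder lists them.
KILL_CHAIN: Dict[str, set] = {
    "Reconnaissance": {"T1595", "T1592", "T1589", "T1590", "T1593"},
    "Weaponization": {"T1587.001", "T1587.003", "T1588.002", "T1585"},
    "Delivery": {"T1566.001", "T1566.002", "T1189", "T1195", "T1091"},
    "Exploitation": {"T1203", "T1068", "T1190", "T1210"},
    "Installation": {"T1543", "T1547", "T1053", "T1136", "T1505"},
    "Command & Control": {"T1071", "T1573", "T1572", "T1090", "T1102"},
    "Actions on Objectives": {"T1041", "T1486", "T1565", "T1499", "T1529"},
}
SEVERITIES = {"LOW", "MEDIUM", "HIGH", "CRITICAL"}   # assumed scale
STATUSES = {"Draft", "Active"}                        # the two values on the page

# ATT&CK technique IDs are 'T' + four digits, optionally '.NNN' for a sub-technique.
TECHNIQUE_ID = re.compile(r"^T\d{4}(?:\.\d{3})?$")


@dataclass(frozen=True)
class Scenario:
    name: str
    stage: str
    technique: str
    mitre_id: str
    severity: str
    status: str


# The five rows of the 'Existing Scenarios' table, transcribed from the page.
SCENARIOS: List[Scenario] = [
    Scenario("Log4Shell Exploitation Chain", "Exploitation",
             "Exploit Public-Facing Application", "T1190", "CRITICAL", "Active"),
    Scenario("Spearphishing to Ransomware Deployment", "Delivery",
             "Spearphishing Attachment", "T1566.001", "HIGH", "Active"),
    Scenario("Supply Chain Backdoor via XZ Utils", "Installation",
             "Supply Chain Compromise", "T1195", "CRITICAL", "Draft"),
    Scenario("Credential Harvesting via Outlook Exploit", "Exploitation",
             "Exploitation for Credential Access", "T1212", "CRITICAL", "Active"),
    Scenario("VPN Gateway Compromise for Persistence", "Command & Control",
             "Encrypted Channel", "T1573", "CRITICAL", "Draft"),
]


def stage_of(mitre_id: str) -> Optional[str]:
    """Return the catalogue stage listing this ID, or None if absent.

    A sub-technique (e.g. T1543.002) inherits the stage of its parent (T1543)
    when only the parent is catalogued.
    """
    parent = mitre_id.split(".")[0]
    for stage, ids in KILL_CHAIN.items():
        if mitre_id in ids or parent in ids:
            return stage
    return None


def validate(scenario: Scenario) -> List[str]:
    """Return the list of findings for one record; an empty list means consistent."""
    findings: List[str] = []
    if scenario.stage not in KILL_CHAIN:
        findings.append(f"unknown kill-chain stage '{scenario.stage}'")
    if scenario.severity not in SEVERITIES:
        findings.append(f"unknown severity '{scenario.severity}'")
    if scenario.status not in STATUSES:
        findings.append(f"unknown status '{scenario.status}'")
    if not TECHNIQUE_ID.match(scenario.mitre_id):
        findings.append(f"malformed technique ID '{scenario.mitre_id}'")
        return findings  # stage lookup is meaningless for a malformed ID
    listed = stage_of(scenario.mitre_id)
    if listed is None:
        findings.append(f"{scenario.mitre_id} is not in the builder catalogue")
    elif listed != scenario.stage:
        findings.append(
            f"{scenario.mitre_id} is catalogued under {listed}, not {scenario.stage}")
    return findings


def validate_all(scenarios: List[Scenario]) -> Dict[str, List[str]]:
    """Map scenario name -> findings, keeping only records that have any."""
    return {s.name: f for s in scenarios if (f := validate(s))}


if __name__ == "__main__":
    for name, findings in validate_all(SCENARIOS).items():
        print(f"{name}:")
        for f in findings:
            print(f"  - {f}")
```

Treat a stage mismatch as an authoring error to fix at the source, not something to auto-correct: the builder's stage is what drives simulation ordering, so a record that says Installation but points at a Delivery technique will run in the wrong place in the chain.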