بنقرة واحدة
analyzing-cyber-kill-chain
">"
التثبيت باستخدام Codex أو Claude انسخ هذا Prompt والصقه في Codex أو Claude أو مساعد آخر ليراجع صفحة Skill ويثبّتها لك.
القائمة
">"
التثبيت باستخدام Codex أو Claude انسخ هذا Prompt والصقه في Codex أو Claude أو مساعد آخر ليراجع صفحة Skill ويثبّتها لك.
استنادا إلى تصنيف SOC المهني
Command injection testing methodology covering OS command injection, code injection, filter evasion, blind command injection, and shell-specific techniques for bash, PowerShell, and cmd.exe.
Multi-step exploit chaining methodology for combining low-severity findings into full compromise paths. Covers attack chain scoring, approval gates, and systematic approach to turning individual findings into complete attack paths.
Comprehensive privilege escalation methodology for Linux and Windows. Covers kernel exploits, SUID binaries, service misconfigurations, credential harvesting, and both local privilege escalation paths.
Comprehensive reconnaissance methodology covering OSINT, subdomain enumeration, technology fingerprinting, DNS reconnaissance, and attack surface mapping. Includes passive and active recon techniques with OPSEC considerations.
Comprehensive SQL injection testing methodology covering Union-based, Error-based, Blind (Boolean/Time-based), Stacked queries, and WAF bypass techniques. Includes database-specific payloads for MySQL, PostgreSQL, MSSQL, Oracle, SQLite, and NoSQL injection.
Comprehensive Server-Side Request Forgery (SSRF) testing methodology covering basic SSRF, blind SSRF, DNS rebinding, cloud metadata exploitation, and gopher/redis attacks. Includes bypass techniques and automation.
| name | analyzing-cyber-kill-chain |
| description | > |
Use this skill when:
Do not use this skill as a standalone framework — combine with MITRE ATT&CK for technique-level granularity beyond what the 7-phase kill chain provides.
The Lockheed Martin Cyber Kill Chain consists of seven phases. Map all observed adversary actions:
Phase 1 - Reconnaissance: Adversary gathers target information before attack.
Phase 2 - Weaponization: Adversary creates attack tool (malware + exploit).
Phase 3 - Delivery: Adversary transmits weapon to target.
Phase 4 - Exploitation: Adversary exploits vulnerability to execute code.
Phase 5 - Installation: Adversary establishes persistence on target.
Phase 6 - Command & Control (C2): Adversary communicates with compromised system.
Phase 7 - Actions on Objectives: Adversary achieves goals.
Create a phase matrix for the incident:
Phase 1: Recon → Completed (undetected)
Phase 2: Weaponize → Completed (undetected — pre-attack)
Phase 3: Delivery → Completed; phishing email bypassed SEG
Phase 4: Exploit → Completed; CVE-2023-23397 exploited
Phase 5: Install → DETECTED: EDR flagged scheduled task creation (attack stalled here)
Phase 6: C2 → Not achieved (installation blocked)
Phase 7: Objectives → Not achieved
For each phase completed without detection, document the defensive control gap.
Each kill chain phase maps to multiple ATT&CK tactics:
Within each phase, enumerate specific ATT&CK techniques observed and map to existing detections.
For each phase, document applicable defensive courses of action (COAs):
Structure findings as:
| Term | Definition |
|---|---|
| Kill Chain | Sequential model of adversary intrusion phases; breaking any link theoretically stops the attack |
| Courses of Action (COA) | Defensive responses mapped to each kill chain phase: detect, deny, disrupt, degrade, deceive, destroy |
| Beaconing | Regular, periodic C2 check-in pattern from compromised host to adversary server; detectable by frequency analysis |
| Phase Completion | Adversary successfully finishes a kill chain phase and progresses to the next; defense-in-depth aims to prevent this |
| Intelligence Gain/Loss | Analysis of whether detecting at Phase 5 (vs. Phase 3) reduced intelligence about adversary capabilities or intent |