---
name: pentest-exploit-chain
description: Multi-step exploit chain analysis, linking low/medium severity findings into a critical chain, with stealth + impact scoring. Advisory only. Triggers on exploit chain, attack chain, chain analysis, multi-step attack, kill chain, attack path, stealth scoring, impact analysis.
license: MIT
compatibility: Works with Claude Code
allowed-tools: Read Write Edit Grep
metadata:
  author: badi
  badi-version: ">=1.24.0"
  category: pentest
  scope: advisory
  inspired-by: 0xSteph/pentest-ai-agents exploit-chainer + attack-planner
---

# pentest-exploit-chain

Stitch individual low/medium severity findings into a **full-compromise chain**. This is the highest value-add of engagement intelligence, and it is human analysis only.

## Triggers

- "can these findings be chained"
- "draw the kill chain"
- "low + medium = critical"
- "attack path simulation"
- "stealth + impact score"

## Lockheed Martin Cyber Kill Chain (7 steps)

```
1. Reconnaissance       — OSINT, port scan
2. Weaponization        — exploit + payload combine
3. Delivery             — phishing, drive-by, USB
4. Exploitation         — vulnerability trigger
5. Installation         — persistent foothold
6. Command & Control    — beacon
7. Actions on Objectives — data exfil, destruction, ransom
```

## MITRE ATT&CK Tactic Chain

```
TA0043 Reconnaissance
  -> TA0042 Resource Development
    -> TA0001 Initial Access
      -> TA0002 Execution
        -> TA0003 Persistence
          -> TA0004 Privilege Escalation
            -> TA0005 Defense Evasion
              -> TA0006 Credential Access
                -> TA0007 Discovery
                  -> TA0008 Lateral Movement
                    -> TA0009 Collection
                      -> TA0011 Command and Control
                        -> TA0010 Exfiltration
                          -> TA0040 Impact
```

## Chain Analysis Methodology

```
1. List all findings (low + medium + high)
2. For each finding: required input (access held), produced output (privilege/access gained)
3. Match: finding A's output is finding B's input
4. Draw the step graph (DAG)
5. Shortest path to max impact
6. Stealth score per step (1-5)
7. Total stealth (sum over steps) + impact (the chain's final impact) -> chain rank
```
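The methodology above is a graph search, so here is the whole procedure (steps 1 to 7) in working code. This is an added example, not code from the skill or from the pentest-ai-agents project it is inspired by. The findings are constructed to mirror the "User to Domain Admin" chain later on the page; the access labels (`external`, `user_cred`, `domain_admin`, ...) and the extra password-spray finding F7 are assumptions made here to show a second path through the same DAG.

```python
"""Build the finding DAG, enumerate chains from a starting foothold to a goal,
and rank them the way the methodology scores them (stealth summed, impact = final)."""
from dataclasses import dataclass
from typing import FrozenSet, Iterable, List, Tuple


@dataclass(frozen=True)
class Finding:
    id: str
    title: str
    tactic: str                 # ATT&CK tactic the step belongs to
    requires: FrozenSet[str]    # access the attacker must already hold (input)
    grants: FrozenSet[str]      # access the step produces (output)
    stealth: int                # 1 = loud ... 5 = undetectable
    impact: int                 # 1 = recon ... 5 = catastrophic


@dataclass(frozen=True)
class Chain:
    steps: Tuple[Finding, ...]

    @property
    def ids(self) -> List[str]:
        return [s.id for s in self.steps]

    @property
    def stealth_total(self) -> int:      # page convention: sum over steps, out of 5 * len
        return sum(s.stealth for s in self.steps)

    @property
    def impact(self) -> int:             # page convention: the chain's final impact
        return max(s.impact for s in self.steps)


def find_chains(findings: Iterable[Finding], start: Iterable[str], goal: str,
                max_steps: int = 8) -> List[Chain]:
    """DFS over the DAG: a finding is usable once every requirement is already held,
    and is only worth taking when it grants something new. Each finding is used once."""
    findings = list(findings)
    chains: List[Chain] = []

    def walk(access: FrozenSet[str], path: List[Finding]) -> None:
        if goal in access:
            chains.append(Chain(tuple(path)))
            return
        if len(path) >= max_steps:           # bound the search on large finding sets
            return
        for f in findings:
            if f in path or not f.requires <= access or f.grants <= access:
                continue
            walk(access | f.grants, path + [f])

    walk(frozenset(start), [])
    return chains


def rank_chains(chains: Iterable[Chain]) -> List[Chain]:
    """Highest impact first, then highest stealth sum, then fewest steps."""
    return sorted(chains, key=lambda c: (-c.impact, -c.stealth_total, len(c.steps)))


def report(chains: Iterable[Chain]) -> List[str]:
    """Rows for the 'Top chains' table of the output template."""
    rows = ["| # | Chain | Steps | Stealth | Impact |", "|---|-------|-------|---------|--------|"]
    for n, c in enumerate(rank_chains(chains), 1):
        rows.append(f"| {n} | {' -> '.join(c.ids)} | {len(c.steps)} | "
                    f"{c.stealth_total}/{5 * len(c.steps)} | {c.impact}/5 |")
    return rows


# Constructed findings mirroring the "User to Domain Admin" example; F7 is a
# hypothetical password-spray finding that gives a second way to obtain a user credential.
FINDINGS = [
    Finding("F1", "Spear phishing, no awareness training", "Initial Access",
            frozenset({"external"}), frozenset({"user_cred"}), 3, 2),
    Finding("F2", "VPN portal without MFA", "Initial Access",
            frozenset({"user_cred"}), frozenset({"internal_net"}), 4, 2),
    Finding("F3", "SMB null session on AD", "Discovery",
            frozenset({"internal_net"}), frozenset({"domain_enum"}), 2, 2),
    Finding("F4", "Kerberoastable service account, weak password", "Credential Access",
            frozenset({"user_cred", "domain_enum"}), frozenset({"svc_cred"}), 3, 3),
    Finding("F5", "svc-mssql in DB Admins", "Privilege Escalation",
            frozenset({"svc_cred"}), frozenset({"local_admin_db"}), 5, 4),
    Finding("F6", "DB-PROD unconstrained delegation + printer bug", "Privilege Escalation",
            frozenset({"local_admin_db"}), frozenset({"domain_admin"}), 3, 5),
    Finding("F7", "Password spray against VPN (hypothetical)", "Initial Access",
            frozenset({"external"}), frozenset({"user_cred"}), 2, 2),
]
START = {"external"}
GOAL = "domain_admin"

if __name__ == "__main__":
    print("\n".join(report(find_chains(FINDINGS, START, GOAL))))
```

Two chains come out, both reaching Domain Admin: the phishing route with stealth 20/30 ranks above the spray route at 19/30 because the spray is louder at step 1. Summing stealth over steps, as the page does, favours longer chains; if that bias matters for an engagement, rank on the mean per step instead and keep the sum in the table for reference.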

## Stealth Scoring (1-5)

| Score | Type | Detection Likelihood |
|-------|------|---------------------|
| 1 | Loud | EDR/SIEM blocks or alerts automatically |
| 2 | Noisy | A SOC analyst catches it after 5 minutes of review |
| 3 | Moderate | Default rules are insufficient, a hunt query is needed |
| 4 | Quiet | Only sophisticated hunting + threat intel |
| 5 | Stealth | Not detected (zero-day, signed binary) |

## Impact Scoring (1-5)

| Score | Type | Effect |
|-------|------|--------|
| 1 | Recon | Information gathering (no data exposure) |
| 2 | Limited | Single account compromise |
| 3 | Local | Single system compromise |
| 4 | Lateral | Multiple systems / DB access |
| 5 | Catastrophic | DA, ransomware, mass exfil |

## Chain Example

```markdown
# Chain — "User to Domain Admin"
Total: 6 steps, Stealth: 20/30 (sum of the per-step scores), Impact: 5/5 (DA)

## Step 1: Phishing (Initial Access)
- Finding: no user awareness training (engagement OSINT)
- Action: spear phish an IT employee
- Stealth: 3 (the email gateway may catch it, ~20%)
- Impact: 2 (single user cred)
- Output: domain\jdoe / Spring2026!

## Step 2: Initial Foothold (Initial Access via external remote service)
- Finding: VPN portal has no MFA
- Action: VPN login with the phished credentials, no second factor is challenged
- Stealth: 4 (an MFA denial would be a strong signal, but none is enforced, so the login looks like routine remote access)
- Impact: 2
- Output: internal network access

## Step 3: Recon (Discovery)
- Finding: SMB anonymous null session against AD
- Action: enum4linux + RPC
- Stealth: 2 (event 4624, logon type 3, ANONYMOUS LOGON fires on the DC)
- Impact: 2
- Output: domain user list + group list

## Step 4: Cred Access (Credential Access)
- Finding: Kerberoastable service account with a weak password
- Action: GetUserSPNs.py + hashcat, ~4 hr crack
- Stealth: 3 (event 4769 with ticket encryption type 0x17, RC4)
- Impact: 3
- Output: svc-mssql / Mssql2024

## Step 5: Privesc (Privilege Escalation)
- Finding: svc-mssql is a member of "DB Admins"
- Action: none needed, the service account is already privileged
- Stealth: 5 (no abnormal event)
- Impact: 4
- Output: local admin on DB-PROD

## Step 6: DA (Privilege Escalation)
- Finding: DB-PROD is configured with unconstrained delegation
- Action: coerce the DC to authenticate to DB-PROD via the printer bug (MS-RPRN) and capture the forwarded TGT
- Stealth: 3 (anomalous service ticket request from the DC to DB-PROD)
- Impact: 5
- Output: DC machine account TGT, which is DCSync-capable and therefore effectively Domain Admin
```

## Compensating Controls

For each chain step, write controls on **both sides**: the attack (technique, noise it makes) and the defense (preventive, detective, responsive):

```yaml
step: 4 - Kerberoast
attack:
  technique: T1558.003
  noise: Event 4769 with encryption 0x17 (RC4)
controls:
  preventive:
    - Service account: long random password (30+ chars)
    - AES only: set msDS-SupportedEncryptionTypes on the service account so its service tickets are issued with AES instead of RC4
    - Group Managed Service Accounts (gMSA) instead of user accounts carrying SPNs
  detective:
    - Sigma rule: kerberoast_rc4_encryption.yml
    - Alert threshold: > 5 RC4 (0x17) TGS-REQ for distinct SPNs in 1 hr from a single user
  responsive:
    - Auto-disable account on alert
    - 24/7 SOC triage SLA
```
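The detective control above, as runnable logic: an added example, not part of the skill or of any Sigma rule, run over constructed Event ID 4769 records. Field names follow the Windows event XML (`TargetUserName` is the requesting account, `ServiceName` the account owning the SPN, `TicketEncryptionType` 0x17 is RC4-HMAC); the sample timestamps, account names and the 10.0.20.15 source address are made up here.

```python
"""Kerberoast detection over Windows Event ID 4769 records: RC4 (0x17) TGS
requests for many distinct user SPNs by one requester inside a time window."""
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, Iterable, List, Tuple

RC4_HMAC = "0x17"
THRESHOLD = 5               # alert when distinct SPNs in the window exceed this
WINDOW = timedelta(hours=1)


def event(minute: int, user: str, spn: str, etype: str = RC4_HMAC, status: str = "0x0") -> dict:
    """Constructed 4769 record; field names follow the event XML."""
    return {"EventID": 4769, "time": datetime(2026, 3, 1, 9, 0) + timedelta(minutes=minute),
            "TargetUserName": user, "ServiceName": spn, "TicketEncryptionType": etype,
            "Status": status, "IpAddress": "10.0.20.15"}


# Constructed sample: jdoe pulls seven RC4 service tickets in four minutes
# (the GetUserSPNs.py pattern); alice and a workstation produce benign traffic.
EVENTS = [
    event(0, "jdoe@CORP.LOCAL", "svc-mssql"),
    event(0, "jdoe@CORP.LOCAL", "svc-web"),
    event(1, "jdoe@CORP.LOCAL", "svc-backup"),
    event(1, "jdoe@CORP.LOCAL", "svc-sccm"),
    event(2, "jdoe@CORP.LOCAL", "svc-jenkins"),
    event(3, "jdoe@CORP.LOCAL", "svc-sql-dev"),
    event(4, "jdoe@CORP.LOCAL", "svc-exchange"),
    event(4, "jdoe@CORP.LOCAL", "krbtgt"),                    # TGT renewal, not roasting
    event(5, "alice@CORP.LOCAL", "svc-mssql"),                # one RC4 ticket: normal use
    event(6, "alice@CORP.LOCAL", "svc-web", etype="0x12"),    # AES256, not a candidate
    event(7, "WS01$@CORP.LOCAL", "DC01$", etype="0x12"),      # machine account target
    event(8, "jdoe@CORP.LOCAL", "svc-mssql", status="0x1B"),  # failed request, ignored
]


def is_candidate(ev: dict) -> bool:
    """Successful RC4 TGS request for a user service account (not krbtgt, not a machine)."""
    svc = ev["ServiceName"]
    return (ev["EventID"] == 4769
            and ev["TicketEncryptionType"].lower() == RC4_HMAC
            and ev["Status"] == "0x0"
            and svc.lower() != "krbtgt"
            and not svc.endswith("$"))


def detect_kerberoast(events: Iterable[dict], threshold: int = THRESHOLD,
                      window: timedelta = WINDOW) -> Dict[str, List[str]]:
    """Per requester, slide a window from each candidate request and count distinct SPNs.
    Returns {requesting account: sorted SPN owners} for every account over the threshold."""
    by_user: Dict[str, List[Tuple[datetime, str]]] = defaultdict(list)
    for ev in sorted(events, key=lambda e: e["time"]):
        if is_candidate(ev):
            by_user[ev["TargetUserName"]].append((ev["time"], ev["ServiceName"]))
    alerts: Dict[str, List[str]] = {}
    for user, reqs in by_user.items():
        for i, (t0, _) in enumerate(reqs):
            spns = {spn for t, spn in reqs[i:] if t - t0 <= window}
            if len(spns) > threshold:
                alerts[user] = sorted(spns)
                break
    return alerts


if __name__ == "__main__":
    for user, spns in detect_kerberoast(EVENTS).items():
        print(f"ALERT Kerberoasting by {user}: {len(spns)} SPNs {spns}")
```

Counting distinct SPNs rather than raw 4769 volume is what keeps the rule quiet: every interactive user requests service tickets all day, but few request seven different service accounts' tickets with RC4 in a few minutes. Once the preventive control above is in place and every service account is AES-only, any remaining 0x17 ticket for a user SPN is itself worth an alert, and the threshold can drop to 1.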

## Output Template

```markdown
## Exploit Chain Report — <engagement>

### Top 3 Chains (ranked by Impact / Stealth)

| # | Title | Steps | Stealth (sum) | Impact | Time |
|---|-------|-------|---------------|--------|------|
| 1 | User -> DA via Kerberoast | 6 | 20 | 5 | 6 hours |
| 2 | Web SSRF -> Cloud Metadata -> RDS | 4 | 12 | 5 | 3 hours |
| 3 | Phish -> Lateral -> Ransom Sim | 5 | 10 | 5 | 8 hours |

### Recommended Defense Priority
1. Add Kerberoast detection (Sigma rule attached)
2. MFA on VPN (chain step 2 break)
3. Service account password complexity (chain step 4 break)
4. Disable unconstrained delegation (chain step 6 break)
```

## Out-of-Scope

- Live chain execution (advisory + write-up only)
- 0-day discovery (n-day exploits are used)
