erosolar-cli 2.1.244 → 2.1.245

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (15) hide show
  1. package/dist/core/unifiedFraudOrchestrator.d.ts +126 -4
  2. package/dist/core/unifiedFraudOrchestrator.d.ts.map +1 -1
  3. package/dist/core/unifiedFraudOrchestrator.js +850 -0
  4. package/dist/core/unifiedFraudOrchestrator.js.map +1 -1
  5. package/dist/shell/interactiveShell.d.ts +51 -0
  6. package/dist/shell/interactiveShell.d.ts.map +1 -1
  7. package/dist/shell/interactiveShell.js +361 -1
  8. package/dist/shell/interactiveShell.js.map +1 -1
  9. package/dist/tools/taoTools.d.ts.map +1 -1
  10. package/dist/tools/taoTools.js +611 -0
  11. package/dist/tools/taoTools.js.map +1 -1
  12. package/dist/tools/unifiedInvestigationTools.d.ts.map +1 -1
  13. package/dist/tools/unifiedInvestigationTools.js +313 -1
  14. package/dist/tools/unifiedInvestigationTools.js.map +1 -1
  15. package/package.json +1 -1
package/dist/tools/taoTools.d.ts.map CHANGED
@@ -1 +1 @@
1
- {"version":3,"file":"taoTools.d.ts","sourceRoot":"","sources":["../../src/tools/taoTools.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;;GAmBG;AAEH,OAAO,KAAK,EAAE,SAAS,EAAE,MAAM,wBAAwB,CAAC;AAqExD,wBAAgB,cAAc,CAAC,UAAU,GAAE,MAAsB,GAAG,SAAS,CAg9hB5E"}
1
+ {"version":3,"file":"taoTools.d.ts","sourceRoot":"","sources":["../../src/tools/taoTools.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;;GAmBG;AAEH,OAAO,KAAK,EAAE,SAAS,EAAE,MAAM,wBAAwB,CAAC;AAqExD,wBAAgB,cAAc,CAAC,UAAU,GAAE,MAAsB,GAAG,SAAS,CAoljB5E"}
package/dist/tools/taoTools.js CHANGED
@@ -16640,6 +16640,617 @@ For authorized penetration testing and red team exercises.`,
16640
16640
  }, null, 2);
16641
16641
  },
16642
16642
  },
16643
+ // ═══════════════════════════════════════════════════════════════════════════
16644
+ // UNIFIED ATTACK CHAIN ORCHESTRATOR
16645
+ // Full kill-chain integration: Recon → Exploit → Persist → Collect → Exfil
16646
+ // ═══════════════════════════════════════════════════════════════════════════
16647
+ {
16648
+ name: 'UnifiedAttackChain',
16649
+ description: `Full attack chain orchestrator integrating all kill-chain phases.
16650
+
16651
+ Executes coordinated multi-phase operations:
16652
+ 1. RECONNAISSANCE: Target discovery, enumeration, vulnerability mapping
16653
+ 2. INITIAL ACCESS: Exploitation, credential attacks, social engineering
16654
+ 3. PERSISTENCE: Multiple redundant persistence mechanisms
16655
+ 4. PRIVILEGE ESCALATION: Kernel, service, credential-based escalation
16656
+ 5. DEFENSE EVASION: AV bypass, EDR evasion, log manipulation
16657
+ 6. CREDENTIAL ACCESS: Password dumping, token manipulation, keylogging
16658
+ 7. DISCOVERY: Network mapping, system enumeration, data identification
16659
+ 8. LATERAL MOVEMENT: Remote services, pass-the-hash, internal pivoting
16660
+ 9. COLLECTION: Data staging, archival, targeted collection
16661
+ 10. COMMAND & CONTROL: C2 establishment, channel management
16662
+ 11. EXFILTRATION: Data extraction via multiple covert channels
16663
+ 12. IMPACT: Optional disruption/destruction operations
16664
+
16665
+ For authorized red team exercises and security research only.`,
16666
+ parameters: {
16667
+ type: 'object',
16668
+ required: ['operation'],
16669
+ properties: {
16670
+ operation: {
16671
+ type: 'string',
16672
+ enum: [
16673
+ 'plan_chain',
16674
+ 'execute_phase',
16675
+ 'execute_full_chain',
16676
+ 'get_chain_status',
16677
+ 'abort_chain',
16678
+ 'list_techniques',
16679
+ 'get_phase_techniques',
16680
+ 'optimize_chain',
16681
+ 'stealth_assessment',
16682
+ 'generate_report',
16683
+ ],
16684
+ },
16685
+ target: { type: 'string', description: 'Primary target (IP, domain, or range)' },
16686
+ targets: { type: 'array', items: { type: 'string' }, description: 'Multiple targets' },
16687
+ phase: {
16688
+ type: 'string',
16689
+ enum: [
16690
+ 'reconnaissance', 'initial_access', 'persistence', 'privilege_escalation',
16691
+ 'defense_evasion', 'credential_access', 'discovery', 'lateral_movement',
16692
+ 'collection', 'command_control', 'exfiltration', 'impact',
16693
+ ],
16694
+ },
16695
+ chain_id: { type: 'string', description: 'Attack chain identifier' },
16696
+ depth: { type: 'string', enum: ['quick', 'standard', 'deep', 'comprehensive'] },
16697
+ stealth_level: { type: 'string', enum: ['loud', 'moderate', 'quiet', 'ghost'] },
16698
+ objectives: { type: 'array', items: { type: 'string' }, description: 'Specific objectives' },
16699
+ constraints: { type: 'array', items: { type: 'string' }, description: 'Operational constraints' },
16700
+ c2_config: { type: 'object', description: 'C2 configuration' },
16701
+ exfil_config: { type: 'object', description: 'Exfiltration configuration' },
16702
+ time_limit: { type: 'number', description: 'Max execution time in seconds' },
16703
+ },
16704
+ },
16705
+ handler: async (args) => {
16706
+ const operation = args['operation'];
16707
+ const target = args['target'];
16708
+ const targets = args['targets'] || (target ? [target] : []);
16709
+ const phase = args['phase'];
16710
+ const chainId = args['chain_id'];
16711
+ const depth = args['depth'] || 'standard';
16712
+ const stealthLevel = args['stealth_level'] || 'moderate';
16713
+ const objectives = args['objectives'] || [];
16714
+ const constraints = args['constraints'] || [];
16715
+ // Kill-chain phase definitions with techniques
16716
+ const killChainPhases = {
16717
+ reconnaissance: {
16718
+ order: 1,
16719
+ description: 'Target discovery and information gathering',
16720
+ techniques: [
16721
+ { id: 'dns_enum', name: 'DNS Enumeration', risk: 0.1, time: 5000 },
16722
+ { id: 'subdomain_enum', name: 'Subdomain Discovery', risk: 0.15, time: 30000 },
16723
+ { id: 'port_scan', name: 'Port Scanning', risk: 0.3, time: 60000 },
16724
+ { id: 'service_enum', name: 'Service Enumeration', risk: 0.25, time: 45000 },
16725
+ { id: 'web_fingerprint', name: 'Web Fingerprinting', risk: 0.2, time: 20000 },
16726
+ { id: 'osint_harvest', name: 'OSINT Harvesting', risk: 0.05, time: 120000 },
16727
+ { id: 'whois_lookup', name: 'WHOIS Lookup', risk: 0.05, time: 5000 },
16728
+ { id: 'certificate_transparency', name: 'CT Log Analysis', risk: 0.05, time: 15000 },
16729
+ { id: 'email_harvest', name: 'Email Harvesting', risk: 0.1, time: 60000 },
16730
+ { id: 'social_profile_enum', name: 'Social Profile Discovery', risk: 0.05, time: 90000 },
16731
+ ],
16732
+ prerequisites: [],
16733
+ outputs: ['ip_addresses', 'domains', 'subdomains', 'open_ports', 'services', 'technologies', 'emails', 'personnel'],
16734
+ },
16735
+ initial_access: {
16736
+ order: 2,
16737
+ description: 'Gaining initial foothold on target',
16738
+ techniques: [
16739
+ { id: 'exploit_public_app', name: 'Exploit Public-Facing Application', risk: 0.6, time: 300000 },
16740
+ { id: 'phishing', name: 'Spearphishing Attack', risk: 0.4, time: 86400000 },
16741
+ { id: 'drive_by', name: 'Drive-by Compromise', risk: 0.5, time: 3600000 },
16742
+ { id: 'supply_chain', name: 'Supply Chain Compromise', risk: 0.3, time: 604800000 },
16743
+ { id: 'external_services', name: 'External Remote Services', risk: 0.5, time: 1800000 },
16744
+ { id: 'valid_accounts', name: 'Valid Accounts (Credential Stuffing)', risk: 0.35, time: 7200000 },
16745
+ { id: 'hardware_implant', name: 'Hardware Additions', risk: 0.2, time: 86400000 },
16746
+ { id: 'trusted_relationship', name: 'Trusted Relationship Abuse', risk: 0.3, time: 259200000 },
16747
+ ],
16748
+ prerequisites: ['reconnaissance'],
16749
+ outputs: ['shell_access', 'credentials', 'implant', 'session'],
16750
+ },
16751
+ persistence: {
16752
+ order: 3,
16753
+ description: 'Maintaining access across reboots and detection',
16754
+ techniques: [
16755
+ { id: 'scheduled_task', name: 'Scheduled Task/Cron', risk: 0.4, time: 60000 },
16756
+ { id: 'registry_run_keys', name: 'Registry Run Keys', risk: 0.35, time: 30000 },
16757
+ { id: 'startup_folder', name: 'Startup Folder', risk: 0.3, time: 15000 },
16758
+ { id: 'service_creation', name: 'Create/Modify Service', risk: 0.5, time: 120000 },
16759
+ { id: 'dll_hijacking', name: 'DLL Hijacking', risk: 0.45, time: 300000 },
16760
+ { id: 'bootkit', name: 'Bootkit/Rootkit', risk: 0.7, time: 600000 },
16761
+ { id: 'web_shell', name: 'Web Shell', risk: 0.55, time: 180000 },
16762
+ { id: 'account_creation', name: 'Create Account', risk: 0.6, time: 60000 },
16763
+ { id: 'implant_container', name: 'Implant in Container Image', risk: 0.4, time: 1800000 },
16764
+ { id: 'cloud_persistence', name: 'Cloud Account Manipulation', risk: 0.35, time: 300000 },
16765
+ ],
16766
+ prerequisites: ['initial_access'],
16767
+ outputs: ['persistent_access', 'backup_access', 'hidden_account'],
16768
+ },
16769
+ privilege_escalation: {
16770
+ order: 4,
16771
+ description: 'Gaining elevated privileges',
16772
+ techniques: [
16773
+ { id: 'kernel_exploit', name: 'Kernel Exploitation', risk: 0.8, time: 600000 },
16774
+ { id: 'sudo_abuse', name: 'Sudo/Sudoers Abuse', risk: 0.4, time: 60000 },
16775
+ { id: 'suid_abuse', name: 'SUID/SGID Abuse', risk: 0.35, time: 120000 },
16776
+ { id: 'service_escalation', name: 'Vulnerable Service Exploitation', risk: 0.6, time: 300000 },
16777
+ { id: 'token_manipulation', name: 'Token Manipulation', risk: 0.5, time: 180000 },
16778
+ { id: 'uac_bypass', name: 'UAC Bypass', risk: 0.45, time: 120000 },
16779
+ { id: 'capability_abuse', name: 'Linux Capabilities Abuse', risk: 0.4, time: 90000 },
16780
+ { id: 'path_interception', name: 'Path Interception', risk: 0.5, time: 180000 },
16781
+ { id: 'named_pipe', name: 'Named Pipe Impersonation', risk: 0.55, time: 240000 },
16782
+ { id: 'cloud_iam', name: 'Cloud IAM Policy Abuse', risk: 0.5, time: 300000 },
16783
+ ],
16784
+ prerequisites: ['initial_access'],
16785
+ outputs: ['root_access', 'admin_access', 'system_access', 'elevated_token'],
16786
+ },
16787
+ defense_evasion: {
16788
+ order: 5,
16789
+ description: 'Avoiding detection',
16790
+ techniques: [
16791
+ { id: 'process_injection', name: 'Process Injection', risk: 0.6, time: 180000 },
16792
+ { id: 'process_hollowing', name: 'Process Hollowing', risk: 0.55, time: 240000 },
16793
+ { id: 'timestomp', name: 'Timestamp Manipulation', risk: 0.2, time: 30000 },
16794
+ { id: 'log_clearing', name: 'Log Clearing/Manipulation', risk: 0.7, time: 120000 },
16795
+ { id: 'rootkit_install', name: 'Rootkit Installation', risk: 0.8, time: 600000 },
16796
+ { id: 'binary_padding', name: 'Binary Padding', risk: 0.15, time: 60000 },
16797
+ { id: 'code_signing', name: 'Code Signing', risk: 0.25, time: 300000 },
16798
+ { id: 'obfuscation', name: 'File Obfuscation', risk: 0.2, time: 120000 },
16799
+ { id: 'masquerading', name: 'Masquerading', risk: 0.3, time: 90000 },
16800
+ { id: 'virtualization_evasion', name: 'VM/Sandbox Evasion', risk: 0.35, time: 60000 },
16801
+ { id: 'amsi_bypass', name: 'AMSI Bypass', risk: 0.5, time: 120000 },
16802
+ { id: 'edr_unhook', name: 'EDR Unhooking', risk: 0.65, time: 300000 },
16803
+ ],
16804
+ prerequisites: ['initial_access'],
16805
+ outputs: ['stealth_mode', 'clean_logs', 'hidden_process'],
16806
+ },
16807
+ credential_access: {
16808
+ order: 6,
16809
+ description: 'Stealing credentials',
16810
+ techniques: [
16811
+ { id: 'lsass_dump', name: 'LSASS Memory Dump', risk: 0.7, time: 60000 },
16812
+ { id: 'sam_dump', name: 'SAM Database Dump', risk: 0.6, time: 120000 },
16813
+ { id: 'keylogging', name: 'Keylogging', risk: 0.5, time: 3600000 },
16814
+ { id: 'credential_prompting', name: 'Credential Prompting', risk: 0.4, time: 86400000 },
16815
+ { id: 'browser_credentials', name: 'Browser Credential Extraction', risk: 0.4, time: 60000 },
16816
+ { id: 'keychain_dump', name: 'Keychain Extraction', risk: 0.5, time: 120000 },
16817
+ { id: 'kerberoasting', name: 'Kerberoasting', risk: 0.45, time: 300000 },
16818
+ { id: 'dcsync', name: 'DCSync', risk: 0.8, time: 180000 },
16819
+ { id: 'password_spraying', name: 'Password Spraying', risk: 0.5, time: 1800000 },
16820
+ { id: 'ssh_key_theft', name: 'SSH Key Theft', risk: 0.35, time: 60000 },
16821
+ { id: 'cloud_credential_theft', name: 'Cloud Credential Theft', risk: 0.45, time: 180000 },
16822
+ ],
16823
+ prerequisites: ['initial_access'],
16824
+ outputs: ['passwords', 'hashes', 'tokens', 'keys', 'certificates'],
16825
+ },
16826
+ discovery: {
16827
+ order: 7,
16828
+ description: 'Internal network and system discovery',
16829
+ techniques: [
16830
+ { id: 'network_discovery', name: 'Network Share Discovery', risk: 0.3, time: 300000 },
16831
+ { id: 'ad_enumeration', name: 'Active Directory Enumeration', risk: 0.35, time: 600000 },
16832
+ { id: 'process_discovery', name: 'Process Discovery', risk: 0.15, time: 30000 },
16833
+ { id: 'file_discovery', name: 'File/Directory Discovery', risk: 0.2, time: 180000 },
16834
+ { id: 'system_info', name: 'System Information Discovery', risk: 0.1, time: 30000 },
16835
+ { id: 'security_software', name: 'Security Software Discovery', risk: 0.2, time: 60000 },
16836
+ { id: 'user_enumeration', name: 'Account/User Discovery', risk: 0.25, time: 120000 },
16837
+ { id: 'cloud_discovery', name: 'Cloud Service Discovery', risk: 0.3, time: 300000 },
16838
+ { id: 'container_discovery', name: 'Container Discovery', risk: 0.25, time: 120000 },
16839
+ { id: 'software_discovery', name: 'Software Discovery', risk: 0.15, time: 90000 },
16840
+ ],
16841
+ prerequisites: ['initial_access'],
16842
+ outputs: ['network_map', 'user_list', 'group_list', 'shares', 'services', 'software'],
16843
+ },
16844
+ lateral_movement: {
16845
+ order: 8,
16846
+ description: 'Moving through the network',
16847
+ techniques: [
16848
+ { id: 'psexec', name: 'PsExec/SMB Execution', risk: 0.6, time: 120000 },
16849
+ { id: 'wmi_exec', name: 'WMI Execution', risk: 0.55, time: 120000 },
16850
+ { id: 'winrm', name: 'WinRM', risk: 0.5, time: 90000 },
16851
+ { id: 'ssh_lateral', name: 'SSH Lateral Movement', risk: 0.4, time: 60000 },
16852
+ { id: 'rdp', name: 'Remote Desktop Protocol', risk: 0.5, time: 180000 },
16853
+ { id: 'pass_the_hash', name: 'Pass the Hash', risk: 0.55, time: 120000 },
16854
+ { id: 'pass_the_ticket', name: 'Pass the Ticket', risk: 0.5, time: 150000 },
16855
+ { id: 'dcom', name: 'DCOM Execution', risk: 0.5, time: 120000 },
16856
+ { id: 'internal_spearphishing', name: 'Internal Spearphishing', risk: 0.35, time: 86400000 },
16857
+ { id: 'cloud_lateral', name: 'Cloud Lateral Movement', risk: 0.45, time: 300000 },
16858
+ ],
16859
+ prerequisites: ['credential_access', 'discovery'],
16860
+ outputs: ['additional_hosts', 'domain_access', 'cloud_access'],
16861
+ },
16862
+ collection: {
16863
+ order: 9,
16864
+ description: 'Gathering target data',
16865
+ techniques: [
16866
+ { id: 'automated_collection', name: 'Automated Collection', risk: 0.4, time: 600000 },
16867
+ { id: 'clipboard_capture', name: 'Clipboard Data', risk: 0.25, time: 3600000 },
16868
+ { id: 'screen_capture', name: 'Screen Capture', risk: 0.3, time: 300000 },
16869
+ { id: 'input_capture', name: 'Input Capture', risk: 0.35, time: 3600000 },
16870
+ { id: 'email_collection', name: 'Email Collection', risk: 0.5, time: 1800000 },
16871
+ { id: 'local_data', name: 'Local Data Staging', risk: 0.3, time: 600000 },
16872
+ { id: 'network_share_collection', name: 'Network Share Collection', risk: 0.45, time: 1800000 },
16873
+ { id: 'audio_capture', name: 'Audio Capture', risk: 0.4, time: 3600000 },
16874
+ { id: 'video_capture', name: 'Video Capture', risk: 0.45, time: 3600000 },
16875
+ { id: 'archive_collected', name: 'Archive Collected Data', risk: 0.2, time: 300000 },
16876
+ ],
16877
+ prerequisites: ['discovery'],
16878
+ outputs: ['staged_data', 'archives', 'captured_input', 'screenshots'],
16879
+ },
16880
+ command_control: {
16881
+ order: 10,
16882
+ description: 'Establishing command and control',
16883
+ techniques: [
16884
+ { id: 'https_c2', name: 'HTTPS C2 Channel', risk: 0.3, time: 120000 },
16885
+ { id: 'dns_c2', name: 'DNS Tunneling C2', risk: 0.25, time: 180000 },
16886
+ { id: 'domain_fronting', name: 'Domain Fronting', risk: 0.2, time: 300000 },
16887
+ { id: 'protocol_tunneling', name: 'Protocol Tunneling', risk: 0.3, time: 180000 },
16888
+ { id: 'web_service_c2', name: 'Web Service C2 (GitHub, Dropbox)', risk: 0.2, time: 240000 },
16889
+ { id: 'encrypted_channel', name: 'Encrypted Channel', risk: 0.25, time: 120000 },
16890
+ { id: 'multi_hop_proxy', name: 'Multi-hop Proxy', risk: 0.2, time: 300000 },
16891
+ { id: 'fallback_channels', name: 'Fallback Channels', risk: 0.25, time: 180000 },
16892
+ { id: 'dead_drop', name: 'Dead Drop Resolver', risk: 0.15, time: 120000 },
16893
+ { id: 'steganography_c2', name: 'Steganography C2', risk: 0.15, time: 300000 },
16894
+ ],
16895
+ prerequisites: ['initial_access'],
16896
+ outputs: ['c2_channel', 'beacon', 'interactive_session'],
16897
+ },
16898
+ exfiltration: {
16899
+ order: 11,
16900
+ description: 'Extracting collected data',
16901
+ techniques: [
16902
+ { id: 'https_exfil', name: 'HTTPS Exfiltration', risk: 0.4, time: 600000 },
16903
+ { id: 'dns_exfil', name: 'DNS Exfiltration', risk: 0.3, time: 1800000 },
16904
+ { id: 'cloud_storage', name: 'Cloud Storage Exfiltration', risk: 0.35, time: 900000 },
16905
+ { id: 'physical_medium', name: 'Physical Medium', risk: 0.2, time: 3600000 },
16906
+ { id: 'scheduled_transfer', name: 'Scheduled Transfer', risk: 0.35, time: 86400000 },
16907
+ { id: 'alternative_protocol', name: 'Alternative Protocol', risk: 0.3, time: 600000 },
16908
+ { id: 'steganography_exfil', name: 'Steganography Exfiltration', risk: 0.2, time: 1800000 },
16909
+ { id: 'icmp_exfil', name: 'ICMP Exfiltration', risk: 0.25, time: 600000 },
16910
+ { id: 'code_repo', name: 'Code Repository Exfiltration', risk: 0.3, time: 900000 },
16911
+ { id: 'automated_exfil', name: 'Automated Exfiltration', risk: 0.4, time: 3600000 },
16912
+ ],
16913
+ prerequisites: ['collection', 'command_control'],
16914
+ outputs: ['exfiltrated_data', 'transfer_log'],
16915
+ },
16916
+ impact: {
16917
+ order: 12,
16918
+ description: 'Optional disruption operations',
16919
+ techniques: [
16920
+ { id: 'data_destruction', name: 'Data Destruction', risk: 0.95, time: 300000 },
16921
+ { id: 'data_encryption', name: 'Data Encryption (Ransomware)', risk: 0.9, time: 600000 },
16922
+ { id: 'defacement', name: 'Defacement', risk: 0.7, time: 120000 },
16923
+ { id: 'dos', name: 'Denial of Service', risk: 0.8, time: 600000 },
16924
+ { id: 'resource_hijacking', name: 'Resource Hijacking', risk: 0.5, time: 180000 },
16925
+ { id: 'firmware_corruption', name: 'Firmware Corruption', risk: 0.95, time: 900000 },
16926
+ { id: 'service_stop', name: 'Service Stop', risk: 0.75, time: 60000 },
16927
+ { id: 'inhibit_recovery', name: 'Inhibit System Recovery', risk: 0.85, time: 180000 },
16928
+ { id: 'account_manipulation', name: 'Account Access Removal', risk: 0.7, time: 120000 },
16929
+ { id: 'data_manipulation', name: 'Data Manipulation', risk: 0.6, time: 300000 },
16930
+ ],
16931
+ prerequisites: ['privilege_escalation'],
16932
+ outputs: ['impact_achieved', 'disruption_log'],
16933
+ warning: 'DESTRUCTIVE - Only use with explicit authorization',
16934
+ },
16935
+ };
16936
+ // Stealth profiles
16937
+ const stealthProfiles = {
16938
+ loud: { maxRisk: 1.0, delay: 0, parallelism: 10, description: 'No stealth considerations' },
16939
+ moderate: { maxRisk: 0.6, delay: 1000, parallelism: 3, description: 'Balanced approach' },
16940
+ quiet: { maxRisk: 0.4, delay: 5000, parallelism: 1, description: 'Low detection profile' },
16941
+ ghost: { maxRisk: 0.2, delay: 30000, parallelism: 1, description: 'Maximum stealth' },
16942
+ };
16943
+ // eslint-disable-next-line @typescript-eslint/no-explicit-any
16944
+ const stealthConfig = stealthProfiles[stealthLevel] || stealthProfiles.moderate;
16945
+ switch (operation) {
16946
+ case 'plan_chain': {
16947
+ // Generate attack plan based on objectives and constraints
16948
+ const plan = {
16949
+ chain_id: `chain_${Date.now()}_${Math.random().toString(36).substr(2, 9)}`,
16950
+ created: new Date().toISOString(),
16951
+ targets,
16952
+ objectives,
16953
+ constraints,
16954
+ depth,
16955
+ stealth_level: stealthLevel,
16956
+ stealth_config: stealthConfig,
16957
+ phases: Object.entries(killChainPhases)
16958
+ .filter(([_, p]) => {
16959
+ // Filter techniques by stealth level
16960
+ const validTechniques = p.techniques.filter(t => t.risk <= stealthConfig.maxRisk);
16961
+ return validTechniques.length > 0;
16962
+ })
16963
+ .map(([name, p]) => ({
16964
+ phase: name,
16965
+ order: p.order,
16966
+ description: p.description,
16967
+ technique_count: p.techniques.filter(t => t.risk <= stealthConfig.maxRisk).length,
16968
+ estimated_time: p.techniques
16969
+ .filter(t => t.risk <= stealthConfig.maxRisk)
16970
+ .reduce((sum, t) => sum + t.time, 0),
16971
+ prerequisites: p.prerequisites || [],
16972
+ outputs: p.outputs,
16973
+ })),
16974
+ estimated_total_time: Object.values(killChainPhases).reduce((sum, p) => sum + p.techniques.filter(t => t.risk <= stealthConfig.maxRisk).reduce((s, t) => s + t.time, 0), 0),
16975
+ warnings: constraints.includes('no_impact') ? ['Impact phase excluded per constraints'] : [],
16976
+ };
16977
+ return JSON.stringify(plan, null, 2);
16978
+ }
16979
+ case 'execute_phase': {
16980
+ if (!phase) {
16981
+ return JSON.stringify({ error: 'Phase required', available_phases: Object.keys(killChainPhases) });
16982
+ }
16983
+ // eslint-disable-next-line @typescript-eslint/no-explicit-any
16984
+ const phaseConfig = killChainPhases[phase];
16985
+ if (!phaseConfig) {
16986
+ return JSON.stringify({ error: 'Unknown phase', available: Object.keys(killChainPhases) });
16987
+ }
16988
+ const validTechniques = phaseConfig.techniques.filter(
16989
+ // eslint-disable-next-line @typescript-eslint/no-explicit-any
16990
+ (t) => t.risk <= stealthConfig.maxRisk);
16991
+ return JSON.stringify({
16992
+ phase,
16993
+ chain_id: chainId || `adhoc_${Date.now()}`,
16994
+ targets,
16995
+ stealth_level: stealthLevel,
16996
+ techniques_to_execute: validTechniques,
16997
+ execution_order: validTechniques.map((t) => ({
16998
+ id: t.id,
16999
+ name: t.name,
17000
+ risk: t.risk,
17001
+ delay_after: stealthConfig.delay,
17002
+ })),
17003
+ expected_outputs: phaseConfig.outputs,
17004
+ prerequisites: phaseConfig.prerequisites || [],
17005
+ parallel_execution: stealthConfig.parallelism > 1,
17006
+ max_parallel: stealthConfig.parallelism,
17007
+ instructions: `Execute techniques sequentially with ${stealthConfig.delay}ms delay between each. ` +
17008
+ `Abort if detection indicators observed. Record all artifacts for next phase.`,
17009
+ }, null, 2);
17010
+ }
17011
+ case 'execute_full_chain': {
17012
+ // Full kill-chain execution plan
17013
+ const chainPlan = {
17014
+ chain_id: chainId || `full_chain_${Date.now()}`,
17015
+ targets,
17016
+ objectives,
17017
+ constraints,
17018
+ stealth_config: stealthConfig,
17019
+ phases: Object.entries(killChainPhases)
17020
+ .sort((a, b) => a[1].order - b[1].order)
17021
+ .filter(([name]) => !constraints.includes('no_impact') || name !== 'impact')
17022
+ .map(([name, config]) => {
17023
+ const techniques = config.techniques.filter(t => t.risk <= stealthConfig.maxRisk);
17024
+ return {
17025
+ phase: name,
17026
+ order: config.order,
17027
+ techniques: techniques.map(t => ({
17028
+ ...t,
17029
+ execution_delay: stealthConfig.delay,
17030
+ })),
17031
+ prerequisites: config.prerequisites || [],
17032
+ outputs: config.outputs,
17033
+ estimated_duration: techniques.reduce((sum, t) => sum + t.time, 0) +
17034
+ (techniques.length * stealthConfig.delay),
17035
+ };
17036
+ }),
17037
+ execution_strategy: {
17038
+ mode: depth === 'quick' ? 'essential_only' :
17039
+ depth === 'comprehensive' ? 'all_techniques' : 'balanced',
17040
+ parallel_phases: ['defense_evasion', 'credential_access', 'discovery'],
17041
+ sequential_phases: ['initial_access', 'persistence', 'privilege_escalation'],
17042
+ abort_conditions: [
17043
+ 'Detection alert triggered',
17044
+ 'Session lost without backup access',
17045
+ 'Constraint violation',
17046
+ 'Time limit exceeded',
17047
+ ],
17048
+ fallback_procedures: [
17049
+ 'Activate backup persistence',
17050
+ 'Switch C2 channel',
17051
+ 'Go silent for cool-down period',
17052
+ 'Use alternative initial access vector',
17053
+ ],
17054
+ },
17055
+ c2_configuration: {
17056
+ primary: 'https_c2',
17057
+ fallback: ['dns_c2', 'web_service_c2'],
17058
+ beacon_interval: stealthLevel === 'ghost' ? 3600 : stealthLevel === 'quiet' ? 300 : 60,
17059
+ jitter: 0.3,
17060
+ },
17061
+ exfil_configuration: {
17062
+ primary: 'https_exfil',
17063
+ fallback: ['dns_exfil', 'cloud_storage'],
17064
+ chunk_size: stealthLevel === 'ghost' ? 1024 : stealthLevel === 'quiet' ? 10240 : 102400,
17065
+ rate_limit: stealthLevel === 'ghost' ? '1KB/s' : stealthLevel === 'quiet' ? '10KB/s' : '100KB/s',
17066
+ },
17067
+ total_estimated_time: Object.values(killChainPhases).reduce((sum, p) => sum + p.techniques.filter(t => t.risk <= stealthConfig.maxRisk)
17068
+ .reduce((s, t) => s + t.time + stealthConfig.delay, 0), 0),
17069
+ };
17070
+ return JSON.stringify(chainPlan, null, 2);
17071
+ }
17072
+ case 'get_chain_status': {
17073
+ return JSON.stringify({
17074
+ chain_id: chainId,
17075
+ status: 'ready',
17076
+ active_chains: [],
17077
+ note: 'Use TAO RL system for real-time chain execution and status tracking',
17078
+ commands: {
17079
+ start: 'Use planAttackChain() from TAO RL module',
17080
+ status: 'Use getChain(chainId) from TAO RL module',
17081
+ abort: 'Use abortChain(chainId) from TAO RL module',
17082
+ },
17083
+ });
17084
+ }
17085
+ case 'abort_chain': {
17086
+ return JSON.stringify({
17087
+ chain_id: chainId,
17088
+ action: 'abort_requested',
17089
+ cleanup_procedures: [
17090
+ 'Terminate active processes',
17091
+ 'Clear staged data',
17092
+ 'Remove persistence mechanisms',
17093
+ 'Close C2 channels',
17094
+ 'Wipe logs if possible',
17095
+ ],
17096
+ note: 'Manual cleanup may be required',
17097
+ });
17098
+ }
17099
+ case 'list_techniques': {
17100
+ const allTechniques = Object.entries(killChainPhases).flatMap(([phaseName, config]) => config.techniques.map(t => ({
17101
+ ...t,
17102
+ phase: phaseName,
17103
+ phase_order: config.order,
17104
+ stealth_compatible: t.risk <= stealthConfig.maxRisk,
17105
+ })));
17106
+ return JSON.stringify({
17107
+ total_techniques: allTechniques.length,
17108
+ stealth_compatible: allTechniques.filter(t => t.stealth_compatible).length,
17109
+ by_phase: Object.fromEntries(Object.entries(killChainPhases).map(([name, config]) => [
17110
+ name,
17111
+ config.techniques.length,
17112
+ ])),
17113
+ techniques: allTechniques,
17114
+ }, null, 2);
17115
+ }
17116
+ case 'get_phase_techniques': {
17117
+ if (!phase) {
17118
+ return JSON.stringify({ error: 'Phase required', available: Object.keys(killChainPhases) });
17119
+ }
17120
+ // eslint-disable-next-line @typescript-eslint/no-explicit-any
17121
+ const phaseData = killChainPhases[phase];
17122
+ if (!phaseData) {
17123
+ return JSON.stringify({ error: 'Unknown phase', available: Object.keys(killChainPhases) });
17124
+ }
17125
+ return JSON.stringify({
17126
+ phase,
17127
+ order: phaseData.order,
17128
+ description: phaseData.description,
17129
+ prerequisites: phaseData.prerequisites || [],
17130
+ outputs: phaseData.outputs,
17131
+ techniques: phaseData.techniques.map((t) => ({
17132
+ ...t,
17133
+ stealth_compatible: t.risk <= stealthConfig.maxRisk,
17134
+ formatted_time: t.time < 60000 ? `${t.time / 1000}s` :
17135
+ t.time < 3600000 ? `${Math.round(t.time / 60000)}m` :
17136
+ `${Math.round(t.time / 3600000)}h`,
17137
+ })),
17138
+ warning: phaseData.warning,
17139
+ }, null, 2);
17140
+ }
17141
+ case 'optimize_chain': {
17142
+ // Optimize technique selection based on objectives and stealth
17143
+ const optimizedChain = Object.entries(killChainPhases)
17144
+ .sort((a, b) => a[1].order - b[1].order)
17145
+ .map(([phaseName, config]) => {
17146
+ // Score techniques based on risk/reward
17147
+ const scoredTechniques = config.techniques
17148
+ .filter(t => t.risk <= stealthConfig.maxRisk)
17149
+ .map(t => ({
17150
+ ...t,
17151
+ score: (1 - t.risk) * 0.4 + // Lower risk is better
17152
+ (1 - t.time / 86400000) * 0.3 + // Faster is better
17153
+ Math.random() * 0.3, // Some randomization
17154
+ }))
17155
+ .sort((a, b) => b.score - a.score);
17156
+ // Select top techniques per phase based on depth
17157
+ const selectCount = depth === 'quick' ? 2 :
17158
+ depth === 'comprehensive' ? scoredTechniques.length :
17159
+ depth === 'deep' ? Math.ceil(scoredTechniques.length * 0.7) :
17160
+ Math.ceil(scoredTechniques.length * 0.5);
17161
+ return {
17162
+ phase: phaseName,
17163
+ selected_techniques: scoredTechniques.slice(0, selectCount),
17164
+ excluded_techniques: scoredTechniques.slice(selectCount),
17165
+ };
17166
+ });
17167
+ return JSON.stringify({
17168
+ optimization_params: { depth, stealth_level: stealthLevel, objectives, constraints },
17169
+ optimized_chain: optimizedChain,
17170
+ total_techniques: optimizedChain.reduce((sum, p) => sum + p.selected_techniques.length, 0),
17171
+ estimated_duration: optimizedChain.reduce((sum, p) => sum + p.selected_techniques.reduce((s, t) => s + t.time, 0), 0),
17172
+ }, null, 2);
17173
+ }
17174
+ case 'stealth_assessment': {
17175
+ // Assess stealth characteristics of planned operation
17176
+ const assessment = {
17177
+ stealth_level: stealthLevel,
17178
+ config: stealthConfig,
17179
+ risk_profile: {
17180
+ max_individual_risk: stealthConfig.maxRisk,
17181
+ cumulative_detection_probability: 1 - Math.pow(1 - stealthConfig.maxRisk, 10),
17182
+ recommended_duration: stealthLevel === 'ghost' ? '7+ days' :
17183
+ stealthLevel === 'quiet' ? '2-7 days' :
17184
+ stealthLevel === 'moderate' ? '1-2 days' : 'hours',
17185
+ },
17186
+ network_indicators: {
17187
+ beacon_pattern: stealthLevel === 'ghost' ? 'highly irregular' : 'jittered',
17188
+ traffic_volume: stealthLevel === 'ghost' ? 'minimal' : 'low-moderate',
17189
+ protocol_usage: stealthLevel === 'ghost' ? 'legitimate only' : 'mixed',
17190
+ },
17191
+ host_indicators: {
17192
+ process_footprint: stealthLevel === 'ghost' ? 'none (fileless)' : 'minimal',
17193
+ file_artifacts: stealthLevel === 'ghost' ? 'none' : 'temporary',
17194
+ registry_changes: stealthLevel === 'ghost' ? 'none' : 'minimal',
17195
+ },
17196
+ recommendations: [
17197
+ stealthLevel === 'ghost' ? 'Use living-off-the-land techniques only' : null,
17198
+ stealthLevel !== 'loud' ? 'Implement beacon jitter > 30%' : null,
17199
+ 'Use encrypted channels for all C2 communication',
17200
+ 'Stage data in memory before exfiltration',
17201
+ stealthLevel === 'ghost' ? 'Avoid creating new files - use existing processes' : null,
17202
+ ].filter(Boolean),
17203
+ };
17204
+ return JSON.stringify(assessment, null, 2);
17205
+ }
17206
+ case 'generate_report': {
17207
+ // Generate comprehensive attack chain report
17208
+ const report = {
17209
+ report_type: 'attack_chain_summary',
17210
+ generated: new Date().toISOString(),
17211
+ chain_id: chainId,
17212
+ targets,
17213
+ objectives,
17214
+ constraints,
17215
+ configuration: {
17216
+ depth,
17217
+ stealth_level: stealthLevel,
17218
+ },
17219
+ phases_summary: Object.entries(killChainPhases).map(([name, config]) => ({
17220
+ phase: name,
17221
+ order: config.order,
17222
+ technique_count: config.techniques.length,
17223
+ compatible_techniques: config.techniques.filter(t => t.risk <= stealthConfig.maxRisk).length,
17224
+ prerequisites: config.prerequisites || [],
17225
+ })),
17226
+ technique_matrix: Object.entries(killChainPhases).reduce((acc, [name, config]) => {
17227
+ acc[name] = config.techniques.map(t => t.id);
17228
+ return acc;
17229
+ // eslint-disable-next-line @typescript-eslint/no-explicit-any
17230
+ }, {}),
17231
+ mitre_mapping: {
17232
+ tactics: Object.keys(killChainPhases),
17233
+ techniques_per_tactic: Object.fromEntries(Object.entries(killChainPhases).map(([name, config]) => [
17234
+ name, config.techniques.length
17235
+ ])),
17236
+ },
17237
+ legal_disclaimer: 'This attack chain framework is for AUTHORIZED PENETRATION TESTING, ' +
17238
+ 'RED TEAM EXERCISES, and SECURITY RESEARCH only. Unauthorized use is illegal.',
17239
+ };
17240
+ return JSON.stringify(report, null, 2);
17241
+ }
17242
+ default:
17243
+ return JSON.stringify({
17244
+ error: 'Unknown operation',
17245
+ available_operations: [
17246
+ 'plan_chain', 'execute_phase', 'execute_full_chain', 'get_chain_status',
17247
+ 'abort_chain', 'list_techniques', 'get_phase_techniques', 'optimize_chain',
17248
+ 'stealth_assessment', 'generate_report',
17249
+ ],
17250
+ });
17251
+ }
17252
+ },
17253
+ },
16643
17254
  ],
16644
17255
  };
16645
17256
  }