erosolar-cli 2.1.244 → 2.1.246

@@ -16640,6 +16640,1472 @@ For authorized penetration testing and red team exercises.`,
16640
16640
  }, null, 2);
16641
16641
  },
16642
16642
  },
16643
+ // ═══════════════════════════════════════════════════════════════════════════
16644
+ // UNIFIED ATTACK CHAIN ORCHESTRATOR
16645
+ // Full kill-chain integration: Recon → Exploit → Persist → Collect → Exfil
16646
+ // ═══════════════════════════════════════════════════════════════════════════
16647
+ {
16648
+ name: 'UnifiedAttackChain',
16649
+ description: `Full attack chain orchestrator integrating all kill-chain phases.
16650
+
16651
+ Executes coordinated multi-phase operations:
16652
+ 1. RECONNAISSANCE: Target discovery, enumeration, vulnerability mapping
16653
+ 2. INITIAL ACCESS: Exploitation, credential attacks, social engineering
16654
+ 3. PERSISTENCE: Multiple redundant persistence mechanisms
16655
+ 4. PRIVILEGE ESCALATION: Kernel, service, credential-based escalation
16656
+ 5. DEFENSE EVASION: AV bypass, EDR evasion, log manipulation
16657
+ 6. CREDENTIAL ACCESS: Password dumping, token manipulation, keylogging
16658
+ 7. DISCOVERY: Network mapping, system enumeration, data identification
16659
+ 8. LATERAL MOVEMENT: Remote services, pass-the-hash, internal pivoting
16660
+ 9. COLLECTION: Data staging, archival, targeted collection
16661
+ 10. COMMAND & CONTROL: C2 establishment, channel management
16662
+ 11. EXFILTRATION: Data extraction via multiple covert channels
16663
+ 12. IMPACT: Optional disruption/destruction operations
16664
+
16665
+ For authorized red team exercises and security research only.`,
16666
+ parameters: {
16667
+ type: 'object',
16668
+ required: ['operation'],
16669
+ properties: {
16670
+ operation: {
16671
+ type: 'string',
16672
+ enum: [
16673
+ 'plan_chain',
16674
+ 'execute_phase',
16675
+ 'execute_full_chain',
16676
+ 'get_chain_status',
16677
+ 'abort_chain',
16678
+ 'list_techniques',
16679
+ 'get_phase_techniques',
16680
+ 'optimize_chain',
16681
+ 'stealth_assessment',
16682
+ 'generate_report',
16683
+ ],
16684
+ },
16685
+ target: { type: 'string', description: 'Primary target (IP, domain, or range)' },
16686
+ targets: { type: 'array', items: { type: 'string' }, description: 'Multiple targets' },
16687
+ phase: {
16688
+ type: 'string',
16689
+ enum: [
16690
+ 'reconnaissance', 'initial_access', 'persistence', 'privilege_escalation',
16691
+ 'defense_evasion', 'credential_access', 'discovery', 'lateral_movement',
16692
+ 'collection', 'command_control', 'exfiltration', 'impact',
16693
+ ],
16694
+ },
16695
+ chain_id: { type: 'string', description: 'Attack chain identifier' },
16696
+ depth: { type: 'string', enum: ['quick', 'standard', 'deep', 'comprehensive'] },
16697
+ stealth_level: { type: 'string', enum: ['loud', 'moderate', 'quiet', 'ghost'] },
16698
+ objectives: { type: 'array', items: { type: 'string' }, description: 'Specific objectives' },
16699
+ constraints: { type: 'array', items: { type: 'string' }, description: 'Operational constraints' },
16700
+ c2_config: { type: 'object', description: 'C2 configuration' },
16701
+ exfil_config: { type: 'object', description: 'Exfiltration configuration' },
16702
+ time_limit: { type: 'number', description: 'Max execution time in seconds' },
16703
+ },
16704
+ },
16705
+ handler: async (args) => {
16706
+ const operation = args['operation'];
16707
+ const target = args['target'];
16708
+ const targets = args['targets'] || (target ? [target] : []);
16709
+ const phase = args['phase'];
16710
+ const chainId = args['chain_id'];
16711
+ const depth = args['depth'] || 'standard';
16712
+ const stealthLevel = args['stealth_level'] || 'moderate';
16713
+ const objectives = args['objectives'] || [];
16714
+ const constraints = args['constraints'] || [];
16715
+ // Kill-chain phase definitions with techniques
16716
+ const killChainPhases = {
16717
+ reconnaissance: {
16718
+ order: 1,
16719
+ description: 'Target discovery and information gathering',
16720
+ techniques: [
16721
+ { id: 'dns_enum', name: 'DNS Enumeration', risk: 0.1, time: 5000 },
16722
+ { id: 'subdomain_enum', name: 'Subdomain Discovery', risk: 0.15, time: 30000 },
16723
+ { id: 'port_scan', name: 'Port Scanning', risk: 0.3, time: 60000 },
16724
+ { id: 'service_enum', name: 'Service Enumeration', risk: 0.25, time: 45000 },
16725
+ { id: 'web_fingerprint', name: 'Web Fingerprinting', risk: 0.2, time: 20000 },
16726
+ { id: 'osint_harvest', name: 'OSINT Harvesting', risk: 0.05, time: 120000 },
16727
+ { id: 'whois_lookup', name: 'WHOIS Lookup', risk: 0.05, time: 5000 },
16728
+ { id: 'certificate_transparency', name: 'CT Log Analysis', risk: 0.05, time: 15000 },
16729
+ { id: 'email_harvest', name: 'Email Harvesting', risk: 0.1, time: 60000 },
16730
+ { id: 'social_profile_enum', name: 'Social Profile Discovery', risk: 0.05, time: 90000 },
16731
+ ],
16732
+ prerequisites: [],
16733
+ outputs: ['ip_addresses', 'domains', 'subdomains', 'open_ports', 'services', 'technologies', 'emails', 'personnel'],
16734
+ },
16735
+ initial_access: {
16736
+ order: 2,
16737
+ description: 'Gaining initial foothold on target',
16738
+ techniques: [
16739
+ { id: 'exploit_public_app', name: 'Exploit Public-Facing Application', risk: 0.6, time: 300000 },
16740
+ { id: 'phishing', name: 'Spearphishing Attack', risk: 0.4, time: 86400000 },
16741
+ { id: 'drive_by', name: 'Drive-by Compromise', risk: 0.5, time: 3600000 },
16742
+ { id: 'supply_chain', name: 'Supply Chain Compromise', risk: 0.3, time: 604800000 },
16743
+ { id: 'external_services', name: 'External Remote Services', risk: 0.5, time: 1800000 },
16744
+ { id: 'valid_accounts', name: 'Valid Accounts (Credential Stuffing)', risk: 0.35, time: 7200000 },
16745
+ { id: 'hardware_implant', name: 'Hardware Additions', risk: 0.2, time: 86400000 },
16746
+ { id: 'trusted_relationship', name: 'Trusted Relationship Abuse', risk: 0.3, time: 259200000 },
16747
+ ],
16748
+ prerequisites: ['reconnaissance'],
16749
+ outputs: ['shell_access', 'credentials', 'implant', 'session'],
16750
+ },
16751
+ persistence: {
16752
+ order: 3,
16753
+ description: 'Maintaining access across reboots and detection',
16754
+ techniques: [
16755
+ { id: 'scheduled_task', name: 'Scheduled Task/Cron', risk: 0.4, time: 60000 },
16756
+ { id: 'registry_run_keys', name: 'Registry Run Keys', risk: 0.35, time: 30000 },
16757
+ { id: 'startup_folder', name: 'Startup Folder', risk: 0.3, time: 15000 },
16758
+ { id: 'service_creation', name: 'Create/Modify Service', risk: 0.5, time: 120000 },
16759
+ { id: 'dll_hijacking', name: 'DLL Hijacking', risk: 0.45, time: 300000 },
16760
+ { id: 'bootkit', name: 'Bootkit/Rootkit', risk: 0.7, time: 600000 },
16761
+ { id: 'web_shell', name: 'Web Shell', risk: 0.55, time: 180000 },
16762
+ { id: 'account_creation', name: 'Create Account', risk: 0.6, time: 60000 },
16763
+ { id: 'implant_container', name: 'Implant in Container Image', risk: 0.4, time: 1800000 },
16764
+ { id: 'cloud_persistence', name: 'Cloud Account Manipulation', risk: 0.35, time: 300000 },
16765
+ ],
16766
+ prerequisites: ['initial_access'],
16767
+ outputs: ['persistent_access', 'backup_access', 'hidden_account'],
16768
+ },
16769
+ privilege_escalation: {
16770
+ order: 4,
16771
+ description: 'Gaining elevated privileges',
16772
+ techniques: [
16773
+ { id: 'kernel_exploit', name: 'Kernel Exploitation', risk: 0.8, time: 600000 },
16774
+ { id: 'sudo_abuse', name: 'Sudo/Sudoers Abuse', risk: 0.4, time: 60000 },
16775
+ { id: 'suid_abuse', name: 'SUID/SGID Abuse', risk: 0.35, time: 120000 },
16776
+ { id: 'service_escalation', name: 'Vulnerable Service Exploitation', risk: 0.6, time: 300000 },
16777
+ { id: 'token_manipulation', name: 'Token Manipulation', risk: 0.5, time: 180000 },
16778
+ { id: 'uac_bypass', name: 'UAC Bypass', risk: 0.45, time: 120000 },
16779
+ { id: 'capability_abuse', name: 'Linux Capabilities Abuse', risk: 0.4, time: 90000 },
16780
+ { id: 'path_interception', name: 'Path Interception', risk: 0.5, time: 180000 },
16781
+ { id: 'named_pipe', name: 'Named Pipe Impersonation', risk: 0.55, time: 240000 },
16782
+ { id: 'cloud_iam', name: 'Cloud IAM Policy Abuse', risk: 0.5, time: 300000 },
16783
+ ],
16784
+ prerequisites: ['initial_access'],
16785
+ outputs: ['root_access', 'admin_access', 'system_access', 'elevated_token'],
16786
+ },
16787
+ defense_evasion: {
16788
+ order: 5,
16789
+ description: 'Avoiding detection',
16790
+ techniques: [
16791
+ { id: 'process_injection', name: 'Process Injection', risk: 0.6, time: 180000 },
16792
+ { id: 'process_hollowing', name: 'Process Hollowing', risk: 0.55, time: 240000 },
16793
+ { id: 'timestomp', name: 'Timestamp Manipulation', risk: 0.2, time: 30000 },
16794
+ { id: 'log_clearing', name: 'Log Clearing/Manipulation', risk: 0.7, time: 120000 },
16795
+ { id: 'rootkit_install', name: 'Rootkit Installation', risk: 0.8, time: 600000 },
16796
+ { id: 'binary_padding', name: 'Binary Padding', risk: 0.15, time: 60000 },
16797
+ { id: 'code_signing', name: 'Code Signing', risk: 0.25, time: 300000 },
16798
+ { id: 'obfuscation', name: 'File Obfuscation', risk: 0.2, time: 120000 },
16799
+ { id: 'masquerading', name: 'Masquerading', risk: 0.3, time: 90000 },
16800
+ { id: 'virtualization_evasion', name: 'VM/Sandbox Evasion', risk: 0.35, time: 60000 },
16801
+ { id: 'amsi_bypass', name: 'AMSI Bypass', risk: 0.5, time: 120000 },
16802
+ { id: 'edr_unhook', name: 'EDR Unhooking', risk: 0.65, time: 300000 },
16803
+ ],
16804
+ prerequisites: ['initial_access'],
16805
+ outputs: ['stealth_mode', 'clean_logs', 'hidden_process'],
16806
+ },
16807
+ credential_access: {
16808
+ order: 6,
16809
+ description: 'Stealing credentials',
16810
+ techniques: [
16811
+ { id: 'lsass_dump', name: 'LSASS Memory Dump', risk: 0.7, time: 60000 },
16812
+ { id: 'sam_dump', name: 'SAM Database Dump', risk: 0.6, time: 120000 },
16813
+ { id: 'keylogging', name: 'Keylogging', risk: 0.5, time: 3600000 },
16814
+ { id: 'credential_prompting', name: 'Credential Prompting', risk: 0.4, time: 86400000 },
16815
+ { id: 'browser_credentials', name: 'Browser Credential Extraction', risk: 0.4, time: 60000 },
16816
+ { id: 'keychain_dump', name: 'Keychain Extraction', risk: 0.5, time: 120000 },
16817
+ { id: 'kerberoasting', name: 'Kerberoasting', risk: 0.45, time: 300000 },
16818
+ { id: 'dcsync', name: 'DCSync', risk: 0.8, time: 180000 },
16819
+ { id: 'password_spraying', name: 'Password Spraying', risk: 0.5, time: 1800000 },
16820
+ { id: 'ssh_key_theft', name: 'SSH Key Theft', risk: 0.35, time: 60000 },
16821
+ { id: 'cloud_credential_theft', name: 'Cloud Credential Theft', risk: 0.45, time: 180000 },
16822
+ ],
16823
+ prerequisites: ['initial_access'],
16824
+ outputs: ['passwords', 'hashes', 'tokens', 'keys', 'certificates'],
16825
+ },
16826
+ discovery: {
16827
+ order: 7,
16828
+ description: 'Internal network and system discovery',
16829
+ techniques: [
16830
+ { id: 'network_discovery', name: 'Network Share Discovery', risk: 0.3, time: 300000 },
16831
+ { id: 'ad_enumeration', name: 'Active Directory Enumeration', risk: 0.35, time: 600000 },
16832
+ { id: 'process_discovery', name: 'Process Discovery', risk: 0.15, time: 30000 },
16833
+ { id: 'file_discovery', name: 'File/Directory Discovery', risk: 0.2, time: 180000 },
16834
+ { id: 'system_info', name: 'System Information Discovery', risk: 0.1, time: 30000 },
16835
+ { id: 'security_software', name: 'Security Software Discovery', risk: 0.2, time: 60000 },
16836
+ { id: 'user_enumeration', name: 'Account/User Discovery', risk: 0.25, time: 120000 },
16837
+ { id: 'cloud_discovery', name: 'Cloud Service Discovery', risk: 0.3, time: 300000 },
16838
+ { id: 'container_discovery', name: 'Container Discovery', risk: 0.25, time: 120000 },
16839
+ { id: 'software_discovery', name: 'Software Discovery', risk: 0.15, time: 90000 },
16840
+ ],
16841
+ prerequisites: ['initial_access'],
16842
+ outputs: ['network_map', 'user_list', 'group_list', 'shares', 'services', 'software'],
16843
+ },
16844
+ lateral_movement: {
16845
+ order: 8,
16846
+ description: 'Moving through the network',
16847
+ techniques: [
16848
+ { id: 'psexec', name: 'PsExec/SMB Execution', risk: 0.6, time: 120000 },
16849
+ { id: 'wmi_exec', name: 'WMI Execution', risk: 0.55, time: 120000 },
16850
+ { id: 'winrm', name: 'WinRM', risk: 0.5, time: 90000 },
16851
+ { id: 'ssh_lateral', name: 'SSH Lateral Movement', risk: 0.4, time: 60000 },
16852
+ { id: 'rdp', name: 'Remote Desktop Protocol', risk: 0.5, time: 180000 },
16853
+ { id: 'pass_the_hash', name: 'Pass the Hash', risk: 0.55, time: 120000 },
16854
+ { id: 'pass_the_ticket', name: 'Pass the Ticket', risk: 0.5, time: 150000 },
16855
+ { id: 'dcom', name: 'DCOM Execution', risk: 0.5, time: 120000 },
16856
+ { id: 'internal_spearphishing', name: 'Internal Spearphishing', risk: 0.35, time: 86400000 },
16857
+ { id: 'cloud_lateral', name: 'Cloud Lateral Movement', risk: 0.45, time: 300000 },
16858
+ ],
16859
+ prerequisites: ['credential_access', 'discovery'],
16860
+ outputs: ['additional_hosts', 'domain_access', 'cloud_access'],
16861
+ },
16862
+ collection: {
16863
+ order: 9,
16864
+ description: 'Gathering target data',
16865
+ techniques: [
16866
+ { id: 'automated_collection', name: 'Automated Collection', risk: 0.4, time: 600000 },
16867
+ { id: 'clipboard_capture', name: 'Clipboard Data', risk: 0.25, time: 3600000 },
16868
+ { id: 'screen_capture', name: 'Screen Capture', risk: 0.3, time: 300000 },
16869
+ { id: 'input_capture', name: 'Input Capture', risk: 0.35, time: 3600000 },
16870
+ { id: 'email_collection', name: 'Email Collection', risk: 0.5, time: 1800000 },
16871
+ { id: 'local_data', name: 'Local Data Staging', risk: 0.3, time: 600000 },
16872
+ { id: 'network_share_collection', name: 'Network Share Collection', risk: 0.45, time: 1800000 },
16873
+ { id: 'audio_capture', name: 'Audio Capture', risk: 0.4, time: 3600000 },
16874
+ { id: 'video_capture', name: 'Video Capture', risk: 0.45, time: 3600000 },
16875
+ { id: 'archive_collected', name: 'Archive Collected Data', risk: 0.2, time: 300000 },
16876
+ ],
16877
+ prerequisites: ['discovery'],
16878
+ outputs: ['staged_data', 'archives', 'captured_input', 'screenshots'],
16879
+ },
16880
+ command_control: {
16881
+ order: 10,
16882
+ description: 'Establishing command and control',
16883
+ techniques: [
16884
+ { id: 'https_c2', name: 'HTTPS C2 Channel', risk: 0.3, time: 120000 },
16885
+ { id: 'dns_c2', name: 'DNS Tunneling C2', risk: 0.25, time: 180000 },
16886
+ { id: 'domain_fronting', name: 'Domain Fronting', risk: 0.2, time: 300000 },
16887
+ { id: 'protocol_tunneling', name: 'Protocol Tunneling', risk: 0.3, time: 180000 },
16888
+ { id: 'web_service_c2', name: 'Web Service C2 (GitHub, Dropbox)', risk: 0.2, time: 240000 },
16889
+ { id: 'encrypted_channel', name: 'Encrypted Channel', risk: 0.25, time: 120000 },
16890
+ { id: 'multi_hop_proxy', name: 'Multi-hop Proxy', risk: 0.2, time: 300000 },
16891
+ { id: 'fallback_channels', name: 'Fallback Channels', risk: 0.25, time: 180000 },
16892
+ { id: 'dead_drop', name: 'Dead Drop Resolver', risk: 0.15, time: 120000 },
16893
+ { id: 'steganography_c2', name: 'Steganography C2', risk: 0.15, time: 300000 },
16894
+ ],
16895
+ prerequisites: ['initial_access'],
16896
+ outputs: ['c2_channel', 'beacon', 'interactive_session'],
16897
+ },
16898
+ exfiltration: {
16899
+ order: 11,
16900
+ description: 'Extracting collected data',
16901
+ techniques: [
16902
+ { id: 'https_exfil', name: 'HTTPS Exfiltration', risk: 0.4, time: 600000 },
16903
+ { id: 'dns_exfil', name: 'DNS Exfiltration', risk: 0.3, time: 1800000 },
16904
+ { id: 'cloud_storage', name: 'Cloud Storage Exfiltration', risk: 0.35, time: 900000 },
16905
+ { id: 'physical_medium', name: 'Physical Medium', risk: 0.2, time: 3600000 },
16906
+ { id: 'scheduled_transfer', name: 'Scheduled Transfer', risk: 0.35, time: 86400000 },
16907
+ { id: 'alternative_protocol', name: 'Alternative Protocol', risk: 0.3, time: 600000 },
16908
+ { id: 'steganography_exfil', name: 'Steganography Exfiltration', risk: 0.2, time: 1800000 },
16909
+ { id: 'icmp_exfil', name: 'ICMP Exfiltration', risk: 0.25, time: 600000 },
16910
+ { id: 'code_repo', name: 'Code Repository Exfiltration', risk: 0.3, time: 900000 },
16911
+ { id: 'automated_exfil', name: 'Automated Exfiltration', risk: 0.4, time: 3600000 },
16912
+ ],
16913
+ prerequisites: ['collection', 'command_control'],
16914
+ outputs: ['exfiltrated_data', 'transfer_log'],
16915
+ },
16916
+ impact: {
16917
+ order: 12,
16918
+ description: 'Optional disruption operations',
16919
+ techniques: [
16920
+ { id: 'data_destruction', name: 'Data Destruction', risk: 0.95, time: 300000 },
16921
+ { id: 'data_encryption', name: 'Data Encryption (Ransomware)', risk: 0.9, time: 600000 },
16922
+ { id: 'defacement', name: 'Defacement', risk: 0.7, time: 120000 },
16923
+ { id: 'dos', name: 'Denial of Service', risk: 0.8, time: 600000 },
16924
+ { id: 'resource_hijacking', name: 'Resource Hijacking', risk: 0.5, time: 180000 },
16925
+ { id: 'firmware_corruption', name: 'Firmware Corruption', risk: 0.95, time: 900000 },
16926
+ { id: 'service_stop', name: 'Service Stop', risk: 0.75, time: 60000 },
16927
+ { id: 'inhibit_recovery', name: 'Inhibit System Recovery', risk: 0.85, time: 180000 },
16928
+ { id: 'account_manipulation', name: 'Account Access Removal', risk: 0.7, time: 120000 },
16929
+ { id: 'data_manipulation', name: 'Data Manipulation', risk: 0.6, time: 300000 },
16930
+ ],
16931
+ prerequisites: ['privilege_escalation'],
16932
+ outputs: ['impact_achieved', 'disruption_log'],
16933
+ warning: 'DESTRUCTIVE - Only use with explicit authorization',
16934
+ },
16935
+ };
16936
+ // Stealth profiles
16937
+ const stealthProfiles = {
16938
+ loud: { maxRisk: 1.0, delay: 0, parallelism: 10, description: 'No stealth considerations' },
16939
+ moderate: { maxRisk: 0.6, delay: 1000, parallelism: 3, description: 'Balanced approach' },
16940
+ quiet: { maxRisk: 0.4, delay: 5000, parallelism: 1, description: 'Low detection profile' },
16941
+ ghost: { maxRisk: 0.2, delay: 30000, parallelism: 1, description: 'Maximum stealth' },
16942
+ };
16943
+ // eslint-disable-next-line @typescript-eslint/no-explicit-any
16944
+ const stealthConfig = stealthProfiles[stealthLevel] || stealthProfiles.moderate;
16945
+ switch (operation) {
16946
+ case 'plan_chain': {
16947
+ // Generate attack plan based on objectives and constraints
16948
+ const plan = {
16949
+ chain_id: `chain_${Date.now()}_${Math.random().toString(36).substr(2, 9)}`,
16950
+ created: new Date().toISOString(),
16951
+ targets,
16952
+ objectives,
16953
+ constraints,
16954
+ depth,
16955
+ stealth_level: stealthLevel,
16956
+ stealth_config: stealthConfig,
16957
+ phases: Object.entries(killChainPhases)
16958
+ .filter(([_, p]) => {
16959
+ // Filter techniques by stealth level
16960
+ const validTechniques = p.techniques.filter(t => t.risk <= stealthConfig.maxRisk);
16961
+ return validTechniques.length > 0;
16962
+ })
16963
+ .map(([name, p]) => ({
16964
+ phase: name,
16965
+ order: p.order,
16966
+ description: p.description,
16967
+ technique_count: p.techniques.filter(t => t.risk <= stealthConfig.maxRisk).length,
16968
+ estimated_time: p.techniques
16969
+ .filter(t => t.risk <= stealthConfig.maxRisk)
16970
+ .reduce((sum, t) => sum + t.time, 0),
16971
+ prerequisites: p.prerequisites || [],
16972
+ outputs: p.outputs,
16973
+ })),
16974
+ estimated_total_time: Object.values(killChainPhases).reduce((sum, p) => sum + p.techniques.filter(t => t.risk <= stealthConfig.maxRisk).reduce((s, t) => s + t.time, 0), 0),
16975
+ warnings: constraints.includes('no_impact') ? ['Impact phase excluded per constraints'] : [],
16976
+ };
16977
+ return JSON.stringify(plan, null, 2);
16978
+ }
16979
+ case 'execute_phase': {
16980
+ if (!phase) {
16981
+ return JSON.stringify({ error: 'Phase required', available_phases: Object.keys(killChainPhases) });
16982
+ }
16983
+ // eslint-disable-next-line @typescript-eslint/no-explicit-any
16984
+ const phaseConfig = killChainPhases[phase];
16985
+ if (!phaseConfig) {
16986
+ return JSON.stringify({ error: 'Unknown phase', available: Object.keys(killChainPhases) });
16987
+ }
16988
+ const validTechniques = phaseConfig.techniques.filter(
16989
+ // eslint-disable-next-line @typescript-eslint/no-explicit-any
16990
+ (t) => t.risk <= stealthConfig.maxRisk);
16991
+ return JSON.stringify({
16992
+ phase,
16993
+ chain_id: chainId || `adhoc_${Date.now()}`,
16994
+ targets,
16995
+ stealth_level: stealthLevel,
16996
+ techniques_to_execute: validTechniques,
16997
+ execution_order: validTechniques.map((t) => ({
16998
+ id: t.id,
16999
+ name: t.name,
17000
+ risk: t.risk,
17001
+ delay_after: stealthConfig.delay,
17002
+ })),
17003
+ expected_outputs: phaseConfig.outputs,
17004
+ prerequisites: phaseConfig.prerequisites || [],
17005
+ parallel_execution: stealthConfig.parallelism > 1,
17006
+ max_parallel: stealthConfig.parallelism,
17007
+ instructions: `Execute techniques sequentially with ${stealthConfig.delay}ms delay between each. ` +
17008
+ `Abort if detection indicators observed. Record all artifacts for next phase.`,
17009
+ }, null, 2);
17010
+ }
17011
+ case 'execute_full_chain': {
17012
+ // Full kill-chain execution plan
17013
+ const chainPlan = {
17014
+ chain_id: chainId || `full_chain_${Date.now()}`,
17015
+ targets,
17016
+ objectives,
17017
+ constraints,
17018
+ stealth_config: stealthConfig,
17019
+ phases: Object.entries(killChainPhases)
17020
+ .sort((a, b) => a[1].order - b[1].order)
17021
+ .filter(([name]) => !constraints.includes('no_impact') || name !== 'impact')
17022
+ .map(([name, config]) => {
17023
+ const techniques = config.techniques.filter(t => t.risk <= stealthConfig.maxRisk);
17024
+ return {
17025
+ phase: name,
17026
+ order: config.order,
17027
+ techniques: techniques.map(t => ({
17028
+ ...t,
17029
+ execution_delay: stealthConfig.delay,
17030
+ })),
17031
+ prerequisites: config.prerequisites || [],
17032
+ outputs: config.outputs,
17033
+ estimated_duration: techniques.reduce((sum, t) => sum + t.time, 0) +
17034
+ (techniques.length * stealthConfig.delay),
17035
+ };
17036
+ }),
17037
+ execution_strategy: {
17038
+ mode: depth === 'quick' ? 'essential_only' :
17039
+ depth === 'comprehensive' ? 'all_techniques' : 'balanced',
17040
+ parallel_phases: ['defense_evasion', 'credential_access', 'discovery'],
17041
+ sequential_phases: ['initial_access', 'persistence', 'privilege_escalation'],
17042
+ abort_conditions: [
17043
+ 'Detection alert triggered',
17044
+ 'Session lost without backup access',
17045
+ 'Constraint violation',
17046
+ 'Time limit exceeded',
17047
+ ],
17048
+ fallback_procedures: [
17049
+ 'Activate backup persistence',
17050
+ 'Switch C2 channel',
17051
+ 'Go silent for cool-down period',
17052
+ 'Use alternative initial access vector',
17053
+ ],
17054
+ },
17055
+ c2_configuration: {
17056
+ primary: 'https_c2',
17057
+ fallback: ['dns_c2', 'web_service_c2'],
17058
+ beacon_interval: stealthLevel === 'ghost' ? 3600 : stealthLevel === 'quiet' ? 300 : 60,
17059
+ jitter: 0.3,
17060
+ },
17061
+ exfil_configuration: {
17062
+ primary: 'https_exfil',
17063
+ fallback: ['dns_exfil', 'cloud_storage'],
17064
+ chunk_size: stealthLevel === 'ghost' ? 1024 : stealthLevel === 'quiet' ? 10240 : 102400,
17065
+ rate_limit: stealthLevel === 'ghost' ? '1KB/s' : stealthLevel === 'quiet' ? '10KB/s' : '100KB/s',
17066
+ },
17067
+ total_estimated_time: Object.values(killChainPhases).reduce((sum, p) => sum + p.techniques.filter(t => t.risk <= stealthConfig.maxRisk)
17068
+ .reduce((s, t) => s + t.time + stealthConfig.delay, 0), 0),
17069
+ };
17070
+ return JSON.stringify(chainPlan, null, 2);
17071
+ }
17072
+ case 'get_chain_status': {
17073
+ return JSON.stringify({
17074
+ chain_id: chainId,
17075
+ status: 'ready',
17076
+ active_chains: [],
17077
+ note: 'Use TAO RL system for real-time chain execution and status tracking',
17078
+ commands: {
17079
+ start: 'Use planAttackChain() from TAO RL module',
17080
+ status: 'Use getChain(chainId) from TAO RL module',
17081
+ abort: 'Use abortChain(chainId) from TAO RL module',
17082
+ },
17083
+ });
17084
+ }
17085
+ case 'abort_chain': {
17086
+ return JSON.stringify({
17087
+ chain_id: chainId,
17088
+ action: 'abort_requested',
17089
+ cleanup_procedures: [
17090
+ 'Terminate active processes',
17091
+ 'Clear staged data',
17092
+ 'Remove persistence mechanisms',
17093
+ 'Close C2 channels',
17094
+ 'Wipe logs if possible',
17095
+ ],
17096
+ note: 'Manual cleanup may be required',
17097
+ });
17098
+ }
17099
+ case 'list_techniques': {
17100
+ const allTechniques = Object.entries(killChainPhases).flatMap(([phaseName, config]) => config.techniques.map(t => ({
17101
+ ...t,
17102
+ phase: phaseName,
17103
+ phase_order: config.order,
17104
+ stealth_compatible: t.risk <= stealthConfig.maxRisk,
17105
+ })));
17106
+ return JSON.stringify({
17107
+ total_techniques: allTechniques.length,
17108
+ stealth_compatible: allTechniques.filter(t => t.stealth_compatible).length,
17109
+ by_phase: Object.fromEntries(Object.entries(killChainPhases).map(([name, config]) => [
17110
+ name,
17111
+ config.techniques.length,
17112
+ ])),
17113
+ techniques: allTechniques,
17114
+ }, null, 2);
17115
+ }
17116
+ case 'get_phase_techniques': {
17117
+ if (!phase) {
17118
+ return JSON.stringify({ error: 'Phase required', available: Object.keys(killChainPhases) });
17119
+ }
17120
+ // eslint-disable-next-line @typescript-eslint/no-explicit-any
17121
+ const phaseData = killChainPhases[phase];
17122
+ if (!phaseData) {
17123
+ return JSON.stringify({ error: 'Unknown phase', available: Object.keys(killChainPhases) });
17124
+ }
17125
+ return JSON.stringify({
17126
+ phase,
17127
+ order: phaseData.order,
17128
+ description: phaseData.description,
17129
+ prerequisites: phaseData.prerequisites || [],
17130
+ outputs: phaseData.outputs,
17131
+ techniques: phaseData.techniques.map((t) => ({
17132
+ ...t,
17133
+ stealth_compatible: t.risk <= stealthConfig.maxRisk,
17134
+ formatted_time: t.time < 60000 ? `${t.time / 1000}s` :
17135
+ t.time < 3600000 ? `${Math.round(t.time / 60000)}m` :
17136
+ `${Math.round(t.time / 3600000)}h`,
17137
+ })),
17138
+ warning: phaseData.warning,
17139
+ }, null, 2);
17140
+ }
17141
+ case 'optimize_chain': {
17142
+ // Optimize technique selection based on objectives and stealth
17143
+ const optimizedChain = Object.entries(killChainPhases)
17144
+ .sort((a, b) => a[1].order - b[1].order)
17145
+ .map(([phaseName, config]) => {
17146
+ // Score techniques based on risk/reward
17147
+ const scoredTechniques = config.techniques
17148
+ .filter(t => t.risk <= stealthConfig.maxRisk)
17149
+ .map(t => ({
17150
+ ...t,
17151
+ score: (1 - t.risk) * 0.4 + // Lower risk is better
17152
+ (1 - t.time / 86400000) * 0.3 + // Faster is better
17153
+ Math.random() * 0.3, // Some randomization
17154
+ }))
17155
+ .sort((a, b) => b.score - a.score);
17156
+ // Select top techniques per phase based on depth
17157
+ const selectCount = depth === 'quick' ? 2 :
17158
+ depth === 'comprehensive' ? scoredTechniques.length :
17159
+ depth === 'deep' ? Math.ceil(scoredTechniques.length * 0.7) :
17160
+ Math.ceil(scoredTechniques.length * 0.5);
17161
+ return {
17162
+ phase: phaseName,
17163
+ selected_techniques: scoredTechniques.slice(0, selectCount),
17164
+ excluded_techniques: scoredTechniques.slice(selectCount),
17165
+ };
17166
+ });
17167
+ return JSON.stringify({
17168
+ optimization_params: { depth, stealth_level: stealthLevel, objectives, constraints },
17169
+ optimized_chain: optimizedChain,
17170
+ total_techniques: optimizedChain.reduce((sum, p) => sum + p.selected_techniques.length, 0),
17171
+ estimated_duration: optimizedChain.reduce((sum, p) => sum + p.selected_techniques.reduce((s, t) => s + t.time, 0), 0),
17172
+ }, null, 2);
17173
+ }
17174
+ case 'stealth_assessment': {
17175
+ // Assess stealth characteristics of planned operation
17176
+ const assessment = {
17177
+ stealth_level: stealthLevel,
17178
+ config: stealthConfig,
17179
+ risk_profile: {
17180
+ max_individual_risk: stealthConfig.maxRisk,
17181
+ cumulative_detection_probability: 1 - Math.pow(1 - stealthConfig.maxRisk, 10),
17182
+ recommended_duration: stealthLevel === 'ghost' ? '7+ days' :
17183
+ stealthLevel === 'quiet' ? '2-7 days' :
17184
+ stealthLevel === 'moderate' ? '1-2 days' : 'hours',
17185
+ },
17186
+ network_indicators: {
17187
+ beacon_pattern: stealthLevel === 'ghost' ? 'highly irregular' : 'jittered',
17188
+ traffic_volume: stealthLevel === 'ghost' ? 'minimal' : 'low-moderate',
17189
+ protocol_usage: stealthLevel === 'ghost' ? 'legitimate only' : 'mixed',
17190
+ },
17191
+ host_indicators: {
17192
+ process_footprint: stealthLevel === 'ghost' ? 'none (fileless)' : 'minimal',
17193
+ file_artifacts: stealthLevel === 'ghost' ? 'none' : 'temporary',
17194
+ registry_changes: stealthLevel === 'ghost' ? 'none' : 'minimal',
17195
+ },
17196
+ recommendations: [
17197
+ stealthLevel === 'ghost' ? 'Use living-off-the-land techniques only' : null,
17198
+ stealthLevel !== 'loud' ? 'Implement beacon jitter > 30%' : null,
17199
+ 'Use encrypted channels for all C2 communication',
17200
+ 'Stage data in memory before exfiltration',
17201
+ stealthLevel === 'ghost' ? 'Avoid creating new files - use existing processes' : null,
17202
+ ].filter(Boolean),
17203
+ };
17204
+ return JSON.stringify(assessment, null, 2);
17205
+ }
17206
+ case 'generate_report': {
17207
+ // Generate comprehensive attack chain report
17208
+ const report = {
17209
+ report_type: 'attack_chain_summary',
17210
+ generated: new Date().toISOString(),
17211
+ chain_id: chainId,
17212
+ targets,
17213
+ objectives,
17214
+ constraints,
17215
+ configuration: {
17216
+ depth,
17217
+ stealth_level: stealthLevel,
17218
+ },
17219
+ phases_summary: Object.entries(killChainPhases).map(([name, config]) => ({
17220
+ phase: name,
17221
+ order: config.order,
17222
+ technique_count: config.techniques.length,
17223
+ compatible_techniques: config.techniques.filter(t => t.risk <= stealthConfig.maxRisk).length,
17224
+ prerequisites: config.prerequisites || [],
17225
+ })),
17226
+ technique_matrix: Object.entries(killChainPhases).reduce((acc, [name, config]) => {
17227
+ acc[name] = config.techniques.map(t => t.id);
17228
+ return acc;
17229
+ // eslint-disable-next-line @typescript-eslint/no-explicit-any
17230
+ }, {}),
17231
+ mitre_mapping: {
17232
+ tactics: Object.keys(killChainPhases),
17233
+ techniques_per_tactic: Object.fromEntries(Object.entries(killChainPhases).map(([name, config]) => [
17234
+ name, config.techniques.length
17235
+ ])),
17236
+ },
17237
+ legal_disclaimer: 'This attack chain framework is for AUTHORIZED PENETRATION TESTING, ' +
17238
+ 'RED TEAM EXERCISES, and SECURITY RESEARCH only. Unauthorized use is illegal.',
17239
+ };
17240
+ return JSON.stringify(report, null, 2);
17241
+ }
17242
+ default:
17243
+ return JSON.stringify({
17244
+ error: 'Unknown operation',
17245
+ available_operations: [
17246
+ 'plan_chain', 'execute_phase', 'execute_full_chain', 'get_chain_status',
17247
+ 'abort_chain', 'list_techniques', 'get_phase_techniques', 'optimize_chain',
17248
+ 'stealth_assessment', 'generate_report',
17249
+ ],
17250
+ });
17251
+ }
17252
+ },
17253
+ },
17254
+ // ═══════════════════════════════════════════════════════════════════════════
17255
+ // GLOBAL UNIFIED ORCHESTRATOR
17256
+ // All companies, governments, products, defense systems in one tool
17257
+ // ═══════════════════════════════════════════════════════════════════════════
17258
+ {
17259
+ name: 'GlobalOrchestrator',
17260
+ description: `Unified orchestrator for ALL target categories: enterprises, governments, defense systems, products, and critical infrastructure.
17261
+
17262
+ Target Categories:
17263
+ - ENTERPRISE: Tech giants, financial institutions, healthcare, retail, media
17264
+ - GOVERNMENT: Federal agencies, state/local, intelligence, law enforcement
17265
+ - DEFENSE: Military branches, contractors, weapons systems, C4ISR
17266
+ - PRODUCTS: Cloud platforms, enterprise software, security tools, networking
17267
+ - INFRASTRUCTURE: Power grid, water, telecom, transportation, financial systems
17268
+
17269
+ Regions: US, EU, Five Eyes, Russia, China, Middle East, Asia Pacific, Global
17270
+
17271
+ For authorized red team exercises, security research, and penetration testing only.`,
17272
+ parameters: {
17273
+ type: 'object',
17274
+ required: ['operation'],
17275
+ properties: {
17276
+ operation: {
17277
+ type: 'string',
17278
+ enum: [
17279
+ 'list_targets', 'get_target_profile', 'plan_operation',
17280
+ 'execute_operation', 'get_attack_surface', 'map_dependencies',
17281
+ 'identify_weakpoints', 'generate_playbook', 'cross_reference',
17282
+ 'supply_chain_analysis', 'insider_threat_vectors', 'full_spectrum',
17283
+ ],
17284
+ },
17285
+ category: {
17286
+ type: 'string',
17287
+ enum: ['enterprise', 'government', 'defense', 'products', 'infrastructure', 'all'],
17288
+ },
17289
+ subcategory: { type: 'string', description: 'Specific subcategory within category' },
17290
+ target: { type: 'string', description: 'Specific target name or identifier' },
17291
+ region: {
17292
+ type: 'string',
17293
+ enum: ['us', 'eu', 'five_eyes', 'russia', 'china', 'middle_east', 'asia_pacific', 'global'],
17294
+ },
17295
+ depth: { type: 'string', enum: ['surface', 'standard', 'deep', 'comprehensive'] },
17296
+ stealth: { type: 'string', enum: ['loud', 'moderate', 'quiet', 'ghost'] },
17297
+ objectives: { type: 'array', items: { type: 'string' } },
17298
+ },
17299
+ },
17300
+ handler: async (args) => {
17301
+ const operation = args['operation'];
17302
+ const category = args['category'] || 'all';
17303
+ const subcategory = args['subcategory'];
17304
+ const target = args['target'];
17305
+ const region = args['region'] || 'global';
17306
+ const depth = args['depth'] || 'standard';
17307
+ const stealth = args['stealth'] || 'moderate';
17308
+ const objectives = args['objectives'] || [];
17309
+ // ═══════════════════════════════════════════════════════════════════════
17310
+ // COMPREHENSIVE TARGET DATABASE
17311
+ // ═══════════════════════════════════════════════════════════════════════
17312
+ const targetDatabase = {
17313
+ enterprise: {
17314
+ tech_giants: {
17315
+ targets: [
17316
+ { name: 'Google/Alphabet', sectors: ['search', 'cloud', 'android', 'ads'], employees: 190000, revenue: '$307B' },
17317
+ { name: 'Microsoft', sectors: ['windows', 'azure', 'office365', 'github'], employees: 221000, revenue: '$211B' },
17318
+ { name: 'Amazon/AWS', sectors: ['ecommerce', 'cloud', 'logistics'], employees: 1540000, revenue: '$574B' },
17319
+ { name: 'Apple', sectors: ['devices', 'ios', 'services', 'payments'], employees: 164000, revenue: '$394B' },
17320
+ { name: 'Meta/Facebook', sectors: ['social', 'messaging', 'vr', 'ads'], employees: 86000, revenue: '$134B' },
17321
+ { name: 'Oracle', sectors: ['database', 'cloud', 'enterprise'], employees: 143000, revenue: '$50B' },
17322
+ { name: 'Salesforce', sectors: ['crm', 'cloud', 'analytics'], employees: 79000, revenue: '$34B' },
17323
+ { name: 'SAP', sectors: ['erp', 'enterprise', 'cloud'], employees: 107000, revenue: '$32B' },
17324
+ { name: 'IBM', sectors: ['consulting', 'cloud', 'ai', 'mainframe'], employees: 288000, revenue: '$60B' },
17325
+ { name: 'Cisco', sectors: ['networking', 'security', 'collaboration'], employees: 83000, revenue: '$57B' },
17326
+ ],
17327
+ attack_vectors: ['cloud_misconfig', 'api_abuse', 'supply_chain', 'insider', 'zero_day'],
17328
+ common_vulns: ['SSRF', 'IDOR', 'OAuth_bypass', 'API_key_exposure', 'subdomain_takeover'],
17329
+ },
17330
+ financial: {
17331
+ targets: [
17332
+ { name: 'JPMorgan Chase', type: 'bank', assets: '$3.7T', employees: 293000 },
17333
+ { name: 'Bank of America', type: 'bank', assets: '$3.2T', employees: 217000 },
17334
+ { name: 'Citigroup', type: 'bank', assets: '$2.4T', employees: 240000 },
17335
+ { name: 'Wells Fargo', type: 'bank', assets: '$1.9T', employees: 234000 },
17336
+ { name: 'Goldman Sachs', type: 'investment', assets: '$1.6T', employees: 49000 },
17337
+ { name: 'Morgan Stanley', type: 'investment', assets: '$1.2T', employees: 82000 },
17338
+ { name: 'BlackRock', type: 'asset_mgmt', aum: '$10T', employees: 19800 },
17339
+ { name: 'Visa', type: 'payments', transactions: '259B/year', employees: 26500 },
17340
+ { name: 'Mastercard', type: 'payments', transactions: '143B/year', employees: 29900 },
17341
+ { name: 'PayPal', type: 'fintech', users: '435M', employees: 27800 },
17342
+ ],
17343
+ attack_vectors: ['swift_compromise', 'atm_jackpot', 'wire_fraud', 'insider_trading', 'ransomware'],
17344
+ regulations: ['PCI-DSS', 'SOX', 'GLBA', 'FFIEC', 'NYDFS'],
17345
+ },
17346
+ healthcare: {
17347
+ targets: [
17348
+ { name: 'UnitedHealth', type: 'insurance', revenue: '$324B', members: '152M' },
17349
+ { name: 'CVS Health', type: 'pharmacy', revenue: '$322B', locations: 9900 },
17350
+ { name: 'McKesson', type: 'distributor', revenue: '$276B' },
17351
+ { name: 'AmerisourceBergen', type: 'distributor', revenue: '$238B' },
17352
+ { name: 'Cigna', type: 'insurance', revenue: '$180B', members: '190M' },
17353
+ { name: 'Cardinal Health', type: 'distributor', revenue: '$181B' },
17354
+ { name: 'Anthem/Elevance', type: 'insurance', revenue: '$156B', members: '47M' },
17355
+ { name: 'HCA Healthcare', type: 'hospitals', facilities: 182, employees: 275000 },
17356
+ { name: 'Pfizer', type: 'pharma', revenue: '$100B', products: 350 },
17357
+ { name: 'Johnson & Johnson', type: 'pharma', revenue: '$95B' },
17358
+ ],
17359
+ attack_vectors: ['phi_exfil', 'ransomware', 'medical_device', 'ehr_compromise', 'supply_chain'],
17360
+ regulations: ['HIPAA', 'HITECH', 'FDA_21CFR11', 'GDPR'],
17361
+ },
17362
+ retail: {
17363
+ targets: [
17364
+ { name: 'Walmart', revenue: '$611B', stores: 10500, employees: 2300000 },
17365
+ { name: 'Amazon', revenue: '$574B', warehouses: 1137 },
17366
+ { name: 'Costco', revenue: '$242B', stores: 861 },
17367
+ { name: 'Home Depot', revenue: '$157B', stores: 2317 },
17368
+ { name: 'Target', revenue: '$109B', stores: 1948 },
17369
+ { name: 'Lowes', revenue: '$97B', stores: 1738 },
17370
+ { name: 'Best Buy', revenue: '$46B', stores: 1144 },
17371
+ { name: 'Walgreens', revenue: '$133B', stores: 8900 },
17372
+ { name: 'Kroger', revenue: '$148B', stores: 2719 },
17373
+ { name: 'Albertsons', revenue: '$77B', stores: 2271 },
17374
+ ],
17375
+ attack_vectors: ['pos_malware', 'magecart', 'loyalty_fraud', 'inventory_manipulation', 'gift_card'],
17376
+ data_types: ['PCI', 'PII', 'loyalty_data', 'inventory', 'pricing'],
17377
+ },
17378
+ media_telecom: {
17379
+ targets: [
17380
+ { name: 'AT&T', type: 'telecom', subscribers: '242M', revenue: '$121B' },
17381
+ { name: 'Verizon', type: 'telecom', subscribers: '143M', revenue: '$137B' },
17382
+ { name: 'T-Mobile', type: 'telecom', subscribers: '117M', revenue: '$80B' },
17383
+ { name: 'Comcast', type: 'cable', subscribers: '32M', revenue: '$121B' },
17384
+ { name: 'Disney', type: 'media', subscribers: '235M', revenue: '$88B' },
17385
+ { name: 'Netflix', type: 'streaming', subscribers: '238M', revenue: '$33B' },
17386
+ { name: 'Warner Bros Discovery', type: 'media', revenue: '$41B' },
17387
+ { name: 'Paramount', type: 'media', revenue: '$30B' },
17388
+ { name: 'News Corp', type: 'media', revenue: '$10B' },
17389
+ { name: 'Charter', type: 'cable', subscribers: '32M', revenue: '$54B' },
17390
+ ],
17391
+ attack_vectors: ['ss7_exploit', 'sim_swap', 'cdn_poison', 'content_injection', 'subscriber_fraud'],
17392
+ },
17393
+ },
17394
+ government: {
17395
+ us_federal: {
17396
+ executive: [
17397
+ { name: 'White House / EOP', classification: 'TS/SCI', employees: 1800 },
17398
+ { name: 'Department of Defense', budget: '$886B', employees: 3400000 },
17399
+ { name: 'Department of State', budget: '$58B', embassies: 275 },
17400
+ { name: 'Department of Justice', budget: '$38B', employees: 115000 },
17401
+ { name: 'Department of Homeland Security', budget: '$60B', employees: 240000 },
17402
+ { name: 'Department of Treasury', budget: '$16B', employees: 100000 },
17403
+ { name: 'Department of Energy', budget: '$48B', national_labs: 17 },
17404
+ { name: 'Department of Health & Human Services', budget: '$1.7T', employees: 80000 },
17405
+ { name: 'Department of Transportation', budget: '$105B', employees: 55000 },
17406
+ { name: 'Department of Veterans Affairs', budget: '$301B', employees: 412000 },
17407
+ ],
17408
+ intelligence: [
17409
+ { name: 'CIA', focus: 'HUMINT', budget: 'classified', employees: 21000 },
17410
+ { name: 'NSA', focus: 'SIGINT', budget: 'classified', employees: 40000 },
17411
+ { name: 'DIA', focus: 'military_intel', employees: 16500 },
17412
+ { name: 'NGA', focus: 'GEOINT', employees: 14500 },
17413
+ { name: 'NRO', focus: 'satellite', budget: 'classified' },
17414
+ { name: 'FBI', focus: 'counterintel', employees: 35000 },
17415
+ { name: 'DEA', focus: 'narcotics', employees: 10000 },
17416
+ { name: 'CISA', focus: 'cyber_defense', employees: 3000 },
17417
+ { name: 'Secret Service', focus: 'protection', employees: 7000 },
17418
+ { name: 'ATF', focus: 'firearms', employees: 5000 },
17419
+ ],
17420
+ law_enforcement: [
17421
+ { name: 'FBI', field_offices: 56, employees: 35000 },
17422
+ { name: 'US Marshals', districts: 94, employees: 5500 },
17423
+ { name: 'ICE', focus: 'immigration', employees: 20000 },
17424
+ { name: 'CBP', ports: 328, employees: 60000 },
17425
+ { name: 'DEA', offices: 239, employees: 10000 },
17426
+ ],
17427
+ attack_vectors: ['spearphishing', 'supply_chain', 'insider', 'zero_day', 'physical'],
17428
+ networks: ['JWICS', 'SIPRNet', 'NIPRNet', 'NSANet', 'IC_networks'],
17429
+ },
17430
+ us_state_local: {
17431
+ state_systems: [
17432
+ 'DMV databases', 'Tax systems', 'Vital records', 'Court systems',
17433
+ 'Election systems', 'Unemployment', 'Medicaid', 'Child welfare',
17434
+ 'Law enforcement (CJIS)', 'Emergency services (911/CAD)',
17435
+ ],
17436
+ attack_vectors: ['ransomware', 'voter_data', 'tax_fraud', 'identity_theft'],
17437
+ },
17438
+ five_eyes: {
17439
+ uk: [
17440
+ { name: 'GCHQ', focus: 'SIGINT', employees: 6000 },
17441
+ { name: 'MI5', focus: 'domestic', employees: 4400 },
17442
+ { name: 'MI6/SIS', focus: 'foreign', employees: 3600 },
17443
+ { name: 'MOD', budget: '£54B' },
17444
+ ],
17445
+ canada: [
17446
+ { name: 'CSE', focus: 'SIGINT' },
17447
+ { name: 'CSIS', focus: 'intel' },
17448
+ { name: 'RCMP', focus: 'federal_law' },
17449
+ ],
17450
+ australia: [
17451
+ { name: 'ASD', focus: 'SIGINT' },
17452
+ { name: 'ASIO', focus: 'domestic' },
17453
+ { name: 'ASIS', focus: 'foreign' },
17454
+ ],
17455
+ new_zealand: [
17456
+ { name: 'GCSB', focus: 'SIGINT' },
17457
+ { name: 'NZSIS', focus: 'intel' },
17458
+ ],
17459
+ },
17460
+ adversary_nations: {
17461
+ russia: [
17462
+ { name: 'FSB', focus: 'domestic/cyber', apt_groups: ['APT28', 'APT29', 'Sandworm'] },
17463
+ { name: 'SVR', focus: 'foreign', apt_groups: ['Cozy Bear'] },
17464
+ { name: 'GRU', focus: 'military', apt_groups: ['Fancy Bear', 'Sandworm'] },
17465
+ ],
17466
+ china: [
17467
+ { name: 'MSS', focus: 'intel', apt_groups: ['APT1', 'APT10', 'APT41'] },
17468
+ { name: 'PLA SSF', focus: 'cyber', apt_groups: ['Unit 61398', 'Unit 61486'] },
17469
+ { name: 'MPS', focus: 'domestic' },
17470
+ ],
17471
+ iran: [
17472
+ { name: 'IRGC', apt_groups: ['APT33', 'APT34', 'APT35'] },
17473
+ { name: 'MOIS', focus: 'intel' },
17474
+ ],
17475
+ north_korea: [
17476
+ { name: 'RGB', apt_groups: ['Lazarus', 'APT37', 'APT38', 'Kimsuky'] },
17477
+ ],
17478
+ },
17479
+ },
17480
+ defense: {
17481
+ us_military: {
17482
+ branches: [
17483
+ { name: 'US Army', personnel: 485000, budget: '$185B' },
17484
+ { name: 'US Navy', personnel: 349000, ships: 290, budget: '$232B' },
17485
+ { name: 'US Air Force', personnel: 329000, aircraft: 5200, budget: '$194B' },
17486
+ { name: 'US Marine Corps', personnel: 177000, budget: '$52B' },
17487
+ { name: 'US Space Force', personnel: 8600, budget: '$26B' },
17488
+ { name: 'US Coast Guard', personnel: 44000, budget: '$14B' },
17489
+ ],
17490
+ commands: [
17491
+ { name: 'US Cyber Command', focus: 'cyber_ops', location: 'Fort Meade' },
17492
+ { name: 'US Strategic Command', focus: 'nuclear', location: 'Offutt AFB' },
17493
+ { name: 'US Indo-Pacific Command', focus: 'asia_pacific', location: 'Hawaii' },
17494
+ { name: 'US European Command', focus: 'europe', location: 'Stuttgart' },
17495
+ { name: 'US Central Command', focus: 'middle_east', location: 'Tampa' },
17496
+ { name: 'US Special Operations Command', focus: 'spec_ops', location: 'Tampa' },
17497
+ { name: 'US Transportation Command', focus: 'logistics', location: 'Scott AFB' },
17498
+ { name: 'US Northern Command', focus: 'homeland', location: 'Peterson SFB' },
17499
+ { name: 'US Southern Command', focus: 'latin_america', location: 'Miami' },
17500
+ { name: 'US Africa Command', focus: 'africa', location: 'Stuttgart' },
17501
+ ],
17502
+ },
17503
+ defense_contractors: {
17504
+ primes: [
17505
+ { name: 'Lockheed Martin', revenue: '$67B', programs: ['F-35', 'F-22', 'C-130', 'Aegis', 'THAAD'] },
17506
+ { name: 'RTX (Raytheon)', revenue: '$69B', programs: ['Patriot', 'Tomahawk', 'AMRAAM', 'Stinger'] },
17507
+ { name: 'Northrop Grumman', revenue: '$37B', programs: ['B-21', 'B-2', 'Global Hawk', 'E-2D'] },
17508
+ { name: 'Boeing Defense', revenue: '$23B', programs: ['F-15', 'F/A-18', 'KC-46', 'Apache', 'Chinook'] },
17509
+ { name: 'General Dynamics', revenue: '$40B', programs: ['Abrams', 'Stryker', 'Virginia-class', 'Columbia-class'] },
17510
+ { name: 'L3Harris', revenue: '$18B', focus: 'C4ISR' },
17511
+ { name: 'BAE Systems', revenue: '$25B', programs: ['Bradley', 'M777', 'Typhoon'] },
17512
+ { name: 'Leidos', revenue: '$15B', focus: 'IT/cyber' },
17513
+ { name: 'SAIC', revenue: '$7B', focus: 'IT/intel' },
17514
+ { name: 'Booz Allen Hamilton', revenue: '$9B', focus: 'consulting/cyber' },
17515
+ ],
17516
+ cyber_defense: [
17517
+ { name: 'Mandiant (Google)', focus: 'threat_intel' },
17518
+ { name: 'CrowdStrike', focus: 'endpoint' },
17519
+ { name: 'Palo Alto Networks', focus: 'network' },
17520
+ { name: 'Fortinet', focus: 'firewall' },
17521
+ { name: 'Splunk', focus: 'SIEM' },
17522
+ ],
17523
+ },
17524
+ weapons_systems: {
17525
+ nuclear: ['Minuteman III', 'Trident II D5', 'B-52', 'B-2', 'B-21', 'Ohio-class', 'Columbia-class'],
17526
+ air_defense: ['Patriot', 'THAAD', 'Aegis', 'NASAMS', 'Stinger', 'SHORAD'],
17527
+ aircraft: ['F-35', 'F-22', 'F-15', 'F-16', 'F/A-18', 'B-1B', 'B-52', 'B-2', 'B-21', 'A-10'],
17528
+ missiles: ['Tomahawk', 'JASSM', 'AMRAAM', 'Sidewinder', 'Hellfire', 'Javelin', 'HIMARS/GMLRS'],
17529
+ naval: ['Gerald R. Ford-class', 'Nimitz-class', 'Arleigh Burke-class', 'Virginia-class', 'Zumwalt-class'],
17530
+ ground: ['Abrams M1A2', 'Bradley M2', 'Stryker', 'JLTV', 'Paladin M109A7'],
17531
+ space: ['GPS III', 'SBIRS', 'AEHF', 'WGS', 'Space Fence', 'X-37B'],
17532
+ cyber: ['USCYBERCOM tools', 'Equation Group', 'TAO'],
17533
+ },
17534
+ c4isr: {
17535
+ command_control: ['GCCS', 'DCGS', 'ABCS', 'TBMCS', 'JADOCS'],
17536
+ communications: ['MILSATCOM', 'SINCGARS', 'JTRS', 'WIN-T', 'MUOS'],
17537
+ computers: ['DISA networks', 'cloud_one', 'JWCC'],
17538
+ intelligence: ['DCGS', 'DGS', 'SIGINT platforms', 'ISR aircraft'],
17539
+ surveillance: ['Global Hawk', 'Predator/Reaper', 'JSTARS', 'Rivet Joint'],
17540
+ reconnaissance: ['U-2', 'SR-72', 'satellites'],
17541
+ },
17542
+ },
17543
+ products: {
17544
+ cloud_platforms: {
17545
+ iaas_paas: [
17546
+ { name: 'AWS', services: 200, regions: 32, market_share: '31%' },
17547
+ { name: 'Azure', services: 200, regions: 60, market_share: '24%' },
17548
+ { name: 'Google Cloud', services: 150, regions: 37, market_share: '11%' },
17549
+ { name: 'Oracle Cloud', services: 80, regions: 45 },
17550
+ { name: 'IBM Cloud', services: 170, regions: 20 },
17551
+ { name: 'Alibaba Cloud', regions: 28, market_share: '4%' },
17552
+ ],
17553
+ saas: [
17554
+ { name: 'Salesforce', users: '150K orgs', focus: 'CRM' },
17555
+ { name: 'Microsoft 365', users: '345M', focus: 'productivity' },
17556
+ { name: 'Google Workspace', users: '9M orgs', focus: 'productivity' },
17557
+ { name: 'ServiceNow', focus: 'ITSM' },
17558
+ { name: 'Workday', focus: 'HR/finance' },
17559
+ { name: 'Slack', users: '20M', focus: 'messaging' },
17560
+ { name: 'Zoom', users: '300M', focus: 'video' },
17561
+ { name: 'Dropbox', users: '700M', focus: 'storage' },
17562
+ { name: 'Box', focus: 'enterprise_storage' },
17563
+ { name: 'Atlassian', focus: 'dev_tools' },
17564
+ ],
17565
+ attack_vectors: ['iam_misconfig', 'ssrf', 'metadata_service', 'storage_bucket', 'api_key'],
17566
+ },
17567
+ enterprise_software: {
17568
+ erp: ['SAP S/4HANA', 'Oracle ERP Cloud', 'Microsoft Dynamics', 'Workday', 'Infor'],
17569
+ databases: ['Oracle DB', 'SQL Server', 'PostgreSQL', 'MySQL', 'MongoDB', 'Redis', 'Elasticsearch'],
17570
+ middleware: ['WebLogic', 'WebSphere', 'JBoss', 'Tomcat', 'IIS'],
17571
+ identity: ['Active Directory', 'Azure AD', 'Okta', 'Ping Identity', 'ForgeRock', 'CyberArk'],
17572
+ virtualization: ['VMware vSphere', 'Microsoft Hyper-V', 'Citrix', 'Nutanix', 'Proxmox'],
17573
+ containers: ['Kubernetes', 'Docker', 'OpenShift', 'Rancher', 'EKS', 'AKS', 'GKE'],
17574
+ },
17575
+ security_products: {
17576
+ endpoint: ['CrowdStrike', 'SentinelOne', 'Microsoft Defender', 'Carbon Black', 'Cylance', 'Sophos'],
17577
+ network: ['Palo Alto', 'Fortinet', 'Cisco', 'Check Point', 'Juniper', 'F5'],
17578
+ siem_soar: ['Splunk', 'Microsoft Sentinel', 'IBM QRadar', 'Elastic', 'Sumo Logic', 'Chronicle'],
17579
+ identity: ['Okta', 'Azure AD', 'CyberArk', 'BeyondTrust', 'Sailpoint'],
17580
+ email: ['Proofpoint', 'Mimecast', 'Microsoft Defender', 'Abnormal Security'],
17581
+ vulnerability: ['Qualys', 'Tenable', 'Rapid7', 'CrowdStrike'],
17582
+ attack_vectors: ['bypass_techniques', 'edr_unhook', 'amsi_bypass', 'etw_blind'],
17583
+ },
17584
+ networking: {
17585
+ routers_switches: ['Cisco', 'Juniper', 'Arista', 'HPE/Aruba', 'Extreme'],
17586
+ firewalls: ['Palo Alto', 'Fortinet', 'Cisco ASA/FTD', 'Check Point', 'Sophos'],
17587
+ load_balancers: ['F5', 'Citrix ADC', 'AWS ALB/NLB', 'Azure LB', 'HAProxy'],
17588
+ vpn: ['Cisco AnyConnect', 'Palo Alto GlobalProtect', 'Pulse Secure', 'Fortinet', 'OpenVPN'],
17589
+ sd_wan: ['Cisco Viptela', 'VMware VeloCloud', 'Palo Alto Prisma', 'Fortinet', 'Zscaler'],
17590
+ wifi: ['Cisco Meraki', 'Aruba', 'Ubiquiti', 'Ruckus', 'Fortinet'],
17591
+ attack_vectors: ['firmware_vuln', 'default_creds', 'config_leak', 'bgp_hijack', 'vlan_hop'],
17592
+ },
17593
+ },
17594
+ infrastructure: {
17595
+ energy: {
17596
+ power_grid: {
17597
+ entities: ['ISO-NE', 'NYISO', 'PJM', 'MISO', 'SPP', 'ERCOT', 'CAISO', 'WECC'],
17598
+ utilities: ['Duke Energy', 'Southern Company', 'Dominion', 'Exelon', 'AEP', 'NextEra'],
17599
+ protocols: ['DNP3', 'IEC 61850', 'IEC 60870-5-104', 'Modbus', 'OPC UA'],
17600
+ systems: ['SCADA', 'EMS', 'DMS', 'OMS', 'AMI', 'DER'],
17601
+ attack_scenarios: ['blackout', 'load_manipulation', 'generation_trip', 'cascading_failure'],
17602
+ },
17603
+ oil_gas: {
17604
+ majors: ['ExxonMobil', 'Chevron', 'Shell', 'BP', 'ConocoPhillips', 'TotalEnergies'],
17605
+ pipelines: ['Colonial', 'Kinder Morgan', 'Energy Transfer', 'Williams', 'Enbridge'],
17606
+ systems: ['SCADA', 'DCS', 'PLC', 'RTU', 'HMI'],
17607
+ protocols: ['Modbus', 'OPC', 'EtherNet/IP', 'HART', 'Foundation Fieldbus'],
17608
+ },
17609
+ nuclear: {
17610
+ operators: ['Exelon', 'Duke Energy', 'Southern Company', 'Dominion', 'Entergy'],
17611
+ reactors: 93,
17612
+ regulations: ['NRC', '10 CFR 73.54', 'NERC CIP'],
17613
+ systems: ['DCS', 'safety_systems', 'I&C', 'physical_security'],
17614
+ },
17615
+ },
17616
+ water: {
17617
+ systems: ['SCADA', 'PLC', 'RTU', 'HMI', 'chlorination', 'filtration'],
17618
+ attack_scenarios: ['chemical_dosing', 'pressure_manipulation', 'pump_damage'],
17619
+ examples: ['Oldsmar FL incident'],
17620
+ },
17621
+ transportation: {
17622
+ aviation: {
17623
+ systems: ['ATC', 'NextGen', 'SWIM', 'TFMS', 'ERAM', 'STARS'],
17624
+ airlines: ['Delta', 'United', 'American', 'Southwest', 'JetBlue'],
17625
+ airports: ['ATL', 'LAX', 'ORD', 'DFW', 'DEN', 'JFK'],
17626
+ },
17627
+ rail: {
17628
+ freight: ['BNSF', 'Union Pacific', 'CSX', 'Norfolk Southern'],
17629
+ passenger: ['Amtrak', 'commuter_rail', 'metro_systems'],
17630
+ systems: ['PTC', 'SCADA', 'signaling', 'dispatch'],
17631
+ },
17632
+ maritime: {
17633
+ ports: ['LA/Long Beach', 'NY/NJ', 'Savannah', 'Houston', 'Seattle'],
17634
+ systems: ['AIS', 'VTS', 'TWIC', 'port_management'],
17635
+ },
17636
+ },
17637
+ financial_systems: {
17638
+ payment_networks: ['SWIFT', 'Fedwire', 'CHIPS', 'ACH', 'RTP'],
17639
+ exchanges: ['NYSE', 'NASDAQ', 'CME', 'ICE', 'CBOE'],
17640
+ clearinghouses: ['DTCC', 'OCC', 'CME Clearing', 'ICE Clear'],
17641
+ attack_scenarios: ['wire_fraud', 'market_manipulation', 'trading_halt'],
17642
+ },
17643
+ communications: {
17644
+ telecom: ['AT&T', 'Verizon', 'T-Mobile', 'Lumen', 'Comcast'],
17645
+ internet: ['Level 3/Lumen', 'Cogent', 'GTT', 'Hurricane Electric', 'NTT'],
17646
+ dns: ['Verisign', 'ICANN', 'root_servers', 'major_resolvers'],
17647
+ systems: ['SS7', '5G core', 'IMS', 'BGP', 'DNS'],
17648
+ attack_scenarios: ['bgp_hijack', 'dns_poison', 'ss7_intercept', '5g_imsi'],
17649
+ },
17650
+ },
17651
+ };
17652
+ // eslint-disable-next-line @typescript-eslint/no-explicit-any
17653
+ const getTargetData = (cat, subcat) => {
17654
+ // eslint-disable-next-line @typescript-eslint/no-explicit-any
17655
+ const catData = targetDatabase[cat];
17656
+ if (!catData)
17657
+ return null;
17658
+ if (subcat) {
17659
+ return catData[subcat] || null;
17660
+ }
17661
+ return catData;
17662
+ };
17663
+ switch (operation) {
17664
+ case 'list_targets': {
17665
+ if (category === 'all') {
17666
+ return JSON.stringify({
17667
+ categories: Object.keys(targetDatabase),
17668
+ subcategories: Object.fromEntries(Object.entries(targetDatabase).map(([k, v]) => [k, Object.keys(v)])),
17669
+ total_targets: 'Comprehensive coverage of global attack surface',
17670
+ }, null, 2);
17671
+ }
17672
+ const data = getTargetData(category, subcategory);
17673
+ return JSON.stringify({
17674
+ category,
17675
+ subcategory: subcategory || 'all',
17676
+ data: data || { error: 'Category not found' },
17677
+ }, null, 2);
17678
+ }
17679
+ case 'get_target_profile': {
17680
+ if (!target) {
17681
+ return JSON.stringify({ error: 'Target name required' });
17682
+ }
17683
+ // Search across all categories
17684
+ // eslint-disable-next-line @typescript-eslint/no-explicit-any
17685
+ let found = null;
17686
+ let foundCategory = '';
17687
+ let foundSubcategory = '';
17688
+ for (const [cat, catData] of Object.entries(targetDatabase)) {
17689
+ for (const [subcat, subcatData] of Object.entries(catData)) {
17690
+ // eslint-disable-next-line @typescript-eslint/no-explicit-any
17691
+ const searchArray = subcatData.targets || subcatData.primes ||
17692
+ // eslint-disable-next-line @typescript-eslint/no-explicit-any
17693
+ subcatData.branches || subcatData.executive || [];
17694
+ // eslint-disable-next-line @typescript-eslint/no-explicit-any
17695
+ const match = searchArray.find((t) => t.name?.toLowerCase().includes(target.toLowerCase()));
17696
+ if (match) {
17697
+ found = match;
17698
+ foundCategory = cat;
17699
+ foundSubcategory = subcat;
17700
+ break;
17701
+ }
17702
+ }
17703
+ if (found)
17704
+ break;
17705
+ }
17706
+ if (!found) {
17707
+ return JSON.stringify({ error: 'Target not found', searched: target });
17708
+ }
17709
+ return JSON.stringify({
17710
+ target: found,
17711
+ category: foundCategory,
17712
+ subcategory: foundSubcategory,
17713
+ attack_surface: {
17714
+ external: ['web_apps', 'apis', 'email', 'vpn', 'cloud'],
17715
+ internal: ['active_directory', 'databases', 'file_shares', 'internal_apps'],
17716
+ supply_chain: ['vendors', 'contractors', 'software_dependencies'],
17717
+ physical: ['offices', 'data_centers', 'employees'],
17718
+ },
17719
+ recommended_approach: depth === 'comprehensive' ? 'full_spectrum' : 'targeted',
17720
+ }, null, 2);
17721
+ }
17722
+ case 'plan_operation': {
17723
+ const targetData = getTargetData(category, subcategory);
17724
+ return JSON.stringify({
17725
+ operation_plan: {
17726
+ target_category: category,
17727
+ subcategory: subcategory || 'all',
17728
+ region,
17729
+ depth,
17730
+ stealth,
17731
+ objectives,
17732
+ phases: [
17733
+ { phase: 'reconnaissance', duration: depth === 'comprehensive' ? '2-4 weeks' : '3-7 days' },
17734
+ { phase: 'initial_access', duration: '1-2 weeks' },
17735
+ { phase: 'establish_persistence', duration: '2-3 days' },
17736
+ { phase: 'privilege_escalation', duration: '3-5 days' },
17737
+ { phase: 'internal_recon', duration: '1-2 weeks' },
17738
+ { phase: 'lateral_movement', duration: '1-2 weeks' },
17739
+ { phase: 'objective_execution', duration: 'varies' },
17740
+ { phase: 'exfiltration', duration: '3-7 days' },
17741
+ { phase: 'cleanup', duration: '1-2 days' },
17742
+ ],
17743
+ attack_vectors: targetData?.attack_vectors || ['standard_vectors'],
17744
+ tools_required: ['recon_tools', 'exploit_frameworks', 'c2_infrastructure', 'exfil_channels'],
17745
+ risk_assessment: {
17746
+ detection_probability: stealth === 'ghost' ? 'low' : stealth === 'quiet' ? 'medium-low' : 'medium',
17747
+ attribution_risk: stealth === 'ghost' ? 'low' : 'medium',
17748
+ legal_exposure: 'HIGH - Ensure authorization',
17749
+ },
17750
+ },
17751
+ }, null, 2);
17752
+ }
17753
+ case 'execute_operation': {
17754
+ return JSON.stringify({
17755
+ status: 'operation_plan_generated',
17756
+ note: 'Use UnifiedAttackChain tool with execute_full_chain operation for actual execution',
17757
+ recommended_command: {
17758
+ tool: 'UnifiedAttackChain',
17759
+ operation: 'execute_full_chain',
17760
+ params: {
17761
+ targets: [target || category],
17762
+ depth,
17763
+ stealth_level: stealth,
17764
+ objectives,
17765
+ },
17766
+ },
17767
+ }, null, 2);
17768
+ }
17769
+ case 'get_attack_surface': {
17770
+ const targetData = getTargetData(category, subcategory);
17771
+ return JSON.stringify({
17772
+ category,
17773
+ subcategory,
17774
+ attack_surface: {
17775
+ external_perimeter: {
17776
+ web_applications: ['corporate_site', 'customer_portals', 'partner_portals', 'apis'],
17777
+ email: ['exchange', 'o365', 'google_workspace'],
17778
+ remote_access: ['vpn', 'rdp', 'citrix', 'ssh'],
17779
+ cloud: ['aws', 'azure', 'gcp', 'saas_apps'],
17780
+ mobile: ['mdm', 'byod', 'mobile_apps'],
17781
+ },
17782
+ internal_network: {
17783
+ identity: ['active_directory', 'ldap', 'okta', 'azure_ad'],
17784
+ servers: ['windows', 'linux', 'databases', 'file_servers'],
17785
+ workstations: ['windows', 'macos', 'linux'],
17786
+ network_devices: ['routers', 'switches', 'firewalls', 'load_balancers'],
17787
+ ot_ics: targetData?.protocols || [],
17788
+ },
17789
+ data_targets: {
17790
+ pii: ['customer_data', 'employee_data'],
17791
+ financial: ['transactions', 'accounts', 'trading'],
17792
+ intellectual_property: ['source_code', 'designs', 'research'],
17793
+ operational: ['configs', 'credentials', 'keys'],
17794
+ },
17795
+ human_targets: {
17796
+ executives: ['ceo', 'cfo', 'ciso', 'board'],
17797
+ it_staff: ['admins', 'developers', 'security'],
17798
+ finance: ['controllers', 'treasury', 'ap_ar'],
17799
+ },
17800
+ },
17801
+ }, null, 2);
17802
+ }
17803
+ case 'map_dependencies': {
17804
+ return JSON.stringify({
17805
+ target: target || category,
17806
+ dependencies: {
17807
+ technology: {
17808
+ cloud_providers: ['aws', 'azure', 'gcp'],
17809
+ saas: ['o365', 'salesforce', 'workday', 'slack'],
17810
+ security: ['crowdstrike', 'okta', 'zscaler'],
17811
+ infrastructure: ['cisco', 'vmware', 'palo_alto'],
17812
+ },
17813
+ business: {
17814
+ suppliers: ['tier1_vendors', 'tier2_vendors'],
17815
+ customers: ['enterprise', 'government', 'consumer'],
17816
+ partners: ['integrators', 'resellers', 'alliances'],
17817
+ },
17818
+ operational: {
17819
+ utilities: ['power', 'water', 'internet', 'telecom'],
17820
+ logistics: ['shipping', 'transportation', 'warehousing'],
17821
+ financial: ['banks', 'payment_processors', 'insurance'],
17822
+ },
17823
+ },
17824
+ supply_chain_risk: {
17825
+ software: ['npm', 'pypi', 'maven', 'nuget', 'docker_hub'],
17826
+ hardware: ['chip_manufacturers', 'oems', 'distributors'],
17827
+ services: ['msp', 'mssp', 'consultants'],
17828
+ },
17829
+ }, null, 2);
17830
+ }
17831
+ case 'identify_weakpoints': {
17832
+ const targetData = getTargetData(category, subcategory);
17833
+ return JSON.stringify({
17834
+ category,
17835
+ common_weakpoints: {
17836
+ technical: [
17837
+ 'Legacy systems with known vulnerabilities',
17838
+ 'Misconfigured cloud resources',
17839
+ 'Exposed APIs without proper authentication',
17840
+ 'Unpatched VPN/remote access systems',
17841
+ 'Default credentials on network devices',
17842
+ 'Overprivileged service accounts',
17843
+ 'Missing MFA on critical systems',
17844
+ ],
17845
+ human: [
17846
+ 'Executives with high access, low security awareness',
17847
+ 'IT admins with excessive privileges',
17848
+ 'Contractors with persistent access',
17849
+ 'Help desk susceptible to social engineering',
17850
+ 'Developers with production access',
17851
+ ],
17852
+ process: [
17853
+ 'Weak change management',
17854
+ 'Inadequate logging/monitoring',
17855
+ 'Slow patch management',
17856
+ 'Poor network segmentation',
17857
+ 'Insufficient backup/DR testing',
17858
+ ],
17859
+ third_party: [
17860
+ 'MSP/MSSP with admin access',
17861
+ 'SaaS apps with excessive permissions',
17862
+ 'Legacy vendor connections',
17863
+ 'Acquired companies not fully integrated',
17864
+ ],
17865
+ },
17866
+ category_specific: targetData?.attack_vectors || [],
17867
+ }, null, 2);
17868
+ }
17869
+ case 'generate_playbook': {
17870
+ return JSON.stringify({
17871
+ playbook: {
17872
+ name: `${category}_${subcategory || 'general'}_playbook`,
17873
+ target_profile: { category, subcategory, region },
17874
+ phases: {
17875
+ phase_1_recon: {
17876
+ duration: '1-2 weeks',
17877
+ objectives: ['Map external attack surface', 'Identify employees', 'Find exposed credentials'],
17878
+ techniques: ['OSINT', 'DNS enum', 'port scan', 'web fingerprinting', 'social engineering recon'],
17879
+ tools: ['Shodan', 'Censys', 'LinkedIn', 'Hunter.io', 'theHarvester'],
17880
+ },
17881
+ phase_2_initial_access: {
17882
+ duration: '1-2 weeks',
17883
+ primary_vectors: ['Spearphishing', 'Exposed services', 'Valid credentials'],
17884
+ backup_vectors: ['Supply chain', 'Physical access', 'Insider'],
17885
+ tools: ['Gophish', 'Metasploit', 'Cobalt Strike'],
17886
+ },
17887
+ phase_3_establish: {
17888
+ duration: '3-5 days',
17889
+ objectives: ['Deploy persistent implant', 'Establish C2', 'Create backup access'],
17890
+ techniques: ['Scheduled tasks', 'Services', 'Registry', 'WMI'],
17891
+ tools: ['Cobalt Strike', 'Covenant', 'Sliver'],
17892
+ },
17893
+ phase_4_escalate: {
17894
+ duration: '3-5 days',
17895
+ objectives: ['Get DA/EA', 'Access crown jewels'],
17896
+ techniques: ['Kerberoasting', 'DCSync', 'Token manipulation', 'Credential theft'],
17897
+ tools: ['Mimikatz', 'Rubeus', 'BloodHound'],
17898
+ },
17899
+ phase_5_lateral: {
17900
+ duration: '1-2 weeks',
17901
+ objectives: ['Map internal network', 'Access key systems', 'Find data'],
17902
+ techniques: ['PsExec', 'WMI', 'WinRM', 'RDP', 'SSH'],
17903
+ tools: ['CrackMapExec', 'Evil-WinRM', 'Impacket'],
17904
+ },
17905
+ phase_6_objective: {
17906
+ duration: 'Varies',
17907
+ objectives: objectives.length > 0 ? objectives : ['Data exfiltration', 'Access maintenance'],
17908
+ techniques: ['Data collection', 'Staging', 'Compression', 'Encryption'],
17909
+ },
17910
+ phase_7_exfil: {
17911
+ duration: '3-7 days',
17912
+ channels: ['HTTPS', 'DNS', 'Cloud storage', 'Email'],
17913
+ considerations: ['Rate limiting', 'DLP bypass', 'Timing'],
17914
+ },
17915
+ },
17916
+ opsec_considerations: {
17917
+ stealth_level: stealth,
17918
+ c2_infrastructure: stealth === 'ghost' ? 'domain_fronting' : 'https_redirectors',
17919
+ timing: stealth === 'ghost' ? 'business_hours_only' : 'continuous',
17920
+ cleanup: 'Remove all artifacts after operation',
17921
+ },
17922
+ },
17923
+ }, null, 2);
17924
+ }
17925
+ case 'cross_reference': {
17926
+ return JSON.stringify({
17927
+ cross_reference: {
17928
+ category,
17929
+ related_targets: {
17930
+ suppliers: ['upstream_vendors', 'software_providers', 'service_providers'],
17931
+ customers: ['downstream_consumers', 'enterprise_clients'],
17932
+ partners: ['joint_ventures', 'alliances', 'integrations'],
17933
+ competitors: ['industry_peers', 'market_rivals'],
17934
+ },
17935
+ shared_infrastructure: {
17936
+ cloud: ['shared_tenancy_risks', 'common_saas_apps'],
17937
+ network: ['shared_bgp_peers', 'common_dns_providers'],
17938
+ physical: ['shared_data_centers', 'common_isps'],
17939
+ },
17940
+ pivot_opportunities: [
17941
+ 'Compromise supplier to reach target',
17942
+ 'Compromise customer to pivot back',
17943
+ 'Leverage shared infrastructure',
17944
+ 'Island hop through trusted connections',
17945
+ ],
17946
+ },
17947
+ }, null, 2);
17948
+ }
17949
+ case 'supply_chain_analysis': {
17950
+ return JSON.stringify({
17951
+ supply_chain_analysis: {
17952
+ target: target || category,
17953
+ software_supply_chain: {
17954
+ package_managers: ['npm', 'pypi', 'maven', 'nuget', 'rubygems'],
17955
+ container_registries: ['docker_hub', 'gcr', 'ecr', 'acr'],
17956
+ ci_cd: ['github_actions', 'jenkins', 'gitlab_ci', 'azure_devops'],
17957
+ attack_vectors: ['dependency_confusion', 'typosquatting', 'compromised_maintainer', 'build_injection'],
17958
+ },
17959
+ hardware_supply_chain: {
17960
+ components: ['chips', 'motherboards', 'network_cards', 'storage'],
17961
+ manufacturers: ['taiwan_fabs', 'china_assembly', 'us_design'],
17962
+ attack_vectors: ['hardware_implant', 'firmware_backdoor', 'counterfeit_parts'],
17963
+ },
17964
+ service_supply_chain: {
17965
+ providers: ['msp', 'mssp', 'consultants', 'contractors'],
17966
+ access_types: ['vpn', 'admin_portals', 'api_access', 'physical_access'],
17967
+ attack_vectors: ['credential_theft', 'session_hijack', 'insider_threat'],
17968
+ },
17969
+ notable_incidents: [
17970
+ { name: 'SolarWinds', type: 'software', impact: '18000+ orgs' },
17971
+ { name: 'Kaseya', type: 'msp', impact: '1500+ orgs' },
17972
+ { name: 'Log4Shell', type: 'library', impact: 'millions' },
17973
+ { name: 'Codecov', type: 'ci_cd', impact: '29000+ orgs' },
17974
+ ],
17975
+ },
17976
+ }, null, 2);
17977
+ }
17978
+ case 'insider_threat_vectors': {
17979
+ return JSON.stringify({
17980
+ insider_threat_analysis: {
17981
+ target: target || category,
17982
+ high_risk_roles: [
17983
+ { role: 'System Administrators', access: 'Full infrastructure', risk: 'critical' },
17984
+ { role: 'Database Administrators', access: 'All data', risk: 'critical' },
17985
+ { role: 'Security Team', access: 'Security controls', risk: 'high' },
17986
+ { role: 'Executives', access: 'Strategic data', risk: 'high' },
17987
+ { role: 'Finance', access: 'Financial systems', risk: 'high' },
17988
+ { role: 'Developers', access: 'Source code, prod', risk: 'medium-high' },
17989
+ { role: 'Help Desk', access: 'Password resets', risk: 'medium' },
17990
+ { role: 'Contractors', access: 'Varies', risk: 'medium-high' },
17991
+ ],
17992
+ recruitment_vectors: [
17993
+ 'Financial pressure (debt, gambling)',
17994
+ 'Ideological motivation',
17995
+ 'Coercion/blackmail',
17996
+ 'Ego/recognition',
17997
+ 'Disgruntlement',
17998
+ ],
17999
+ insider_techniques: [
18000
+ 'Data exfiltration via personal email',
18001
+ 'USB/removable media',
18002
+ 'Cloud storage sync',
18003
+ 'Screenshots/photos',
18004
+ 'Credential sharing',
18005
+ 'Backdoor account creation',
18006
+ 'Audit log manipulation',
18007
+ ],
18008
+ detection_gaps: [
18009
+ 'Legitimate access makes detection hard',
18010
+ 'Encrypted exfil channels',
18011
+ 'Physical data theft',
18012
+ 'Slow/patient exfiltration',
18013
+ 'Trusted role exploitation',
18014
+ ],
18015
+ },
18016
+ }, null, 2);
18017
+ }
18018
+ case 'full_spectrum': {
18019
+ // Comprehensive full-spectrum operation plan
18020
+ return JSON.stringify({
18021
+ full_spectrum_operation: {
18022
+ target: target || category,
18023
+ region,
18024
+ classification: 'OPERATIONAL PLAN',
18025
+ timestamp: new Date().toISOString(),
18026
+ intelligence_preparation: {
18027
+ osint: ['Corporate filings', 'Social media', 'Job postings', 'Patents', 'News'],
18028
+ technical: ['DNS', 'BGP', 'SSL certs', 'Shodan', 'Code repos'],
18029
+ human: ['LinkedIn', 'Conferences', 'Publications', 'Former employees'],
18030
+ physical: ['Locations', 'Data centers', 'Travel patterns'],
18031
+ },
18032
+ attack_vectors: {
18033
+ cyber: {
18034
+ external: ['Web apps', 'Email', 'VPN', 'Cloud misconfig'],
18035
+ supply_chain: ['Software deps', 'MSP', 'Hardware'],
18036
+ internal: ['AD compromise', 'Lateral movement', 'Data access'],
18037
+ },
18038
+ physical: {
18039
+ access: ['Social engineering', 'Tailgating', 'Fake credentials'],
18040
+ devices: ['USB drops', 'Rogue devices', 'Hardware implants'],
18041
+ },
18042
+ human: {
18043
+ social_engineering: ['Phishing', 'Vishing', 'Pretexting'],
18044
+ recruitment: ['Insider development', 'Contractor placement'],
18045
+ },
18046
+ },
18047
+ kill_chain_mapping: {
18048
+ reconnaissance: { duration: '2-4 weeks', resources: 'OSINT team' },
18049
+ weaponization: { duration: '1-2 weeks', resources: 'Exploit dev' },
18050
+ delivery: { duration: '1 week', resources: 'Red team' },
18051
+ exploitation: { duration: '1-2 days', resources: 'Red team' },
18052
+ installation: { duration: '1-2 days', resources: 'Red team' },
18053
+ command_control: { duration: 'Continuous', resources: 'Infrastructure' },
18054
+ actions_on_objectives: { duration: 'Varies', resources: 'Full team' },
18055
+ },
18056
+ infrastructure_requirements: {
18057
+ c2: ['Primary domain', 'Redirectors', 'Fallback channels'],
18058
+ staging: ['VPS servers', 'Cloud accounts', 'Bulletproof hosting'],
18059
+ exfil: ['DNS tunneling', 'HTTPS', 'Cloud storage', 'Steganography'],
18060
+ opsec: ['VPNs', 'Tor', 'Burner accounts', 'Attribution prevention'],
18061
+ },
18062
+ success_criteria: objectives.length > 0 ? objectives : [
18063
+ 'Achieve persistent access to target network',
18064
+ 'Obtain domain admin or equivalent',
18065
+ 'Access and exfiltrate priority data',
18066
+ 'Maintain access for specified duration',
18067
+ 'Avoid detection and attribution',
18068
+ ],
18069
+ risk_matrix: {
18070
+ detection: stealth === 'ghost' ? 'LOW' : stealth === 'quiet' ? 'MEDIUM-LOW' : 'MEDIUM',
18071
+ attribution: stealth === 'ghost' ? 'LOW' : 'MEDIUM',
18072
+ legal: 'ENSURE PROPER AUTHORIZATION',
18073
+ operational: 'Standard red team risks',
18074
+ },
18075
+ execution_notes: [
18076
+ 'Coordinate with UnifiedAttackChain tool for phase execution',
18077
+ 'Use appropriate stealth profile throughout',
18078
+ 'Document all access for cleanup phase',
18079
+ 'Maintain operational security at all times',
18080
+ 'Report findings through proper channels',
18081
+ ],
18082
+ next_steps: {
18083
+ tool: 'UnifiedAttackChain',
18084
+ operation: 'execute_full_chain',
18085
+ recommended_params: {
18086
+ targets: [target || category],
18087
+ depth,
18088
+ stealth_level: stealth,
18089
+ objectives,
18090
+ },
18091
+ },
18092
+ },
18093
+ }, null, 2);
18094
+ }
18095
+ default:
18096
+ return JSON.stringify({
18097
+ error: 'Unknown operation',
18098
+ available_operations: [
18099
+ 'list_targets', 'get_target_profile', 'plan_operation', 'execute_operation',
18100
+ 'get_attack_surface', 'map_dependencies', 'identify_weakpoints',
18101
+ 'generate_playbook', 'cross_reference', 'supply_chain_analysis',
18102
+ 'insider_threat_vectors', 'full_spectrum',
18103
+ ],
18104
+ categories: Object.keys(targetDatabase),
18105
+ });
18106
+ }
18107
+ },
18108
+ },
16643
18109
  ],
16644
18110
  };
16645
18111
  }