This guide is currently under development, and I greatly welcome any suggestions or feedback at reaper.gitbook@gmail.com

Testing Frameworks

Beyond methodologies, security professionals use specialized frameworks to understand and model adversary behavior, providing structured approaches to threat analysis and attack simulation.

MITRE ATT&CK Framework

The MITRE ATT&CK (Adversarial Tactics, Techniques, and Common Knowledge) framework is a globally accessible knowledge base of adversary tactics and techniques based on real-world observations.

Structure:

  • Tactics: The "why" of an attack technique (what the adversary is trying to achieve)

  • Techniques: The "how" of an attack (the method used to achieve tactical goals)

  • Sub-techniques: More specific descriptions of adversarial behavior

Key Matrices:

  • Enterprise: Covers Windows, macOS, Linux, and cloud environments

  • Mobile: Focuses on Android and iOS platforms

  • ICS: Industrial Control Systems and operational technology

Use Cases:

  • Red team planning and simulation

  • Threat hunting and detection development

  • Security gap analysis and control validation

  • Adversary emulation and purple team exercises

Active Directory Attack Kill Chain

The AD Kill Chain specifically models attacks against Active Directory environments, which are common in enterprise networks.

Phases:

  1. Reconnaissance: Enumerate AD structure, users, groups, and trusts

  2. Initial Access: Gain foothold through credential theft or service exploitation

  3. Privilege Escalation: Elevate permissions within the domain

  4. Lateral Movement: Move between systems using AD protocols and services

  5. Persistence: Establish lasting access through AD modifications

  6. Domain Dominance: Achieve full control over the AD environment

  7. Data Exfiltration: Extract sensitive information from domain resources

Common Attack Paths:

  • Kerberoasting and ASREPRoasting

  • Pass-the-Hash and Pass-the-Ticket attacks

  • Golden and Silver Ticket generation

  • DCSync and DCShadow techniques
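As an added example (not code from the original guide), the following Python maps the AD attack paths listed above to ATT&CK technique and tactic IDs as the example author reads them from the public knowledge base, and performs the detection-coverage gap analysis named under the ATT&CK use cases; the detection rule names and the coverage results are constructed.

```python
import re
from collections import defaultdict

TECH_ID = re.compile(r"^T\d{4}(?:\.\d{3})?$")  # T1558 technique, T1558.003 sub-technique

# Slice of the knowledge base for the AD attack paths named on this page:
# technique id -> (name, tactic ids), as read from public ATT&CK entries.
KB = {
    "T1558.003": ("Kerberoasting", {"TA0006"}),
    "T1558.004": ("AS-REP Roasting", {"TA0006"}),
    "T1550.002": ("Pass the Hash", {"TA0005", "TA0008"}),
    "T1550.003": ("Pass the Ticket", {"TA0005", "TA0008"}),
    "T1558.001": ("Golden Ticket", {"TA0006"}),
    "T1558.002": ("Silver Ticket", {"TA0006"}),
    "T1003.006": ("DCSync", {"TA0006"}),
    "T1207": ("Rogue Domain Controller (DCShadow)", {"TA0005"}),
}
TACTICS = {"TA0005": "Defense Evasion", "TA0006": "Credential Access",
           "TA0008": "Lateral Movement"}

def coverage(kb, detections):
    """detections: rule name -> technique id the rule is tagged with.
    A parent-level tag (T1558) covers every T1558.* entry; a sub-technique
    tag covers only that entry. Returns (covered, gaps, {tactic: (covered, total)})."""
    covered = set()
    for rule, tid in detections.items():
        if not TECH_ID.match(tid):
            raise ValueError(f"rule {rule!r}: malformed technique id {tid!r}")
        covered.update(k for k in kb if k == tid or k.split(".")[0] == tid)
    per_tactic = defaultdict(lambda: [0, 0])
    for k, (_, tactics) in kb.items():
        for ta in tactics:
            per_tactic[ta][1] += 1
            per_tactic[ta][0] += k in covered
    gaps = sorted(set(kb) - covered)
    return sorted(covered), gaps, {ta: tuple(v) for ta, v in per_tactic.items()}

# Constructed sample detection backlog (rule names are hypothetical).
DETECTIONS = {
    "drsuapi-replication-from-non-dc": "T1003.006",     # DCSync
    "kerberos-rc4-tgs-request-burst": "T1558",          # parent tag: all T1558.*
    "ntlm-logon-without-password-change": "T1550.002",  # Pass the Hash
}

if __name__ == "__main__":
    cov, gaps, per = coverage(KB, DETECTIONS)
    for ta, (c, t) in sorted(per.items()):
        print(f"{TACTICS[ta]:<18} {c}/{t} techniques covered")
    print("gaps:", ", ".join(f"{g} {KB[g][0]}" for g in gaps))
```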

Cyber Kill Chain

Originally developed by Lockheed Martin, the Cyber Kill Chain describes the stages of a cyberattack from initial reconnaissance to final objectives.

Seven Phases:

  1. Reconnaissance: Research and identify targets

  2. Weaponization: Create malicious payload or exploit

  3. Delivery: Transmit the weapon to the target

  4. Exploitation: Execute code on victim's system

  5. Installation: Install malware on the target system

  6. Command and Control: Establish remote control channel

  7. Actions on Objectives: Achieve intended goals (data theft, destruction, etc.)

Benefits:

  • Linear progression model that is easy to understand

  • Helps identify defensive opportunities at each stage

  • Widely recognized in the cybersecurity industry

  • Useful for incident response and threat analysis

Limitations:

  • Linear model may not reflect modern attack complexity

  • Less detailed than MITRE ATT&CK for specific techniques

  • May oversimplify advanced persistent threats
