killchain-compendium/README.md

# KillChain Compendium - A Concise Security Handbook

The "KillChain Compendium" is a steadily growing, organized collection of
in-depth resources, insights, and practical guidance, structured within the
framework of the Kill Chain methodology. It serves as a comprehensive reference
manual, offering knowledge and strategies for navigating the world of hacking,
penetration testing, and cybersecurity. Whether you're an aspiring hacker, a
seasoned security professional, or anyone seeking to delve into the intricacies
of securing digital systems, the "KillChain Compendium" provides insights into
each stage of the cyber kill chain while offering notes, actionable advice and
real-world examples to bolster your understanding and capabilities in this
complex field.

## Penetration Testing

Penetration testing, often referred to as pen testing, is a systematic and
controlled process of evaluating the security of computer systems, networks,
applications, and environments. The primary objective of penetration testing is
simulate real-world cyberattacks to identify vulnerabilities and weaknesses
that could potentially be exploited by malicious actors.

## Pentetration Testing Standards

Penetration Testing Standards are guidelines and frameworks that provide best
practices and methodologies for conducting thorough and effective penetraton
testing activities. These Standards help ensure consistency, quality, and rigor
in the penetration testing process.

The [Pentesting Execution Standard](http://www.pentest-standard.org/index.php/Main_Page) provides the following sections for penetration testing execution

* Pre-engagement Interactions
* Intelligence Gathering
* Threat Modeling
* Vulnerability Analysis
* Exploitation
* Post Exploitation
* Reporting
* Authorized audit of security systems of computers and networks.

## Rules of Engagement (RoE)

Rules of Engagement (RoE) in the context of penetration testing refer to
guidelines, boundaries, and limitations that are established and agreed upon
between the penetration testing team (red team) and the organization or client
requesting the testing. These rules ensure that the testing is conducted in a
controlled manner. They define the scope, targets, and acceptable activities
for the engagement. RoE help prevent misunderstandings, conflicts, and
unintended consequences dduring the testing process.

A brief summary of the steps included in the RoE are the following

* **Permissions** of the penetration testing team
* How the **Engagement** is done, e.g. internal/external pentest or adversary emulation of [advanced persistent threads](https://csrc.nist.gov/glossary/term/advanced_persistent_threat)
* **Scope** of how the tests are going to be executed, e.g. networks, IPs, exfilration of data, which stage, downtime, DDoS
* **Non-Disclosure Agreement (NDA)** as a contract describes how knowledge about sensitive data is handled

In practical terms there is a [Rules of Engagement -- Worksheet](https://sansorg.egnyte.com/dl/bF4I3yCcnt/?) provided by [SANS](https://www.sans.org/) and [a sample of RoEs](https://redteam.guide/docs/templates/roe_template/) provided by the [RedTeam.Guide](https://redteam.guide).

## Penetration Testing Campaign

A penetration testing campaign is a planned and organized series of penetration
tests conducted on a specific target, like a computer system, network, or
application. It involves a structured approach to identifying and addressing
vulnerabilities in order to improve the overall security posture of the target.

A brief summary of the steps included are the following

* **Engagement** includes the planning and information gathering
* **Operations** includes vulnerability scanning, manual testing, analysis an communication with the client
* **Remediation** includes fixing the identified vulnerabilities, validation by re-testing, the final reporting and the lessons learned

To support your engagement, a [campaing
checklist](https://redteam.guide/docs/checklists/red-team-checklist/) is
provided by [RedTeam.Guide](https://redteam.guide/). A tool to support the
organization of teams in an engagement is
[vectr](https://github.com/SecurityRiskAdvisors/VECTR).

## Penetration Testing Methodology

Penetration testing methodologies typically follow a structured approach to
systematically identify and exploit vulnerabilities.

Included steps are the following

* Reconnaissance
* Enumeration/Scanning
* Gaining Access
* Privilege Escalation
* Covering Tracks
* Reporting

### Reconnaissance

**Passive Reconnaissance** describes the gathering of information about the
target system or organization without directly interacting with it. This
involves searching for publicly available data, such as domains names, IP
addresses and employee information.

**Active Reconnaissance** describes the interaction with the target system to
collect more detailed information, using tools like WHOIS lookups, DNS
enumeration, and network scanning. The goal is to map out the target's network
and identify potential entry points.

### Enumeration/Scanning

**Network Scanning** is the identification of active hosts, open ports, and
services runing on these ports. This helps the penetration tester understand
the network's architecture and potential attack vectors.

**Service Enumeration** is the gathering of detailed information about services
running on open ports, such as version numbers and configurations. This
information can be sued to identify known vulnerabilities associated with
specific services.

### Gaining Access

**Exploitation** is the attempt to exploit identified vulnerabilities in order
to gain unauthorized access to systems or applications. This might involve
using known exploits, custom scripts, or socail engineering techniques.

**Password Attacks** describes the attempt of trying to crack passwords or gain
unauthorized access by exploiting weak or default credentials.

### Privilege Escalation

**Vertical Movement** is the attempt to gain higher levels of access within the
system, potentially through exploiting misconfigurations or vulnerabilities
that allow for privilege elevation.

**Lateral Movement** is the attempt to move laterally within a computer system
to compromise additional systems, potentially exploiting trust relationships or
shared vulnerabilites.

### Covering Tracks

**Removing Evidence** describes taking steps to erase or alter  any traces of
the penetration testing activities to avoid detection. This might involve
deleting logs, altering timestamps, or other techniques to hide the tester's
presence.

**Backdooring** is the introduction of backoors to persistent access points to
maintain access.

### Reporting

**Findings Documentation** includes detail of the vulnerabilities that were
successfully exploited, the impact of each vulnerability, and the steps taken
to exploit them.

**Risk Assessment** is the assessment of potential business impact of each
vulnerability, considering factors such as data exposure, service disruption,
and financial consequences.

**Recommendations** provide actionable remmediation, including prioritization
of vulnerabilities based on their severity and potential impact.

**Lessons Learned** reflect on the testing process and provide insights into
the organization's security posture, including areas of strengths and
improvements.

## References

* [NIST](https://www.nist.gov/cyberframework)
* [OWASP](https://owasp.org/www-project-web-security-testing-guide/v42/)
* [OSSTMM3](https://www.isecom.org/OSSTMM.3.pdf)
* [CREST](https://www.redscan.com/news/a-guide-to-crest-penetration-testing/)
* [CAF](https://www.ncsc.gov.uk/collection/caf/caf-principles-and-guidance)
* [MITRE ATT&CK](https://tryhackme.com/room/mitre)
* [Atomic Red Team](https://github.com/redcanaryco/atomic-red-team)
* [TIBER-EU](https://www.ecb.europa.eu/paym/cyber-resilience/tiber-eu/html/index.en.html)
* [Red Team Handbook](https://usacac.army.mil/sites/default/files/documents/RT_Handbook_v6.pdf)
* [Adversary Emulation Library](https://github.com/center-for-threat-informed-defense/adversary_emulation_library.git)