pasta-attack-sim

# PASTA Stage 6: Attack Simulation
Simulate realistic exploit chains by combining Stage 4 threats with Stage 5
vulnerabilities. Score each scenario by exploitability and impact, and assess
whether existing controls detect or prevent each chain.
## Supported Flags

Read `../../shared/schemas/flags.md` for the full flag specification. Key behaviors:

| Flag | Stage 6 Behavior |
|---|---|
| | Inherits from prior stages. Uses vulnerability inventory and threat catalog, not raw source. |
| | Top 3 most critical exploit chains only, basic scoring. |
| | Full attack trees for all high/critical pairs, DREAD scoring. |
| | Standard + detection gap analysis, control bypass assessment, multi-stage pivots. |
| | Deep + red team persona simulation with step-by-step exploit narratives. |
| | Filter to attack scenarios above the specified impact level. |
## Framework Context

Read `../../shared/frameworks/pasta.md`, Stage 6 section. PASTA is SEQUENTIAL.
Stage 6 consumes Stages 1-5 output and feeds Stage 7.

## Prerequisites
Required: Stage 5 output -- vulnerability inventory with CWE mappings and
vulnerability-threat correlations. Also needs: business assets (Stage 1), entry
points (Stage 2), components and trust boundaries (Stage 3), threat catalog
(Stage 4). If unavailable, warn and assume.
## Workflow

### Step 1: Identify Attack Pairs
Combine threats with vulnerabilities. Prioritize pairs targeting business-critical
assets. Discard pairs fully mitigated by existing controls.
### Step 2: Construct Exploit Chains
For each high-priority pair, build multi-step scenarios covering: entry point,
exploitation, lateral movement, privilege escalation, objective reached, and
exfiltration/impact. Construct attack trees showing alternate paths:

```
Goal: [Business-critical asset]
OR
+-- Path A: [Entry point] -> [Vuln-1] -> [Pivot] -> [Target]
+-- Path B: [Entry point] -> [Vuln-2] -> [Escalation] -> [Target]
```

### Step 3: Score Exploitability (DREAD)
| Factor | Criteria |
|---|---|
| Damage | 10 = full compromise, 1 = minor info leak |
| Reproducibility | 10 = every time, 1 = race condition |
| Exploitability | 10 = script kiddie, 1 = nation-state |
| Affected Users | 10 = all users, 1 = single user |
| Discoverability | 10 = publicly known, 1 = insider knowledge |
DREAD Score = Average of all five factors (0-10).
### Step 4: Assess Detection Gaps
For each chain: is exploitation logged? Would alerts fire? Would WAF/IDS block
it? Is rate limiting effective? Would post-exploitation behavior be detected?
### Step 5: Identify Control Bypasses
For each security control: can it be bypassed via alternative paths? Does it
cover all entry points? Are there timing windows? Can the attacker degrade it?
### Step 6: Rank Attack Scenarios
Order by: DREAD score, business impact, attack complexity (simpler = higher),
detection coverage (undetectable = higher).
## Analysis Checklist
- Can low-severity vulns chain into high-impact exploits?
- What is the shortest path from internet to most sensitive data?
- Would current logging detect this attack in progress?
- What skill level and tooling is required per path?
- Are there paths that bypass all existing controls?
- Can a single compromised credential yield full system access?
- Are there TOCTOU windows exploitable in chains?
- What is the blast radius of the most likely attack?
## Output Format

Stage 6 produces Attack Scenarios with Exploit Chains. ID prefix: PASTA (e.g., `PASTA-ATK-001`).

```markdown
PASTA Stage 6: Attack Simulation

ATK-001: [Scenario Name]
Target: [Asset] | Actor: [Profile] | DREAD: X.X
Chain: Entry point -> Vuln exploited -> Access gained -> Pivot -> Objective

| Damage | Reproducibility | Exploitability | Affected Users | Discoverability | Score |
|---|---|---|---|---|---|
| X | X | X | X | X | X.X |
| Detection: Logging [Y/N], Alerting [Y/N], WAF [Y/N] | |||||
| Gaps: [Missing controls] |

Attack Scenario Summary

| ID | Scenario | DREAD | Target Asset | Complexity | Detected |
|---|---|---|---|---|---|
| ATK-001 | ... | X.X | ... | Low/Med/High | Yes/No |

Detection Gap Summary

| Gap | Scenarios Affected | Recommendation |
|---|---|---|
```
Findings follow `../../shared/schemas/findings.md` with:
- `dread`: Full DREAD scoring object
- `references.mitre_attck`: technique IDs, `references.cwe`: exploited CWE IDs
- `metadata.tool`: `"pasta-attack-sim"`, `metadata.framework`: `"pasta"`, `metadata.category`: `"Stage-6"`
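As an added worked example (not code from the pasta-attack-sim tool or the shared schemas), the following Python walks Steps 1, 3, 4 and 6 of the Workflow above and emits records carrying the `dread`, `references` and `metadata` fields listed in this Output Format section. Every threat, vulnerability, control, DREAD factor value and ATT&CK technique ID is a constructed sample input; the dataclasses, function names, the 1-5 asset criticality scale and the `prevents`/`detects` control attributes are assumptions made for illustration, not the project's data model.

```python
"""PASTA Stage 6 worked example: pair threats with vulnerabilities, drop fully
mitigated pairs, DREAD-score each chain, check detection coverage, rank the
scenarios, and emit findings-shaped records. All inputs are constructed."""
from dataclasses import dataclass
from itertools import product
from typing import Dict, List

@dataclass(frozen=True)
class Threat:            # Stage 4 threat catalog entry (hypothetical structure)
    id: str
    name: str
    cwes: frozenset      # CWE IDs this threat is able to exploit
    attck: tuple         # ATT&CK technique IDs (sample values)

@dataclass(frozen=True)
class Vuln:              # Stage 5 vulnerability inventory entry (hypothetical)
    id: str
    cwe: str
    component: str
    asset: str           # business asset reached through this vuln
    criticality: int     # assumed Stage 1 business criticality, 1 (low) to 5 (high)

@dataclass(frozen=True)
class Control:           # an existing security control (hypothetical structure)
    name: str
    kind: str            # "logging" | "alerting" | "waf"
    prevents: frozenset  # vuln IDs the control fully mitigates
    detects: frozenset   # vuln IDs whose exploitation it would log/alert/block

DREAD_FACTORS = ("damage", "reproducibility", "exploitability",
                 "affected_users", "discoverability")

def dread_score(factors: Dict[str, int]) -> float:
    """Step 3: DREAD score is the average of the five 0-10 factors."""
    missing = set(DREAD_FACTORS) - set(factors)
    if missing:
        raise ValueError(f"missing DREAD factors: {sorted(missing)}")
    if any(not 0 <= factors[f] <= 10 for f in DREAD_FACTORS):
        raise ValueError("DREAD factors must be in 0-10")
    return round(sum(factors[f] for f in DREAD_FACTORS) / len(DREAD_FACTORS), 1)

def identify_pairs(threats, vulns, controls) -> List[tuple]:
    """Step 1: threat/vuln pairs whose CWE matches, minus pairs fully mitigated
    by an existing control, most business-critical asset first."""
    prevented = set().union(*(c.prevents for c in controls))
    pairs = [(t, v) for t, v in product(threats, vulns)
             if v.cwe in t.cwes and v.id not in prevented]
    return sorted(pairs, key=lambda tv: -tv[1].criticality)

def detection_coverage(vuln, controls) -> Dict[str, bool]:
    """Step 4: would logging, alerting or the WAF see this exploitation?"""
    return {kind: any(vuln.id in c.detects for c in controls if c.kind == kind)
            for kind in ("logging", "alerting", "waf")}

COMPLEXITY_RANK = {"Low": 0, "Med": 1, "High": 2}   # simpler ranks higher

def rank_scenarios(scenarios):
    """Step 6: DREAD desc, business impact desc, simpler first, undetected first."""
    return sorted(scenarios, key=lambda s: (-s["dread"]["score"], -s["criticality"],
                                            COMPLEXITY_RANK[s["complexity"]],
                                            s["detected"]))

def build_scenario(idx, threat, vuln, factors, complexity, controls) -> dict:
    """One attack scenario carrying the findings fields from the Output Format."""
    cov = detection_coverage(vuln, controls)
    return {
        "id": f"PASTA-ATK-{idx:03d}", "threat": threat.id, "vuln": vuln.id,
        "asset": vuln.asset, "criticality": vuln.criticality,
        "complexity": complexity,
        "dread": {**factors, "score": dread_score(factors)},
        "detection": cov, "detected": any(cov.values()),
        "references": {"mitre_attck": list(threat.attck), "cwe": [vuln.cwe]},
        "metadata": {"tool": "pasta-attack-sim", "framework": "pasta",
                     "category": "Stage-6"},
    }

# Constructed sample inputs (not real findings).
THREATS = [
    Threat("T-01", "SQL injection via public API", frozenset({"CWE-89"}), ("T1190",)),
    Threat("T-02", "Credential stuffing against login", frozenset({"CWE-307"}), ("T1110.004",)),
]
VULNS = [
    Vuln("V-01", "CWE-89", "orders-api", "customer PII database", 5),
    Vuln("V-02", "CWE-307", "login-service", "user accounts", 4),
    Vuln("V-03", "CWE-89", "admin-reports", "reporting database", 3),
]
CONTROLS = [
    Control("Edge WAF", "waf", prevents=frozenset(), detects=frozenset({"V-01"})),
    Control("Login rate limit", "alerting", prevents=frozenset({"V-02"}),
            detects=frozenset({"V-02"})),
]
# Analyst-assigned DREAD factors and complexity per vulnerability (sample values).
SAMPLE_FACTORS = {
    "V-01": {"damage": 9, "reproducibility": 8, "exploitability": 7,
             "affected_users": 9, "discoverability": 6},
    "V-03": {"damage": 6, "reproducibility": 9, "exploitability": 5,
             "affected_users": 3, "discoverability": 2},
}
SAMPLE_COMPLEXITY = {"V-01": "Low", "V-03": "Med"}

def run_stage6(threats=THREATS, vulns=VULNS, controls=CONTROLS) -> List[dict]:
    """Run Steps 1, 3, 4 and 6 over the sample data and return ranked scenarios."""
    pairs = identify_pairs(threats, vulns, controls)
    scenarios = [build_scenario(i, t, v, SAMPLE_FACTORS[v.id],
                                SAMPLE_COMPLEXITY[v.id], controls)
                 for i, (t, v) in enumerate(pairs, start=1)]
    return rank_scenarios(scenarios)

if __name__ == "__main__":
    for s in run_stage6():   # V-02 is dropped: fully mitigated by the rate limit
        print(f"{s['id']} DREAD={s['dread']['score']} asset={s['asset']} "
              f"complexity={s['complexity']} detected={s['detected']}")
```

With the sample data the credential-stuffing pair is discarded in Step 1 because the rate limit fully mitigates it, the SQL-injection chain against the PII database scores 7.8 and ranks first even though the WAF would see it, and the reporting-database chain scores 5.0 and is flagged as undetected, which is the kind of gap the Detection Gap Summary is meant to surface.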

## Next Stage
Stage 7: Risk & Impact Analysis (`pasta-risk`). Pass attack scenarios, DREAD
scores, and detection gaps. Stage 7 combines technical exploitability with Stage 1
business impact to produce risk-weighted scores and a remediation roadmap.