[Scenarios] Parent-Child Relationships #41

Open
debifrank opened this issue Dec 23, 2022 · 1 comment
@debifrank
Contributor

Explanation

To enable branching in attack narratives, enable scenarios to be nested under each other.

  • To present the graph of the parent or child scenarios: begin with the parent, and then branch into the child routes
  • To present the threat matrix deliverable: Make a narrative combining the parent with each branch

Example

  • Parent: Attacker achieves initial access through a hardware implant and is able to capture relayed domain credentials
    • Child1: Attacker utilizes the relayed domain credential to abuse ADCS misconfigurations and execute a DCSync
    • Child2: Attacker utilizes the relayed domain credential to abuse CVE-2021-36942, gain DA privileges, and deploy ransomware to the environment

Graph

```mermaid
graph TD;
    Parent1-->Child1;
    Parent1-->Child2;
```

Threat Matrix

| ID | Name |
|---|---|
| Scenario 1 | Hardware Implant to DCSync |
| Scenario 2 | Hardware Implant to Ransomware |
@debifrank
Contributor Author

Additionally, to allow for branching and merging through child elements, scenarios should reference their own parents and immediate children to allow for the following graph structure:

```mermaid
graph TD;
    Root-->Child1;
    Root-->Child2;
    Child1-->Child3;
    Child1-->Child4;
    Child2-->Child5;
    Child2-->Child6;
    Child3-->Child7;
    Child4-->Child7;
    Child5-->Child8;
    Child6-->Child8;
    Child7-->Child9;
    Child8-->Child9;
```
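The parent and child references proposed in this thread, sketched as an added example that is not part of the issue or the project's code: every root-to-leaf path through the branching and merging graph becomes one threat matrix row. The `Scenario` class and the `link`, `build` and `narratives` helpers are hypothetical names, and the edge list is constructed from the second graph above.

```python
from dataclasses import dataclass, field

@dataclass
class Scenario:
    """Hypothetical node: a scenario that references its parents and immediate children."""
    name: str
    parents: list = field(default_factory=list)
    children: list = field(default_factory=list)

def link(graph, parent, child):
    """Record the edge on both ends so parent and child references stay consistent."""
    p = graph.setdefault(parent, Scenario(parent))
    c = graph.setdefault(child, Scenario(child))
    if child not in p.children:
        p.children.append(child)
        c.parents.append(parent)

def build(edges):
    """Build the scenario graph from (parent, child) pairs."""
    graph = {}
    for parent, child in edges:
        link(graph, parent, child)
    return graph

def narratives(graph):
    """Return every root-to-leaf path; each path is one combined narrative."""
    rows, seen = [], set()
    def walk(name, path):
        if name in path:  # a scenario cannot be its own ancestor
            raise ValueError("cycle: " + " -> ".join(path + [name]))
        seen.add(name)
        path = path + [name]
        if not graph[name].children:
            rows.append(path)
        for child in graph[name].children:
            walk(child, path)
    for root in [n.name for n in graph.values() if not n.parents]:
        walk(root, [])
    if len(seen) != len(graph):  # nodes no root reaches can only sit on a cycle
        raise ValueError("scenarios unreachable from any root (cycle)")
    return rows

# Constructed sample: the edges of the second graph in this thread.
EDGES = [("Root", "Child1"), ("Root", "Child2"), ("Child1", "Child3"), ("Child1", "Child4"),
         ("Child2", "Child5"), ("Child2", "Child6"), ("Child3", "Child7"), ("Child4", "Child7"),
         ("Child5", "Child8"), ("Child6", "Child8"), ("Child7", "Child9"), ("Child8", "Child9")]

if __name__ == "__main__":
    for i, row in enumerate(narratives(build(EDGES)), 1):
        print(f"Scenario {i}: " + " -> ".join(row))
```

Merges multiply rows rather than collapsing them: the twelve edges above yield four narratives, so a deliverable built this way grows with every branch upstream of a merge point.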
