feat: add universal and missing ADCS techniques to scoreboard logic #207

Merged: l50 merged 2 commits into main from scoreboard-esc8-and-universal-techniques on May 16, 2026
@l50 (Contributor) commented May 16, 2026

Key Changes:

  • Added support for ADCS ESC8, ESC5, and ESC14 techniques in scoreboard logic
  • Implemented universal technique attribution for default lab vulnerabilities
  • Updated tests and config to include new techniques and ensure coverage

Added:

  • Universal technique attribution function - Added addUniversalTechniques to
    scoreboard generation, crediting lab-wide vulnerabilities such as noPac,
    PrintNightmare, ZeroLogon, Certifried, Machine Account Quota abuse, MITM6,
    and others, making them visible regardless of per-host markers
  • New ADCS techniques - Included ADCS ESC5, ESC8, and ESC14 in the scoreboard
    label mapping for complete coverage of known ADCS escalation paths

Changed:

  • Scoreboard extraction logic - Replaced hardcoded "child_to_parent"
    technique with call to addUniversalTechniques to generalize handling of
    lab-wide vulnerabilities
  • Config updates - Added "adcs_esc8" to the list of applicable vulns in
    specific lab host configurations to reflect new technique coverage
  • Test coverage - Extended expected answer keys in tests to include
    "adcs_esc8", noPac, PrintNightmare, ZeroLogon, Certifried, machine account
    quota, mitm6, and other universal techniques to match new logic

Removed:

  • Direct addition of "child_to_parent" technique in extraction function,
    replaced by new universal handling logic

**Added:**

- Included "adcs_esc8" in vulnerable techniques for relevant lab entities in the config
- Added new ADCS techniques ("adcs_esc5", "adcs_esc8", "adcs_esc14") to scoreboard labels
- Introduced universal techniques (e.g., "nopac", "printnightmare", "zerologon",
  "cve_2019_1040", "certifried", "krbrelayup", "machine_account_quota", "mitm6")
  via a dedicated function to ensure they are always credited
- Updated test expectations to cover the new and universal techniques

**Changed:**

- Refactored extraction of techniques to add universal techniques for every lab,
  replacing previous static addition of "child_to_parent"
- Improved documentation in code comments for universal techniques logic

@dreadnode-renovate-bot (bot) added labels lab/GOAD (Changes made to GOAD lab) and area/ad-labs (Changes made to AD lab definitions) on May 16, 2026

**Added:**

- Added logic to credit ESC8 technique when any domain has Web Enrollment enabled
  by introducing addADCSWebEnrollmentTechnique function in the scoreboard
  generator

**Changed:**

- Updated technique extraction flow to call addADCSWebEnrollmentTechnique,
  ensuring ESC8 is recognized at the domain level rather than per host

**Removed:**

- Removed "adcs_esc8" from per-host 'vulns' lists in config.json to prevent
  Ansible from dispatching non-existent vulns_adcs_esc8 role

@l50 merged commit 995c182 into main on May 16, 2026 (9 checks passed)

@l50 deleted the scoreboard-esc8-and-universal-techniques branch on May 16, 2026 18:55
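
The attribution flow described in this pull request, sketched as an added example in Go; it is not the project's code, and the project's language is not stated on this page. The `Lab` fields and the sample domain, host and vuln names are assumptions; the function names, technique labels and the `vulns_<name>` role convention come from the text above. It shows ESC8 being credited from a domain-level setting while staying out of the per-host role list.

```go
package main

import ("fmt"; "sort")

// Lab is a hypothetical config shape (assumed fields, not the project's schema).
type Lab struct {
	WebEnrollment map[string]bool     // domain -> Web Enrollment enabled
	HostVulns     map[string][]string // host -> vulns; each runs role vulns_<name>
}

// addUniversalTechniques credits the lab-wide techniques named in the PR text.
func addUniversalTechniques(set map[string]bool) {
	for _, t := range []string{"nopac", "printnightmare", "zerologon", "cve_2019_1040",
		"certifried", "krbrelayup", "machine_account_quota", "mitm6"} {
		set[t] = true
	}
}

// addADCSWebEnrollmentTechnique credits ESC8 if any domain enables Web Enrollment.
func addADCSWebEnrollmentTechnique(lab Lab, set map[string]bool) {
	for _, on := range lab.WebEnrollment {
		if on {
			set["adcs_esc8"] = true
		}
	}
}

// extractTechniques returns the sorted answer key and the roles Ansible would run.
func extractTechniques(lab Lab) (key, roles []string) {
	set := map[string]bool{}
	for _, vulns := range lab.HostVulns {
		for _, v := range vulns {
			set[v] = true
			roles = append(roles, "vulns_"+v) // only per-host vulns become roles
		}
	}
	addUniversalTechniques(set)
	addADCSWebEnrollmentTechnique(lab, set)
	for t := range set {
		key = append(key, t)
	}
	sort.Strings(key)
	sort.Strings(roles)
	return key, roles
}

func main() { // constructed sample lab
	lab := Lab{map[string]bool{"lab.example": true}, map[string][]string{"srv01": {"example_vuln"}}}
	fmt.Println(extractTechniques(lab))
}
```

With `adcs_esc8` derived from the domain setting, the answer key contains it but the role list never contains `vulns_adcs_esc8`.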