refactor: extract, document, and test pure work selection and payload builders#233
Merged
) **Key Changes:**
- Added extensive unit and integration tests across all modules in ares-cli, ares-core, ares-llm, and ares-tools
- Improved test coverage for pure functions, builder APIs, input validation, and end-to-end tool workflows
- Introduced mock executor for ares-tools to enable isolated tool wrapper testing
- Enhanced test assertions to cover edge cases, deduplication, and error handling
**Added:**
- Unit tests for config, deduplication, label normalization, user and credential processing, and MITRE technique detection in ares-cli
- Direct tests for time window plumbing, builder logic, and detection query composition in detection/techniques
- Test modules for orchestrator automation helpers, deduplication keys, domain/host logic, and parent/child domain matching
- Test coverage for orchestrator state persistence, publishing, milestones, and redis-backed dedup sets
- Tests for result processing, admin checks, parsing, timeline event classification, and critical hash detection
- Mock Redis connection and in-memory state for ares-core, including scan, pipeline, and set/hash/list operations
- End-to-end and unit tests for gap analysis, recommendations, ground truth transformation, and scoring in ares-core eval modules
- Tests for telemetry propagation (traceparent injection/setting), state readers/writers, and blue operations in ares-core
- Blue and red/blue correlation tests for technique matching, gap reason analysis, and coverage calculation
- Default test features for blue team support in ares-core, ares-llm, and ares-tools
- Unit and integration tests for tool registry logic, agent role parsing, and blue tool capability assignment in ares-llm
- Test coverage for all tool wrapper functions in ares-tools, including argument validation, command builder APIs, and output sanitization
- Tests for output parsers, including SMB, LDAP, BloodHound, delegation, and credential spider logic
**Changed:**
- Refactored code to allow easier dependency injection for testability (e.g., generic TaskQueueCore over connection type)
- Adjusted some test-only code paths to use #[cfg(test)] or
- Improved test assertions to cover corner cases, deduplication, ordering, and fallback logic
- Updated test data to use consistent sample IPs, domains, and hostnames across modules
- Enhanced test performance by using in-memory or tempfile-backed stores for persistence tests
**Removed:**
- Unused or dead test helper modules (e.g., resume_helper.rs in orchestrator recovery)
- Redundant #[allow(dead_code)] attributes on enums and structs now covered by tests
- Legacy or placeholder test code in favor of comprehensive, behavior-driven test suites
…ogon exploits
**Added:**
- Automated detection and exploitation modules for:
- noPac (CVE-2021-42287/42278): computer account manipulation to enable DCSync
- PrintNightmare (CVE-2021-1675): Print Spooler DLL injection for SYSTEM access
- NTLM relay: automatic orchestration of relay attacks (SMB->LDAP, ADCS ESC8)
- Zerologon (CVE-2020-1472): Netlogon protocol check for DCs
- New deduplication set constants for each technique to prevent redundant dispatches
- New test coverage for deduplication keys and technique registration
**Changed:**
- Registered new automation tasks in the orchestrator automation module and spawner
- Integrated new deduplication sets into deduplication tracking and tests
- Added new techniques to all strategy weight presets (fast, comprehensive, stealth)
- Updated strategy tests to verify inclusion and correct prioritization of new techniques
- Updated GOAD checklist documentation to reflect dispatch and test status for added CVE exploits
**Added:**
- Introduced `auto_share_coercion` automation to drop coercion files (.scf, .url, .lnk) on writable shares for NTLMv2 hash capture; integrates with dispatcher and deduplication logic
- Added `auto_smb_signing_detection` automation to scan discovered hosts for SMB signing disabled and publish vulnerabilities for NTLM relay
- Registered both automation tasks in the automation spawner for concurrent execution
- Included test coverage for deduplication and vulnerability key generation in new modules
**Changed:**
- Exported `auto_share_coercion` and `auto_smb_signing_detection` from automation module for external use
- Updated attack strategy presets (fast, comprehensive, stealth) to include weights for `share_coercion` technique, ensuring prioritized dispatching
- Expanded the GOAD checklist documentation to reflect coverage and results for SMB signing and file-based coercion automation, increasing network poisoning & relay and user-level/coercion coverage statistics
**Removed:**
- Outdated checklist items and comments for coercion attacks that are now automated in `goad-checklist.md`
…, ldap signing, webdav
**Added:**
- Introduced `auto_mssql_coercion` to dispatch NTLM authentication coercion from MSSQL servers using xp_dirtree/xp_fileexist, enabling relay/cracking of service account hashes
- Added `auto_password_policy` to enumerate password policies per domain, supporting safer password spraying and lockout avoidance
- Added `auto_gpp_sysvol` for scanning SYSVOL for Group Policy Preferences passwords and credential artifacts, combining GPP XML and script searches
- Added `auto_ntlmv1_downgrade` to detect DCs allowing NTLMv1 authentication, enabling capture of easily crackable hashes via downgrade attacks
- Introduced `auto_ldap_signing` to check for LDAP signing/channel binding enforcement on each DC, identifying relay/NTLM vulnerabilities
- Added `auto_webdav_detection` to detect WebDAV-enabled hosts for NTLM relay and proactively register related vulnerabilities for downstream modules
**Changed:**
- Registered new deduplication sets in state for mssql coercion, password policy, gpp sysvol, ntlmv1 downgrade, ldap signing, and webdav detection
- Updated automation module exports and mod.rs to include all new automation tasks for orchestration
- Registered new automation spawns in `automation_spawner.rs` to ensure new modules are launched at runtime
- Expanded strategy module to assign priorities to new automation techniques across all strategy presets (fast, comprehensive, stealth)
- Synchronized deduplication set lists and tests to cover all new dedup sets
…eral checks
**Added:**
- Automated detection and dispatch of Print Spooler service checks on discovered hosts (`auto_spooler_check`)
- Automated per-domain MachineAccountQuota (MAQ) checks to support machine account attack paths (`auto_machine_account_quota`)
- Automated DFSCoerce (MS-DFSNM) NTLM coercion dispatch against uncoerced DCs (`auto_dfs_coercion`)
- Automated unauthenticated PetitPotam (MS-EFSRPC) coercion attempts against DCs (`auto_petitpotam_unauth`)
- Automated WinRM lateral movement attempts using owned credentials against hosts with WinRM indicators (`auto_winrm_lateral`)
- Unit tests for deduplication key and set name for all new modules
**Changed:**
- Registered new deduplication set constants and integrated them with the dedup system (`DEDUP_SPOOLER_CHECK`, `DEDUP_MACHINE_ACCOUNT_QUOTA`, `DEDUP_DFS_COERCION`, `DEDUP_PETITPOTAM_UNAUTH`, `DEDUP_WINRM_LATERAL`)
- Updated automation task spawner to launch new automation modules
- Re-exported new automation functions in the automation module for unified API
- Added new techniques to the strategy module with appropriate priority weights for fast, comprehensive, and stealth modes
- Updated GOAD checklist documentation to reflect coverage and automation for Print Spooler, WinRM lateral, and WebDAV checks, and adjusted statistics for privilege escalation, lateral movement, and coercion coverage
**Removed:**
- No removals in this change
…coverage
**Added:**
- Automated certificate abuse: `auto_certifried` module for CVE-2022-26923 machine account DNS spoofing and `auto_certipy_auth` for certificate-based authentication
- DNS attack surface: `auto_dns_enum` module for zone transfer and SRV/A/CNAME record enumeration from DCs
- LDAP enumeration: `auto_domain_user_enum` for per-domain user enumeration, `auto_group_enumeration` for group memberships, and `auto_foreign_group_enum` for cross-domain/forest group memberships
- Privilege escalation & credential access: `auto_krbrelayup` for Kerberos relay attacks when LDAP signing is weak, `auto_lsassy_dump` for LSASS memory dump on owned hosts
- Lateral movement: `auto_rdp_lateral` for RDP lateral movement to port 3389 hosts, `auto_pth_spray` for pass-the-hash spray, and `auto_localuser_spray` for explicit localuser credential checks across DCs
- User coercion: `auto_searchconnector_coercion` for dropping .searchConnector-ms files on writable shares for WebDAV relay
- SID and well-known account mapping: `auto_sid_enumeration` to resolve domain SIDs and enumerate renamed administrator accounts
- Registered all new deduplication sets in orchestrator state and updated dedup tracking for each automation
- Comprehensive test coverage for dedup key formats and logic for all new modules
**Changed:**
- Expanded `mod.rs` to include all new automation modules in the orchestrator
- Updated `automation_spawner.rs` to spawn all new automation tasks
- Extended deduplication set arrays and ALL_DEDUP_SETS in orchestrator state to include new modules for dedup and persistence
- Updated strategy weights (fast, comprehensive, stealth) to assign priorities to new automation techniques, ensuring they're integrated into all operational modes
- Improved documentation checklist to reflect the addition and coverage of new automation modules, including credential discovery, lateral movement, coercion, and enumeration techniques
**Removed:**
- No removals; all changes extend automation coverage and infrastructure
**Added:**
- Implemented auto_dacl_abuse for direct ACL abuse on known attack paths, dispatching abuses such as ForceChangePassword, GenericWrite, WriteDacl, WriteOwner, and GenericAll when matching credentials and targets are found
- Introduced auto_smbclient_enum to perform authenticated SMB share enumeration using available credentials, complementing unauthenticated enumeration
- Unit tests for deduplication logic in both new modules
**Changed:**
- Registered auto_dacl_abuse and auto_smbclient_enum modules and their public exports in the automation orchestration layer
- Spawned new automation tasks for dacl abuse and smbclient enum in the automation task spawner
- Added deduplication constants and updated ALL_DEDUP_SETS for new automation tasks in state management
- Incorporated dacl_abuse and smbclient_enum into automation strategy weights for all presets (fast, comprehensive, stealth)
- Updated GOAD checklist to reflect new automation coverage, marking Certifried as dispatched and adjusting attack/coverage counts
…tool reliability
- Redesign comprehensive strategy weights to use a three-tiered system that prioritizes exploitation breadth over speed-to-DA, with Tier 1 for ADCS, delegation, NTLM relay; Tier 2 for credential pipeline; Tier 3 for recon
- Pass --always-continue to coercer and petitpotam to prevent EOF on interactive prompts
- Fix DFSCoerce to use positional args matching CLI expectations
- Add setuptools install to noPac venv in Ansible role (provides pkg_resources)
- Update tests to validate tiered weights instead of flat priorities
…verage
**Added:**
- Introduced `acl_discovery` automation module for discovering ACL attack paths via targeted LDAP queries, bridging the gap between BloodHound collection and DACL exploitation. Includes logic to dispatch per-domain LDAP ACE enumeration tasks and register discovered ACL paths as vulnerabilities.
- Added `cross_forest_enum` automation module for targeted cross-forest user and group enumeration, using best available credentials and retrying with improved creds as discovered (e.g., via hash cracking or pivots).
- Implemented comprehensive unit tests for the new modules, covering dedup key logic, cross-forest detection, ACE type filtering, and fallback behaviors.
- Registered new deduplication set constants `DEDUP_ACL_DISCOVERY` and `DEDUP_CROSS_FOREST_ENUM` with coverage in state management and tests.
- Unit tests for deduplication constants to ensure uniqueness and presence in the global dedup set list.
**Changed:**
- Refined `auto_adcs_enumeration` to select credentials on a per-domain basis, ensuring proper handling of cross-domain ADCS hosts.
- Enhanced test coverage across multiple automation modules with new cases for dedup key normalization, detection and filtering logic, domain extraction from hostnames, and correct fallback behaviors for missing fields.
- Expanded group enumeration automation to always include filters and attributes for group objects, as well as recursion and foreign principal resolution.
- Updated deduplication set constants and their use throughout state management to support new modules.
- Extended `automation_spawner` and module re-exports to include new automation tasks for ACL discovery and cross-forest enumeration.
- Improved documentation and comments throughout the automation codebase to clarify test logic and rationale.
**Removed:**
- Eliminated fallback logic in `auto_adcs_enumeration` that previously selected a single credential for all ADCS hosts, in favor of per-domain selection.
**Added:**
- Introduced detailed unit tests for automation modules in the following areas:
  - Validated payload JSON structure and fields for each attack technique
  - Verified struct construction and field assignments for all work types
  - Checked deduplication key normalization and uniqueness logic per context
  - Asserted credential domain/user matching (including case-insensitivity)
  - Ensured service detection logic for SMB, RDP, WinRM, WebDAV, and others
  - Added coverage for selection/fallback logic in credential and user queries
  - Tested edge cases (e.g., empty domains, dedup keys, fallback fields, limits)
  - Confirmed correct logic for admin/writable share filtering and permission checks
  - Verified protocol and attribute lists for LDAP and other enumeration modules
**Changed:**
- Significantly increased unit test coverage across all orchestrator/automation modules
- Strengthened assertions to ensure correct business logic for all main workflows
- Unified style and approach to test construction and assertions for consistency
**Removed:**
- No code or test removals; all changes are additive to improve test coverage and reliability
**Added:**
- Introduced pure functions (e.g., `collect_acl_discovery_work`, `collect_adcs_work`, `collect_certifried_work`, etc.) for each automation module to encapsulate work item construction logic, enabling unit testing without dispatcher or async runtime
- Added comprehensive unit tests for each new work collection function, validating all edge cases and credential selection logic
**Changed:**
- Refactored automation modules to delegate work item construction to the new pure `collect_*_work` functions, reducing code duplication and improving testability
- Updated per-automation test modules to cover both original and new work collection logic, improving test coverage
- Made `StateInner::new` public within the crate to enable state construction in tests and work functions
- Ensured that all deduplication, credential selection, and domain matching logic is now unit-testable and consistent across modules
**Removed:**
- Removed large inline work item construction blocks from async automation routines, replacing them with calls to the new pure logic functions
…overy improvements
**Added:**
- Implement cross-domain LDAP operation support by adding `bind_domain` logic to orchestrator and tool payloads
- Introduce `smb_login_check` tool for checking SMB credential validity and admin status; add orchestration, parsing, and dispatch support
- Add `DeferredQueue::total_count()` method for deferred task monitoring
- Emit timeline event when golden ticket is forged for attack path tracking
- Wait for active and deferred red team tasks to drain before shutdown, with a 5-minute cap
**Changed:**
- Update LDAP-using orchestrator modules (`acl_discovery`, `domain_user_enum`, `group_enumeration`, `ldap_signing`) to support cross-domain operations by conditionally adding `bind_domain` to payload
- Expand user discovery logic to accept and process new trusted sources: `ldap_group_enumeration`, `acl_discovery`, `foreign_group_enumeration`, `ldap_enumeration` in both parsing and polling
- Enhance group and ACL enumeration instructions to clarify required `discovered_users` output format for all users found, including cross-domain memberships
- Add `smb_login_check` to tool routing as a recon and auth-bearing tool
- Add weight entries for `cross_forest_enum` and `acl_discovery` in all strategy presets, with associated tests
- Clarify `ldap_search` and `ldap_search_descriptions` docs and logic to support `bind_domain` for correct authentication context
- Set HOME env for xfreerdp execution to avoid user profile issues
**Removed:**
- Remove `--admin-status` flag from `domain_admin_checker` since netexec reports admin automatically
- Remove unnecessary test attribute guard from `ActiveTaskTracker::total()` for production use
**Added:**
- Emit timeline events for admin upgrades, exploitation, lateral movement (S4U), and domain admin achievement with MITRE technique mapping
- Add defense-in-depth sanitation for span target IPs/FQDNs, rejecting CIDRs, multi-value strings, and malformed input at both span builder and extraction
- Unit tests for target info extraction: CIDR/multi-token rejection, nmap arg parsing, coverage of new edge cases
- Timeline event for DA auto-set from krbtgt hash in state publishing
**Changed:**
- Improved discovery observability: for "hosts" discoveries, emit a span per discovered host for accurate destination.address attribution
- Enhanced cross-forest and group enumeration instructions for LLM agents, specifying strict JSON schema for discovered users and explicit vuln reporting
- Certipy instructions for ADCS recon updated with explicit vulnerable template reporting, including guidance for mapping ESC types and failure fallback
- Timeline events now include richer MITRE ATT&CK mappings based on exploitation technique, such as Kerberoasting, RBCD, ADCS ESCs, etc.
- All user enumeration in essos.local marked as complete in goad-checklist.md
- Unconstrained delegation and MSSQL exploitation status updated for clarity in goad-checklist.md
- Coverage table in goad-checklist.md updated: user enumeration, group parsing, ADCS enumeration, lateral movement, and trust exploitation status refreshed
**Removed:**
- Redundant or duplicate timeline event emission for DA achievement in favor of unified event creation with full context and MITRE mapping
**Changed:**
- Updated logic to check if event description already starts with 'CRITICAL:' before prepending the prefix, ensuring it is not added multiple times in `print_attack_path` function within the loot display formatter
… for multi-domain AD
**Added:**
- Introduced `resolve_dc_ip` and `all_domains_with_dcs` methods to StateInner for
robust domain controller IP resolution across all known, trusted, and discovered
domains, improving automation coverage in multi-domain and trust scenarios
- Added trust credential fallback logic (`find_trust_credential`) to enable child→parent
and cross-forest credential use for group/ACL/ADCS enumeration when no same-domain
cleartext credential is present
- Implemented multi-line rpcclient `queryuser` description/password extraction
for improved plaintext credential discovery (block-aware parser)
- Added machine hostname domain filtering (`is_machine_hostname_domain`) to prevent
SMB banners and UPNs from polluting domain context during user/password extraction
- Enhanced instructions and prompt context for LLM tasks to include explicit
pass-the-hash guidance and clarify fallback logic for AD trust/forest scenarios
- Updated ADCS tool wrappers and schemas to support pass-the-hash (`hashes` argument)
for certipy_find and rpcclient_command, with corresponding tool inventory updates
- Implemented post-exploitation grace period in completion logic to allow group/ACL/ADCS
automation to complete after DA/GT is achieved
**Changed:**
- Refactored all orchestrator automation modules to use `all_domains_with_dcs` for
DC iteration instead of direct `domain_controllers` mapping, ensuring complete
enumeration and task dispatch across all AD domains and trust relationships
- Updated credential selection logic for group/ACL/ADCS automation to:
- Only use same-domain cleartext creds for initial attempts
- Skip cross-domain creds unless a valid trust allows authentication
- Dispatch hash-based (PTH) tasks with distinct dedup keys so failed cred attempts
do not block hash fallback
- Revised group and ACL enumeration modules to generate and test dedup keys separately
for cred, hash, and trust credential attempts, preventing task starvation
- Updated LLM credential routing logic to correctly permit child→parent and bidirectional
cross-forest authentication, aligning with AD trust semantics
- Improved recon and privesc prompt templates to explicitly present technique, instructions,
NTLM hash context, and tool-specific notes for agent tasks
- Enhanced password and user extraction routines to ignore machine hostnames as domains,
ensuring only valid AD domains are tracked and assigned
- Lowered group/ACL automation intervals for faster post-DA post-exploitation coverage
- Updated test coverage for new trust/cred fallback logic, machine hostname filtering,
and rpcclient multi-user extraction
**Removed:**
- Eliminated fallback to `credentials.first()` for group/ACL/ADCS automation, preventing
accidental cross-domain task dispatch that would consume dedup slots with doomed attempts
- Removed acceptance of cross-domain creds for LDAP simple bind unless a trust relationship
is known and valid, improving automation reliability in multi-domain labs
**Added:**
- Added `mark_host_owned` method to persist host ownership in Redis and trigger downstream automations when admin access is confirmed
- Provided new debug and info logging for group enumeration, LDAP signing, and lsassy_dump automation modules to improve traceability
- Documented cross-domain authentication requirements and bind_domain usage in automation instructions and LLM prompt templates
- Extended tool schema for `ldap_search` (bind_domain) and `create_inter_realm_ticket` (optional extra_sid for child-to-parent escalation)
- Added test coverage for credential fallback in group enumeration and extra_sid handling in trust ticket creation
**Changed:**
- Refactored automation modules (`group_enumeration`, `ldap_signing`, `lsassy_dump`) to use `force_submit`, bypassing throttler to avoid blocking on long-running recon tasks
- Group enumeration and ACL discovery now support credential fallback across trusted domains using both explicit trusts and presence heuristics
- Group enumeration and LDAP signing automations now provide more detailed instructions, including correct hash handling and cross-domain bind guidance
- Improved domain resolution for result processing, ensuring correct attribution when extracting credentials or marking hosts as owned
- Trust exploitation prompt now resolves target DC hostname for Kerberos SPN accuracy, improving guidance for secretsdump_kerberos usage
- Updated tool wrappers to parse and use only the NT hash portion for pass-the-hash scenarios in rpcclient
- Increased the default and tested max concurrent tasks to 12 and set more conservative weights for group_enumeration and acl_discovery in fast mode
- Various documentation and checklist improvements to reflect new validation results, trust fallback logic, and accurate coverage assessment
**Removed:**
- Removed unnecessary debug logging from some automation modules for clarity
- Eliminated redundant golden ticket extra_sid logic from trust ticket creation (now optional and user-controlled)
- Pruned unreachable code paths in state and dispatcher modules
…ent wrap-up nudge (#306)
**Key Changes:**
- Implement deterministic exploitation chains for ADCS ESC4 and ESC8, bypassing unreliable LLM routing
- Add pure helpers for argument construction and parsing in ADCS automation with comprehensive unit tests
- Introduce a wrap-up nudge in the agent loop to prompt early task completion as MaxSteps approaches
- Enhance JSON output with token coverage summaries and ensure consistent category classification
**Added:**
- Deterministic ADCS ESC4 and ESC8 chains, including helper functions for argument construction, parsing relay output, and candidate capping in `adcs_exploitation.rs`
- Unit tests for new helpers: `administrator_upn`, `admin_rid500_sid`, chain argument builders, relay output parsing, candidate capping, and result detection
- Pure functions for building tool argument JSON for composite tools (`build_esc4_chain_args`, `build_esc1_chain_args`, `build_relay_coerce_args`)
- Token coverage summary output and associated helper function with tests in `format/json.rs`
- Agent wrap-up nudge logic and associated threshold constant in `runner.rs`, along with tests for the injection predicate
**Changed:**
- Switch ADCS ESC4 and ESC8 exploitation from LLM-routed to deterministic, tool-driven chains in `adcs_exploitation.rs`, ensuring deduplication and correct scoreboard marking
- Use pure helper functions for constructing arguments and parsing tool outputs in ADCS exploitation workflow, reducing code duplication and improving testability
- Expand and restructure MSSQL exploitation objectives to emphasize early exit upon first successful primitive, improving automation efficiency and clarity in `mssql_exploitation.rs`
- Make `token_category` function visible to sibling modules for consistent text/JSON classification in `display.rs`
- Inject a single user-role wrap-up reminder in the agent loop when nearing MaxSteps, to encourage structured task completion and reduce stalls in `runner.rs`
**Removed:**
- LLM-based routing for ADCS ESC4 and ESC8 exploitation, replaced by deterministic, directly-invoked composite tools in `adcs_exploitation.rs`
**Key Changes:**
- Adds an automated OPENQUERY fallback to `auto_mssql_link_pivot`: when `mssql_exec_linked` (EXEC AT) fails with a Kerberos double-hop / SSPI shape, the same probe is retried through `mssql_openquery` against the same linked server, riding the stored `sp_addlinkedsrvlogin` mapping instead of double-hopping the connecting principal's identity
- Narrows the retry trigger to a stable cross-forest auth signature (`Login failed for user`, `Cannot generate SSPI context`, `SSPI handshake failed`, `KDC_ERR_*`, `the trust relationship`, `double-hop`, `delegation not permitted`) and explicitly excludes generic "RPC out disabled" / "linked server not found" errors that OPENQUERY can't route around
- Extracts the EXEC AT classify logic into a shared verdict path so EXEC AT and OPENQUERY share one classifier
**Added:**
- `run_openquery_fallback` — dispatches `mssql_openquery` after EXEC AT failed cross-forest, preserves the original EXEC AT outcome when OPENQUERY also fails (EXEC AT's error is more diagnostic) — `ares-cli/src/orchestrator/automation/mssql_link_pivot.rs`
- `probe_failure_is_cross_forest_shape` — narrow case-insensitive matcher for cross-forest auth failures on `ProbeOutcome::ToolError` / `ProbeOutcome::NoEvidence`; explicitly skips `DispatchFailure` (transport) and `Confirmed` — `ares-cli/src/orchestrator/automation/mssql_link_pivot.rs`
- `classify_probe_result` — pure classifier that wraps `dispatch_tool` results into a `ProbeOutcome` (ToolError / Confirmed / NoEvidence / DispatchFailure) shared by EXEC AT and OPENQUERY paths — `ares-cli/src/orchestrator/automation/mssql_link_pivot.rs`
- 13 new unit tests covering every cross-forest error shape (login-failed, SSPI context, SSPI handshake, KDC_ERR, case insensitivity), the exclusion cases (RPC disabled, missing linked server, DispatchFailure, Confirmed), and the shared classifier verdicts
**Changed:**
- `run_pivot_probe` routes through the shared classifier and triggers the OPENQUERY fallback when the first probe outcome matches the cross-forest signature; `Confirmed` outcomes short-circuit before the fallback — `ares-cli/src/orchestrator/automation/mssql_link_pivot.rs`
- OPENQUERY-confirmed hops flow through the existing `Confirmed` outcome → `credit_pivot_exploited` → `mark_exploited`, matching the EXEC AT scoreboard-credit path (`auto_mssql_exploitation` already names `mssql_openquery` as the cross-forest fallback in the LLM prompt, but the deterministic chain never tried it — cross-forest dreadgoad scenarios were exhausting `MAX_PIVOT_ATTEMPTS` and locking the dedup without ever firing OPENQUERY)
) **Key Changes:**
- Replaces the LLM-routed GPO abuse dispatch with a deterministic chain that calls `pygpoabuse_immediate_task` directly via `dispatch_tool` and `mark_exploited` on success
- Adds an output parser (`parse_pygpoabuse_output`) classifying the tool result as Success / NoEvidence / KnownFailure(reason); auth failures, missing-GPO, and insufficient-rights now burn a failure-counter slot instead of looping
- Adds an args builder (`build_pygpoabuse_args`) that injects a unique `ARES_GPO_Probe_<suffix>` task name, a benign `cmd /c whoami` payload, and `force=true` so retries don't trip the tool's "task already exists" guard
**Added:**
- `GpoAbuseOutcome` enum (`Success` | `NoEvidence` | `KnownFailure(&'static str)`) and `parse_pygpoabuse_output` covering pygpoabuse's `[+]`/`[-]`/`[!]` line prefixes - `ares-cli/src/orchestrator/automation/gpo.rs`
- `build_pygpoabuse_args` producing the `pygpoabuse_immediate_task` JSON shape with a unique `ARES_GPO_Probe_<suffix>` task name and `force=true` default
- Explicit `mark_exploited` call inside the deterministic spawn so the `gpo_abuse_*` task-id bypasses the `exploit_*` gate in `result_processing` while still crediting the scoreboard - same pattern as ESC1/ESC8/ESC11/mssql_link_pivot
- 12 unit tests covering parser branches (success markers, KDC pre-auth, no-such-object, insufficient access, partial-success-with-auth-failure) and the args builder (suffix uniqueness, force flag, required field shape)
**Changed:**
- Reworked `auto_gpo_abuse` to invoke `dispatch_gpo_abuse_deterministic` instead of `throttled_submit("exploit", "privesc", payload, ...)` — the prior path frequently routed to unrelated tools (e.g. `bloodhound_collect`) because `technique=gpo_abuse` did not deterministically map to `pygpoabuse`, and omitted the required `command` field even when routing landed correctly
- Updated in-flight deduplication and abandon-on-cap handling around the deterministic dispatch so retries unlock the dedup only on `NoEvidence`; `KnownFailure` keeps dedup locked because the cause won't change on retry with the same input
…310) **Key Changes:**
- Adds an inline parser for `zerologon_check` (netexec --zerologon) output in `ares-tools/src/parsers/mod.rs` that emits a `zerologon` vulnerability with `vuln_id = zerologon_<ip_with_dots_to_underscores>` when the DC is detected as vulnerable
- Adds the `is_zerologon_vulnerable` helper recognising positive markers (bare `VULNERABLE` token, "vulnerable to Zerologon" phrase, `[+] Domain is vulnerable`) and letting negative markers ("Not vulnerable", "is patched", "target appears patched") win even when a banner line mentions `VULNERABLE`
- Closes the discovery gap so `auto_zerologon`'s `zerologon_check` dispatch lands a `zerologon` entry in `discovered_vulnerabilities`, unblocking the generic exploit workflow already wired up in `exploitation.rs`
**Added:**
- `is_zerologon_vulnerable` helper with banner / negative-marker disambiguation - `ares-tools/src/parsers/mod.rs`
- `parse_tool_output` branch that emits a `zerologon` vulnerability keyed by `zerologon_<ip_with_dots_to_underscores>` (falls back through `dc_ip` → `target_ip`, with a missing-IP guard so a parse on output without a target is a no-op)
- 8 parser-level unit tests (positive markers, negative markers, banner-line edge case, substring-without-boundary) and 5 `parse_tool_output_zerologon` integration tests (emission, patched-DC silence, dc_ip/target_ip fallback, vuln_id idempotence, missing-IP guard)
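The parsing rules described in this commit (negative markers win over a banner line, a bare `VULNERABLE` token must be a whole word, and the `dc_ip` → `target_ip` fallback with a missing-IP guard) are illustrated below in an added example. This is not the ares project's own `is_zerologon_vulnerable` or `parse_tool_output` code; the function names are borrowed from the commit message, the whole-word boundary rule, the treatment of a blank address as missing, and the sample output lines are this example's own assumptions (the addresses are constructed placeholders).

```rust
// Added example (not ares project code): classify a Zerologon check's text
// output and derive the stable vulnerability id the orchestrator would key on.

/// True when `token` occurs in `line` as a whole word, i.e. not embedded in a
/// longer identifier such as "INVULNERABLE" or "VULNERABLE_CHECK".
/// (Assumption of this example: underscores and alphanumerics are word characters.)
fn contains_whole_word(line: &str, token: &str) -> bool {
    if token.is_empty() {
        return false;
    }
    let is_word = |c: char| c.is_alphanumeric() || c == '_';
    let mut from = 0;
    while let Some(rel) = line[from..].find(token) {
        let start = from + rel;
        let end = start + token.len();
        let before_ok = line[..start].chars().next_back().map_or(true, |c| !is_word(c));
        let after_ok = line[end..].chars().next().map_or(true, |c| !is_word(c));
        if before_ok && after_ok {
            return true;
        }
        from = end;
    }
    false
}

/// Verdict for a Zerologon check run against a DC. Negative markers are tested
/// first so that a tool banner mentioning "VULNERABLE" cannot turn a patched
/// DC into a false positive; positive markers are the three named in the commit.
fn is_zerologon_vulnerable(output: &str) -> bool {
    const NEGATIVE_MARKERS: [&str; 3] = ["not vulnerable", "is patched", "target appears patched"];
    let lower = output.to_ascii_lowercase();
    if NEGATIVE_MARKERS.iter().any(|m| lower.contains(m)) {
        return false;
    }
    output.lines().any(|line| {
        contains_whole_word(line, "VULNERABLE")
            || line.to_ascii_lowercase().contains("vulnerable to zerologon")
            || line.contains("[+] Domain is vulnerable")
    })
}

/// Stable id `zerologon_<ip with dots as underscores>`, preferring the DC address
/// over the generic target address. Returns `None` when neither is usable, so the
/// caller records nothing rather than a keyless finding (the missing-IP guard).
fn zerologon_vuln_id(dc_ip: Option<&str>, target_ip: Option<&str>) -> Option<String> {
    let ip = [dc_ip, target_ip]
        .into_iter()
        .flatten()
        .map(str::trim)
        .find(|s| !s.is_empty())?;
    Some(format!("zerologon_{}", ip.replace('.', "_")))
}

fn main() {
    // Constructed sample output; 10.0.0.5 is a placeholder address.
    let patched = "ZEROLOGON VULNERABLE scan module\nSMB  10.0.0.5  445  DC01  [-] Not vulnerable";
    println!("patched sample flagged: {}", is_zerologon_vulnerable(patched));
    println!("id: {:?}", zerologon_vuln_id(None, Some("10.0.0.5")));
}
```

Keeping the negative check ahead of the positive one is the part that matters operationally: a patched DC must stay silent even when the tool's banner shouts, otherwise every downstream consumer of `discovered_vulnerabilities` inherits the false positive.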
…ility **Added:**
- Introduced pure helper functions for credential and hash expansion logic in `credential_expansion.rs`, including domain resolution, dedup key construction, lateral/target selection, and batch work selection routines, along with comprehensive unit tests
- Added pure helpers to `golden_ticket.rs` for pending domain collection, input gathering, admin name resolution, hash normalization, and payload construction, plus unit tests
- Extracted pure S4U work selection and payload building logic into `s4u.rs` with extensive tests
- Added pure functions in `unconstrained.rs` for host IP lookup, unconstrained work selection, and payload building for each action, with tests
- Extracted and tested playbook construction helpers in `playbook.rs` for extracting users, IPs, and techniques, technique normalization, and detection template lookup
**Changed:**
- Refactored all orchestrator automation modules (`credential_expansion.rs`, `golden_ticket.rs`, `s4u.rs`, `unconstrained.rs`) to move complex filtering, selection, and payload construction logic into pure, testable functions
- Updated async automation loops to use the new helper functions, improving readability and maintainability
- Promoted work item and phase state structs to `pub(crate)` and restructured to support testing
- Improved coverage and organization of tests for credential, hash, S4U, unconstrained, and playbook logic, covering edge cases and previous inline closure logic
- Updated `playbook.rs` to use new pure extraction and normalization helpers for playbook generation and detection query lookup
**Removed:**
- Eliminated all inlined filter and work selection closures in orchestrator automation modules, replacing them with reusable, tested helpers
- Removed duplicated logic for credential/hash/domain extraction, deduplication, and playbook content construction in favor of centralized helpers
…ions **Added:**
- Introduced pure helper functions in `credential_access.rs` for selecting and building AS-REP roast, Kerberoast, username spray, low-hanging fruit, and secretsdump work items, as well as building their respective payloads
- Added pure selection and payload-building helpers in `adcs_exploitation.rs` and `mssql_exploitation.rs` for ADCS and MSSQL deep exploitation automations
- Implemented comprehensive unit tests for all new helper functions to ensure correctness and testability of selection/filtering logic
**Changed:**
- Refactored `auto_adcs_exploitation`, `auto_credential_access`, and `auto_mssql_exploitation` to use pure work selection and payload construction functions, reducing inline filtering logic and improving testability
- Moved credential selection and deduplication logic for exploitation tasks into reusable functions, ensuring consistent filtering, fallback, and prioritization across credential-dependent automations
- Improved clarity and maintainability of dispatcher automation code by encapsulating domain-specific selection and payload construction into dedicated helpers
- Updated all automation modules to use the new selection and builder functions, streamlining task dispatch and reducing code duplication
**Removed:**
- Eliminated large inline iterator/filter_map/filter chains from automation functions, moving all logic to reusable helpers
- Removed duplicated credential and deduplication handling code from main automation loops in favor of pure, testable functions
…d completion logic **Added:**
- Introduced pure helper functions for task result processing in dispatcher/submission.rs: `task_params_from_payload`, `inject_vuln_id_into_result`, `parse_task_complete_result`, and `merge_result_extras`, each with comprehensive unit tests
- Added pure completion decision logic: `CompletionSnapshot`, `CompletionDecision`, and `evaluate_completion` in completion.rs, along with extensive unit tests for all completion scenarios
- Added new helpers and tests in trust.rs for building candidate child-to-parent escalation sets, constructing work items from multiple trust paths, and selecting admin credentials for escalation
**Changed:**
- Refactored inline logic in dispatcher/submission.rs to use new helper functions for task parameter extraction, result parsing, merging discoveries/findings/tool outputs, and vuln_id injection, improving code clarity and testability
- Replaced inlined completion-check logic in completion.rs with calls to the new pure evaluation function, simplifying and unifying completion decision flow
- Refactored trust.rs to use extracted helpers for candidate child domain set construction, work item assembly, and admin credential selection in the trust-follow automation loop
**Removed:**
- Eliminated redundant and duplicated inline logic for task parameter extraction, result merging, and completion checks, consolidating these behaviors into reusable, testable helper functions
…with tests **Added:**
- Introduced `ForestTopology` struct and `compute_forest_topology` function for partitioning domain lists into forest roots and child domains, with full test coverage
- Added `count_compromised_forests` function to count compromised forests based on domain achievements, with tests
- Implemented `TokenCoverageRow` struct and `compute_token_coverage_rows` for pure computation of token scoreboard, with tests
- Added `collect_payload_text_parts`, `payload_contains_golden_ticket_marker`, and `parse_sid_from_combined_text` utilities for standardized payload parsing, each with comprehensive tests
**Changed:**
- Refactored domain topology logic in `print_loot_human` and `print_runtime_summary` to use `compute_forest_topology` and `count_compromised_forests`
- Simplified and centralized token scoreboard logic in `print_token_coverage` via `compute_token_coverage_rows`
- Updated golden ticket detection in `check_golden_ticket_completion` to use unified payload marker logic
- Updated domain SID extraction in `extract_and_cache_domain_sid` to use shared text part collection and parsing helpers
**Removed:**
- Inlined and duplicated domain topology and compromised forest calculation logic from display and summary functions
- Manual extraction of text parts and SID parsing logic now replaced by reusable helpers
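Partitioning a flat domain list into forest roots and children is the kind of pure function this commit extracts; the added example below is an independent illustration and not the ares `ForestTopology` or `compute_forest_topology` code. The struct shape, the rule that a forest counts as compromised only once its root domain is compromised, and the sample domain names are this example's own assumptions; the parent/child test uses DNS label boundaries so that a bare suffix match such as "evilcorp.local" under "corp.local" is rejected.

```rust
// Added example (not ares project code): forest topology from a domain list.
use std::collections::{BTreeMap, BTreeSet};

/// Partition of a flat domain list into forest roots and their child domains.
#[derive(Debug, PartialEq, Eq)]
struct ForestTopology {
    /// Domains that are not a DNS child of any other listed domain.
    roots: Vec<String>,
    /// Root name -> child domains that sit under it (at any depth).
    children: BTreeMap<String, Vec<String>>,
}

/// True when `candidate` sits below `parent` in DNS terms, e.g.
/// "dev.corp.local" under "corp.local". The label boundary check stops
/// "evilcorp.local" from being treated as a child of "corp.local".
fn is_child_domain(candidate: &str, parent: &str) -> bool {
    candidate.len() > parent.len()
        && candidate.ends_with(parent)
        && candidate.as_bytes()[candidate.len() - parent.len() - 1] == b'.'
}

/// Build the topology. Names are lower-cased and de-duplicated first so that
/// "CORP.LOCAL" and "corp.local" are one domain.
fn compute_forest_topology(domains: &[&str]) -> ForestTopology {
    let names: BTreeSet<String> = domains
        .iter()
        .map(|d| d.trim().to_ascii_lowercase())
        .filter(|d| !d.is_empty())
        .collect();
    let mut roots = Vec::new();
    let mut children: BTreeMap<String, Vec<String>> = BTreeMap::new();
    for name in &names {
        // The shortest listed ancestor is the forest root; with none, `name` is itself a root.
        let root = names
            .iter()
            .filter(|other| is_child_domain(name, other.as_str()))
            .min_by_key(|other| other.len());
        match root {
            Some(root) => children.entry(root.clone()).or_default().push(name.clone()),
            None => roots.push(name.clone()),
        }
    }
    ForestTopology { roots, children }
}

/// A forest counts as compromised once its root domain is in the compromised
/// set (assumption of this example: a compromised child alone does not count,
/// since only the root grants forest-wide control).
fn count_compromised_forests(topology: &ForestTopology, compromised: &[&str]) -> usize {
    let owned: BTreeSet<String> = compromised
        .iter()
        .map(|d| d.trim().to_ascii_lowercase())
        .collect();
    topology.roots.iter().filter(|r| owned.contains(r.as_str())).count()
}

fn main() {
    // Constructed sample domains.
    let topology = compute_forest_topology(&[
        "corp.local", "dev.corp.local", "CORP.LOCAL", "partner.net", "sub.dev.corp.local", "evilcorp.local",
    ]);
    println!("{:#?}", topology);
    println!("compromised forests: {}", count_compromised_forests(&topology, &["dev.corp.local"]));
}
```

Choosing the shortest listed ancestor as the root (rather than the nearest parent) is what keeps a three-level domain attached to its forest root even when the intermediate domain is also in the list.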
…ove ntsd parser coverage **Added:**
- Introduced pure helper functions for computing log query time windows (`time_window_around`, `time_window_recent`) and combining LogQL regex patterns (`build_combined_logql_query`) in `loki.rs`
- Added comprehensive unit tests for the new helpers in `loki.rs`
- Extended `ntsd.rs` with edge case and branch coverage tests for security descriptor and ACE parsing, ACL enumeration, base64 decoding, and ACE classification
**Changed:**
- Refactored log query functions in `loki.rs` to use new pure time window helpers, improving readability and testability
- Updated `combine_query_patterns` to use the new `build_combined_logql_query` helper for safer regex construction and clearer error handling
**Removed:**
- Inlined timestamp and time window parsing logic in log query functions, consolidating this logic into reusable pure helpers in `loki.rs`
- Removed manual regex escaping and alternation logic from `combine_query_patterns`, delegating to the new helper
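The "safer regex construction" point above is worth seeing concretely: search terms taken from findings must be escaped before they are OR-ed into a LogQL line filter, and an empty alternation must be rejected rather than sent to Loki (where `|~ "()"` matches every line). The block below is an added example, not the ares `loki.rs` helpers; the function names follow the commit message, while the signatures, the `(?i)(...)` alternation shape, the Go-style double escaping inside the quoted LogQL string, the epoch-second window type and the sample search terms are this example's own assumptions.

```rust
// Added example (not ares project code): pure time-window and LogQL helpers.

/// Inclusive window of Unix-epoch seconds used to bound a log query.
#[derive(Debug, Clone, Copy, PartialEq, Eq)]
struct TimeWindow {
    start: i64,
    end: i64,
}

/// Window centred on an event timestamp, `radius_secs` on either side.
/// A negative radius is treated as zero; the start is clamped at the epoch.
fn time_window_around(event_ts: i64, radius_secs: i64) -> TimeWindow {
    let radius = radius_secs.max(0);
    TimeWindow {
        start: event_ts.saturating_sub(radius).max(0),
        end: event_ts.saturating_add(radius),
    }
}

/// Window covering the last `lookback_secs` up to `now`.
fn time_window_recent(now: i64, lookback_secs: i64) -> TimeWindow {
    TimeWindow {
        start: now.saturating_sub(lookback_secs.max(0)).max(0),
        end: now,
    }
}

/// Escape a literal so it matches itself inside an RE2-syntax regex (LogQL uses RE2).
fn escape_regex(literal: &str) -> String {
    let mut out = String::with_capacity(literal.len() * 2);
    for c in literal.chars() {
        if r"\.+*?()|[]{}^$".contains(c) {
            out.push('\\');
        }
        out.push(c);
    }
    out
}

/// Combine literal search terms into one case-insensitive LogQL line filter:
///   {selector} |~ "(?i)(term1|term2|...)"
/// Blank terms are dropped; with nothing left an error is returned instead of
/// an empty alternation, which would match every line in the stream.
fn build_combined_logql_query(selector: &str, patterns: &[&str]) -> Result<String, String> {
    let alternatives: Vec<String> = patterns
        .iter()
        .map(|p| p.trim())
        .filter(|p| !p.is_empty())
        .map(escape_regex)
        .collect();
    if alternatives.is_empty() {
        return Err("no non-empty patterns supplied".to_string());
    }
    let regex = format!("(?i)({})", alternatives.join("|"));
    // The regex sits inside a double-quoted LogQL string, which uses Go-style
    // escapes, so backslashes and quotes must be escaped a second time.
    let quoted = regex.replace('\\', "\\\\").replace('"', "\\\"");
    Ok(format!("{{{}}} |~ \"{}\"", selector, quoted))
}

fn main() {
    let window = time_window_around(1_700_000_000, 300);
    println!("window {}..{}", window.start, window.end);
    // Constructed sample terms a detection query might carry.
    match build_combined_logql_query(r#"job="winlogbeat""#, &["EventID=4769", "krbtgt (RC4)"]) {
        Ok(query) => println!("{}", query),
        Err(err) => eprintln!("error: {}", err),
    }
}
```

The second escaping pass is the easy one to forget: `\(` is correct inside the regex, but once the regex is embedded in a double-quoted LogQL string the backslash itself has to be doubled, or Loki's string parser consumes it before the regex engine sees it.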
**Added:**
- Added tests for NTLMv1 signal detection, SeImpersonate signal, ccache evidence, failure detection, lockout principal parsing, and locked username extraction in `result_processing/tests.rs`
- Added tests for placeholder string/value detection, IP detection, common per-domain account identification, and authenticating hash type logic in `credential_resolver.rs`
**Changed:**
- Made `calculate_technique_coverage` function in `redblue/engine.rs` public within the crate to enable broader access for testing and use
…ogic **Added:**
- Added `select_coercion_work` function to encapsulate DC selection logic for coercion, with unit tests to verify deduplication and self-exclusion
- Introduced `SecretsdumpWorkItem` and `PthSecretsdumpWorkItem` types and selection functions (`select_local_admin_secretsdump_work`, `select_pth_secretsdump_work`) for secretsdump automation, with comprehensive unit tests for edge cases and logic
**Changed:**
- Refactored `auto_coercion` to use the new `select_coercion_work` helper, improving testability and maintainability
- Updated `auto_local_admin_secretsdump` to use `select_local_admin_secretsdump_work` and `select_pth_secretsdump_work` for clearer, centralized work item filtering logic
- Replaced inline selection/filtering code with calls to the new helpers in both coercion and secretsdump automation routines
**Removed:**
- Removed inlined credential/DC selection and deduplication logic from `auto_coercion` and `auto_local_admin_secretsdump`, consolidating logic into testable helper functions
…ure functions **Added:**
- Introduced `select_bloodhound_work` function to encapsulate BloodHound work selection logic, allowing for unit testing and code reuse
- Added unit tests for `select_bloodhound_work` covering empty state, credential and DC presence, processed domains, and multi-domain scenarios
- Introduced `select_share_spider_work` function to encapsulate share spidering work selection, making batch selection logic testable and reusable
- Added unit tests for `select_share_spider_work` covering credential presence, share permissions, administrative shares, deduplication, max batch size, credential preference, and fallback cases
**Changed:**
- Refactored `auto_bloodhound` to use `select_bloodhound_work` for determining collection tasks, removing in-place logic and improving clarity
- Refactored `auto_share_spider` to use `select_share_spider_work` for batch selection, eliminating in-line filtering and credential selection code
- Removed unnecessary `debug` tracing import in `bloodhound.rs` since debug logging is no longer needed in the refactored logic
**Added:**
- Added `select_share_enumeration_work` function to encapsulate work item selection logic for share enumeration, allowing for unit testing without a Dispatcher
- Added comprehensive unit tests for `select_share_enumeration_work` covering domain matching, fallback logic, deduplication, processed item skipping, and max items cap
**Changed:**
- Refactored `auto_share_enumeration` to delegate share enumeration work selection to the new `select_share_enumeration_work` function, simplifying main logic and improving testability
- Improved logging when no credentials are available by consolidating and simplifying log output
**Removed:**
- Removed in-line credential and work item selection logic from `auto_share_enumeration`, consolidating into the new helper function
**Added:**
- Introduced `resolve_delegation_dc` function to resolve a domain controller IP with exact, child, and parent domain fallback logic
- Added `select_delegation_work` function to encapsulate credential filtering and DC resolution logic for delegation enumeration
- Implemented comprehensive unit tests for `resolve_delegation_dc` and `select_delegation_work` covering various domain and credential scenarios
**Changed:**
- Refactored `auto_delegation_enumeration` to use the new `select_delegation_work` function, improving testability and modularity by extracting filtering logic from the async workflow
**Added:**
- Introduced `select_rbcd_work` function to encapsulate RBCD exploitation candidate selection logic for improved testability
- Added `build_rbcd_payload` function for pure JSON payload construction from an RbcdWork struct
- Implemented unit tests for RBCD candidate selection and payload generation
**Changed:**
- Refactored `auto_rbcd_exploitation` to delegate work selection and payload building to new helper functions
- Made `RbcdWork` struct and helper functions public within the crate for testing and modularization
**Removed:**
- Inlined candidate selection and payload construction logic from `auto_rbcd_exploitation`, replacing with calls to the new functions
…on logic **Added:**
- Introduced `CrossReuseHashWork` and `CrossReuseCredWork` type aliases for work items
- Added `cred_password_prefix` utility to sanitize password prefixes for deduplication
- Implemented `select_hash_reuse_work` and `select_cred_reuse_work` functions to encapsulate cross-forest hash and password reuse logic
- Added comprehensive unit tests for password prefixing and both hash/password reuse work selection
**Changed:**
- Refactored `auto_credential_reuse` to use new helper functions for selecting work items, simplifying the main loop and reducing duplication
**Added:**
- Introduced `ShadowCredWorkItem` struct to encapsulate shadow credential work details
- Added `select_shadow_credentials_work` function for pure selection logic, enabling unit testing of candidate filtering and credential/hash lookup
- Implemented `build_shadow_credentials_payload` for constructing dispatch payloads independently of dispatcher context
**Changed:**
- Refactored main work selection in `auto_shadow_credentials` to use `select_shadow_credentials_work`, improving clarity and testability
- Updated payload construction in dispatch loop to use new `build_shadow_credentials_payload` function
- Replaced all usages of previous `ShadowCredWork` with new `ShadowCredWorkItem` in tests for consistency
- Removed unnecessary `debug` and `tracing` log usage in favor of pure functions where possible
**Removed:**
- Deleted the internal `ShadowCredWork` struct, consolidating all logic under the new `ShadowCredWorkItem` abstraction
- Removed inlined work selection/filtering logic from `auto_shadow_credentials` in favor of extracted pure function
**Added:**
- Introduced helper functions for stall recovery selection: `domains_with_pending_delegation`, `stall_spray_dedup_key`, `stall_lhf_dedup_key`, `resolve_stall_dc_ip`, `select_stall_spray_work`, and `select_stall_lhf_work`
- Added comprehensive unit tests for each helper, covering edge cases and key behaviors
**Changed:**
- Refactored stall recovery logic in `auto_stall_detection` to use new helper functions, improving clarity and maintainability
- Replaced inline deduplication and filtering code with calls to the new helpers for spray and low-hanging-fruit work selection
**Removed:**
- Eliminated duplicated and inlined logic for stall recovery work selection from `auto_stall_detection`, consolidating into reusable helpers
…r functions **Added:**
- Added `select_gmsa_work` function to encapsulate selection logic for gMSA extraction candidates
- Added `gmsa_dedup_key` helper for consistent deduplication key formatting
- Added `build_gmsa_payload` helper to generate gMSA dispatch payloads
- Added comprehensive tests for `select_gmsa_work`, `gmsa_dedup_key`, and `build_gmsa_payload` covering edge cases and logic branches
**Changed:**
- Replaced inline gMSA work selection logic in `auto_gmsa_extraction` with call to `select_gmsa_work`
- Replaced inline JSON payload construction with `build_gmsa_payload`
- Made `GmsaWork` struct fields and definition public within crate for testability and helper sharing
**Removed:**
- Removed duplicated gMSA work selection and payload construction logic from `auto_gmsa_extraction` in favor of new helper functions
**Added:**
- Added `build_dacl_payload` function to construct DACL-abuse JSON payload, exposed as `pub(crate)` for unit testing
- Added unit tests for `build_dacl_payload` to verify payload structure and ACL type propagation
**Changed:**
- Refactored payload construction in `auto_dacl_abuse` to use the new `build_dacl_payload` function
- Changed `collect_dacl_work` and `DaclWork` to `pub(crate)` for better testability and access in tests
**Removed:**
- Removed inline payload construction from `auto_dacl_abuse` in favor of using `build_dacl_payload`
…erage in pth_spray **Added:**
- Added `build_pth_payload` function to encapsulate PTH spray JSON payload construction
- Added unit test for `build_pth_payload` to verify emitted fields
**Changed:**
- Updated PTH spray logic to use `build_pth_payload` helper for payload creation
- Made `PthWork` struct and its fields public within the crate for testing and reuse
…315) **Key Changes:**
- Implemented forest-aware selection of coercion sources and credentials for NTLM relay
- Allowed unauthenticated PetitPotam relays when no matching credentials exist
- Enhanced test coverage for cross-forest and credential-pairing logic
- Updated data models and logic to support optional credentials
**Added:**
- Forest-aware DC and credential pairing logic to ensure relays use domain controllers and credentials from the same forest as the relay target, improving reliability for NTLM relay and PetitPotam attacks
- Helper functions: `same_forest_domain`, `host_domain_for_ip`, `find_coercion_source_for_forest`, and `pick_credential_for_forest` to encapsulate domain/forest logic and credential selection
- Extensive tests covering parent-child domain trusts, fallback behavior, unauthenticated relays, and helper correctness
**Changed:**
- Modified relay dispatch logic to allow `credential: None` when no suitable credential is found, enabling unauthenticated PetitPotam relays
- Updated the relay work item structure to make credentials optional, reflecting the new unauthenticated relay path
- Refactored payload construction to include the credential field only when present
- Adjusted relay work collection to remove the short-circuit on empty credentials, ensuring unauthenticated relays are still attempted
- Improved prioritization for coercion source and credential selection, preferring same-forest matches but falling back to any available DC or unauthenticated relays as needed
- Revised and extended tests to verify new forest-aware behavior and credential selection logic
**Removed:**
- Obsolete test (`collect_relay_work_no_credentials`) that assumed no relay work is possible without credentials, replaced by tests verifying unauthenticated paths
… exploit (#314) **Key Changes:**
- Prevent silent dropping of machine-account unconstrained delegation vulns when host IP is unknown
- Route unknown-host machine accounts to LLM exploit with distinct deduplication keys
- Ensure deterministic coerce chain is used only when machine host IP is known
- Added targeted tests to cover new fallback and host resolution logic
**Added:**
- LLM fallback routing for machine accounts without known host IPs, assigning a unique dedup key to avoid collisions and ensuring exploits are attempted
- Tests for unknown-host and known-host machine account scenarios, confirming correct fallback and host resolution behavior
**Changed:**
- Host IP resolution logic for machine accounts now distinguishes between known and unknown hosts, with explicit fallback handling
- Credentials and deduplication logic updated to support new fallback paths and avoid work item loss
- Self-coerce loop prevention applied only to deterministic coerce chain, bypassed for LLM fallback paths
**Removed:**
- Implicit dropping of machine-account unconstrained delegation vulns when host IP is missing, ensuring all valid work is surfaced
#313) **Key Changes:**
- Removed ntlmv1_downgrade from the list of automation-owned vulnerabilities
- Ensured ntlmv1_downgrade is handled by the generic LLM-routed exploit workflow
- Added targeted tests to verify ntlmv1_downgrade is no longer treated as automation-owned
**Added:**
- Introduced a test confirming ntlmv1_downgrade is not considered automation-owned and is case-insensitive in matching
**Changed:**
- Updated is_automation_owned_vuln to exclude ntlmv1_downgrade, allowing it to route through generic exploitation for at least one attempt per dispatch
- Provided explanatory comments on the reasoning and operational evidence behind this routing change
**Removed:**
- Removed ntlmv1_downgrade from the automation-owned vuln test cases to reflect the new workflow
…xploit payloads (#312) **Key Changes:**
- Enhanced username and domain extraction in assist_pattern_key to handle nested credential fields
- Fixed exploit deduplication logic to prevent repeated retries due to missed credential fields
- Added comprehensive tests for username/domain extraction priority and fallback behavior
**Added:**
- Test cases covering various payload shapes, including nested credential objects, username/domain precedence, pass-the-hash scenarios, and cross-forest exploits
**Changed:**
- Username extraction now prioritizes top-level "username", then falls back to "credential.username", and finally "hash_username"
- Domain extraction now prefers top-level "domain", with fallback to "credential.domain" to avoid key collisions across forests
- Updated documentation and inline comments to clarify lookup priorities and rationale for changes
**Removed:**
- Implicit assumption that username/domain fields are always top-level, reducing risk of exploit deduplication failures
…nt forge (#311) **Key Changes:**
- Added support for extracting and propagating the securityIdentifier (domain SID) during domain trust enumeration and parsing
- Updated trust parsing logic to handle both canonical and base64-encoded securityIdentifier formats
- Modified orchestrator state publishing to upsert domain SIDs from trust data, ensuring correct automation on hardened DCs
- Expanded and improved test coverage to validate new SID extraction and handling logic
**Added:**
- security_identifier field to TrustInfo struct, with appropriate serde handling for optionality and defaulting - `ares-core/src/models/core.rs`
- Logic in trust parser to extract securityIdentifier from both canonical text and base64-encoded LDAP outputs, including a decoder for binary SIDs - `ares-tools/src/parsers/trust.rs`
- Tests for parsing, decoding, and correct state population of securityIdentifier, including multiple edge cases and block boundaries - `ares-tools/src/parsers/trust.rs`, `ares-cli/src/orchestrator/state/publishing/entities.rs`
- Inline extraction and emission of canonical securityIdentifier in impacket LDAP enumeration for pass-the-hash authentication - `ares-tools/src/recon.rs`
**Changed:**
- Trust enumeration and parsing code paths to support and carry securityIdentifier where present, ensuring downstream state and automation logic can use the SID directly
- Orchestrator state publishing logic to upsert domain_sids from trust-enum data, mirroring the post-SAMR lookup persistence path and supporting automation on hardened 2019+ DCs - `ares-cli/src/orchestrator/state/publishing/entities.rs`
- Test helpers and fixtures across several test modules to include security_identifier in constructed TrustInfo instances where relevant
**Removed:**
- Redundant or now-unnecessary fallback logic and comments related to SID acquisition via legacy mechanisms in favor of direct propagation from trust enumeration
**Changed:**
- Include `security_identifier: None` in trust test case initializations to reflect updated struct definition and ensure tests cover this field
Key Changes:
Added:
- … `select_asrep_work`, `select_kerberoast_work`, `select_gmsa_work`, `select_delegation_work`, `select_bloodhound_work`, `select_coercion_work`, etc.) to each automation module, each with thorough unit tests
- … `build_adcs_llm_payload`, `build_dacl_payload`, `build_rbcd_payload`, `build_shadow_credentials_payload`, `build_pth_payload`, etc.) with tests to ensure field coverage
Changed:
Removed:
- … `ntlmv1_downgrade`, allowing it to route through the generic exploit workflow
- … `gpo_*` vuln types as automation-owned