
feat: add deterministic ADCS ESC4 and ESC8 exploitation chains and agent wrap-up nudge#306

Merged
l50 merged 5 commits into
feat/more-attack-covfrom
feat/dreadgoad-esc4-deterministic
May 13, 2026

Conversation

@l50 (Contributor) commented May 13, 2026

Key Changes:

  • Implement deterministic exploitation chains for ADCS ESC4 and ESC8, bypassing unreliable LLM routing
  • Add pure helpers for argument construction and parsing in ADCS automation with comprehensive unit tests
  • Introduce a wrap-up nudge in the agent loop to prompt early task completion as MaxSteps approaches
  • Enhance JSON output with token coverage summaries and ensure consistent category classification

Added:

  • Deterministic ADCS ESC4 and ESC8 chains, including helper functions for argument construction, parsing relay output, and candidate capping in adcs_exploitation.rs
  • Unit tests for new helpers: administrator_upn, admin_rid500_sid, chain argument builders, relay output parsing, candidate capping, and result detection
  • Pure functions for building tool argument JSON for composite tools (build_esc4_chain_args, build_esc1_chain_args, build_relay_coerce_args)
  • Token coverage summary output and associated helper function with tests in format/json.rs
  • Agent wrap-up nudge logic and associated threshold constant in runner.rs, along with tests for the injection predicate

Changed:

  • Switch ADCS ESC4 and ESC8 exploitation from LLM-routed to deterministic, tool-driven chains in adcs_exploitation.rs, ensuring deduplication and correct scoreboard marking
  • Use pure helper functions for constructing arguments and parsing tool outputs in ADCS exploitation workflow, reducing code duplication and improving testability
  • Expand and restructure MSSQL exploitation objectives to emphasize early exit upon first successful primitive, improving automation efficiency and clarity in mssql_exploitation.rs
  • Make token_category function visible to sibling modules for consistent text/JSON classification in display.rs
  • Inject a single user-role wrap-up reminder in the agent loop when nearing MaxSteps, to encourage structured task completion and reduce stalls in runner.rs

Removed:

  • LLM-based routing for ADCS ESC4 and ESC8 exploitation, replaced by deterministic, directly-invoked composite tools in adcs_exploitation.rs

**Added:**

- Implement deterministic ESC4 (writeable template) exploitation chain, chaining template-modify, request, and auth steps to ensure full privilege escalation via certipy tools
- Add `build_esc4_chain_args` helper for constructing certipy_esc4_full_chain arguments in the required JSON shape
- Add `dispatch_esc4_deterministic` function to handle deduplication, retries, and state management for ESC4 exploitation, mirroring the lifecycle of ESC1/ESC3
- Introduce tests for `build_esc4_chain_args` to verify all required fields and template handling

**Changed:**

- Update main exploitation loop to route ESC4 items through the new deterministic chain, ensuring full chain execution and robust retry handling
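The dedup, retry and scoreboard lifecycle that the description above attributes to `dispatch_esc4_deterministic` ("deduplication, retries, and state management ... mirroring the lifecycle of ESC1/ESC3"), written out as an added example. This is not the project's adcs_exploitation.rs code: `Esc4Vuln`, `Dispatcher`, `ChainOutcome`, `Decision` and the retry budget `MAX_CHAIN_ATTEMPTS` are assumptions made for the example, and where the real chain would invoke the certipy composite tool this version takes the chain outcome as an argument so the state handling can be exercised offline.

```rust
// Added illustration of a deterministic-chain dispatch lifecycle; not the
// project's code. All names and the retry budget are assumptions.
use std::collections::{HashMap, HashSet};

/// Assumed retry budget: how many chain runs one finding gets before it is
/// locked as abandoned. The page does not state the project's own value.
const MAX_CHAIN_ATTEMPTS: u32 = 2;

/// Minimal stand-in for an ESC4 (writeable template) finding.
#[derive(Clone, Debug, PartialEq, Eq)]
pub struct Esc4Vuln {
    pub ca: String,
    pub template: String,
}

impl Esc4Vuln {
    /// Case-insensitive key used for both dedup and task ids (constructed convention).
    pub fn key(&self) -> String {
        format!("esc4:{}:{}", self.ca.to_ascii_lowercase(), self.template.to_ascii_lowercase())
    }
}

/// Result of one full chain run (template modify -> request -> auth).
#[derive(Clone, Copy, Debug, PartialEq, Eq)]
pub enum ChainOutcome { Exploited, Failed }

/// What the dispatcher decided after seeing an outcome.
#[derive(Clone, Copy, Debug, PartialEq, Eq)]
pub enum Decision { Credited, RetryScheduled, Abandoned }

#[derive(Clone, Copy, Debug, PartialEq, Eq)]
enum DedupState {
    InFlight,
    /// Exploited or abandoned: the finding is never dispatched again.
    Locked,
}

#[derive(Default, Debug)]
pub struct Dispatcher {
    dedup: HashMap<String, DedupState>,
    attempts: HashMap<String, u32>,
    /// Scoreboard of findings credited as exploited.
    pub exploited: HashSet<String>,
}

impl Dispatcher {
    /// Returns a task id to run, or None when the finding is in flight or locked.
    pub fn try_dispatch(&mut self, v: &Esc4Vuln) -> Option<String> {
        let key = v.key();
        if self.dedup.contains_key(&key) {
            return None; // dedup hit: in flight, already exploited, or abandoned
        }
        let n = {
            let e = self.attempts.entry(key.clone()).or_insert(0);
            *e += 1;
            *e
        };
        self.dedup.insert(key.clone(), DedupState::InFlight);
        Some(format!("{key}#attempt{n}"))
    }

    /// Single outcome handler: credit the scoreboard, clear dedup for a retry,
    /// or lock the finding once the budget is exhausted.
    pub fn handle_outcome(&mut self, v: &Esc4Vuln, outcome: ChainOutcome) -> Decision {
        let key = v.key();
        match outcome {
            ChainOutcome::Exploited => {
                self.exploited.insert(key.clone());
                self.dedup.insert(key, DedupState::Locked);
                Decision::Credited
            }
            ChainOutcome::Failed => {
                let used = self.attempts.get(&key).copied().unwrap_or(0);
                if used < MAX_CHAIN_ATTEMPTS {
                    self.dedup.remove(&key); // next candidate walk may retry
                    Decision::RetryScheduled
                } else {
                    self.dedup.insert(key, DedupState::Locked); // abandoned for good
                    Decision::Abandoned
                }
            }
        }
    }

    pub fn is_exploited(&self, v: &Esc4Vuln) -> bool {
        self.exploited.contains(&v.key())
    }
}

fn main() {
    // Constructed walk-through: one finding that fails on every run.
    let v = Esc4Vuln { ca: "CORP-CA".into(), template: "WriteableTemplate".into() };
    let mut d = Dispatcher::default();
    while let Some(task) = d.try_dispatch(&v) {
        println!("run {task} -> {:?}", d.handle_outcome(&v, ChainOutcome::Failed));
    }
    println!("exploited={}", d.is_exploited(&v));
}
```

The point of routing every outcome through one handler is that the three state transitions (credit and lock, clear for retry, lock as abandoned) cannot drift apart between call sites, which is what makes the scoreboard marking trustworthy and keeps a failed chain from being re-dispatched forever.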
@l50 l50 changed the base branch from main to feat/more-attack-cov May 13, 2026 14:19
@l50 l50 changed the title feat: add GPO ACL enumeration and automate exploitation coverage feat: add deterministic ADCS ESC4 and ESC8 exploitation chains and agent wrap-up nudge May 13, 2026
codecov bot commented May 13, 2026

Codecov Report

❌ Patch coverage is 88.45209% with 47 lines in your changes missing coverage. Please review.
✅ Project coverage is 75.94%. Comparing base (fd28bf4) to head (b126a41).

Files with missing lines                                Patch %   Lines
...i/src/orchestrator/automation/adcs_exploitation.rs   88.45%    47 Missing ⚠️

@@                   Coverage Diff                    @@
##           feat/more-attack-cov     #306      +/-   ##
========================================================
+ Coverage                 75.90%   75.94%   +0.04%     
========================================================
  Files                       439      439              
  Lines                    117164   117571     +407     
========================================================
+ Hits                      88930    89289     +359     
- Misses                    28234    28282      +48     
Files with missing lines                                Coverage Δ
...i/src/orchestrator/automation/adcs_exploitation.rs   63.50% <88.45%> (+6.75%) ⬆️

... and 1 file with indirect coverage changes

l50 added 4 commits May 13, 2026 08:30
…rd helpers

**Added:**

- Added Esc4ChainInputs struct and try_extract_esc4_inputs function to validate all required ESC4 chain fields are present before dispatch
- Introduced credit_esc4_exploited helper to mark ESC4 vulnerabilities as exploited in the scoreboard when the deterministic chain succeeds
- Added clear_esc4_dedup_for_retry helper to clear deduplication state for retrying failed ESC4 chains
- Implemented unit and async tests for ESC4 input validation, scoreboard marking, and dedup clearing

**Changed:**

- Refactored dispatch_esc4_deterministic to use try_extract_esc4_inputs for input validation, improving clarity and reducing duplicate code
- Updated ESC4 success and retry logic to use new credit_esc4_exploited and clear_esc4_dedup_for_retry helpers, centralizing error handling and dedup management
- Improved debug log messages for missing ESC4 inputs to clarify which fields are required and the retry behavior
…exploitation

**Added:**

- Introduced `lock_esc4_dedup_for_abandoned` to permanently lock dedup on abandoned ESC4 vulns
- Added `build_esc4_tool_call` to construct the certipy_esc4_full_chain ToolCall payload
- Added `build_esc4_task_id` for generating unique ESC4 chain task IDs
- Implemented `handle_esc4_chain_outcome` to process ESC4 chain results and manage dedup/scoreboard logic
- Added comprehensive unit tests for dedup locking, tool call construction, task ID generation, and outcome handling

**Changed:**

- Refactored ESC4 dedup locking in `dispatch_esc4_deterministic` to use new helper for clarity and reuse
- Updated deterministic dispatch logic to use new helpers for task ID and ToolCall construction
- Replaced inline outcome handling in dispatch logic with new centralized outcome handler for better testability and maintainability

**Removed:**

- Removed duplicated and inline logic for dedup locking, task ID construction, and ToolCall argument assembly from the deterministic dispatch function
- Eliminated outcome processing logic from the dispatch closure, now handled by the shared outcome handler
**Added:**

- Introduced `RelayMode` enum to distinguish between ESC8 (HTTP web enrollment) and ESC11 (RPC ICPR) relay modes, controlling target endpoint and labeling
- Added optional `relay_target_url` parameter to relay-coerce argument construction and parsing, enabling arbitrary relay targets (including ESC11)
- Implemented validation for `relay_target_url` to restrict to supported schemes (`http://`, `https://`, `rpc://`) and reject unsafe characters in `ares-tools`
- Extended tests to cover new `relay_target_url` behaviors, including scheme validation and default fallback
- Added unit tests for `RelayMode` logic and argument emission in both orchestrator and tools modules

**Changed:**

- Refactored orchestrator logic to route ESC8 and ESC11 through a unified `dispatch_relay_coerce_chain` function, reducing code duplication and improving clarity
- Updated candidate walk, deduplication, and logging to reflect the specific relay mode and target endpoint for both ESC8 and ESC11
- Modified relay-coerce argument construction and task labeling to support the distinction between HTTP and RPC relay targets

**Removed:**

- Replaced the dedicated `dispatch_esc8_deterministic` and `esc8_clear_dedup` functions with generic, mode-aware versions for both relay paths
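The relay-target handling described in the commit message above (a `RelayMode` that picks the endpoint and label for ESC8 versus ESC11, an optional `relay_target_url` override, and a validator that allows only `http://`, `https://` and `rpc://` and rejects unsafe characters), written out as an added example. It is not the ares-tools or orchestrator code: the allowlist, `resolve_relay_target`, and the default endpoint shapes (the web-enrollment path for ESC8, an `rpc://` host for ESC11) are assumptions made for the example; the PR only states which schemes are accepted and that unsafe characters are rejected.

```rust
// Added illustration of relay-target validation and mode-aware defaulting;
// not the project's code. Defaults and the allowlist are assumptions.

#[derive(Clone, Copy, Debug, PartialEq, Eq)]
pub enum RelayMode {
    /// ESC8: relay to the CA's HTTP web-enrollment endpoint.
    Esc8Http,
    /// ESC11: relay to the CA's RPC (ICPR) endpoint.
    Esc11Rpc,
}

impl RelayMode {
    pub fn label(self) -> &'static str {
        match self {
            RelayMode::Esc8Http => "ESC8",
            RelayMode::Esc11Rpc => "ESC11",
        }
    }

    /// Default target when the caller supplies no override.
    /// Assumed endpoint shapes; the CA host is validated before interpolation
    /// so a hostile enumeration result cannot smuggle bytes into the target.
    pub fn default_target(self, ca_host: &str) -> Result<String, String> {
        validate_host(ca_host)?;
        Ok(match self {
            RelayMode::Esc8Http => format!("http://{ca_host}/certsrv/certfnsh.asp"),
            RelayMode::Esc11Rpc => format!("rpc://{ca_host}"),
        })
    }
}

const ALLOWED_SCHEMES: [&str; 3] = ["http://", "https://", "rpc://"];

/// Bytes permitted after the scheme. Deliberately narrower than RFC 3986:
/// nothing a shell, a quoting layer or a log line could reinterpret
/// (no whitespace, quotes, backticks, `$`, `;`, `|`, `&`, `<`, `>`, `\`).
fn is_allowed_byte(b: u8) -> bool {
    b.is_ascii_alphanumeric() || b"-._~:/?=%@".contains(&b)
}

fn validate_host(host: &str) -> Result<(), String> {
    let ok = !host.is_empty()
        && host.bytes().all(|b| b.is_ascii_alphanumeric() || b == b'-' || b == b'.');
    if ok { Ok(()) } else { Err(format!("invalid CA host {host:?}")) }
}

/// Accepts only http://, https:// or rpc:// targets built from allowlisted bytes.
pub fn validate_relay_target_url(url: &str) -> Result<&str, String> {
    let scheme = match ALLOWED_SCHEMES.iter().copied().find(|s| url.starts_with(*s)) {
        Some(s) => s,
        None => return Err(format!("unsupported scheme in {url:?} (want http://, https:// or rpc://)")),
    };
    let rest = &url[scheme.len()..];
    if rest.is_empty() {
        return Err("relay target has no host".to_string());
    }
    if let Some(bad) = rest.bytes().find(|b| !is_allowed_byte(*b)) {
        return Err(format!("unsafe byte 0x{bad:02x} in relay target {url:?}"));
    }
    Ok(url)
}

/// Effective target: the validated override if given, else the mode default.
pub fn resolve_relay_target(
    mode: RelayMode,
    ca_host: &str,
    override_url: Option<&str>,
) -> Result<String, String> {
    match override_url {
        Some(u) => validate_relay_target_url(u).map(str::to_string),
        None => mode.default_target(ca_host),
    }
}

fn main() {
    // Constructed inputs: one clean override, one injection attempt.
    for (mode, host, over) in [
        (RelayMode::Esc8Http, "ca.corp.local", None),
        (RelayMode::Esc11Rpc, "ca.corp.local", Some("rpc://other-ca.corp.local")),
        (RelayMode::Esc8Http, "ca.corp.local", Some("http://ca.corp.local/; id")),
    ] {
        println!("{} {:?}", mode.label(), resolve_relay_target(mode, host, over));
    }
}
```

Validating the override before it reaches argument construction is the security-relevant step: the relay target ends up inside a tool invocation, and a scheme check alone would still let a value such as `http://ca/; id` through.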
@l50 l50 merged commit 073e2e7 into feat/more-attack-cov May 13, 2026
11 checks passed
@l50 l50 deleted the feat/dreadgoad-esc4-deterministic branch May 13, 2026 16:30