feat: capture trust partner SID from trust enum to unblock child→parent forge by l50 · Pull Request #311 · dreadnode/ares

l50 · 2026-05-13T17:49:05Z

Key Changes:

Added support for extracting and propagating the securityIdentifier (domain SID) during domain trust enumeration and parsing
Updated trust parsing logic to handle both canonical and base64-encoded securityIdentifier formats
Modified orchestrator state publishing to upsert domain SIDs from trust data, ensuring correct automation on hardened DCs
Expanded and improved test coverage to validate new SID extraction and handling logic

Added:

security_identifier field to TrustInfo struct, with appropriate serde handling for optionality and defaulting - ares-core/src/models/core.rs
Logic in trust parser to extract securityIdentifier from both canonical text and base64-encoded LDAP outputs, including a decoder for binary SIDs - ares-tools/src/parsers/trust.rs
Tests for parsing, decoding, and correct state population of securityIdentifier, including multiple edge cases and block boundaries - ares-tools/src/parsers/trust.rs, ares-cli/src/orchestrator/state/publishing/entities.rs
Inline extraction and emission of canonical securityIdentifier in impacket LDAP enumeration for pass-the-hash authentication - ares-tools/src/recon.rs

Changed:

Trust enumeration and parsing code paths to support and carry securityIdentifier where present, ensuring downstream state and automation logic can use the SID directly
Orchestrator state publishing logic to upsert domain_sids from trust-enum data, mirroring the post-SAMR lookup persistence path and supporting automation on hardened 2019+ DCs - ares-cli/src/orchestrator/state/publishing/entities.rs
Test helpers and fixtures across several test modules to include security_identifier in constructed TrustInfo instances where relevant

Removed:

Redundant or now-unnecessary fallback logic and comments related to SID acquisition via legacy mechanisms in favor of direct propagation from trust enumeration

…ation **Added:** - Added `security_identifier` field to `TrustInfo` struct to store domain SID in canonical S-1-5-21-X-Y-Z form - Extended trust enumeration parsers to extract and decode securityIdentifier from both canonical string and base64 LDAP outputs - Introduced logic to upsert domain SIDs into orchestrator state and persist them in Redis when available - Added tests to verify correct extraction, propagation, and absence handling of securityIdentifier during trust enumeration and state publishing **Changed:** - Updated trust enumeration logic in ares-tools to request and emit securityIdentifier for each trusted domain, both in impacket-LDAP and ldapsearch code paths - Modified orchestrator state publishing to mirror securityIdentifier from trust objects into domain_sids and Redis for reliable parent-SID checks, improving automation on hardened DCs - Updated all relevant test trust objects to include the new `security_identifier` field as None where not set **Removed:** - Removed legacy approach of only relying on post-hoc SAMR/lsaquery for domain SID resolution, replacing with direct propagation from trust enumeration when available

codecov · 2026-05-13T17:53:46Z

Codecov Report

❌ Patch coverage is 98.88268% with 2 lines in your changes missing coverage. Please review.
✅ Project coverage is 76.08%. Comparing base (72fa578) to head (e8e6784).

Files with missing lines	Patch %	Lines
ares-cli/src/ops/inject.rs	0.00%	1 Missing ⚠️
ares-tools/src/parsers/trust.rs	99.20%	1 Missing ⚠️

Additional details and impacted files

@@                   Coverage Diff                    @@
##           feat/more-attack-cov     #311      +/-   ##
========================================================
+ Coverage                 76.05%   76.08%   +0.03%     
========================================================
  Files                       439      439              
  Lines                    118188   118361     +173     
========================================================
+ Hits                      89884    90054     +170     
- Misses                    28304    28307       +3

Files with missing lines	Coverage Δ
ares-cli/src/orchestrator/automation/trust.rs	`26.48% <100.00%> (+0.16%)`	⬆️
ares-cli/src/orchestrator/completion.rs	`53.23% <100.00%> (+0.07%)`	⬆️
...src/orchestrator/result_processing/admin_checks.rs	`40.31% <100.00%> (+0.11%)`	⬆️
...-cli/src/orchestrator/state/publishing/entities.rs	`98.34% <100.00%> (+0.09%)`	⬆️
ares-core/src/models/core.rs	`98.20% <100.00%> (+0.02%)`	⬆️
ares-core/src/state/reader.rs	`94.03% <100.00%> (+<0.01%)`	⬆️
ares-llm/src/routing/credentials.rs	`97.75% <100.00%> (+0.01%)`	⬆️
ares-tools/src/recon.rs	`83.70% <100.00%> (+0.09%)`	⬆️
ares-cli/src/ops/inject.rs	`0.00% <0.00%> (ø)`
ares-tools/src/parsers/trust.rs	`99.68% <99.20%> (-0.32%)`	⬇️

... and 1 file with indirect coverage changes

🚀 New features to boost your workflow:

❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.

…de#196) This PR contains the following updates: | Package | Type | Update | Change | |---|---|---|---| | [softprops/action-gh-release](https://redirect.github.com/softprops/action-gh-release) | action | major | `v2.2.2` → `v3.0.0` | --- > [!WARNING] > Some dependencies could not be looked up. Check the Dependency Dashboard for more information. --- ### Release Notes <details> <summary>softprops/action-gh-release (softprops/action-gh-release)</summary> ### [`v3.0.0`](https://redirect.github.com/softprops/action-gh-release/releases/tag/v3.0.0) [Compare Source](https://redirect.github.com/softprops/action-gh-release/compare/v2.6.2...v3.0.0) `3.0.0` is a major release that moves the action runtime from Node 20 to Node 24. Use `v3` on GitHub-hosted runners and self-hosted fleets that already support the Node 24 Actions runtime. If you still need the last Node 20-compatible line, stay on `v2.6.2`. #### What's Changed ##### Other Changes 🔄 - Move the action runtime and bundle target to Node 24 - Update `@types/node` to the Node 24 line and allow future Dependabot updates - Keep the floating major tag on `v3`; `v2` remains pinned to the latest `2.x` release ### [`v2.6.2`](https://redirect.github.com/softprops/action-gh-release/releases/tag/v2.6.2) [Compare Source](https://redirect.github.com/softprops/action-gh-release/compare/v2.6.1...v2.6.2)  #### What's Changed ##### Other Changes 🔄 - chore(deps): bump picomatch from 4.0.3 to 4.0.4 by [@dependabot](https://redirect.github.com/dependabot)\[bot] in [#775](https://redirect.github.com/softprops/action-gh-release/pull/775) - chore(deps): bump brace-expansion from 5.0.4 to 5.0.5 by [@dependabot](https://redirect.github.com/dependabot)\[bot] in [#777](https://redirect.github.com/softprops/action-gh-release/pull/777) - chore(deps): bump vite from 8.0.0 to 8.0.5 by [@dependabot](https://redirect.github.com/dependabot)\[bot] in [#781](https://redirect.github.com/softprops/action-gh-release/pull/781) **Full Changelog**: <softprops/action-gh-release@v2...v2.6.2> ### [`v2.6.1`](https://redirect.github.com/softprops/action-gh-release/releases/tag/v2.6.1) [Compare Source](https://redirect.github.com/softprops/action-gh-release/compare/v2.6.0...v2.6.1) `2.6.1` is a patch release focused on restoring linked discussion thread creation when `discussion_category_name` is set. It fixes `#764`, where the draft-first publish flow stopped carrying the discussion category through the final publish step. If you still hit an issue after upgrading, please open a report with the bug template and include a minimal repro or sanitized workflow snippet where possible. #### What's Changed ##### Bug fixes 🐛 - fix: preserve discussion category on publish by [@chenrui333](https://redirect.github.com/chenrui333) in [#765](https://redirect.github.com/softprops/action-gh-release/pull/765) ### [`v2.6.0`](https://redirect.github.com/softprops/action-gh-release/releases/tag/v2.6.0) [Compare Source](https://redirect.github.com/softprops/action-gh-release/compare/v2.5.3...v2.6.0) `2.6.0` is a minor release centered on `previous_tag` support for `generate_release_notes`, which lets workflows pin GitHub's comparison base explicitly instead of relying on the default range. It also includes the recent concurrent asset upload recovery fix, a `working_directory` docs sync, a checked-bundle freshness guard for maintainers, and clearer immutable-prerelease guidance where GitHub platform behavior imposes constraints on how prerelease asset uploads can be published. If you still hit an issue after upgrading, please open a report with the bug template and include a minimal repro or sanitized workflow snippet where possible. #### What's Changed ##### Exciting New Features 🎉 - feat: support previous\_tag for generate\_release\_notes by [@pocesar](https://redirect.github.com/pocesar) in [#372](https://redirect.github.com/softprops/action-gh-release/pull/372) ##### Bug fixes 🐛 - fix: recover concurrent asset metadata 404s by [@chenrui333](https://redirect.github.com/chenrui333) in [#760](https://redirect.github.com/softprops/action-gh-release/pull/760) ##### Other Changes 🔄 - docs: clarify reused draft release behavior by [@chenrui333](https://redirect.github.com/chenrui333) in [#759](https://redirect.github.com/softprops/action-gh-release/pull/759) - docs: clarify working\_directory input by [@chenrui333](https://redirect.github.com/chenrui333) in [#761](https://redirect.github.com/softprops/action-gh-release/pull/761) - ci: verify dist bundle freshness by [@chenrui333](https://redirect.github.com/chenrui333) in [#762](https://redirect.github.com/softprops/action-gh-release/pull/762) - fix: clarify immutable prerelease uploads by [@chenrui333](https://redirect.github.com/chenrui333) in [#763](https://redirect.github.com/softprops/action-gh-release/pull/763) ### [`v2.5.3`](https://redirect.github.com/softprops/action-gh-release/releases/tag/v2.5.3) [Compare Source](https://redirect.github.com/softprops/action-gh-release/compare/v2.5.2...v2.5.3)  `2.5.3` is a patch release focused on the remaining path-handling and release-selection bugs uncovered after `2.5.2`. It fixes `#639`, `#571`, `dreadnode#280`, `#614`, `dreadnode#311`, `#403`, and `#368`. It also adds documentation clarifications for `#541`, `#645`, `#542`, `#393`, and `#411`, where the current behavior is either usage-sensitive or constrained by GitHub platform limits rather than an action-side runtime bug. If you still hit an issue after upgrading, please open a report with the bug template and include a minimal repro or sanitized workflow snippet where possible. #### What's Changed ##### Bug fixes 🐛 - fix: prefer token input over GITHUB\_TOKEN by [@chenrui333](https://redirect.github.com/chenrui333) in [#751](https://redirect.github.com/softprops/action-gh-release/pull/751) - fix: clean up duplicate drafts after canonicalization by [@chenrui333](https://redirect.github.com/chenrui333) in [#753](https://redirect.github.com/softprops/action-gh-release/pull/753) - fix: support Windows-style file globs by [@chenrui333](https://redirect.github.com/chenrui333) in [#754](https://redirect.github.com/softprops/action-gh-release/pull/754) - fix: normalize refs-tag inputs by [@chenrui333](https://redirect.github.com/chenrui333) in [#755](https://redirect.github.com/softprops/action-gh-release/pull/755) - fix: expand tilde file paths by [@chenrui333](https://redirect.github.com/chenrui333) in [#756](https://redirect.github.com/softprops/action-gh-release/pull/756) ##### Other Changes 🔄 - docs: clarify token precedence by [@chenrui333](https://redirect.github.com/chenrui333) in [#752](https://redirect.github.com/softprops/action-gh-release/pull/752) - docs: clarify GitHub release limits by [@chenrui333](https://redirect.github.com/chenrui333) in [#758](https://redirect.github.com/softprops/action-gh-release/pull/758) - documentation clarifications for empty-token handling, `preserve_order`, and special-character asset filename behavior **Full Changelog**: <softprops/action-gh-release@v2...v2.5.3> ### [`v2.5.2`](https://redirect.github.com/softprops/action-gh-release/releases/tag/v2.5.2) [Compare Source](https://redirect.github.com/softprops/action-gh-release/compare/v2.5.1...v2.5.2)  `2.5.2` is a patch release focused on the remaining release-creation and prerelease regressions in the `2.5.x` bug-fix cycle. It fixes `#705`, fixes `#708`, fixes `#740`, fixes `#741`, and fixes `#722`. Regression testing covers the shared-tag race, prerelease event behavior, dotfile asset labels, same-filename concurrent uploads, and blocked-tag cleanup behavior. If you still hit an issue after upgrading, please open a report with the bug template and include a minimal repro or sanitized workflow snippet where possible. #### What's Changed ##### Bug fixes 🐛 - fix: canonicalize releases after concurrent create by [@chenrui333](https://redirect.github.com/chenrui333) in [#746](https://redirect.github.com/softprops/action-gh-release/pull/746) - fix: preserve prereleased events for prereleases by [@chenrui333](https://redirect.github.com/chenrui333) in [#748](https://redirect.github.com/softprops/action-gh-release/pull/748) - fix: restore dotfile asset labels by [@chenrui333](https://redirect.github.com/chenrui333) in [#749](https://redirect.github.com/softprops/action-gh-release/pull/749) - fix: handle upload already\_exists races across workflows by [@api2062](https://redirect.github.com/api2062) in [#745](https://redirect.github.com/softprops/action-gh-release/pull/745) - fix: clean up orphan drafts when tag creation is blocked by [@chenrui333](https://redirect.github.com/chenrui333) in [#750](https://redirect.github.com/softprops/action-gh-release/pull/750) #### New Contributors - [@api2062](https://redirect.github.com/api2062) made their first contribution in [#745](https://redirect.github.com/softprops/action-gh-release/pull/745) **Full Changelog**: <softprops/action-gh-release@v2...v2.5.2> ### [`v2.5.1`](https://redirect.github.com/softprops/action-gh-release/releases/tag/v2.5.1) [Compare Source](https://redirect.github.com/softprops/action-gh-release/compare/v2.5.0...v2.5.1)  `2.5.1` is a patch release focused on regressions introduced in `2.5.0` and on release lookup reliability. It fixes `#713`, addresses `#703`, and fixes `#724`. Regression testing shows that current `master` no longer reproduces the finalize-race behavior reported in `#704` and `#709`. #### What's Changed ##### Bug fixes 🐛 - fix: fetch correct asset URL after finalization; test; some refactoring by [@pzhlkj6612](https://redirect.github.com/pzhlkj6612) in [#738](https://redirect.github.com/softprops/action-gh-release/pull/738) - fix: release marked as 'latest' despite make\_latest: false by [@Boshen](https://redirect.github.com/Boshen) in [#715](https://redirect.github.com/softprops/action-gh-release/pull/715) - fix: use getReleaseByTag API instead of iterating all releases by [@kim-em](https://redirect.github.com/kim-em) in [#725](https://redirect.github.com/softprops/action-gh-release/pull/725) ##### Other Changes 🔄 - dependency updates, including the ESM/runtime compatibility refresh in [#731](https://redirect.github.com/softprops/action-gh-release/pull/731) #### New Contributors - [@autarch](https://redirect.github.com/autarch) made their first contribution in [#716](https://redirect.github.com/softprops/action-gh-release/pull/716) - [@pzhlkj6612](https://redirect.github.com/pzhlkj6612) made their first contribution in [#738](https://redirect.github.com/softprops/action-gh-release/pull/738) - [@Boshen](https://redirect.github.com/Boshen) made their first contribution in [#715](https://redirect.github.com/softprops/action-gh-release/pull/715) - [@kim-em](https://redirect.github.com/kim-em) made their first contribution in [#725](https://redirect.github.com/softprops/action-gh-release/pull/725) **Full Changelog**: <softprops/action-gh-release@v2...v2.5.1> ### [`v2.5.0`](https://redirect.github.com/softprops/action-gh-release/releases/tag/v2.5.0) [Compare Source](https://redirect.github.com/softprops/action-gh-release/compare/v2.4.2...v2.5.0)  #### What's Changed ##### Exciting New Features 🎉 - feat: mark release as draft until all artifacts are uploaded by [@dumbmoron](https://redirect.github.com/dumbmoron) in [#692](https://redirect.github.com/softprops/action-gh-release/pull/692) ##### Other Changes 🔄 - chore(deps): bump the npm group across 1 directory with 5 updates by [@dependabot](https://redirect.github.com/dependabot)\[bot] in [#697](https://redirect.github.com/softprops/action-gh-release/pull/697) - chore(deps): bump actions/checkout from 5.0.0 to 5.0.1 in the github-actions group by [@dependabot](https://redirect.github.com/dependabot)\[bot] in [#689](https://redirect.github.com/softprops/action-gh-release/pull/689) #### New Contributors - [@dumbmoron](https://redirect.github.com/dumbmoron) made their first contribution in [#692](https://redirect.github.com/softprops/action-gh-release/pull/692) **Full Changelog**: <softprops/action-gh-release@v2.4.2...v2.5.0> ### [`v2.4.2`](https://redirect.github.com/softprops/action-gh-release/releases/tag/v2.4.2) [Compare Source](https://redirect.github.com/softprops/action-gh-release/compare/v2.4.1...v2.4.2) #### What's Changed ##### Exciting New Features 🎉 - feat: Ensure generated release notes cannot be over 125000 characters by [@BeryJu](https://redirect.github.com/BeryJu) in [#684](https://redirect.github.com/softprops/action-gh-release/pull/684) ##### Other Changes 🔄 - dependency updates #### New Contributors - [@BeryJu](https://redirect.github.com/BeryJu) made their first contribution in [#684](https://redirect.github.com/softprops/action-gh-release/pull/684) **Full Changelog**: <softprops/action-gh-release@v2.4.1...v2.4.2> ### [`v2.4.1`](https://redirect.github.com/softprops/action-gh-release/releases/tag/v2.4.1) [Compare Source](https://redirect.github.com/softprops/action-gh-release/compare/v2.4.0...v2.4.1)  #### What's Changed ##### Other Changes 🔄 - fix(util): support brace expansion globs containing commas in parseInputFiles by [@Copilot](https://redirect.github.com/Copilot) in [#672](https://redirect.github.com/softprops/action-gh-release/pull/672) - fix: gracefully fallback to body when body\_path cannot be read by [@Copilot](https://redirect.github.com/Copilot) in [#671](https://redirect.github.com/softprops/action-gh-release/pull/671) **Full Changelog**: <softprops/action-gh-release@v2...v2.4.1> ### [`v2.4.0`](https://redirect.github.com/softprops/action-gh-release/releases/tag/v2.4.0) [Compare Source](https://redirect.github.com/softprops/action-gh-release/compare/v2.3.4...v2.4.0)  #### What's Changed ##### Exciting New Features 🎉 - feat(action): respect working\_directory for files globs by [@stephenway](https://redirect.github.com/stephenway) in [#667](https://redirect.github.com/softprops/action-gh-release/pull/667) ##### Other Changes 🔄 - chore(deps): bump the npm group with 2 updates by [@dependabot](https://redirect.github.com/dependabot)\[bot] in [#668](https://redirect.github.com/softprops/action-gh-release/pull/668) **Full Changelog**: <softprops/action-gh-release@v2.3.4...v2.4.0> ### [`v2.3.4`](https://redirect.github.com/softprops/action-gh-release/releases/tag/v2.3.4) [Compare Source](https://redirect.github.com/softprops/action-gh-release/compare/v2.3.3...v2.3.4)  #### What's Changed ##### Bug fixes 🐛 - fix(action): handle 422 already\_exists race condition by [@stephenway](https://redirect.github.com/stephenway) in [#665](https://redirect.github.com/softprops/action-gh-release/pull/665) ##### Other Changes 🔄 - chore(deps): bump actions/setup-node from 4.4.0 to 5.0.0 in the github-actions group by [@dependabot](https://redirect.github.com/dependabot)\[bot] in [#656](https://redirect.github.com/softprops/action-gh-release/pull/656) - chore(deps): bump [@types/node](https://redirect.github.com/types/node) from 20.19.11 to 20.19.13 in the npm group by [@dependabot](https://redirect.github.com/dependabot)\[bot] in [#655](https://redirect.github.com/softprops/action-gh-release/pull/655) - chore(deps): bump vite from 7.0.0 to 7.1.5 by [@dependabot](https://redirect.github.com/dependabot)\[bot] in [#657](https://redirect.github.com/softprops/action-gh-release/pull/657) - chore(deps): bump the npm group across 1 directory with 2 updates by [@dependabot](https://redirect.github.com/dependabot)\[bot] in [#662](https://redirect.github.com/softprops/action-gh-release/pull/662) - chore(deps): bump the npm group with 3 updates by [@dependabot](https://redirect.github.com/dependabot)\[bot] in [#666](https://redirect.github.com/softprops/action-gh-release/pull/666) **Full Changelog**: <softprops/action-gh-release@v2...v2.3.4> ### [`v2.3.3`](https://redirect.github.com/softprops/action-gh-release/releases/tag/v2.3.3) [Compare Source](https://redirect.github.com/softprops/action-gh-release/compare/v2.3.2...v2.3.3)  #### What's Changed ##### Exciting New Features 🎉 - feat: add input option `overwrite_files` by [@asfernandes](https://redirect.github.com/asfernandes) in [#343](https://redirect.github.com/softprops/action-gh-release/pull/343) ##### Other Changes 🔄 - dependency updates #### New Contributors - [@asfernandes](https://redirect.github.com/asfernandes) made their first contribution in [#343](https://redirect.github.com/softprops/action-gh-release/pull/343) **Full Changelog**: <softprops/action-gh-release@v2...v2.3.3> ### [`v2.3.2`](https://redirect.github.com/softprops/action-gh-release/releases/tag/v2.3.2) [Compare Source](https://redirect.github.com/softprops/action-gh-release/compare/v2.3.1...v2.3.2) - fix: revert fs `readableWebStream` change ### [`v2.3.1`](https://redirect.github.com/softprops/action-gh-release/releases/tag/v2.3.1) [Compare Source](https://redirect.github.com/softprops/action-gh-release/compare/v2.3.0...v2.3.1)  #### What's Changed ##### Bug fixes 🐛 - fix: fix file closing issue by [@WailGree](https://redirect.github.com/WailGree) in [#629](https://redirect.github.com/softprops/action-gh-release/pull/629) #### New Contributors - [@WailGree](https://redirect.github.com/WailGree) made their first contribution in [#629](https://redirect.github.com/softprops/action-gh-release/pull/629) **Full Changelog**: <softprops/action-gh-release@v2.3.0...v2.3.1> ### [`v2.3.0`](https://redirect.github.com/softprops/action-gh-release/releases/tag/v2.3.0) [Compare Source](https://redirect.github.com/softprops/action-gh-release/compare/v2.2.2...v2.3.0)  - Migrate from jest to vitest - Replace `mime` with `mime-types` - Bump to use node 24 - Dependency updates **Full Changelog**: <softprops/action-gh-release@v2.2.2...v2.3.0> </details> --- ### Configuration 📅 **Schedule**: (UTC) - Branch creation - At any time (no schedule defined) - Automerge - At any time (no schedule defined) 🚦 **Automerge**: Disabled by config. Please merge this manually once you are satisfied. ♻ **Rebasing**: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox. 🔕 **Ignore**: Close this PR and you won't be reminded about this update again. --- - [ ] If you want to rebase/retry this PR, check this box --- This PR has been generated by [Renovate Bot](https://redirect.github.com/renovatebot/renovate).  Co-authored-by: dreadnode-renovate-bot[bot] <184170622+dreadnode-renovate-bot[bot]@users.noreply.github.com>

l50 merged commit 82f0fec into feat/more-attack-cov May 14, 2026
12 checks passed

l50 deleted the feat/dreadgoad-trust-partner-sid branch May 14, 2026 02:12

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

feat: capture trust partner SID from trust enum to unblock child→parent forge#311

feat: capture trust partner SID from trust enum to unblock child→parent forge#311
l50 merged 1 commit into
feat/more-attack-covfrom
feat/dreadgoad-trust-partner-sid

l50 commented May 13, 2026 •

edited

Loading

Uh oh!

codecov Bot commented May 13, 2026

Uh oh!

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

1 participant

Conversation

l50 commented May 13, 2026 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Uh oh!

codecov Bot commented May 13, 2026

Codecov Report

Uh oh!

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

1 participant

l50 commented May 13, 2026 •

edited

Loading