refactor: implement ttl-based assist-abandon dedup and improve credential relay logic#318
Merged
…phase

**Added:**
- Introduced `build_certipy_auth_args` function to construct certipy_auth argument JSON, ensuring consistent keying and preventing silent failures in relay chain phase 2
- Added unit tests for `build_certipy_auth_args` to validate key requirements, optional field omission, and regression against previous keying issues

**Changed:**
- Replaced inline construction of certipy_auth arguments in `dispatch_relay_coerce_chain` with the new `build_certipy_auth_args` function for improved maintainability and test coverage

**Removed:**
- Eliminated legacy use of the `"pfx"` key in certipy_auth argument construction, enforcing use of `"pfx_path"` as required by downstream tools
…realm resolution

**Added:**
- Introduced `resolve_relayed_account_realm` to determine the correct realm and KDC IP for relayed accounts in cross-forest ADCS exploitation, ensuring certipy_auth targets the appropriate domain and avoids authentication errors
- Added in-memory TTL-based tracking for assist-abandoned task patterns via `assist_abandoned_at` in `StateInner`, enabling expired patterns to be retried after a configurable window (`ASSIST_ABANDONED_TTL_SECS`)
- Added comprehensive unit tests for both assist-abandoned TTL behavior and relay realm resolution logic

**Changed:**
- Updated certipy_auth dispatch to use the resolved realm and KDC IP, supporting cross-forest scenarios and preventing unnecessary authentication failures
- Reworked assist-abandon deduplication to use TTL-based in-memory tracking instead of the generic dedup set, allowing patterns to expire and be retried when state changes
- Modified dispatcher logic to check and mark assist-abandoned patterns using the new TTL approach, including relevant logging and comments
- Adjusted documentation to reflect the move away from the static dedup set for assist-abandon tracking

**Removed:**
- Removed `DEDUP_ASSIST_ABANDONED` from the dedup set list and related logic, as assist-abandon deduplication is now handled with per-pattern TTLs in state
**Codecov Report** ❌ Patch coverage is

Additional details and impacted files

```
@@ Coverage Diff @@
##             main     #318      +/-   ##
==========================================
+ Coverage   78.76%   78.81%   +0.04%
==========================================
  Files         439      439
  Lines      124213   124461     +248
==========================================
+ Hits        97840    98091     +251
+ Misses      26373    26370       -3
```
**Added:**
- Introduced `assist_abandoned_at` timestamped HashMap in `StateInner` to track assist-abandoned patterns with a 10-minute TTL
- Implemented `mark_assist_abandoned`, `mark_assist_abandoned_at`, `is_assist_abandoned`, and `is_assist_abandoned_at` methods on `StateInner` for marking and checking assist-abandoned status
- Added comprehensive unit tests for TTL-based assist-abandoned logic in `state/inner.rs`
- Added `resolve_relayed_account_realm` function to correctly select realm/KDC for relayed accounts, with extensive tests in `adcs_exploitation.rs`

**Changed:**
- Updated dispatch logic to use TTL-based assist-abandon tracking instead of permanent dedup set in `dispatcher/submission.rs`
- Modified documentation and comments to reflect the new assist-abandon mechanism and removed references to phase-based dedup logic
- Refactored credential, host, and event publishing to remove phase-specific comments and clarify operation
- Enhanced relay/coerce automation to resolve relayed account realm/KDC dynamically, ensuring correct authentication across cross-forest boundaries in `adcs_exploitation.rs`
- Updated `auto_certipy_auth` to route certipy_auth tasks to the correct toolset, preventing wasted LLM cycles on unavailable tools

**Removed:**
- Eliminated the `DEDUP_ASSIST_ABANDONED` constant and its use in dedup set lists and related documentation
- Removed phase-specific and dual-write migration comments throughout orchestrator modules for clarity and current relevance
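As an added illustration (not the project's code) of the TTL-based assist-abandon tracking the commit messages describe: a `StateInner` carrying an `assist_abandoned_at` map keyed by pattern, with the four marking/checking methods named above, and a dispatcher-side check that lets an expired pattern be retried. Only the type, field, constant and method names come from the page; the 600-second value, the method signatures (the `is_*` methods take `&mut self` so they can evict expired entries on read), the `tracked_patterns` helper and `should_dispatch` are assumptions made for this example.

```rust
use std::collections::HashMap;
use std::time::{Duration, Instant};

/// TTL window for assist-abandoned patterns. The constant name is from the
/// page; the 10-minute value is taken from the commit message and the
/// representation in seconds is an assumption.
pub const ASSIST_ABANDONED_TTL_SECS: u64 = 600;

/// Illustrative stand-in for the orchestrator's `StateInner`: only the
/// assist-abandon bookkeeping is modelled here.
#[derive(Default)]
pub struct StateInner {
    /// pattern -> instant at which it was last marked abandoned
    assist_abandoned_at: HashMap<String, Instant>,
}

impl StateInner {
    pub fn new() -> Self {
        Self::default()
    }

    /// Mark `pattern` abandoned as of `now`, overwriting any older mark so the
    /// TTL window restarts from the most recent abandonment.
    pub fn mark_assist_abandoned_at(&mut self, pattern: &str, now: Instant) {
        self.assist_abandoned_at.insert(pattern.to_string(), now);
    }

    pub fn mark_assist_abandoned(&mut self, pattern: &str) {
        self.mark_assist_abandoned_at(pattern, Instant::now());
    }

    /// True if `pattern` was marked within the TTL window relative to `now`.
    /// An expired entry is removed on read, so a stale mark no longer
    /// suppresses retries and the map cannot grow without bound.
    pub fn is_assist_abandoned_at(&mut self, pattern: &str, now: Instant) -> bool {
        let ttl = Duration::from_secs(ASSIST_ABANDONED_TTL_SECS);
        match self.assist_abandoned_at.get(pattern) {
            Some(&marked) if now.saturating_duration_since(marked) < ttl => true,
            Some(_) => {
                self.assist_abandoned_at.remove(pattern);
                false
            }
            None => false,
        }
    }

    pub fn is_assist_abandoned(&mut self, pattern: &str) -> bool {
        self.is_assist_abandoned_at(pattern, Instant::now())
    }

    /// Number of patterns currently tracked (live or not yet evicted).
    pub fn tracked_patterns(&self) -> usize {
        self.assist_abandoned_at.len()
    }
}

/// Hypothetical dispatcher-side gate: a task whose pattern was abandoned
/// within the TTL is deduplicated (returns false); otherwise it may run.
pub fn should_dispatch(state: &mut StateInner, pattern: &str, now: Instant) -> bool {
    !state.is_assist_abandoned_at(pattern, now)
}

fn main() {
    let mut state = StateInner::new();
    let t0 = Instant::now();
    // Constructed sample pattern key; the real key format is not shown on the page.
    let pattern = "relay-coerce:example-host";
    state.mark_assist_abandoned_at(pattern, t0);
    let inside = should_dispatch(&mut state, pattern, t0 + Duration::from_secs(60));
    let after = should_dispatch(
        &mut state,
        pattern,
        t0 + Duration::from_secs(ASSIST_ABANDONED_TTL_SECS + 1),
    );
    println!("dispatch within TTL: {inside}, dispatch after TTL: {after}");
}
```

Passing an explicit `Instant` to the `_at` variants is what makes the expiry behaviour unit-testable without sleeping; the convenience wrappers without `_at` just supply `Instant::now()`.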
Key Changes:

Added:
- `StateInner`, with helpers for marking and checking abandonment
- `build_certipy_auth_args` and `resolve_relayed_account_realm` functions to correctly construct relay arguments and resolve relayed account home domains/KDCs, including tests for all edge cases
- `report_hash_value` function, ensuring NTLM hashes are correctly normalized for report output

Changed:
- `certipy_auth` automation now consistently routes to the `privesc` toolset, fixing silent failures from toolset mismatch
- `DEDUP_ASSIST_ABANDONED` from global dedup sets; assist-abandon logic is now managed in-memory with TTL, not persisted in Redis

Removed:
- `assist_abandoned` dedup set and all related persistence and references