
feat: add comprehensive automation modules for AD and Windows exploitation#233

Open
l50 wants to merge 19 commits into main from feat/more-attack-cov

Conversation

l50 (Contributor) commented Apr 23, 2026

Key Changes:

  • Introduced 33 new automation modules for AD exploitation, lateral movement,
    coercion, and enumeration in ares-cli
  • Integrated all new modules into the automation spawner and deduplication system
  • Updated the strategy engine to tier and prioritize new techniques in all modes
  • Improved GOAD checklist and fixed worker tool environment for noPac

Added:

  • 33 automation modules for advanced exploitation and recon:
    • Exploitation: nopac (CVE-2021-42287/42278), zerologon, print_nightmare,
      krbrelayup, certifried (CVE-2022-26923), dacl_abuse
    • Relay & Coercion: ntlm_relay, share_coercion, mssql_coercion,
      dfs_coercion, petitpotam_unauth, searchconnector_coercion
    • Enumeration & Recon: password_policy, gpp_sysvol, ntlmv1_downgrade,
      ldap_signing, webdav_detection, spooler_check, machine_account_quota,
      group_enumeration, localuser_spray, sid_enumeration, dns_enum,
      domain_user_enum, foreign_group_enum, smb_signing, smbclient_enum
    • Lateral movement: winrm_lateral, rdp_lateral, pth_spray, lsassy_dump
    • Credential: certipy_auth
  • Rust orchestration glue for all new modules: registration, dedup keys, and
    public exports in automation/mod.rs and dedup constants in state/mod.rs
  • Automated integration tests and dedup key format checks for each module
  • Worker tool enhancement: ensured setuptools is installed in noPac venv
    for pkg_resources import

Changed:

  • Automation spawner (automation_spawner.rs): registered all new modules to be
    spawned and monitored automatically
  • Deduplication system (state/mod.rs, state/inner.rs): added dedup constants
    and test coverage for all new modules, ensuring idempotency and correct state
  • Strategy engine (strategy.rs):
    • Assigned priorities for all new techniques in fast, comprehensive, and
      stealth presets, introducing three-tier prioritization for comprehensive mode
    • Updated tests to enforce new tiering and coverage of all techniques
  • GOAD checklist (docs/goad-checklist.md): documented coverage, test
    observations, and module effects for each exploit, enumeration, and privilege
    escalation path

l50 added 10 commits April 22, 2026 22:21
)

**Key Changes:**

- Added extensive unit and integration tests across all modules in
ares-cli, ares-core, ares-llm, and ares-tools
- Improved test coverage for pure functions, builder APIs, input
validation, and end-to-end tool workflows
- Introduced mock executor for ares-tools to enable isolated tool
wrapper testing
- Enhanced test assertions to cover edge cases, deduplication, and error
handling

**Added:**

- Unit tests for config, deduplication, label normalization, user and
credential processing, and MITRE technique detection in ares-cli
- Direct tests for time window plumbing, builder logic, and detection
query composition in detection/techniques
- Test modules for orchestrator automation helpers, deduplication keys,
domain/host logic, and parent/child domain matching
- Test coverage for orchestrator state persistence, publishing,
milestones, and redis-backed dedup sets
- Tests for result processing, admin checks, parsing, timeline event
classification, and critical hash detection
- Mock Redis connection and in-memory state for ares-core, including
scan, pipeline, and set/hash/list operations
- End-to-end and unit tests for gap analysis, recommendations, ground
truth transformation, and scoring in ares-core eval modules
- Tests for telemetry propagation (traceparent injection/setting), state
readers/writers, and blue operations in ares-core
- Blue and red/blue correlation tests for technique matching, gap reason
analysis, and coverage calculation
- Default test features for blue team support in ares-core, ares-llm,
and ares-tools
- Unit and integration tests for tool registry logic, agent role
parsing, and blue tool capability assignment in ares-llm
- Test coverage for all tool wrapper functions in ares-tools, including
argument validation, command builder APIs, and output sanitization
- Tests for output parsers, including SMB, LDAP, BloodHound, delegation,
and credential spider logic

**Changed:**

- Refactored code to allow easier dependency injection for testability
(e.g., generic TaskQueueCore over connection type)
- Adjusted some test-only code paths to use #[cfg(test)] or
#[cfg(feature = "test-utils")]
- Improved test assertions to cover corner cases, deduplication,
ordering, and fallback logic
- Updated test data to use consistent sample IPs, domains, and hostnames
across modules
- Enhanced test performance by using in-memory or tempfile-backed stores
for persistence tests

**Removed:**

- Unused or dead test helper modules (e.g., resume_helper.rs in
orchestrator recovery)
- Redundant #[allow(dead_code)] attributes on enums and structs now
covered by tests
- Legacy or placeholder test code in favor of comprehensive,
behavior-driven test suites
…ults

**Added:**

- Included "Last validated" timestamp and summary at the top for tracking latest
  checklist validation status

**Changed:**

- Marked infrastructure, domain, host, trust, and service checks as completed
  with explanations for each item (e.g., enumeration, exploitation, null auth)
- Updated user enumeration and credential discovery status across all domains,
  specifying which credentials were obtained, hashes dumped, or exploits
  attempted
- Added automation results and enumeration status for group, ACL, and
  cross-domain membership checks, noting where automation did not enumerate
- Annotated ACL, credential discovery, and network attack sections with details
  on which vulnerabilities were detected, exploited, or not tested
- Updated Kerberos, ADCS, MSSQL, privilege escalation, and lateral movement
  sections to reflect actual automation and exploitation coverage, including
  cross-domain and forest escalation paths
- Revised summary tables to provide "checked/total/coverage" metrics per
  category, with notes on coverage and missing automation
- Added status explanations (e.g., "**credential obtained**", "**Admin Pwn3d**",
  "**secretsdump**") for clarity on what was automated versus pending/manual
- Provided explanations for items not tested or not applicable (e.g., Linux
  tooling, lack of automation, missing credentials)
- Updated scheduled tasks and coercion checks to reflect automation results

**Removed:**

- Omitted obsolete "Check Count/Status" summary table in favor of more granular
  "checked/total/coverage" format with notes for each category
…ogon exploits

**Added:**

- Automated detection and exploitation modules for:
    - noPac (CVE-2021-42287/42278): computer account manipulation to enable DCSync
    - PrintNightmare (CVE-2021-1675): Print Spooler DLL injection for SYSTEM access
    - NTLM relay: automatic orchestration of relay attacks (SMB->LDAP, ADCS ESC8)
    - Zerologon (CVE-2020-1472): Netlogon protocol check for DCs
- New deduplication set constants for each technique to prevent redundant dispatches
- New test coverage for deduplication keys and technique registration

**Changed:**

- Registered new automation tasks in the orchestrator automation module and spawner
- Integrated new deduplication sets into deduplication tracking and tests
- Added new techniques to all strategy weight presets (fast, comprehensive, stealth)
- Updated strategy tests to verify inclusion and correct prioritization of new techniques
- Updated GOAD checklist documentation to reflect dispatch and test status for added CVE exploits

**Added:**

- Introduced `auto_share_coercion` automation to drop coercion files (.scf, .url,
  .lnk) on writable shares for NTLMv2 hash capture; integrates with dispatcher
  and deduplication logic
- Added `auto_smb_signing_detection` automation to scan discovered hosts for SMB
  signing disabled and publish vulnerabilities for NTLM relay
- Registered both automation tasks in the automation spawner for concurrent
  execution
- Included test coverage for deduplication and vulnerability key generation in
  new modules

**Changed:**

- Exported `auto_share_coercion` and `auto_smb_signing_detection` from
  automation module for external use
- Updated attack strategy presets (fast, comprehensive, stealth) to include
  weights for `share_coercion` technique, ensuring prioritized dispatching
- Expanded the GOAD checklist documentation to reflect coverage and results for
  SMB signing and file-based coercion automation, increasing network poisoning &
  relay and user-level/coercion coverage statistics

**Removed:**

- Outdated checklist items and comments for coercion attacks that are now
  automated in `goad-checklist.md`
…, ldap signing, webdav

**Added:**

- Introduced `auto_mssql_coercion` to dispatch NTLM authentication coercion
  from MSSQL servers using xp_dirtree/xp_fileexist, enabling relay/cracking of
  service account hashes
- Added `auto_password_policy` to enumerate password policies per domain,
  supporting safer password spraying and lockout avoidance
- Added `auto_gpp_sysvol` for scanning SYSVOL for Group Policy Preferences
  passwords and credential artifacts, combining GPP XML and script searches
- Added `auto_ntlmv1_downgrade` to detect DCs allowing NTLMv1 authentication,
  enabling capture of easily crackable hashes via downgrade attacks
- Introduced `auto_ldap_signing` to check for LDAP signing/channel binding
  enforcement on each DC, identifying relay/NTLM vulnerabilities
- Added `auto_webdav_detection` to detect WebDAV-enabled hosts for NTLM relay
  and proactively register related vulnerabilities for downstream modules

**Changed:**

- Registered new deduplication sets in state for mssql coercion, password
  policy, gpp sysvol, ntlmv1 downgrade, ldap signing, and webdav detection
- Updated automation module exports and mod.rs to include all new automation
  tasks for orchestration
- Registered new automation spawns in `automation_spawner.rs` to ensure new
  modules are launched at runtime
- Expanded strategy module to assign priorities to new automation techniques
  across all strategy presets (fast, comprehensive, stealth)
- Synchronized deduplication set lists and tests to cover all new dedup sets
…ults

**Changed:**

- Updated "Last validated" timestamp and status summary to reflect latest run with
  reduced domains and dispatches
- Marked weak password policy in NORTH domain as validated via recon agent, with
  details on password/lockout policy enumeration
- Added results for NTLMv1 downgrade and LDAP signing enforcement checks, noting
  dispatched automation and outcomes for each DC
- Documented MSSQL NTLM coercion vector as tested, specifying dispatch of
  `auto_mssql_coercion` and targeted hosts
- Expanded writable share coercion section to include castelblack shares and
  enumerated all writable shares found
- Updated metrics in the summary table for Credential Discovery, Network Poisoning &
  Relay, and MSSQL to reflect newly validated and tested items, with increased
  completion percentages and updated descriptions of automated checks
…eral checks

**Added:**

- Automated detection and dispatch of Print Spooler service checks on discovered hosts
  (`auto_spooler_check`)
- Automated per-domain MachineAccountQuota (MAQ) checks to support machine account
  attack paths (`auto_machine_account_quota`)
- Automated DFSCoerce (MS-DFSNM) NTLM coercion dispatch against uncoerced DCs
  (`auto_dfs_coercion`)
- Automated unauthenticated PetitPotam (MS-EFSRPC) coercion attempts against DCs
  (`auto_petitpotam_unauth`)
- Automated WinRM lateral movement attempts using owned credentials against hosts
  with WinRM indicators (`auto_winrm_lateral`)
- Unit tests for deduplication key and set name for all new modules

**Changed:**

- Registered new deduplication set constants and integrated them with the dedup
  system (`DEDUP_SPOOLER_CHECK`, `DEDUP_MACHINE_ACCOUNT_QUOTA`,
  `DEDUP_DFS_COERCION`, `DEDUP_PETITPOTAM_UNAUTH`, `DEDUP_WINRM_LATERAL`)
- Updated automation task spawner to launch new automation modules
- Re-exported new automation functions in the automation module for unified API
- Added new techniques to the strategy module with appropriate priority weights
  for fast, comprehensive, and stealth modes
- Updated GOAD checklist documentation to reflect coverage and automation for
  Print Spooler, WinRM lateral, and WebDAV checks, and adjusted statistics for
  privilege escalation, lateral movement, and coercion coverage

**Removed:**

- No removals in this change
…coverage

**Added:**

- Automated certificate abuse: `auto_certifried` module for CVE-2022-26923 machine
  account DNS spoofing and `auto_certipy_auth` for certificate-based authentication
- DNS attack surface: `auto_dns_enum` module for zone transfer and SRV/A/CNAME record
  enumeration from DCs
- LDAP enumeration: `auto_domain_user_enum` for per-domain user enumeration,
  `auto_group_enumeration` for group memberships, and `auto_foreign_group_enum` for
  cross-domain/forest group memberships
- Privilege escalation & credential access: `auto_krbrelayup` for Kerberos relay attacks
  when LDAP signing is weak, `auto_lsassy_dump` for LSASS memory dump on owned hosts
- Lateral movement: `auto_rdp_lateral` for RDP lateral movement to port 3389 hosts,
  `auto_pth_spray` for pass-the-hash spray, and `auto_localuser_spray` for explicit
  localuser credential checks across DCs
- User coercion: `auto_searchconnector_coercion` for dropping .searchConnector-ms files
  on writable shares for WebDAV relay
- SID and well-known account mapping: `auto_sid_enumeration` to resolve domain SIDs and
  enumerate renamed administrator accounts
- Registered all new deduplication sets in orchestrator state and updated dedup
  tracking for each automation
- Comprehensive test coverage for dedup key formats and logic for all new modules

**Changed:**

- Expanded `mod.rs` to include all new automation modules in the orchestrator
- Updated `automation_spawner.rs` to spawn all new automation tasks
- Extended deduplication set arrays and ALL_DEDUP_SETS in orchestrator state to
  include new modules for dedup and persistence
- Updated strategy weights (fast, comprehensive, stealth) to assign priorities to
  new automation techniques, ensuring they're integrated into all operational modes
- Improved documentation checklist to reflect the addition and coverage of new
  automation modules, including credential discovery, lateral movement, coercion, and
  enumeration techniques

**Removed:**

- No removals; all changes extend automation coverage and infrastructure

**Added:**

- Implemented auto_dacl_abuse for direct ACL abuse on known attack paths, dispatching abuses such as ForceChangePassword, GenericWrite, WriteDacl, WriteOwner, and GenericAll when matching credentials and targets are found
- Introduced auto_smbclient_enum to perform authenticated SMB share enumeration using available credentials, complementing unauthenticated enumeration
- Unit tests for deduplication logic in both new modules

**Changed:**

- Registered auto_dacl_abuse and auto_smbclient_enum modules and their public exports in the automation orchestration layer
- Spawned new automation tasks for dacl abuse and smbclient enum in the automation task spawner
- Added deduplication constants and updated ALL_DEDUP_SETS for new automation tasks in state management
- Incorporated dacl_abuse and smbclient_enum into automation strategy weights for all presets (fast, comprehensive, stealth)
- Updated GOAD checklist to reflect new automation coverage, marking Certifried as dispatched and adjusting attack/coverage counts
…tool reliability

- Redesign comprehensive strategy weights to use a three-tiered system that
  prioritizes exploitation breadth over speed-to-DA, with Tier 1 for ADCS,
  delegation, NTLM relay; Tier 2 for credential pipeline; Tier 3 for recon
- Pass --always-continue to coercer and petitpotam to prevent EOF on interactive prompts
- Fix DFSCoerce to use positional args matching CLI expectations
- Add setuptools install to noPac venv in Ansible role (provides pkg_resources)
- Update tests to validate tiered weights instead of flat priorities
dreadnode-renovate-bot (bot) added the label area/docs (Changes made to project documentation) Apr 23, 2026
codecov (bot) commented Apr 23, 2026

Codecov Report

❌ Patch coverage is 85.01201% with 1997 lines in your changes missing coverage. Please review.
✅ Project coverage is 76.35%. Comparing base (8a7b1b8) to head (ef03f34).

| File | Patch % | Lines missing |
|---|---|---|
| ...li/src/orchestrator/automation/webdav_detection.rs | 81.07% | 95 |
| ...cli/src/orchestrator/result_processing/timeline.rs | 40.14% | 82 |
| ...i/src/orchestrator/automation/cross_forest_enum.rs | 86.40% | 76 |
| ares-cli/src/orchestrator/automation/ntlm_relay.rs | 89.61% | 64 |
| ...i/src/orchestrator/automation/group_enumeration.rs | 80.62% | 56 |
| ...s-cli/src/orchestrator/automation/acl_discovery.rs | 89.25% | 52 |
| ...li/src/orchestrator/automation/domain_user_enum.rs | 83.75% | 52 |
| ...cli/src/orchestrator/automation/print_nightmare.rs | 82.49% | 52 |
| ares-cli/src/orchestrator/automation/pth_spray.rs | 91.03% | 51 |
| ...rchestrator/automation/searchconnector_coercion.rs | 85.67% | 51 |

... and 37 more
Additional details and impacted files
@@            Coverage Diff             @@
##             main     #233      +/-   ##
==========================================
+ Coverage   74.85%   76.35%   +1.50%     
==========================================
  Files         383      418      +35     
  Lines       80146    93378   +13232     
==========================================
+ Hits        59991    71300   +11309     
- Misses      20155    22078    +1923     


l50 added 2 commits April 22, 2026 22:47
…verage

**Added:**

- Introduced `acl_discovery` automation module for discovering ACL attack paths
  via targeted LDAP queries, bridging the gap between BloodHound collection and
  DACL exploitation. Includes logic to dispatch per-domain LDAP ACE enumeration
  tasks and register discovered ACL paths as vulnerabilities.
- Added `cross_forest_enum` automation module for targeted cross-forest user and
  group enumeration, using best available credentials and retrying with improved
  creds as discovered (e.g., via hash cracking or pivots).
- Implemented comprehensive unit tests for the new modules, covering dedup key
  logic, cross-forest detection, ACE type filtering, and fallback behaviors.
- Registered new deduplication set constants `DEDUP_ACL_DISCOVERY` and
  `DEDUP_CROSS_FOREST_ENUM` with coverage in state management and tests.
- Unit tests for deduplication constants to ensure uniqueness and presence in
  the global dedup set list.

**Changed:**

- Refined `auto_adcs_enumeration` to select credentials on a per-domain basis,
  ensuring proper handling of cross-domain ADCS hosts.
- Enhanced test coverage across multiple automation modules with new cases for
  dedup key normalization, detection and filtering logic, domain extraction from
  hostnames, and correct fallback behaviors for missing fields.
- Expanded group enumeration automation to always include filters and attributes
  for group objects, as well as recursion and foreign principal resolution.
- Updated deduplication set constants and their use throughout state
  management to support new modules.
- Extended `automation_spawner` and module re-exports to include new automation
  tasks for ACL discovery and cross-forest enumeration.
- Improved documentation and comments throughout the automation codebase to
  clarify test logic and rationale.

**Removed:**

- Eliminated fallback logic in `auto_adcs_enumeration` that previously selected
  a single credential for all ADCS hosts, in favor of per-domain selection.

**Added:**

- Introduced detailed unit tests for automation modules in the following areas:
  - Validated payload JSON structure and fields for each attack technique
  - Verified struct construction and field assignments for all work types
  - Checked deduplication key normalization and uniqueness logic per context
  - Asserted credential domain/user matching (including case-insensitivity)
  - Ensured service detection logic for SMB, RDP, WinRM, WebDAV, and others
  - Added coverage for selection/fallback logic in credential and user queries
  - Tested edge cases (e.g., empty domains, dedup keys, fallback fields, limits)
  - Confirmed correct logic for admin/writable share filtering and permission checks
  - Verified protocol and attribute lists for LDAP and other enumeration modules

**Changed:**

- Significantly increased unit test coverage across all orchestrator/automation modules
- Strengthened assertions to ensure correct business logic for all main workflows
- Unified style and approach to test construction and assertions for consistency

**Removed:**

- No code or test removals; all changes are additive to improve test coverage and reliability
dreadnode-renovate-bot (bot) added the label area/pre-commit (Changes made to pre-commit hooks) Apr 23, 2026
l50 added 5 commits April 23, 2026 09:30
**Changed:**

- Removed all section marker banners and block comment dividers such as
  `// ---------------------------------------------------------------------------`
  and similar, from Rust source files across the codebase
- Eliminated in-source commentary lines that served only as visual section breaks
  or for grouping, improving code readability and reducing visual clutter
- Maintained all functional comments and documentation, only removing non-functional
  separator lines and banners

**Added:**

- Introduced pure functions (e.g., `collect_acl_discovery_work`, `collect_adcs_work`,
  `collect_certifried_work`, etc.) for each automation module to encapsulate work
  item construction logic, enabling unit testing without dispatcher or async runtime
- Added comprehensive unit tests for each new work collection function, validating
  all edge cases and credential selection logic

**Changed:**

- Refactored automation modules to delegate work item construction to the new pure
  `collect_*_work` functions, reducing code duplication and improving testability
- Updated per-automation test modules to cover both original and new work collection
  logic, improving test coverage
- Made `StateInner::new` public within the crate to enable state construction in
  tests and work functions
- Ensured that all deduplication, credential selection, and domain matching logic
  is now unit-testable and consistent across modules

**Removed:**

- Removed large inline work item construction blocks from async automation routines,
  replacing them with calls to the new pure logic functions
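
Editor's added example (not code from this PR or from the ares repository): the commit above and the PR description at the top both describe pure `collect_*_work` functions and per-technique `DEDUP_*` sets whose keys are normalized so a repeated discovery does not re-dispatch the same technique. The Rust below sketches that pattern end to end, in the project's language. `StateSnapshot`, `Host`, `Cred`, `WorkItem`, `DedupSet`, `collect_winrm_lateral_work` and the set-name value are assumptions rather than the project's types, the sample hosts and credentials are constructed, and the in-memory set stands in for the Redis-backed set the commit messages mention.

```rust
use std::collections::HashSet;

/// Dedup set name for one technique (assumed value; the project's real
/// `DEDUP_*` constants are not shown on this page).
pub const DEDUP_WINRM_LATERAL: &str = "dedup:winrm_lateral";

/// Credential the orchestrator already holds (constructed type; secret omitted).
#[derive(Debug, Clone)]
pub struct Cred { pub domain: String, pub user: String }

/// Discovered host and the ports seen open on it (constructed type).
#[derive(Debug, Clone)]
pub struct Host { pub fqdn: String, pub domain: String, pub open_ports: Vec<u16> }

/// Read-only state handed to a collector (assumed shape).
pub struct StateSnapshot { pub hosts: Vec<Host>, pub creds: Vec<Cred> }

/// One unit of dispatcher work; `dedup_key` decides idempotency.
#[derive(Debug, Clone, PartialEq, Eq)]
pub struct WorkItem { pub dedup_key: String, pub target: String, pub domain: String, pub user: String }

/// Normalized key: trimmed and lower-cased, so a host seen as both
/// "WINTERFELL.NORTH..." and "winterfell.north..." dispatches once. The
/// technique name is part of the key so a different module may still act
/// on the same host/credential pair.
pub fn dedup_key(technique: &str, target: &str, domain: &str, user: &str) -> String {
    format!(
        "{}:{}:{}\\{}",
        technique,
        target.trim().to_ascii_lowercase(),
        domain.trim().to_ascii_lowercase(),
        user.trim().to_ascii_lowercase()
    )
}

/// Pure `collect_*_work` style function: no dispatcher, no async runtime,
/// so it is unit-testable. Pairs each host with WinRM (5985) open with
/// every credential from that host's own domain, case-insensitively.
pub fn collect_winrm_lateral_work(state: &StateSnapshot) -> Vec<WorkItem> {
    let mut items = Vec::new();
    for host in state.hosts.iter().filter(|h| h.open_ports.contains(&5985)) {
        for cred in state.creds.iter().filter(|c| c.domain.eq_ignore_ascii_case(&host.domain)) {
            items.push(WorkItem {
                dedup_key: dedup_key("winrm_lateral", &host.fqdn, &cred.domain, &cred.user),
                target: host.fqdn.clone(),
                domain: cred.domain.clone(),
                user: cred.user.clone(),
            });
        }
    }
    items
}

/// In-memory stand-in for the Redis-backed dedup set (assumed).
pub struct DedupSet {
    pub name: &'static str,
    seen: HashSet<String>,
}

impl DedupSet {
    pub fn new(name: &'static str) -> Self {
        Self { name, seen: HashSet::new() }
    }
    /// SADD semantics: true only the first time a key is claimed.
    pub fn try_claim(&mut self, key: &str) -> bool {
        self.seen.insert(key.to_string())
    }
}

/// Dispatch only unclaimed items and return what was actually sent, so a
/// caller or test can assert that a second pass sends nothing.
pub fn dispatch(set: &mut DedupSet, items: &[WorkItem]) -> Vec<WorkItem> {
    items.iter().filter(|w| set.try_claim(&w.dedup_key)).cloned().collect()
}

/// Constructed sample: the same DC reported twice with different casing.
pub fn sample_state() -> StateSnapshot {
    let h = |fqdn: &str, domain: &str, ports: &[u16]| Host {
        fqdn: fqdn.into(), domain: domain.into(), open_ports: ports.to_vec(),
    };
    StateSnapshot {
        hosts: vec![
            h("winterfell.north.sevenkingdoms.local", "north.sevenkingdoms.local", &[445, 5985]),
            h("WINTERFELL.NORTH.SEVENKINGDOMS.LOCAL", "NORTH.SEVENKINGDOMS.LOCAL", &[5985]),
            h("castelblack.north.sevenkingdoms.local", "north.sevenkingdoms.local", &[445]),
        ],
        creds: vec![
            Cred { domain: "north.sevenkingdoms.local".into(), user: "jon.snow".into() },
            Cred { domain: "essos.local".into(), user: "daenerys".into() },
        ],
    }
}

fn main() {
    let work = collect_winrm_lateral_work(&sample_state());
    let mut set = DedupSet::new(DEDUP_WINRM_LATERAL);
    let first = dispatch(&mut set, &work);
    let second = dispatch(&mut set, &work);
    println!("{} collected, {} dispatched, {} on retry", work.len(), first.len(), second.len());
}
```

The second `dispatch` pass returns nothing because every key was claimed on the first pass; that is the idempotency the dedup tests in this PR are checking for. When the set really lives in Redis, the claim has to be a single SADD (or SET NX) rather than a read followed by a write, otherwise two workers racing on the same key can both "win" and the technique is dispatched twice.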
…overy improvements

**Added:**

- Implement cross-domain LDAP operation support by adding `bind_domain` logic to
  orchestrator and tool payloads
- Introduce `smb_login_check` tool for checking SMB credential validity and admin
  status; add orchestration, parsing, and dispatch support
- Add `DeferredQueue::total_count()` method for deferred task monitoring
- Emit timeline event when golden ticket is forged for attack path tracking
- Wait for active and deferred red team tasks to drain before shutdown, with a
  5-minute cap

**Changed:**

- Update LDAP-using orchestrator modules (`acl_discovery`, `domain_user_enum`,
  `group_enumeration`, `ldap_signing`) to support cross-domain operations by
  conditionally adding `bind_domain` to payload
- Expand user discovery logic to accept and process new trusted sources:
  `ldap_group_enumeration`, `acl_discovery`, `foreign_group_enumeration`,
  `ldap_enumeration` in both parsing and polling
- Enhance group and ACL enumeration instructions to clarify required
  `discovered_users` output format for all users found, including cross-domain
  memberships
- Add `smb_login_check` to tool routing as a recon and auth-bearing tool
- Add weight entries for `cross_forest_enum` and `acl_discovery` in all strategy
  presets, with associated tests
- Clarify `ldap_search` and `ldap_search_descriptions` docs and logic to support
  `bind_domain` for correct authentication context
- Set HOME env for xfreerdp execution to avoid user profile issues

**Removed:**

- Remove `--admin-status` flag from `domain_admin_checker` since netexec reports
  admin automatically
- Remove unnecessary test attribute guard from `ActiveTaskTracker::total()` for
  production use
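
Editor's added example (not part of this PR): the commit above drops `--admin-status` because netexec already marks admin access on its own result line, and the checklist commits earlier on this page record that state as "Admin Pwn3d". The Rust parser below classifies netexec SMB login lines into admin, valid and failed, and discards the secret before anything is stored. The column layout follows netexec's `PROTO IP PORT HOST [marker] domain\user:secret ...` output format, but the sample lines are constructed for the example, and the project's real `smb_login_check` parser is not shown on this page.

```rust
/// Outcome of one SMB login attempt as reported by netexec.
#[derive(Debug, Clone, PartialEq, Eq)]
pub enum LoginStatus {
    /// `[+]` line ending in `(Pwn3d!)`: valid credentials with local admin.
    Admin,
    /// `[+]` line without `(Pwn3d!)`: valid credentials, no admin.
    Valid,
    /// `[-]` line; carries the NT status netexec printed, if any.
    Failed(String),
}

#[derive(Debug, Clone, PartialEq, Eq)]
pub struct LoginResult {
    pub ip: String,
    pub host: String,
    pub domain: String,
    pub user: String,
    pub status: LoginStatus,
}

/// Parse one netexec SMB output line. Banner/info lines (`[*]`) and lines
/// without a `domain\user:secret` principal yield None. The secret is
/// dropped on purpose so results are safe to log.
pub fn parse_smb_login_line(line: &str) -> Option<LoginResult> {
    let mut f = line.split_whitespace();
    if f.next()? != "SMB" {
        return None;
    }
    let ip = f.next()?.to_string();
    let _port = f.next()?;
    let host = f.next()?.to_string();
    let marker = f.next()?;
    let principal = f.next()?;
    let (domain, user_and_secret) = principal.split_once('\\')?;
    let user = user_and_secret.split(':').next()?;
    let tail: Vec<&str> = f.collect();
    let status = match marker {
        "[+]" if tail.iter().any(|t| *t == "(Pwn3d!)") => LoginStatus::Admin,
        "[+]" => LoginStatus::Valid,
        "[-]" => LoginStatus::Failed(tail.first().map(|s| s.to_string()).unwrap_or_default()),
        _ => return None,
    };
    Some(LoginResult {
        ip,
        host,
        domain: domain.to_string(),
        user: user.to_string(),
        status,
    })
}

/// Parse a whole netexec run, skipping lines that are not login results.
pub fn parse_output(output: &str) -> Vec<LoginResult> {
    output.lines().filter_map(parse_smb_login_line).collect()
}

/// Hosts where some credential gave admin: the state the checklist records.
pub fn admin_hosts(results: &[LoginResult]) -> Vec<String> {
    let mut hosts: Vec<String> = results
        .iter()
        .filter(|r| r.status == LoginStatus::Admin)
        .map(|r| r.host.clone())
        .collect();
    hosts.sort();
    hosts.dedup();
    hosts
}

/// Constructed sample mimicking netexec's column layout; not real tool output.
pub const SAMPLE_OUTPUT: &str = r"SMB  192.168.56.11  445  WINTERFELL   [*] Windows 10 / Server 2019 Build 17763 x64 (name:WINTERFELL) (domain:north.sevenkingdoms.local) (signing:True) (SMBv1:False)
SMB  192.168.56.11  445  WINTERFELL   [+] north.sevenkingdoms.local\jon.snow:REDACTED (Pwn3d!)
SMB  192.168.56.22  445  CASTELBLACK  [+] north.sevenkingdoms.local\jon.snow:REDACTED
SMB  192.168.56.22  445  CASTELBLACK  [-] north.sevenkingdoms.local\hodor:REDACTED STATUS_LOGON_FAILURE";

fn main() {
    let results = parse_output(SAMPLE_OUTPUT);
    for r in &results {
        println!("{:?}", r);
    }
    println!("admin on: {:?}", admin_hosts(&results));
}
```

Caveat: the parser splits on whitespace, so a password containing a space shifts the status column; when credentials are passed as NT hashes, as the pass-the-hash modules in this PR do, the principal token never contains whitespace and the problem does not arise.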

**Added:**

- Emit timeline events for admin upgrades, exploitation, lateral movement (S4U),
  and domain admin achievement with MITRE technique mapping
- Add defense-in-depth sanitation for span target IPs/FQDNs, rejecting CIDRs,
  multi-value strings, and malformed input at both span builder and extraction
- Unit tests for target info extraction: CIDR/multi-token rejection, nmap arg
  parsing, coverage of new edge cases
- Timeline event for DA auto-set from krbtgt hash in state publishing

**Changed:**

- Improved discovery observability: for "hosts" discoveries, emit a span per
  discovered host for accurate destination.address attribution
- Enhanced cross-forest and group enumeration instructions for LLM agents,
  specifying strict JSON schema for discovered users and explicit vuln reporting
- Certipy instructions for ADCS recon updated with explicit vulnerable template
  reporting, including guidance for mapping ESC types and failure fallback
- Timeline events now include richer MITRE ATT&CK mappings based on exploitation
  technique, such as Kerberoasting, RBCD, ADCS ESCs, etc.
- All user enumeration in essos.local marked as complete in goad-checklist.md
- Unconstrained delegation and MSSQL exploitation status updated for clarity in
  goad-checklist.md
- Coverage table in goad-checklist.md updated: user enumeration, group parsing,
  ADCS enumeration, lateral movement, and trust exploitation status refreshed

**Removed:**

- Redundant or duplicate timeline event emission for DA achievement in favor of
  unified event creation with full context and MITRE mapping
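
Editor's added example (not the project's code): the commit above describes rejecting CIDRs, multi-value strings and malformed input for span target IPs/FQDNs, with tests that also cover nmap argument parsing. The Rust below is one way to implement that check: a single target is either a parseable IP or an RFC 1123 hostname, anything else is an error with a reason, and `target_from_nmap_args` pulls the one positional target out of an nmap-style argv. The `TargetKind` and `TargetError` names and the list of value-taking nmap options are assumptions.

```rust
use std::net::IpAddr;

#[derive(Debug, PartialEq, Eq)]
pub enum TargetKind {
    Ip(IpAddr),
    Fqdn(String),
}

#[derive(Debug, PartialEq, Eq)]
pub enum TargetError {
    Empty,
    MultiValue,
    Cidr,
    Malformed,
}

/// One RFC 1123 hostname label: 1..=63 chars of [A-Za-z0-9-], no leading or trailing '-'.
fn label_ok(l: &str) -> bool {
    !l.is_empty()
        && l.len() <= 63
        && !l.starts_with('-')
        && !l.ends_with('-')
        && l.chars().all(|c| c.is_ascii_alphanumeric() || c == '-')
}

/// Accept exactly one IP address or one hostname for `destination.address`.
/// Anything that could smuggle a range or a second target is rejected.
pub fn sanitize_target(raw: &str) -> Result<TargetKind, TargetError> {
    let s = raw.trim();
    if s.is_empty() {
        return Err(TargetError::Empty);
    }
    // Multi-value first: "dc1 dc2", "a,b", "a;b" must never be attributed to one host.
    if s.chars().any(|c| c.is_whitespace() || c == ',' || c == ';') {
        return Err(TargetError::MultiValue);
    }
    if s.contains('/') {
        return Err(TargetError::Cidr);
    }
    if let Ok(ip) = s.parse::<IpAddr>() {
        return Ok(TargetKind::Ip(ip));
    }
    let name = s.trim_end_matches('.');
    if name.is_empty() || name.len() > 253 {
        return Err(TargetError::Malformed);
    }
    let labels: Vec<&str> = name.split('.').collect();
    if !labels.iter().all(|l| label_ok(l)) {
        return Err(TargetError::Malformed);
    }
    // All-numeric labels ("999.1.1.1") are a broken IP, not a hostname.
    if labels.iter().all(|l| l.chars().all(|c| c.is_ascii_digit())) {
        return Err(TargetError::Malformed);
    }
    Ok(TargetKind::Fqdn(name.to_ascii_lowercase()))
}

/// nmap options that consume the following argv token (assumed subset).
const VALUE_OPTS: &[&str] = &[
    "-p", "-oN", "-oX", "-oG", "-oA", "-iL", "-e", "-S",
    "--script", "--script-args", "--min-rate", "--max-rate",
];

/// Pull the single target out of nmap-style argv: options and their values
/// are skipped, and more than one positional token is a multi-value error.
pub fn target_from_nmap_args(args: &[&str]) -> Result<TargetKind, TargetError> {
    let mut positional = Vec::new();
    let mut skip_next = false;
    for a in args {
        if skip_next {
            skip_next = false;
            continue;
        }
        if a.starts_with('-') {
            skip_next = VALUE_OPTS.contains(a);
            continue;
        }
        positional.push(*a);
    }
    match positional.as_slice() {
        [] => Err(TargetError::Empty),
        [one] => sanitize_target(one),
        _ => Err(TargetError::MultiValue),
    }
}

fn main() {
    for raw in ["192.168.56.11", "192.168.56.0/24", "dc1 dc2", "Winterfell.North.Sevenkingdoms.Local", "-bad.host"] {
        println!("{raw:?} -> {:?}", sanitize_target(raw));
    }
    println!("{:?}", target_from_nmap_args(&["-sV", "-p", "445,5985", "192.168.56.11"]));
}
```

Order matters: the multi-value check runs before the CIDR and IP checks so `10.0.0.0/8 10.1.0.0/16` is reported as two values rather than as a CIDR, and the all-numeric-labels check catches `999.1.1.1`, which fails IP parsing but would otherwise satisfy the hostname rules.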

**Changed:**

- Updated logic to check if event description already starts with 'CRITICAL:'
  before prepending the prefix, ensuring it is not added multiple times in
  `print_attack_path` function within the loot display formatter