2026 tradecraft gap closure: kernel LPE, Copilot, AiTM, supply chain #39
AndrewAltimit merged 18 commits into main, Apr 22, 2026
…detection artifacts Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
…time allowlist Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
…cape checks Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
…-cutting infra

WS-E1: AD CS ESC16 — CA-wide szOID_NTDS_CA_SECURITY_EXT omission exploit + detection
WS-E2: Kerberos RC4→AES migration post CVE-2026-20833 enforcement (14 Apr 2026 live)
WS-E4: Shadow Credentials 2026 hardening — Jan 2026 CUSTOMKEYINFO_FLAGS_MFA_NOT_USED
WS-N2: Silver SAML — secondary token-signing cert abuse + scanner gap analysis
WS-N4: Compliant Device / FOCI bypass — Authentication Broker CA bypass lab

Cross-cutting:
- containment.py: EXPLOIT_LAB_KERNEL/K8S/EBPF/MOBILE gates + mock-service assertions
- ci/: 5 new CI gates (kernel_lpe_harness, aitm_loopback, suspicious_pth, loldrivers_hash, rmm_license)
- tools/kernel-lpe/: README + safety_harness.py scaffold
- tools/supply-chain/, tools/phishing/: top-level READMEs
- CLAUDE.md: updated containment table + Index (Kernel LPE, Supply Chain, Phishing)
- docs/analysis/rc4-deprecation-2026.md: new timeline analysis
- docs/methodology/kerberos-lateral-movement.md: RC4 enforcement callouts

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
…vice-code 2026, kernel LPE (AFD/CLFS/I/O Ring), Shai-Hulud npm worm, LiteLLM PyPI .pth stealer

WS-L1/L2/L3: M365 Copilot EchoLeak (CVE-2025-32711) + ShareLeak (CVE-2026-21520) simulators, Salesforce Agentforce PipeLeak sim, payload_corpus updated with m365_copilot channel (59 payloads).
WS-N1/N3: SyncJacking ImmutableId takeover simulator, EvilTokens device-code 2026 PhaaS sim with broker-client-ID FOCI path, device-code-phishing-2026 methodology doc.
WS-K1/K2/K3: AFD.sys pool-grooming CVE class (CVE-2026-20810/-20831/-20860/-21241), CLFS buffer overflow (CVE-2025-60709), I/O Ring primitive (CVE-2025-21333), pool_fengshui and nt_structures reference docs, kernel LPE lab README, windows-kernel-lpe-2026 methodology.
WS-S1/S2: Shai-Hulud npm worm class simulator (postinstall harvest+propagate), LiteLLM TeamPCP .pth-file PyPI stealer simulator + runtime_detector defender tool, mock npm registry + mock PyPI servers (127.0.0.1 only).

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
…ix/FileFix/ConsentFix, GitHub Actions OIDC chain, BYOVD LOLDrivers integration

WS-M1: Tycoon2FA-class AiTM simulator with loopback mock-aitm-proxy (8100) + mock-m365-login (8101); Sneaky2FA BitB, Rockstar2FA, Evilginx3 documentation; defender controls (passkey mitigation, CA token protection); aitm-phishing-2026 methodology + aitm-kit-market-2026 analysis.
WS-M2: ClickFix sim HTML (clipboard-inject → Run dialog), FileFix sim HTML (Explorer address-bar primitive), ConsentFix sim Python (against mock-entra); delivery-chain-evolution 2023→2026 timeline; mock-browser-target service (127.0.0.1:8140).
WS-S3: GitHub Actions pull_request_target simulator against mock-github-actions (8120); full UNC6426 OIDC chain (mock-oidc 9300 → mock-imds 9200); self-hosted-runner persistence model; tj-actions-class supply-chain compromise analysis; ci-cd-attack-modeling methodology doc.
WS-B1: LOLDrivers sync (hash-only, no binaries); HVCI-bypass enumeration; capability-graph builder; 4 BYOVD CVEs (Lenovo HECI, ASRock Polychrome, Realtek HD Audio, Gigabyte GDrv3); termination-pattern simulator (kill-don't-evade, fully stubbed); byovd-2026-scale analysis; edr-silencing-via-policy updated with kill-don't-evade paradigm section.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
…MM persistence, LLM eval

WS-C1: HTTP/3 (QUIC) + DoQ C2 transports with loopback enforcement; aioquic integration with graceful stub fallback; profile fragments for EHR-blend and stealth modes; modern-c2-architecture methodology updated with HTTP/3 DPI bypass explanation.
WS-C2: Telegram Bot API C2 transport (mock 8130) + Teams Graph C2 transport (mock 8131); PhantomBackdoor (Cato CTRL) walkthrough; mock-telegram-bot + mock-teams-graph loopback services.
WS-K4: CVE-2025-33073 NTLM reflection LPE chain walkthrough + preconditions matrix.
WS-E3: RelayInformer-class EPA recon — epa_enum_https.py + epa_enum_mssql.py; EPA default matrix across Exchange/ADCS/LDAP/MSSQL/SharePoint.
WS-E5: SCCM TAKEOVER-5 Entra-integration chain (SpecterOps Nov 2025); CVE-2025-59501 patch gap; SCCM 2509 NTLM rejection behavior + Kerberos-only pivot paths.
WS-N5: Azure Arc CVE-2026-26117 — himds named pipe DACL flaw → local admin → tenant redirect.
WS-N6: PRT devtools extraction via mysignins.microsoft.com; WAM SSO flow analysis; UX defense analysis (red-border proposal vs. CDP bypass).
WS-L4: Anthropic Git MCP server CVE-2025-68143/68144/68145 — commit message injection, diff content injection, read_file path traversal; git_mcp_sim.py (loopback MCP server).
WS-L5: AgentDojo harness + PromptArmor adapter + MCPSec adapter + defense benchmark runner; covers instruction hierarchy trust, cosine similarity scoring, schema validation layers.
WS-K8: runc container breakout CVE-2025-31133/-52565/-52881; chain_to_kubelet post-escape pivot; escape_sim.py with full STUB annotations (K8s lab gate).
WS-K9: NodeRestriction CVE-2025-4563/-5187; AKS CVE-2026-33105 (CVSS 10) Azure CNI IPAM socket.
WS-R1: RMM persistence (ScreenConnect/AnyDesk/QuickAssist abuse patterns + persistence mechanics); ESXi kill chain + Nutanix AHV notes; ransomware-affiliate-tradecraft-2026 + healthcare-ransomware methodology docs.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
…l blinding, passkey bench, vishing tabletop, C2 profiles, Rust callstack-detect, AMSI NtContinue

WS-K10: LinkPro-class eBPF rootkit (Go loader + XDP/TC modules + magic-packet C2); corpus comparison (Boopkit, TripleCross, ebpfkit, LinkPro); linux-postex-2026 methodology; Rust stub requiring EXPLOIT_LAB_EBPF=1.
WS-MAC1: macOS TCC bypass — CVE-2025-43530 VoiceOver + 6-app entitlement catalog; SLAP/FLOP side-channel analysis; SysBumps KASLR; ESF detection rules; macos-postex-2026 methodology + apple-mie-impact analysis.
WS-MOB1: iOS/Android landscape (research-only) — DarkSword chain, Coruna kit, Pixel 9 0-click, Pwn2Own Ireland 2025, Lockdown Mode effectiveness, enterprise MDM bypass; mobile-threat-modeling methodology.
WS-FW1: Firmware landscape — Hydroph0bia Insyde H2O SMM (CVE-2025-4275/4721), LogoFAIL successors (CVE-2025-3052/-47827), SMM research, UEFI cert expiry Jun 2026, defender inventory.
WS-CL1: CloudTrail blinding — 9 primitives (PutEventSelectors invisible zones, policy-size blind spot, StopEventDataStoreIngestion, etc.); cloudtrail_blind_sim.py (loopback mock-aws).
WS-PK1: Passkey/WebAuthn phish-resistance bench — origin binding fundamentals, phish-resistance matrix (10 attacks × 7 MFA types), downgrade surface analysis, cross-device QR relay risk; phish-resistance-testing methodology.
WS-M3: Deepfake vishing tabletop (no voice synthesis) — vishing-2026-market analysis, tabletop playbooks (CFO impersonation + Scattered Spider helpdesk), deepfake-vishing-tabletop methodology.
WS-C3: C2 framework-mimic profiles (AdaptixC2/emp3r0r/APEX/Mythic/Havoc/BruteRatel/NightHawk); c2-framework-market-2026 analysis.
WS-B2: callstack-detect Rust crate — kernel-ETW call-stack collector + unwind validator; spoof vs. detect matrix; callstack-spoofing methodology updated with defender counter section.
WS-B3: AMSI-patchless NtContinue variant — variants.md (SetThreadContext vs NtContinue tradeoffs); new Sigma rule + KQL for NtContinue HWBP patterns.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
Reflects the full 2026 tradecraft gap closure: Batches 1-5 spanning kernel LPE, Copilot/LLM CVEs, Entra modern tradecraft, AiTM/ClickFix/social-eng, supply chain (npm/PyPI/GitHub Actions), BYOVD at scale, new C2 transports (HTTP/3/DoQ/Telegram/Teams), K8s escapes, RMM persistence, eBPF rootkit, macOS/mobile/firmware research, CloudTrail blinding, passkey bench. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
Three gaps identified during PRD review are filled, and internal planning-artifact language is purged from the tree so committed files read as stateless, public-facing documentation.

Added:
- ci/check_mock_services_loopback.py — CI gate verifying every mock service under tools/*/mock-services/ declares a loopback bind host
- docs/methodology/m365-copilot-attack-surface.md — methodology doc framing the production-LLM attack class (EchoLeak / ShareLeak / PipeLeak / Reprompt), intrinsic vs implementation properties, generic attack flow, detector posture
- tools/ad-cs/exploit/esc16/chain_esc16_full.md — end-to-end chain walkthrough covering ESC16+ESC10 UPN-rewrite path and the ESC16+Shadow-Credentials pivot, handoff to chain.py, remediation priority, paired detections

Scrubbed:
- Dead docs/v3-modernization-prd.md link from containment.py, tools/ci/check_no_committed_drivers.py, bof-loader detection README, and the Databricks report dashboard callouts
- "WS7" identifier from containment docstring, SECURITY.md BYOVD row, and report dashboard header
- "v3:/v4:/v5:" prefixes from SECURITY.md containment table and capability section, Cargo.toml member groupings and dependency comments, containment.py / containment-rust section banners, entra-abuse README, lateral-movement README status column
- WS-XX workstream IDs from README titles and tree comments (kernel-lpe, kernel-lpe/afd, kernel-lpe/clfs, kernel-lpe/io-ring, linux-postex, llm-attacks/eval), methodology headers (windows-kernel-lpe-2026), analysis update log (entra-2026-state-of-play), mock-entra and kind-cluster infra READMEs, KQL coverage/author header comments
- Sigma author-field normalization (36 files) — all ws-r1-research, ws-k8-research, ws-k9-research, ws-k10-research, ws-m2-social-engineering, ws-mac1-research, WS-L1..L4 / WS-M1 / WS-E "security research", v5-tradecraft-modernization, and the "(v6 — post-RC4-enforcement)" parenthetical on kerberos-roasting are replaced with "Security Research Lab"

All six CI gates in ci/ pass. tools/ci/check_no_committed_drivers.py passes. tools/ci/check_detection_pairing.py has a pre-existing failure unrelated to this change (tools/kernel-lpe and tools/supply-chain delegate detection to per-submodule subdirs rather than a top-level detection/).

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
Some tool directories (tools/kernel-lpe/, tools/supply-chain/, tools/macos-postex/) host a single conceptual topic through multiple subdirectories, one per CVE or campaign, each with its own paired detection/. The previous check assumed one tool dir = one module and failed these umbrellas with MISSING detection/ at the top level.

The check now:
- Descends into a tool directory that has no direct detection/ when the directory has content-bearing child subdirectories, treating each child as a module tree and recursing.
- Recognizes doc+detection modules (research-only topics that ship structural analysis and detection artifacts but no exploit code) as legitimate module shapes. The "content" predicate now accepts either source files or at least one populated detection/ subtree, so tools/macos-postex/tcc-bypass/ is picked up instead of silently skipped.
- Skips shared-infra child names (common, lib, lab, fixtures, mock-services) when descending, matching the convention already in use inside the umbrella trees.
- Reports umbrella status with the submodule breakdown indented under the umbrella line, so CI output stays readable.

All 40 module trees now pass. No test harness here since this script is itself the test — running it against the current repo is the check.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
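The umbrella-aware pairing logic the commit above describes, reconstructed as an added example. This is illustrative code, not the repo's tools/ci/check_detection_pairing.py: the source-extension list, the constructed sample tree, and the report wording are assumptions. It builds a throwaway tools/ layout containing a plain module, an umbrella with an exploit submodule, a doc+detection submodule and a shared mock-services dir, plus one module with no detection/ at all, and shows how the descent, the content predicate and the indented report behave on each shape.

```python
"""Added example reconstructing the umbrella-aware pairing check described in
the commit above. It is illustrative code, not the repo's
tools/ci/check_detection_pairing.py; the sample tree, extension list and
output wording are assumptions."""
import os
import tempfile

SOURCE_EXTS = {".py", ".rs", ".go", ".ps1", ".c", ".html"}
# shared-infra child names that are never treated as modules
SKIP_CHILDREN = {"common", "lib", "lab", "fixtures", "mock-services"}


def has_source_files(path):
    """Any exploit/sim source file anywhere below path, ignoring detection/."""
    for _root, dirs, files in os.walk(path):
        dirs[:] = [d for d in dirs if d != "detection"]
        if any(os.path.splitext(f)[1] in SOURCE_EXTS for f in files):
            return True
    return False


def populated_detection(path):
    """path/detection/ exists and holds at least one file (rule, KQL, runbook)."""
    det = os.path.join(path, "detection")
    if not os.path.isdir(det):
        return False
    return any(files for _root, _dirs, files in os.walk(det))


def is_content_bearing(path):
    # doc+detection modules have no source files but still count as content
    return has_source_files(path) or populated_detection(path)


def module_children(path):
    """Content-bearing child dirs, minus shared infra and the detection/ dir."""
    return sorted(
        d for d in os.listdir(path)
        if os.path.isdir(os.path.join(path, d))
        and d not in SKIP_CHILDREN and d != "detection"
        and is_content_bearing(os.path.join(path, d))
    )


def check_module(path, depth=0):
    """Return (ok, report_lines); umbrellas recurse with indented submodules."""
    name, indent = os.path.basename(path), "  " * depth
    if populated_detection(path):
        return True, [f"{indent}{name}: OK"]
    children = module_children(path)
    if not children:
        return False, [f"{indent}{name}: MISSING detection/"]
    ok, lines = True, [f"{indent}{name}: umbrella ({len(children)} submodules)"]
    for child in children:
        child_ok, child_lines = check_module(os.path.join(path, child), depth + 1)
        ok, lines = ok and child_ok, lines + child_lines
    return ok, lines


def check_tools_dir(tools_root):
    """Walk tools/<dir> entries; returns (all_ok, report_lines)."""
    all_ok, report = True, []
    for child in module_children(tools_root):
        ok, lines = check_module(os.path.join(tools_root, child))
        all_ok, report = all_ok and ok, report + lines
    return all_ok, report


def build_sample_tree(root):
    """Constructed layout (hypothetical paths): a plain module, an umbrella with
    an exploit submodule, a doc+detection submodule and shared mock-services,
    and a module that forgot its detection/ pairing."""
    layout = {
        "plain-tool/exploit.py": "print('sim')\n",
        "plain-tool/detection/rule.yml": "title: x\n",
        "umbrella/cve-a/exploit.py": "print('sim')\n",
        "umbrella/cve-a/detection/rule.yml": "title: a\n",
        "umbrella/doc-only/analysis.md": "# research-only\n",
        "umbrella/doc-only/detection/hunt.kql": "Event | where x\n",
        "umbrella/mock-services/server.py": "BIND_HOST = '127.0.0.1'\n",
        "broken-tool/exploit.py": "print('sim')\n",
    }
    for rel, body in layout.items():
        full = os.path.join(root, rel)
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "w") as fh:
            fh.write(body)


def run_sample():
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        return check_tools_dir(tmp)


if __name__ == "__main__":
    ok, report = run_sample()
    print("\n".join(report))
    print("PASS" if ok else "FAIL: a module ships without paired detection/")
```

Against the constructed tree the run reports broken-tool as MISSING, plain-tool as OK, and umbrella as a two-submodule umbrella with cve-a and doc-only indented beneath it; mock-services is skipped rather than flagged. The doc-only submodule passes only because the content predicate accepts a populated detection/ subtree without source files, which is the case the commit calls out for tools/macos-postex/tcc-bypass/.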
Markdown formatting and polish pass across the narrative documentation added by the tradecraft gap-closure PRD, plus a new cross-cutting doc that maps offensive techniques to the log sources a defender should check for each zone of a typical enterprise network topology.

Formatting fixes:
- Closed the unclosed bold on "Enable Secure Boot + HVCI" in hydroph0bia-secure-boot.md and reshaped adjacent list items for consistent formatting.
- Collapsed multi-line bold spans to single-line or rephrased them across eight files (m365-copilot-attack-surface, pipeleak, shareleak, passkey WebAuthn fundamentals, passkey-as-mitigation, and two vishing tabletop scripts). Multi-line bolds balance across lines but render unreliably across Markdown viewers; the rewritten form is portable.

References sections added to eleven narrative docs that previously had none (six methodology, three analysis, two subdir READMEs):
- docs/methodology/aitm-phishing-2026.md
- docs/methodology/deepfake-vishing-tabletop.md
- docs/methodology/device-code-phishing-2026.md
- docs/methodology/linux-postex-2026.md
- docs/methodology/macos-postex-2026.md
- docs/methodology/phish-resistance-testing.md
- docs/analysis/aitm-kit-market-2026.md
- docs/analysis/c2-framework-market-2026.md
- docs/analysis/vishing-2026-market.md
- docs/analysis/firmware-landscape-2026/README.md
- docs/analysis/mobile-landscape-2026/README.md

Each References section cites named research organizations, standards bodies, and verifiable disclosures rather than invented URL targets, and cross-references sibling in-repo docs so defenders can navigate the catalog by topic.

New cross-cutting doc: docs/methodology/network-topology-detection-mapping.md

The topology doc gives defenders a zone-by-zone map (email gateway, IdP, endpoint, productivity suite, cloud control plane, CI/CD, RMM, C2 egress) with the log sources that own detection for each technique class and the relative paths to the paired detection artifacts in this repo. Includes three cross-zone chain walkthroughs (AiTM + Copilot exfil, GitHub OIDC -> AWS admin, ESC16 + Shadow Credentials -> DA) that show how a single incident correlates across zones, and guidance on how scheduled log-scanning agents should consume the mapping.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
Flow, attack-chain, sequence, and decision-tree diagrams render more reliably on GitHub and other renderers when expressed in mermaid than in hand-drawn ASCII. Seventeen diagrams across seventeen files are converted; eight remaining ASCII blocks (directory trees and filesystem layouts in README.md and the kernel-lpe / linux-postex / esxi / screenconnect READMEs) are kept as ASCII because mermaid has no better representation for hierarchical filesystem listings.

Converted:
- docs/methodology/network-topology-detection-mapping.md — reference enterprise topology (flowchart TD with subgraphs for perimeter, identity consumers, and management plane).
- docs/methodology/m365-copilot-attack-surface.md — generic attack flow for M365 Copilot indirect prompt injection.
- docs/methodology/ransomware-affiliate-tradecraft-2026.md — modern affiliate kill chain (initial access through ransomware deployment).
- docs/methodology/macos-postex-2026.md — TCC bypass decision tree.
- docs/methodology/ci-cd-attack-modeling.md — three chain diagrams (pull_request_target → OIDC → AWS, runner .credentials exfil, tag-moved-to-malicious-commit).
- docs/methodology/llm-attack-modeling.md — indirect injection sequence (attacker, content, user, LLM).
- docs/methodology/kerberos-lateral-movement.md — credential-tier hierarchy from AS-REP roasting up to Golden Ticket.
- tools/ad-cs/exploit/esc16/chain_esc16_full.md — Chain A (UPN rewrite) and Chain B (Shadow Credentials) for ESC16.
- tools/kubernetes-postex/runc-escape/chain_to_kubelet.md — container escape to full cluster-admin chain.
- tools/persistence/rmm-abuse/quickassist/persistence_mechanics.md — QuickAssist session-flow sequence.
- tools/phishing/aitm-kits/sneaky2fa-bitb/selective_cloaking.md — cloaking decision tree with pass/fail classification.
- tools/phishing/passkey-resistance/cross-device-flow-risks.md — FIDO2 hybrid transport topology.
- tools/phishing/vishing/tabletop-exercise-scripts/it_help_desk_scattered_spider.md — helpdesk vishing branch-point decision tree with pass/fail classification.
- tools/supply-chain/github-actions/README.md — pwn_request → OIDC → AWS chain.
- tools/supply-chain/github-actions/self-hosted-runner/persistence_model.md — attacker decision tree for persistence on a compromised runner.
- tools/supply-chain/shai-hulud-class/README.md — npm worm propagation cycle.
- tools/supply-chain/shai-hulud-class/propagation_model.md — multi-maintainer propagation graph with infection highlighting.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
… windows dep

Three issues that together blocked cargo build --workspace on Linux CI.

1. tools/rust/cookie-theft/Cargo.toml and tools/rust/syscalls/Cargo.toml each carried a stale top-level [workspace] declaration. These were opt-outs from the parent workspace used when the crates pre-dated being listed in tools/rust/Cargo.toml's [workspace].members. Both crates have since been added to the parent workspace, so the child declarations turned into duplicate roots and cargo rejected the workspace with "multiple workspace roots found in the same workspace". Dropping the empty [workspace] stanza resolves it — the parent workspace owns these crates now.

2. tools/rust/callstack-detect/Cargo.toml depended on the high-level windows = "0.61" umbrella crate unconditionally. On Linux builds that pulled windows-future 0.2.1 as a transitive, which expects windows-core APIs that the pinned windows-core 0.61.2 does not expose, producing a cargo.io version-mismatch compile error on every Linux workspace build. Every other Windows-dependent crate in this workspace already pins windows-sys behind a [target.'cfg(target_os = "windows")'.dependencies] block, and every use of windows::* in callstack-detect/src is already #[cfg(target_os = "windows")]-gated. Moving the dependency under the same target gate keeps the Windows build identical while letting the workspace resolve and build cleanly on Linux.

Verified: cargo build --workspace --release completes in ~26s on Linux with only pre-existing dead-code / lifetime-elision warnings.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
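The two Cargo.toml shapes the commit above contrasts, written out as an added before/after fragment. This is illustrative, not the repo's file: only the crate name, the version string and the target cfg key come from the commit message; the package stanza is assumed.

```toml
# tools/rust/callstack-detect/Cargo.toml (illustrative fragment)

[package]
name = "callstack-detect"   # assumed from the directory name
edition = "2021"            # assumed

# Before: pulled on every host, so a Linux workspace build resolves
# windows 0.61 -> windows-future 0.2.1 against the pinned windows-core 0.61.2
# and fails, even though nothing in src/ compiles the crate on Linux.
[dependencies]
# windows = "0.61"   # moved under the target gate below

# After: the dependency only exists when compiling for Windows, matching the
# convention the other Windows-dependent crates already use for windows-sys.
# The crate's windows::* uses are #[cfg(target_os = "windows")]-gated, so the
# Windows build is unchanged and cargo metadata/build on Linux never resolves it.
[target.'cfg(target_os = "windows")'.dependencies]
windows = "0.61"

# The separate fix for cookie-theft and syscalls is a deletion, not an edit:
# a child crate that is listed in the parent's [workspace].members must not
# carry its own empty `[workspace]` table, or cargo sees two roots.
```

The check that this is sufficient is the one the commit names: `cargo build --workspace` from `tools/rust/` on a Linux host must resolve without touching the `windows` crate, while `cargo build` on Windows still compiles the gated code paths.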
Summary
- … `detection/` (Sigma rules, KQL queries, hunt runbooks), containment-gated via `ContainmentGuard` and new `EXPLOIT_LAB_KERNEL`/`EXPLOIT_LAB_K8S`/`EXPLOIT_LAB_EBPF`/`EXPLOIT_LAB_MOBILE` env-var gates. All simulations run against loopback mock services — no real tenants, registries, or identity providers are contacted.
- … `ci/` (kernel-lpe harness import check, AiTM loopback-only, suspicious-`.pth` scan, LOLDrivers hash-only, no RMM license/binary, mock-services loopback) and keeps the existing `tools/ci/` checks (no committed drivers, detection pairing) honest.

Scope by category

- … `tools/kernel-lpe/` with a hostname/BitLocker-gated safety harness.
- … `.pth`-file PyPI stealer, UNC6426 GitHub Actions `pwn_request` + OIDC → AWS chain, self-hosted-runner backdoor, tj-actions-class compromised-action reference.
- … `tools/rust/callstack-detect/`), AMSI-patchless NtContinue variant.

Containment model

Every offensive module imports `ContainmentGuard` (Python) or the `containment` crate (Rust) and gates on at least `EXPLOIT_LAB_ACTIVE=1`. Higher-risk tooling requires an additional domain-specific gate (kernel LPE, K8s escape, eBPF, mobile). Mock services bind to loopback and are statically enforced by `ci/check_mock_services_loopback.py`. BYOVD stays hash-only — no `.sys` binaries are ever committed and `tools/ci/check_no_committed_drivers.py` fails the build if one appears.

Test plan

- `python3 ci/check_mock_services_loopback.py` → OK (8 servers inspected)
- `python3 ci/check_aitm_loopback_only.py` → OK
- `python3 ci/check_kernel_lpe_harness.py` → OK
- `python3 ci/check_loldrivers_hash_only.py` → OK
- `python3 ci/check_no_real_rmm_license.py` → OK
- `python3 ci/check_no_suspicious_pth.py` → OK
- `python3 tools/ci/check_no_committed_drivers.py` → OK (no `.sys` files)
- `python3 tools/ci/check_detection_pairing.py` → pre-existing failure on `tools/kernel-lpe` and `tools/supply-chain` top-level dirs (per-submodule `detection/` dirs exist); out of scope for this PR
- … `echoleak_sim.py`, `shareleak_sim.py`, `pipeleak_sim.py`, `shai_hulud_sim.py`, `pth_sim.py`, `eviltokens_class_sim.py`, `sync_simulator.py`
- `tools/*/mock-services/*` binds 127.0.0.1 and rejects non-loopback `--host` overrides
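The containment model the PR description lays out, as an added example that is not the repo's containment.py or ci/check_mock_services_loopback.py. It shows the two halves in the shape described: an env-var gate that requires EXPLOIT_LAB_ACTIVE=1 and optionally a domain gate such as EXPLOIT_LAB_KERNEL=1, and loopback-only binding for mock services enforced both at runtime (a non-loopback --host override is refused) and statically (a CI-style scan over a service's source for bind-host literals). Class and function names (LabGuard, gate_status, scan_mock_service_source), the literal-matching regex and the sample service sources are assumptions.

```python
"""Added example of the containment model described above: an env-var gate
in the shape of ContainmentGuard plus loopback-only bind enforcement for mock
services, both at runtime (--host override) and as a static CI-style scan.
Illustrative code, not the repo's containment.py or
ci/check_mock_services_loopback.py; class and function names are assumed."""
import ipaddress
import os
import re


class ContainmentError(RuntimeError):
    """Raised when a lab gate is closed or a mock service would leave loopback."""


class LabGuard:
    """Gate an offensive module on EXPLOIT_LAB_ACTIVE=1, plus an optional
    domain-specific gate such as EXPLOIT_LAB_KERNEL=1 for kernel LPE labs."""

    BASE_GATE = "EXPLOIT_LAB_ACTIVE"

    def __init__(self, domain_gate=None, env=None):
        self.domain_gate = domain_gate
        # env is injectable so the gate can be exercised without touching os.environ
        self.env = os.environ if env is None else env

    def _enabled(self, var):
        # only the literal "1" opens a gate; "true", "yes" or whitespace do not
        return self.env.get(var, "").strip() == "1"

    def check(self):
        if not self._enabled(self.BASE_GATE):
            raise ContainmentError(f"{self.BASE_GATE}=1 required")
        if self.domain_gate and not self._enabled(self.domain_gate):
            raise ContainmentError(f"{self.domain_gate}=1 required for this lab")
        return True


def gate_status(env, domain_gate=None):
    """'open' if both gates pass, otherwise the reason the gate stays closed."""
    try:
        LabGuard(domain_gate, env=env).check()
        return "open"
    except ContainmentError as exc:
        return str(exc)


def is_loopback_host(host):
    """True only for literal loopback IPs (127.0.0.0/8, ::1) or 'localhost'.
    Hostnames are rejected rather than resolved: DNS could point anywhere."""
    if host == "localhost":
        return True
    try:
        return ipaddress.ip_address(host).is_loopback
    except ValueError:
        return False


def resolve_bind_host(cli_host, default="127.0.0.1"):
    """Runtime enforcement for a mock service's --host flag: a non-loopback
    override is refused instead of silently exposing the service."""
    host = default if cli_host is None else cli_host
    if not is_loopback_host(host):
        raise ContainmentError(f"mock service must bind loopback, got {host!r}")
    return host


# Static check: find bind-host literals such as BIND_HOST = "127.0.0.1" or
# app.run(host="0.0.0.0") in a mock service's source text.
BIND_RE = re.compile(r"""(?:BIND_HOST|host)\s*=\s*['"]([^'"]+)['"]""")


def scan_mock_service_source(source):
    """CI-style gate: ok only if the source declares at least one bind host
    and every declared host is loopback. Returns (ok, offending_literals)."""
    literals = BIND_RE.findall(source)
    bad = [h for h in literals if not is_loopback_host(h)]
    return (bool(literals) and not bad), bad


# Constructed sample sources (not files from the repo)
GOOD_SERVICE = 'BIND_HOST = "127.0.0.1"\nserver = HTTPServer((BIND_HOST, 8100), Handler)\n'
BAD_SERVICE = "app.run(host='0.0.0.0', port=8101)\n"
UNDECLARED_SERVICE = "print('no bind host here')\n"

if __name__ == "__main__":
    print(gate_status({}, "EXPLOIT_LAB_KERNEL"))
    print(gate_status({"EXPLOIT_LAB_ACTIVE": "1", "EXPLOIT_LAB_KERNEL": "1"}, "EXPLOIT_LAB_KERNEL"))
    print(resolve_bind_host(None))
    for src in (GOOD_SERVICE, BAD_SERVICE, UNDECLARED_SERVICE):
        print(scan_mock_service_source(src))
```

Two design points are worth keeping when adapting this. The gate accepts only the literal string "1", so a stray `EXPLOIT_LAB_ACTIVE=true` in a shell profile does not open it. The loopback predicate never resolves names: a service that defaults its bind host to something like `mock.internal` would pass a naive "is it localhost" string compare yet could bind a routable interface, so anything that is not a literal loopback IP or the bare name `localhost` is refused, and the static scan treats a service that declares no bind host at all as a failure rather than assuming it defaults safely.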