v0.7.0 — case-11 supply-chain/ESC8 + evidence schema fidelity
Highlights
Two major additions targeted at the SANS FIND EVIL! 2026 submission.
case-11 supply-chain entry → AD certificate-services abuse
examples/case-studies/case-11-supplychain-ad-zeroday/ ships 12 ground-truth findings reproduced deterministically by seven MCP functions on bundled evidence. The chain:
- Trojanized signed vendor binary (SolarWinds SUNBURST class entry, T1195.002)
- Low-and-slow C2 beaconing with calibrated sub-SIEM-threshold cadence
- PetitPotam (CVE-2021-36942) coercion of `DC01$` (T1187)
- `ntlmrelayx --adcsrelay` to CA01 Web Enrollment endpoint (T1557.001)
- Certificate issued for `DC01$` under DomainController template (ESC8, T1649)
- `Rubeus asktgt /certificate` + `s4u /impersonateuser:domadmin` (T1550.003)
- 4624 type-9 NewCredentials on DC (S4U2self DA impersonation)
- PsExec / wmiexec overpass-the-hash lateral to DC, file server, endpoint (T1021.002, T1021.006, T1550.002)
- `ntdsutil ifm create full` (T1003.003) + `mimikatz dcsync /user:krbtgt` (T1003.006)
- AdminSDHolder ACL modification (T1098.005 — self-healing privileged persistence via SDProp)
- Golden Ticket forged with KRBTGT hash (T1558.001) used next morning
- Three sequential `wevtutil cl` + EventID 1102 self-emission (T1070.001)
Chain composed entirely from public references (CISA AA20-352A, SpecterOps "Certified Pre-Owned", MS-EFSRPC CVE, MITRE T1098.005/T1003.006/T1558.001). All hosts/IPs/domain (ent.example.local)/SIDs are RFC1918/RFC5737/RFC2606 synthetic with zero cross-reference to any real environment.
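Two of the chain's host-side signals (4624 type-9 NewCredentials on a DC, and the burst of 1102 audit-log clears) can be detected directly from EvtxECmd-style rows. The block below is an added example, not one of the case's MCP functions; the PayloadData column layout for 4624, the DC host list, and the sample rows are all constructed assumptions.

```python
"""Detection logic for two chain stages, run over constructed EvtxECmd-style
Security records. Added example, not the project's MCP functions; the
PayloadData layout and the DC inventory are assumptions."""
from datetime import datetime, timedelta

TS_FMT = "%Y-%m-%d %H:%M:%S.%f"   # EvtxECmd writes millisecond-precision timestamps

# Assumption: the analyst supplies the domain-controller inventory.
DC_HOSTS = {"DC01.ent.example.local"}

# Constructed sample rows (a subset of EvtxECmd's columns); not from the bundled evidence.
EVENTS = [
    {"TimeCreated": "2026-03-14 02:11:05.123", "EventId": 4624, "Channel": "Security",
     "Computer": "DC01.ent.example.local", "PayloadData1": "Target: ENT\\domadmin",
     "PayloadData2": "LogonType 9"},
    {"TimeCreated": "2026-03-14 02:11:40.901", "EventId": 4624, "Channel": "Security",
     "Computer": "FS01.ent.example.local", "PayloadData1": "Target: ENT\\svc_backup",
     "PayloadData2": "LogonType 3"},
    # Type 9 on a workstation is usually runas /netonly; the DC rule ignores it.
    {"TimeCreated": "2026-03-14 02:12:00.000", "EventId": 4624, "Channel": "Security",
     "Computer": "WS07.ent.example.local", "PayloadData1": "Target: ENT\\jdoe",
     "PayloadData2": "LogonType 9"},
    {"TimeCreated": "2026-03-14 03:40:10.000", "EventId": 1102, "Channel": "Security",
     "Computer": "DC01.ent.example.local", "PayloadData1": "Subject: ENT\\domadmin",
     "PayloadData2": ""},
    {"TimeCreated": "2026-03-14 03:40:12.500", "EventId": 1102, "Channel": "Security",
     "Computer": "FS01.ent.example.local", "PayloadData1": "Subject: ENT\\domadmin",
     "PayloadData2": ""},
    {"TimeCreated": "2026-03-14 03:40:15.250", "EventId": 1102, "Channel": "Security",
     "Computer": "WS07.ent.example.local", "PayloadData1": "Subject: ENT\\domadmin",
     "PayloadData2": ""},
]


def parse_ts(value):
    return datetime.strptime(value, TS_FMT)


def logon_type(event):
    """Return the numeric logon type from the 'LogonType N' column, or None."""
    field = event.get("PayloadData2", "")
    if field.startswith("LogonType "):
        return int(field.split()[1])
    return None


def detect_newcredentials_on_dc(events, dc_hosts=DC_HOSTS):
    """4624 LogonType 9 (NewCredentials) on a domain controller: the S4U2self
    impersonation indicator the chain description calls out (T1550.003)."""
    findings = []
    for e in events:
        if (e["EventId"] == 4624 and e["Channel"] == "Security"
                and e["Computer"] in dc_hosts and logon_type(e) == 9):
            findings.append({"technique": "T1550.003", "host": e["Computer"],
                             "target": e["PayloadData1"], "time": e["TimeCreated"]})
    return findings


def detect_log_clear_burst(events, window=timedelta(minutes=10), min_count=3):
    """Three or more 1102 (audit log cleared) events inside one window (T1070.001).
    A lone 1102 is routine admin noise; the burst across hosts is the signal."""
    clears = sorted((e for e in events if e["EventId"] == 1102),
                    key=lambda e: parse_ts(e["TimeCreated"]))
    for start in range(len(clears)):
        end = start
        while (end + 1 < len(clears) and
               parse_ts(clears[end + 1]["TimeCreated"])
               - parse_ts(clears[start]["TimeCreated"]) <= window):
            end += 1
        burst = clears[start:end + 1]
        if len(burst) >= min_count:
            return [{"technique": "T1070.001", "count": len(burst),
                     "hosts": sorted({c["Computer"] for c in burst}),
                     "first": burst[0]["TimeCreated"], "last": burst[-1]["TimeCreated"]}]
    return []


def run_detections(events):
    return detect_newcredentials_on_dc(events) + detect_log_clear_burst(events)


if __name__ == "__main__":
    for finding in run_detections(EVENTS):
        print(finding)
```

The DC rule deliberately scopes type-9 logons to the DC inventory because NewCredentials logons on workstations are common and would swamp the signal; the 1102 rule keys on the burst, not the single event, which is what distinguishes the chain's sequential clears from a scheduled log rotation.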
Every sample evidence file enriched to native forensic-tool dump fidelity
Prior versions of sample-evidence-realistic/ files were too sparse to look like genuine forensic-tool captures. This release replaces every file with the on-disk schema produced by the corresponding real tool — without breaking any detection.
| Surface | Now matches output of |
|---|---|
| Windows event logs | EvtxECmd (full EVTX field set, ms timestamps, consistent SIDs) |
| Network flows | Zeek conn.log (uid, ja3, ja3s, tls_version, http_method, user_agent) |
| $MFT | MFTECmd 25-column (both 0x10 SI and 0x30 FN timestamps, USN, LSN, SecurityId) |
| Shellbags | SBECmd (BagPath, NodeSlot, AbsolutePath, LastInteracted, HasExplored) |
| Run keys / services / shimcache | RECmd / AppCompatCacheParser |
| Prefetch | PECmd JSON (Volumes, FilesLoaded, run times) |
| Chrome History | Hindsight (transition, danger_type, opened, referrer, etag) |
| Linux journal | systemd-journald (__REALTIME_TIMESTAMP, _BOOT_ID, _MACHINE_ID, _AUDIT_LOGINUID) |
| Linux auditd | SYSCALL+EXECVE+CWD+PATH+PROCTITLE+USER_LOGIN+CRED_ACQ+USER_CMD+USER_AUTH |
| macOS unified log | log show (thread, type, subsystem, category, sender) |
| macOS FSEvents | FSEventsParser (id, mask, flags, inode, node_id, sha256_at_event) |
| Memory image info | winpmem metadata (kernel_base, KDBG offset, physical layout, yara hits) |
Fixed
`setupapi.dev.log` was missing from the realistic variant — agent F-013 IP-KVM detection silently failed and dropped recall to 0.5 on `--variant realistic`. Restored with full setupapi log fidelity around the IP-KVM (VID 0557 PID 2419 ATEN) signal.
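The F-013 signal is a device-install section in `setupapi.dev.log` whose instance path carries the ATEN VID/PID. The parser below is an added example, not the project's detector; the log excerpt is constructed to mimic the native section layout, and the watchlist dictionary and its label are assumptions.

```python
"""Parse setupapi.dev.log device-install sections and flag watchlisted VID/PID pairs.
Added example, not the project's F-013 detector; excerpt and watchlist are constructed."""
import re
from datetime import datetime

# Constructed setupapi.dev.log excerpt: one benign receiver, one IP-KVM device.
SETUPAPI_LOG = r"""
>>>  [Device Install (Hardware initiated) - USB\VID_046D&PID_C52B\6&1a2b3c4d&0&2]
>>>  Section start 2026/03/12 09:14:22.501
     dvi: {Build Driver List} 09:14:22.520
<<<  Section end 2026/03/12 09:14:24.007
<<<  [Exit status: SUCCESS]

>>>  [Device Install (Hardware initiated) - USB\VID_0557&PID_2419\6&2f3e4d5c&0&1]
>>>  Section start 2026/03/13 22:41:03.117
     dvi: {Build Driver List} 22:41:03.130
     dvi: {DIF_INSTALLDEVICE} 22:41:04.910
<<<  Section end 2026/03/13 22:41:05.331
<<<  [Exit status: SUCCESS]
"""

# Watchlist keyed by (VID, PID); the label text is an analyst assumption.
WATCHLIST = {("0557", "2419"): "ATEN IP-KVM (F-013 signal)"}

SECTION_RE = re.compile(r"^>>>\s+\[Device Install \((?P<origin>[^)]*)\) - (?P<instance>.+)\]\s*$")
START_RE = re.compile(r"^>>>\s+Section start (?P<ts>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}\.\d{3})")
EXIT_RE = re.compile(r"^<<<\s+\[Exit status: (?P<status>[A-Z_]+)\]")
VIDPID_RE = re.compile(r"VID_([0-9A-Fa-f]{4})&PID_([0-9A-Fa-f]{4})")


def parse_sections(text):
    """Return one dict per device-install section: origin, instance path,
    VID/PID, section start time and exit status."""
    sections, current = [], None
    for line in text.splitlines():
        m = SECTION_RE.match(line)
        if m:
            current = {"origin": m["origin"], "instance": m["instance"],
                       "vid": None, "pid": None, "start": None, "status": None}
            ids = VIDPID_RE.search(m["instance"])
            if ids:
                current["vid"], current["pid"] = ids.group(1).upper(), ids.group(2).upper()
            sections.append(current)
            continue
        if current is None:
            continue
        m = START_RE.match(line)
        if m:
            current["start"] = datetime.strptime(m["ts"], "%Y/%m/%d %H:%M:%S.%f")
            continue
        m = EXIT_RE.match(line)
        if m:
            current["status"] = m["status"]
            current = None  # section closed; later lines belong to no section
    return sections


def find_watchlisted_devices(text, watchlist=WATCHLIST):
    """Match each section's VID/PID against the watchlist and report first-install time."""
    hits = []
    for s in parse_sections(text):
        label = watchlist.get((s["vid"], s["pid"]))
        if label:
            hits.append({"label": label, "instance": s["instance"],
                         "first_install": s["start"], "status": s["status"]})
    return hits


if __name__ == "__main__":
    for hit in find_watchlisted_devices(SETUPAPI_LOG):
        print(hit["label"], hit["instance"], hit["first_install"].isoformat())
```

One caveat worth keeping in the finding text: setupapi.dev.log records driver installation, so a device instance appears once at first connection and later plug-ins of the same instance add no section. The timestamp the parser returns is first-seen, not last-used; last-use comes from other surfaces in the table above (registry and event logs).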
Post-release counts
| Surface | Value |
|---|---|
| Native MCP functions | 67 |
| Total ground-truth findings | 99 |
| ↳ Layer 1 (8 cases: 01–07 + 11) | 69 |
| ↳ Layer 2 (3 cases: 08 CFReDS, 09 Hadi, 10 M57) | 30 |
| Bundled case studies | 11 |
| Evidence files in realistic variant | 49 |
| MITRE ATT&CK tactic coverage | 11 of 12 |
| Unit tests | 68 green |
Verification
recall: 1.000 (F-001 + F-013)
false_positive_rate: 0.000
hallucination_count: 0
evidence_integrity_preserved: true
self_correction_observed: true
audit_chain_length: 3 entries, SHA-256-linked
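The `audit_chain_length` and `evidence_integrity_preserved` fields imply two checks: that the run's audit entries form an unbroken SHA-256 chain, and that the evidence files hash identically before and after the run. The block below is an added example of how such checks can be implemented, not the project's own audit code; the entry layout (`prev_hash`, `payload`, `entry_hash`), the genesis value, and the three sample entries are assumptions.

```python
"""Verify a SHA-256-linked audit chain and an evidence hash manifest.
Added example; the entry layout and sample payloads are assumptions, not the project's format."""
import copy
import hashlib
import json

GENESIS = "0" * 64  # assumed sentinel for the first entry's prev_hash


def canonical(obj):
    """Deterministic JSON bytes so re-serialisation never changes the hash."""
    return json.dumps(obj, sort_keys=True, separators=(",", ":")).encode()


def sha256_hex(data):
    return hashlib.sha256(data).hexdigest()


def append_entry(chain, payload):
    """Link a new entry to the previous entry's hash (or GENESIS for the first)."""
    prev = chain[-1]["entry_hash"] if chain else GENESIS
    entry_hash = sha256_hex(prev.encode() + canonical(payload))
    chain.append({"prev_hash": prev, "payload": payload, "entry_hash": entry_hash})
    return chain


def verify_chain(chain):
    """Return (True, None) if every link holds, else (False, index of first bad entry).
    Catches both in-place edits (hash mismatch) and removed entries (prev_hash mismatch)."""
    prev = GENESIS
    for i, entry in enumerate(chain):
        if entry["prev_hash"] != prev:
            return False, i
        if entry["entry_hash"] != sha256_hex(prev.encode() + canonical(entry["payload"])):
            return False, i
        prev = entry["entry_hash"]
    return True, None


def evidence_manifest(files):
    """files: {name: bytes}. Returns {name: sha256} for before/after comparison."""
    return {name: sha256_hex(data) for name, data in files.items()}


def evidence_integrity_preserved(before, after):
    return before == after


def build_sample_chain():
    # Constructed entries modelling three audited steps of one run (assumption).
    chain = []
    append_entry(chain, {"step": 1, "function": "load_evidence", "variant": "realistic"})
    append_entry(chain, {"step": 2, "function": "query_setupapi", "finding": "F-013"})
    append_entry(chain, {"step": 3, "function": "emit_report", "findings": ["F-001", "F-013"]})
    return chain


def tampered_chain():
    """Retroactive edit of entry 1 without re-hashing: the hash check must fail there."""
    chain = copy.deepcopy(build_sample_chain())
    chain[1]["payload"]["finding"] = "F-099"
    return chain


def spliced_chain():
    """Entry 1 removed: the former entry 2 now points at a prev_hash that does not match."""
    chain = copy.deepcopy(build_sample_chain())
    del chain[1]
    return chain


if __name__ == "__main__":
    print("intact:", verify_chain(build_sample_chain()))
    print("tampered:", verify_chain(tampered_chain()))
    print("spliced:", verify_chain(spliced_chain()))
```

Canonical serialisation is the part most often got wrong in home-grown chains: if the hash is computed over whatever `json.dumps` emitted at write time and re-verified over a differently ordered or differently spaced re-serialisation, the verifier reports tampering on untouched data.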
Full Changelog
See CHANGELOG.md for the complete diff.
Compare: v0.6.1...v0.7.0