feat: add advanced automation for ADCS, GPO, shadow creds, RBCD, LAPS, MSSQL, and expand test coverage#227
Merged
…system

**Added:**
- Introduced a comprehensive attack strategy configuration system for controlling technique prioritization, allow/exclude lists, and completion modes
- Added new `strategy.md` documentation describing strategy presets, technique weights, filtering, and configuration usage
- Implemented a `Strategy` struct and logic for resolving strategy from env, YAML, and JSON (with `StrategyPreset` and dynamic weight merging)
- Enabled per-operation and per-technique allowlists and blocklists for attack techniques (`include_techniques`, `exclude_techniques`)
- Added LLM temperature override support in strategy
- Created `credential_reuse` automation module for cross-domain hash reuse
- Strategy-driven priority table is now rendered dynamically in the LLM system prompt if configured

**Changed:**
- Orchestrator config now merges strategy settings from both YAML and JSON sources, and exposes strategy to all automation and LLM runner modules
- All major automation modules and vulnerability publishers now check `strategy.is_technique_allowed()` and use strategy-driven technique priorities
- Exploitation workflow and automation spawner now honor strategy technique allow/exclude lists and comprehensive mode throughput
- Updated documentation and YAML config comments to describe new strategy fields
- LLM task runner now passes sorted technique priorities to system prompt templates for consistent agent reasoning
- System prompt template now displays a dynamic attack technique priority table when strategy weights are active

**Removed:**
- Deprecated static/hardcoded attack technique tables in favor of dynamic strategy-based configuration
- Redundant per-module technique filtering and priority logic in favor of central strategy resolution
…ig updates

**Added:**
- Introduced strategy gates to skip secretsdump and dc_secretsdump operations if excluded by technique strategy in dispatcher logic, affecting credential expansion, local admin secretsdump, and admin credential upgrades

**Changed:**
- Updated credential expansion flow to check strategy before dispatching secretsdump tasks, both for direct and hash-based expansion
- Modified admin credential detection to respect strategy exclusion for secretsdump before attempting escalation
- Refined local admin secretsdump logic to skip both secretsdump and dc_secretsdump when excluded by strategy
- Updated default configuration to use the "stealth" strategy, exclude secretsdump and dc_secretsdump, continue after DA, and prioritize alternate escalation techniques via technique_weights

**Removed:**
- Removed commented-out alternative values in configuration for clarity and to reflect new default strategy and exclusions
Codecov Report
❌ Patch coverage is

Coverage Diff (main vs #227):

| | main | #227 | +/- |
|---|---|---|---|
| Coverage | 51.06% | 56.68% | +5.62% |
| Files | 374 | 382 | +8 |
| Lines | 56705 | 65001 | +8296 |
| Hits | 28959 | 36849 | +7890 |
| Misses | 27746 | 28152 | +406 |
…ations

**Added:**
- Implemented `auto_shadow_credentials` automation to exploit GenericAll/WriteDacl ACL edges via shadow credentials, enabling credential extraction without LSASS access (new `shadow_credentials.rs`)
- Added `auto_rbcd_exploitation` automation for GenericAll/GenericWrite on computer objects, chaining addcomputer, rbcd_write, S4U, and secretsdump (new `rbcd.rs`)
- Introduced `auto_mssql_exploitation` automation to follow up on exploited MSSQL access with xp_cmdshell, impersonation, and credential extraction (new `mssql_exploitation.rs`)
- Spawned new automations in the orchestrator's automation spawner

**Changed:**
- Enhanced strategy weights to include `shadow_credentials` and `mssql_deep_exploitation` for all built-in presets
- Updated unconstrained delegation automation to support user account exploitation via LLM agent, not just machine accounts, and improved deduplication logic
- Improved domain/controller/host resolution logic in ADCS and coercion automations, using the attacker's real listener IP for NTLM relays and coercion targets
- Unified skip logic in ACL, S4U, unconstrained, and related automations to only halt after DA if the configured strategy does not require continued path search
- Improved credential fallback: now checks for both password and NTLM hash for all automations requiring authentication
- Updated certipy parser to handle additional ESC types, inline patterns, CA name, and template extraction for more robust ADCS vuln parsing
- Ensured password spray fallback in stall detection is only triggered if allowed by current strategy
- Added `listener_ip` field to orchestrator config, populated from env or auto-detected based on first target IP, and used throughout automations as needed
- Included listener IP and strategy preset in startup logging for better context
- Modified callback handler to route `list_credentials` to the actual credential store, so lateral/exploit agents receive real data
- Improved built-in LLM callback: clarified messaging when no credentials are available in the agent context

**Removed:**
- Deprecated legacy logic for selecting listeners and credentials in coercion and unconstrained delegation automations in favor of new centralized config
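The certipy-parser change in this commit (CA name, template and ESC-type extraction, including inline mentions) and the parser tests listed further down describe a parser without showing one. The following is an added example of my own, not code from this PR or the ares project: it walks the text form of `certipy find` output, records the CA name, each template name and its issuing CA, collects every ESC token found in a `[!] Vulnerabilities` block (keyed or inline), ranks findings by an assumed priority table and builds a dedup key. The sample output is constructed to match the layout of certipy's text report; the priority numbers, the `adcs_exploit:` key format and all type and function names are assumptions.

```rust
/// Constructed sample shaped like `certipy find -stdout` text output (not real output).
pub const SAMPLE_CERTIPY_OUTPUT: &str = r#"
Certificate Authorities
  0
    CA Name                             : corp-DC-CA
    DNS Name                            : dc.corp.local
    [!] Vulnerabilities
      ESC8                              : Web Enrollment is enabled and Request Disposition is set to Issue
Certificate Templates
  0
    Template Name                       : VulnUserTemplate
    Certificate Authorities             : corp-DC-CA
    Enrollee Supplies Subject           : True
    [!] Vulnerabilities
      ESC1                              : 'CORP.LOCAL\Domain Users' can enroll and template allows client authentication
  1
    Template Name                       : WriteableTemplate
    Certificate Authorities             : corp-DC-CA
    [!] Vulnerabilities
      ESC4                              : 'CORP.LOCAL\Domain Users' has dangerous permissions
  2
    Template Name                       : SafeTemplate
"#;

#[derive(Debug, Clone, Copy, PartialEq, Eq)]
enum Section { None, Ca, Template }

#[derive(Debug, Clone, Copy, PartialEq, Eq)]
pub enum TargetKind { Ca, Template }

#[derive(Debug, Clone, PartialEq, Eq)]
pub struct AdcsFinding {
    pub esc: String,        // normalised token, e.g. "ESC1"
    pub kind: TargetKind,   // finding lives on a CA or on a template
    pub target: String,     // CA name or template name
    pub ca: Option<String>, // issuing CA for templates (what `certipy req -ca` needs)
    pub reason: String,
}

impl AdcsFinding {
    /// Key that keeps the same exploitation task from being dispatched twice (format assumed).
    pub fn dedup_key(&self) -> String {
        let kind = match self.kind { TargetKind::Ca => "ca", TargetKind::Template => "template" };
        format!("adcs_exploit:{}:{}:{}", self.esc.to_lowercase(), kind, self.target.to_lowercase())
    }
}

/// Every whole-word "ESC<n>" token in free text, case-insensitive, so inline mentions
/// ("... vulnerable to esc3 ...") are caught while words like "DESCRIPTION" are not.
pub fn extract_esc_types(text: &str) -> Vec<String> {
    let b = text.as_bytes();
    let (mut out, mut i): (Vec<String>, usize) = (Vec::new(), 0);
    while i + 3 < b.len() {
        let boundary_before = i == 0 || !b[i - 1].is_ascii_alphanumeric();
        if boundary_before && b[i..i + 3].eq_ignore_ascii_case(b"ESC") {
            let mut j = i + 3;
            while j < b.len() && b[j].is_ascii_digit() { j += 1; }
            if j > i + 3 && (j == b.len() || !b[j].is_ascii_alphanumeric()) {
                let esc = format!("ESC{}", &text[i + 3..j]); // ASCII-only span, so slicing is safe
                if !out.contains(&esc) { out.push(esc); }
                i = j;
                continue;
            }
        }
        i += 1;
    }
    out
}

/// Triage order assumed for this example: direct client-auth templates, then relay to the CA,
/// then template rewrite, then the rest.
pub fn esc_priority(esc: &str) -> u32 {
    match esc.to_ascii_uppercase().as_str() {
        "ESC1" => 100, "ESC8" => 90, "ESC4" => 80, "ESC3" => 70, "ESC6" => 65, "ESC2" => 60,
        "ESC7" => 55, "ESC9" | "ESC10" => 50, "ESC11" => 45, "ESC13" => 40, "ESC5" => 35, _ => 10,
    }
}

pub fn sort_by_priority(findings: &mut [AdcsFinding]) {
    findings.sort_by(|a, b| esc_priority(&b.esc).cmp(&esc_priority(&a.esc))); // stable: ties keep file order
}

fn push_finding(out: &mut Vec<AdcsFinding>, section: Section, name: &Option<String>,
                ca: &Option<String>, esc: String, reason: &str) {
    let kind = match section { Section::Ca => TargetKind::Ca, Section::Template => TargetKind::Template, Section::None => return };
    let f = AdcsFinding { esc, kind, target: name.clone().unwrap_or_else(|| "unknown".into()), ca: ca.clone(), reason: reason.to_string() };
    if !out.iter().any(|x| x.dedup_key() == f.dedup_key()) { out.push(f); }
}

pub fn parse_certipy_find(output: &str) -> Vec<AdcsFinding> {
    let mut findings = Vec::new();
    let mut section = Section::None;
    let (mut name, mut ca): (Option<String>, Option<String>) = (None, None);
    let mut in_vulns = false;
    for raw in output.lines() {
        let t = raw.trim();
        if t.is_empty() { continue; }
        if !raw.starts_with(char::is_whitespace) { // unindented line: section header
            section = if t.starts_with("Certificate Authorities") { Section::Ca }
                else if t.starts_with("Certificate Templates") { Section::Template } else { Section::None };
            name = None; ca = None; in_vulns = false;
            continue;
        }
        if t.chars().all(|c| c.is_ascii_digit()) { // "0", "1", ...: next CA/template entry
            name = None; ca = None; in_vulns = false;
            continue;
        }
        if let Some(rest) = t.strip_prefix("[!] Vulnerabilities") {
            in_vulns = true; // keyed "ESCn : reason" lines follow; also accept inline "[!] Vulnerabilities: ESC1, ESC4"
            for esc in extract_esc_types(rest) { push_finding(&mut findings, section, &name, &ca, esc, rest.trim_start_matches(':').trim()); }
            continue;
        }
        let (key, value) = t.split_once(':').map_or((t, ""), |(k, v)| (k.trim(), v.trim()));
        match (section, key) {
            (Section::Ca, "CA Name") => { name = Some(value.to_string()); ca = Some(value.to_string()); continue; }
            (Section::Template, "Template Name") => { name = Some(value.to_string()); continue; }
            (Section::Template, "Certificate Authorities") => { ca = Some(value.to_string()); continue; }
            _ => {}
        }
        if in_vulns {
            let escs = extract_esc_types(key);
            if escs.is_empty() { in_vulns = false; } // any other key/value line ends the block
            for esc in escs { push_finding(&mut findings, section, &name, &ca, esc, value); }
        }
    }
    findings
}

fn main() {
    let mut findings = parse_certipy_find(SAMPLE_CERTIPY_OUTPUT);
    sort_by_priority(&mut findings);
    for f in &findings {
        println!("{:<5} {:<18} ca={:<12} {}", f.esc, f.target, f.ca.as_deref().unwrap_or("-"), f.dedup_key());
    }
}
```

The parser deliberately tracks the issuing CA per template and carries it on the finding, because an ESC1/ESC4 task needs both the template and the CA to build a request, while an ESC8 finding only needs the CA; a parser that returns just ESC labels forces the automation to re-enumerate later.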
**Changed:**
- Set operation strategy from 'stealth' to 'comprehensive' to exploit all discovered vulnerabilities rather than prioritizing stealth
- Cleared `exclude_techniques` to an empty list, allowing all techniques instead of blocking `secretsdump` and `dc_secretsdump` by default
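The strategy commits above (presets, `technique_weights`, `include_techniques`/`exclude_techniques`, the `is_technique_allowed()` gate, and the switch of the default from stealth-with-exclusions to comprehensive) describe a resolution pipeline without showing it. Below is an added example of my own, not the project's `Strategy` type, of how those pieces fit: preset weights, overrides merged on top, a list parser for the env/YAML form, one central allow check that every automation would consult, and the sorted priority table a runner would splice into the system prompt. Preset and field names follow the commit messages; the weight values, which presets continue after DA, and every method name are assumptions.

```rust
use std::collections::BTreeMap;

/// Strategy presets named in the commits: comprehensive, fast, stealth.
#[derive(Debug, Clone, Copy, PartialEq, Eq)]
pub enum StrategyPreset { Comprehensive, Fast, Stealth }

impl StrategyPreset {
    /// Accepts the preset name as it would appear in YAML, JSON or an env var.
    pub fn parse(name: &str) -> Option<Self> {
        match name.trim().to_ascii_lowercase().as_str() {
            "comprehensive" => Some(Self::Comprehensive),
            "fast" => Some(Self::Fast),
            "stealth" => Some(Self::Stealth),
            _ => None,
        }
    }

    /// Built-in technique weights (higher = tried first). Values are assumed for this
    /// example; only their ordering matters.
    fn default_weights(self) -> BTreeMap<String, u32> {
        let table: &[(&str, u32)] = match self {
            Self::Comprehensive => &[("dc_secretsdump", 95), ("secretsdump", 90), ("adcs_exploit", 85),
                ("shadow_credentials", 80), ("rbcd", 75), ("gpo_abuse", 70), ("laps", 65),
                ("mssql_deep_exploitation", 60), ("password_spray", 30)],
            Self::Fast => &[("dc_secretsdump", 95), ("secretsdump", 90), ("adcs_exploit", 60),
                ("shadow_credentials", 50), ("rbcd", 40), ("password_spray", 20)],
            // Stealth: ACL/PKI paths first, LSASS/NTDS dumping and spraying last.
            Self::Stealth => &[("shadow_credentials", 90), ("adcs_exploit", 85), ("rbcd", 80),
                ("laps", 70), ("gpo_abuse", 60), ("mssql_deep_exploitation", 50),
                ("secretsdump", 20), ("dc_secretsdump", 10), ("password_spray", 5)],
        };
        table.iter().map(|(k, v)| (k.to_string(), *v)).collect()
    }
}

#[derive(Debug, Clone)]
pub struct Strategy {
    pub preset: StrategyPreset,
    pub technique_weights: BTreeMap<String, u32>,
    pub include_techniques: Vec<String>,
    pub exclude_techniques: Vec<String>,
    pub continue_after_da: bool,
    pub llm_temperature: Option<f32>,
}

impl Strategy {
    pub fn from_preset(preset: StrategyPreset) -> Self {
        Strategy {
            preset,
            technique_weights: preset.default_weights(),
            include_techniques: Vec::new(),
            exclude_techniques: Vec::new(),
            // Assumed: fast mode stops at the first DA, the other presets keep searching for paths.
            continue_after_da: preset != StrategyPreset::Fast,
            llm_temperature: None,
        }
    }

    /// Normalise a comma-separated list such as "secretsdump, DC_SECRETSDUMP,," (env-var style).
    pub fn parse_technique_list(raw: &str) -> Vec<String> {
        let mut out: Vec<String> = Vec::new();
        for item in raw.split(',') {
            let t = item.trim().to_ascii_lowercase();
            if !t.is_empty() && !out.contains(&t) { out.push(t); }
        }
        out
    }

    /// Weight overrides from YAML/JSON are merged on top of the preset table, so a config
    /// only lists the techniques it wants to re-rank.
    pub fn with_weight_overrides(mut self, overrides: &[(&str, u32)]) -> Self {
        for (k, v) in overrides { self.technique_weights.insert(k.to_ascii_lowercase(), *v); }
        self
    }
    pub fn with_excludes(mut self, list: Vec<String>) -> Self { self.exclude_techniques = list; self }
    pub fn with_includes(mut self, list: Vec<String>) -> Self { self.include_techniques = list; self }

    /// The single gate every automation consults before dispatching a task.
    /// Exclusion wins over inclusion; an empty include list means "everything not excluded".
    pub fn is_technique_allowed(&self, technique: &str) -> bool {
        let t = technique.trim().to_ascii_lowercase();
        if self.exclude_techniques.iter().any(|x| *x == t) { return false; }
        self.include_techniques.is_empty() || self.include_techniques.iter().any(|x| *x == t)
    }

    pub fn priority_of(&self, technique: &str) -> u32 {
        self.technique_weights.get(&technique.to_ascii_lowercase()).copied().unwrap_or(0)
    }

    /// Allowed techniques, highest weight first; ties broken by name so the table is stable.
    pub fn sorted_priorities(&self) -> Vec<(String, u32)> {
        let mut rows: Vec<(String, u32)> = self.technique_weights.iter()
            .filter(|(k, _)| self.is_technique_allowed(k))
            .map(|(k, v)| ((*k).clone(), *v)).collect();
        rows.sort_by(|a, b| b.1.cmp(&a.1).then_with(|| a.0.cmp(&b.0)));
        rows
    }

    /// The markdown table a task runner would render into the LLM system prompt.
    pub fn render_priority_table(&self) -> String {
        let mut s = String::from("| technique | weight |\n|---|---|\n");
        for (k, v) in self.sorted_priorities() { s.push_str(&format!("| {} | {} |\n", k, v)); }
        s
    }

    pub fn should_stop_after_da(&self) -> bool { !self.continue_after_da }
}

fn main() {
    // The earlier default from the commits: stealth with the dump techniques excluded.
    let stealth = Strategy::from_preset(StrategyPreset::Stealth)
        .with_excludes(Strategy::parse_technique_list("secretsdump, dc_secretsdump"));
    print!("{}", stealth.render_priority_table());
    // The later default: comprehensive with nothing excluded.
    let comprehensive = Strategy::from_preset(StrategyPreset::Comprehensive);
    println!("secretsdump allowed: {}", comprehensive.is_technique_allowed("secretsdump"));
}
```

Two design points worth keeping when doing this for real: exclusion must beat inclusion (an operator who writes `exclude_techniques: [dc_secretsdump]` expects that to hold even if a preset or include list names it), and the check has to run at dispatch time in one place, not in each module, so that a technique reached through a fallback path (credential expansion, stall-detection spraying) is gated exactly like one reached directly.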
9fdd057 to c102838
…tor and agent modules
**Added:**
- Comprehensive unit tests for helper and filter logic in orchestrator automation modules:
- Added tests for NetBIOS to FQDN resolution, domain matching, FQDN extraction, and hash dedup
logic for credential expansion
- Added tests for MSSQL exploitation helpers (`is_mssql_deep_candidate`, `resolve_mssql_target_ip`)
including edge cases and dedup key formatting
- Added tests for RBCD helpers (`is_rbcd_candidate`, `resolve_computer_ip`) for various matching
scenarios and dedup keys
- Added tests for shadow credentials candidate detection across supported types and casing
- Added tests for unconstrained delegation helper logic and constants
- Unit tests for configuration helpers:
- Tests for local IP detection, strategy parsing, and environment variable overrides
- Unit tests for strategy presets and logic:
- Tests for comprehensive/fast/stealth presets, technique weights, inclusion/exclusion logic, and
priority calculation
- Unit tests for agent callback handler logic in ares-llm:
- Tests for all built-in callback tool fallbacks, correct result types, error handling, and
disabled/forwarded tool handling
- Unit tests for Certipy parser helpers:
- Tests for ESC priority, CA name and template extraction, parsing various Certipy output
formats, and ESC type list completeness
**Changed:**
- Improved code coverage and reliability by validating logic against realistic and edge-case inputs
- Documented test intent and expected outcomes for future maintainers
**Removed:**
- No code or test logic removed; all changes are additive to test coverage
…ction

**Added:**
- Introduced `auto_adcs_exploitation` automation to exploit discovered ADCS vulnerabilities (ESC1/ESC4/ESC8) and dispatch exploitation tasks based on enumeration results
- Added `auto_gpo_abuse` automation to detect and exploit GPO write access vulnerabilities, dispatching tasks for code execution via pyGPOAbuse
- Implemented `auto_laps_extraction` automation to extract LAPS passwords using explicit and sweep strategies, complementing low-hanging fruit checks
- Created new modules: `adcs_exploitation.rs`, `gpo.rs`, and `laps.rs` for the above automations
- Registered new deduplication key constants: `DEDUP_ADCS_EXPLOIT`, `DEDUP_GPO_ABUSE`, `DEDUP_LAPS` for tracking task processing
- Added relevant tests for GPO and ADCS candidate detection in new modules

**Changed:**
- Extended automation spawner to launch `auto_adcs_exploitation`, `auto_gpo_abuse`, and `auto_laps_extraction` alongside other automation tasks
- Updated `mod.rs` to import and re-export new automation functions for orchestration
- Enhanced `gmsa.rs` to include vulnerability-driven gMSA detection logic, increasing coverage of gMSA account extraction
- Updated deduplication sets in `state/mod.rs` and validation in `state/inner.rs` to include new dedup keys
- Tuned strategy weights in `strategy.rs` to assign priorities to new automation techniques for fast, comprehensive, and stealth modes

**Removed:**
- Removed limitation of gMSA extraction to user-based detection only; now includes vuln-driven discovery
**Added:**
- Added extensive test coverage for edge cases and helper functions across the
following modules:
- `ares-cli/src/dedup/tests.rs`: edge cases for deduplication, domain
normalization, hash/cred/user dedup, and source label normalization
- `ares-cli/src/ops/loot/format/display.rs`: tests for formatting helpers,
domain/forest structure, MITRE extraction, and achievement logic
- `ares-cli/src/orchestrator/automation/adcs_exploitation.rs`: tests for
extraction helpers, ESC type normalization, role selection, and
integration scenarios
- `ares-cli/src/orchestrator/automation/credential_expansion.rs`: tests for
pass-the-hash logic, dedup key formatting, hash and credential filters,
and domain matching
- `ares-cli/src/orchestrator/automation/gmsa.rs`: tests for gMSA detection
helpers, vuln type matching, dedup key construction
- `ares-cli/src/orchestrator/automation/gpo.rs`: tests for vuln type
matching, dedup key logic, and detail extraction helpers
- `ares-cli/src/orchestrator/automation/laps.rs`: tests for LAPS candidate
matching, dedup key, and constant values
- `ares-cli/src/orchestrator/automation/rbcd.rs`: tests for candidate
selection, dedup key, computer IP resolution, and target logic
- `ares-cli/src/orchestrator/automation/s4u.rs`: tests for result pattern
matching, lockout/revocation detection, and constant values
- `ares-cli/src/orchestrator/automation/shadow_credentials.rs`: tests for
candidate matching, source/target extraction, dedup key, and structure
- `ares-cli/src/orchestrator/automation/unconstrained.rs`: tests for phase
state transitions, hostname resolution, dedup key logic, and action
dispatch
- `ares-cli/src/orchestrator/callback_handler/tests.rs`: coverage for
disabled tool handlers, agent status, hash summaries, and pagination
- `ares-cli/src/orchestrator/completion.rs`: tests for forest root logic,
undominated forest computation, trust helpers, and edge cases
- `ares-cli/src/orchestrator/deferred.rs`: tests for task score
calculation, serialization, and queue prefix
- `ares-cli/src/orchestrator/dispatcher/mod.rs`: tests for credential
inflight logic, key extraction, and concurrency limits
- `ares-cli/src/orchestrator/monitoring.rs`: tests for agent registry
operations, stale detection, heartbeat, and critical tool structure
- `ares-cli/src/orchestrator/result_processing/tests.rs`: tests for DA
indicator, parent ID resolution, and discovery parsing
- `ares-cli/src/worker/tool_executor.rs`: tests for request/response
structures, error handling, and queue key formatting
- `ares-core/src/correlation/redblue/tests.rs`: coverage for correlation
engine, match quality, reporting, and technique coverage
- `ares-core/src/eval/results.rs`: tests for evaluation result structure,
grading, summary, serialization, and dataset aggregation
- `ares-core/src/models/operation.rs`: tests for operation meta parsing,
datetime/string helpers, and attack chain formatting
- `ares-core/src/persistent_store/store.rs`: tests for IP detection and
SHA-256 helpers
- `ares-core/src/token_usage.rs`: tests for token usage structures, cost
estimation, model field helpers, and serialization
- `ares-tools/src/acl.rs`: tests for DN formatting, argument helpers, and
credential target formatting
- `ares-tools/src/privesc/delegation.rs`: tests for argument validation,
credential helpers, and command construction
- Created `docs/goad-checklist.md` with an exhaustive checklist for GOAD
deployment, users, groups, ACLs, vulnerabilities, and attack validation
**Changed:**
- Improved code coverage for edge cases, input validation, and helper function
correctness in all major orchestrator automation modules and tooling
- Enhanced test assertions for input normalization, domain/forest handling,
deduplication keys, error handling, and credential/host/attack chain logic
**Removed:**
- No production code removed; all changes are test or documentation additions
for validation and coverage purposes
l50 added a commit that referenced this pull request on Apr 22, 2026
…, MSSQL, and expand test coverage (#227)

**Key Changes:**
- Introduced advanced automation modules for ADCS exploitation, GPO abuse, shadow credentials, RBCD, LAPS extraction, and deep MSSQL exploitation
- Enhanced strategy gating and credential inflight logic for safer, more flexible automation control
- Added extensive property-based and edge case test coverage across orchestrator, token usage, result processing, and helpers
- Cleaned up legacy Rust agent Warp Gate templates and documentation for clarity and modernization

**Added:**
- ADCS exploitation automation
  - New `adcs_exploitation.rs` automates exploitation of ESC1/4/8 ADCS vulnerabilities, selecting credentials and building tasks for certipy/relay attacks
- GPO abuse automation
  - New `gpo.rs` module dispatches GPO exploitation tasks (e.g., pyGPOAbuse) when write access is detected via BloodHound/ACL analysis
- Shadow credentials automation
  - New `shadow_credentials.rs` module exploits GenericAll/WriteDacl on users/computers via certipy shadow attacks
- RBCD exploitation automation
  - New `rbcd.rs` module automates addcomputer→rbcd→s4u chains using credentials or NTLM hashes, matching ACL edges
- LAPS extraction automation
  - New `laps.rs` supports explicit LAPS dump attempts both vuln-driven and domain-wide, with deduplication and task building
- MSSQL deep exploitation
  - New `mssql_exploitation.rs` handles post-access exploitation including xp_cmdshell, impersonation, and credential extraction
- Extensive property-based and edge-case tests for all new automation modules
- Enhanced test coverage in orchestrator, result processing, completion, token usage, persistent store, and callback handlers
- GOAD attack surface checklist in `docs/goad-checklist.md`

**Changed:**
- Strategy gating
  - All automation modules now respect `strategy` configuration for technique inclusion/exclusion and priority weighting
- Credential inflight logic
  - Improved inflight slot handling and test coverage for concurrency limits
- Orchestrator and worker config
  - Added listener IP auto-detection and config propagation for NTLM relay/coercion
- Build system and dependencies
  - Updated Ansible and Python requirements for improved provisioning stability
- Documentation
  - Overhauled and unified agent template documentation, removing legacy Rust agent Warp Gate templates in favor of simplified, current `ares-blue-*` and `ares-cracker-*` variants
- Unit/integration tests
  - Significantly expanded property-based and edge-case tests across orchestrator, state, completion, results, token usage, and tools

**Removed:**
- Legacy Rust agent templates
  - Deleted `ares-rust-*` agent Warp Gate templates and their docs to avoid confusion and maintain a clear, modern template set
- Redundant or obsolete test scaffolding and comments in favor of unified, property-based tests and edge-case coverage
- Unused code paths and outdated references in orchestrator automation modules (e.g., hardcoded ares-worker@ systemd units, now replaced by ares@)
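Both this squash commit and the earlier one mention a `listener_ip` that is taken from the environment or auto-detected from the first target IP, and then handed to the NTLM relay and coercion steps. Getting that address wrong is a common reason coercion-to-relay chains silently fail (the coerced host connects to an address the attacker does not hold), so here is an added example of my own, not the project's implementation, of the usual resolution order: explicit override first, otherwise the local address the kernel would route from to reach the first target, found with a UDP connect() that sends no packet. The env var name `ARES_LISTENER_IP`, the port used in the connect, and the function names are assumptions.

```rust
use std::net::{IpAddr, SocketAddr, UdpSocket};

/// Resolve the address relay/coercion listeners should advertise to targets.
/// Precedence: an explicit override (for example an env var), then the local address
/// that routes to the first target. A non-empty but unparsable override yields None
/// rather than silently falling back, so the caller can refuse to start.
pub fn resolve_listener_ip(override_value: Option<&str>, first_target: Option<&str>) -> Option<IpAddr> {
    if let Some(raw) = override_value.map(str::trim).filter(|s| !s.is_empty()) {
        return raw.parse::<IpAddr>().ok();
    }
    let target: IpAddr = first_target?.trim().parse().ok()?;
    local_ip_towards(target)
}

/// Route-lookup trick: connect() on a UDP socket transmits nothing, but the kernel binds
/// the source address it would use to reach `target`, which local_addr() then reveals.
pub fn local_ip_towards(target: IpAddr) -> Option<IpAddr> {
    let wildcard = if target.is_ipv4() { "0.0.0.0:0" } else { "[::]:0" };
    let sock = UdpSocket::bind(wildcard).ok()?;
    sock.connect(SocketAddr::new(target, 445)).ok()?; // port is arbitrary; no packet leaves
    let local = sock.local_addr().ok()?.ip();
    if local.is_unspecified() { None } else { Some(local) }
}

/// Env-driven entry point; `ARES_LISTENER_IP` is an assumed variable name.
pub fn listener_ip_from_env(first_target: Option<&str>) -> Option<IpAddr> {
    let from_env = std::env::var("ARES_LISTENER_IP").ok();
    resolve_listener_ip(from_env.as_deref(), first_target)
}

fn main() {
    let targets = ["192.0.2.10"]; // constructed target list; the first entry drives detection
    match listener_ip_from_env(targets.first().copied()) {
        Some(ip) => println!("listener_ip={} (pass this to relay and coercion steps)", ip),
        None => eprintln!("could not determine listener IP; set ARES_LISTENER_IP explicitly"),
    }
}
```

The route-based detection picks whichever interface holds the route to the target, usually the VPN or lab tunnel, which is what you want; the override exists for the cases it cannot see, such as a NAT or port-forward in front of the listener, where the address the victim must connect to is not one the attacking host has bound. Logging the resolved value at startup, as the commit does, is the cheapest check that the chain is pointed at the right place before any coercion fires.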