feat: inject real operation values into agent prompt templates and reporting #270
Merged
…ensively filter pseudo-domains

**Added:**
- Inject target domain, DC IP, DC FQDN, and listener IP into agent/system prompt templates via `StateSnapshot` and prompt rendering, ensuring tool-call examples use actual operation values
- Heuristic function to detect and filter Windows workgroup/self-named pseudo-domains in loot and output extraction, preventing phantom AD domains from polluting achievements and credential attribution
- Defensive filtering in loot achievement computation to skip workgroup and default computer-name pseudo-domains
- Contextual filtering of `(domain:...)` in SMB/user extraction to avoid setting current domain to a workgroup/self-named pseudo-domain
- Tests for new pseudo-domain detection and filtering behaviors across loot, orchestrator extraction, and SMB parsing
- Selection of representative credential for worked example in MSSQL lateral/exploit prompt generation

**Changed:**
- All agent/system prompt templates now render tool-call examples and workflow steps using injected operation context values (`target_domain`, `target_dc_ip`, `target_dc_fqdn`, `listener_ip`) instead of static placeholders
- `LlmTaskRunner` and prompt-building logic updated to pass listener IP and target context through to templates
- `SharedState` snapshot extended to compute and expose primary target domain, DC IP, DC FQDN, and listener IP for prompt rendering
- SMB NetExec banner parsing and FQDN extraction now skip workgroup/self-named pseudo-domains, matching orchestrator extraction logic
- Output extraction for users now prevents workgroup banners from overwriting `current_domain`
- MSSQL prompt rendering passes representative credential into templates for worked example sections
- All tests and agent/system prompt rendering calls updated to provide the required context values

**Removed:**
- Static/placeholder values for domain, DC IP, DC FQDN, and listener IP from prompt templates and examples, eliminating risk of LLMs copying non-contextual values into real tool calls

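The pseudo-domain filtering described in the commit message above, as an added sketch that is not code from this pull request. The function names, the specific rules (literal `WORKGROUP`, domain equal to the host name, Windows default `WIN-`/`DESKTOP-` computer names) and the banner lines are assumptions constructed for illustration.

```rust
/// Pull the value of a `(key:value)` field out of a NetExec-style SMB banner.
fn banner_field<'a>(banner: &'a str, key: &str) -> Option<&'a str> {
    let tag = format!("({key}:");
    let start = banner.find(&tag)? + tag.len();
    let end = banner[start..].find(')')? + start;
    Some(&banner[start..end])
}

/// True for Windows setup defaults such as WIN-ABCDEFGHIJK or DESKTOP-ABC1234.
fn is_default_computer_name(label: &str) -> bool {
    let upper = label.to_ascii_uppercase();
    [("WIN-", 11usize), ("DESKTOP-", 7usize)].iter().any(|(prefix, n)| {
        upper.strip_prefix(*prefix).map_or(false, |rest| {
            rest.len() == *n && rest.chars().all(|c| c.is_ascii_alphanumeric())
        })
    })
}

/// Hypothetical heuristic: a "domain" that is empty, WORKGROUP, the host's own
/// name, or a default computer name is not an Active Directory domain.
pub fn is_pseudo_domain(domain: &str, hostname: &str) -> bool {
    let d = domain.trim().trim_end_matches('.');
    let first = d.split('.').next().unwrap_or("");
    d.is_empty()
        || d.eq_ignore_ascii_case("WORKGROUP")
        || (!hostname.is_empty() && first.eq_ignore_ascii_case(hostname))
        || is_default_computer_name(first)
}

/// Return the banner's domain only when it passes the heuristic.
pub fn domain_from_banner(banner: &str) -> Option<String> {
    let host = banner_field(banner, "name").unwrap_or("");
    let domain = banner_field(banner, "domain")?;
    (!is_pseudo_domain(domain, host)).then(|| domain.to_ascii_lowercase())
}

/// A workgroup banner must never overwrite an already known domain.
pub fn update_current_domain(current: &mut Option<String>, banner: &str) {
    if let Some(d) = domain_from_banner(banner) {
        *current = Some(d);
    }
}

fn main() {
    // Constructed sample banner, not captured output.
    let wg = "SMB 192.168.58.20 445 WIN-ABCDEFGHIJK [*] Windows 10 (name:WIN-ABCDEFGHIJK) (domain:WIN-ABCDEFGHIJK) (signing:False)";
    println!("{:?}", domain_from_banner(wg));
}
```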
…ning

**Added:**
- Forward linked-server names from vulnerability details into the task payload in `auto_mssql_exploitation`, enabling prompt templates to use real values for `linked_server`
- Add `linked_server` field to `MssqlDeepWork` struct to carry context for linked server exploitation

**Changed:**
- Update MSSQL lateral prompt rendering to inject `linked_server` and `listener_ip` as context variables for more accurate task prompts
- Refactor trust exploitation prompt logic to use `has_source_sid`, `has_target_sid`, and `can_forge` flags; ensure forge and secretsdump steps only appear when all prerequisites are present, and provide clear instructions for missing SID resolution
- Remove placeholder variables from trust prompt context and templates, relying on real values passed by orchestrator
- Clarify and streamline privesc agent workflow: document that all MSSQL exploitation (including linked servers) is dispatched as focused tasks with required context already set, and direct agents not to guess or call steps out of order
- Improve coercion agent instructions to emphasize always using interface values from the task prompt and never guessing interface names
- Revise constrained delegation exploitation task prompt: clarify that only `s4u_attack` is run directly, and that follow-up credential access tasks (secretsdump, psexec) are auto-chained by the orchestrator; remove manual step instructions and reinforce correct reporting/termination
- Update MSSQL lateral task prompt to clarify that discovered linked servers trigger auto-dispatched follow-up tasks, and only pre-populated `linked_server` is used for pivoting in the current task
- Improve trust exploitation task prompt to conditionally render SID and forge steps based on available data, and to clarify that secretsdump is auto-chained by the orchestrator

**Removed:**
- Eliminate manual and placeholder-driven steps in trust and MSSQL task prompts, ensuring all steps rely on orchestrator-populated context and auto-chained follow-ups
- Remove obsolete or redundant step-by-step instructions for manual ticket and hash handling in constrained delegation and trust escalation paths, consolidating to orchestrator-driven workflows

**Added:**
- Introduced `OperationContext` struct to encapsulate operation-specific fields (domain, DC IP/FQDN, listener IP) for prompt templates in `templates.rs`
- Added `OperationContext::EMPTY` constant and an `insert_into` method for context injection
- Added a test constant `TEST_OP` for use in prompt template tests

**Changed:**
- Refactored all agent and system prompt rendering functions (`render_agent_instructions`, `render_system_instructions`, etc.) to accept a single `OperationContext` argument instead of multiple individual operation-related parameters
- Updated all internal calls and tests to use the new `OperationContext` signature, replacing positional string arguments with the struct
- Simplified code in orchestrator, prompt, and test modules to use the unified context for readability and maintainability

**Removed:**
- Eliminated separate `target_domain`, `target_dc_ip`, `target_dc_fqdn`, and `listener_ip` function parameters in favor of the new `OperationContext` struct throughout the prompt/template codebase and tests

…reporting

**Added:**
- introduced `report_filter` module with logic to exclude machine accounts, krbtgt, local SAM built-ins, common service accounts, and already-cracked hashes from reported credentials and hashes
- comprehensive unit tests for credential and hash filtering logic

**Changed:**
- updated loot JSON output to apply filtering so only reportable credentials and hashes are included, reducing noise for external scoreboards
- added `report_filter` module import in format mod.rs to enable filtering in JSON output

**Added:**
- Introduced pre-scan logic in `output_extraction/hashes.rs` to infer the dumped domain/realm from evidence in NTDS dump output, avoiding phantom krbtgt attribution when the target differs from the actual dump realm
- Added tests in `output_extraction/hashes.rs` to verify domain inference behavior for krbtgt attribution, including correct fallback to the default domain and selection of the most common prefix

**Changed:**
- Updated test fixtures and example data across codebase to use realistic demo domains (e.g., `child.contoso.local`, `fabrikam.local`) and IPs (e.g., `192.168.58.10`) instead of placeholder or inconsistent values such as `10.0.0.1` and `north.sevenkingdoms.local`
- Modified test SMB banners, workgroup FQDNs, and related domain logic in `smb.rs`, `users.rs`, and `display.rs` to consistently use `WIN-ABCDEFGHIJK.WGRP.LOCAL` and similar
- Aligned test arguments and discovery payloads in orchestrator and worker tests to use the new canonical IP/domain examples
- Updated documentation in `docs/red.md` and `docs/strategy.md` to reflect the same IP and domain convention in code examples and scenario explanations

**Removed:**
- Eliminated references to fantasy or placeholder domains and IPs in test and documentation scenarios to prevent confusion and promote consistency with standard demo environments

**Changed:**
- Show domain admin and golden ticket achievement counts per domain in human-readable loot output, improving clarity for multi-domain environments
- ares-cli/src/ops/loot/format/display.rs
- Minor formatting adjustment to test for reportable credentials, improving readability
- ares-cli/src/ops/loot/format/report_filter.rs
- Minor code style update for hashmap initialization to a single line
- ares-cli/src/orchestrator/output_extraction/hashes.rs

**Changed:**
- Merged tests for `AresConfig::from_env` handling of `ARES_CONFIG` env var into a single test to prevent race conditions caused by parallel test execution and shared environment variables

Key Changes:
Added:
Changed:
Removed: