
feat: add automatic detection and scoreboard credit for SeImpersonatePrivilege #281

Merged
l50 merged 1 commit into feat/more-attack-cov from feat/dreadgoad-seimpersonate on May 12, 2026

Conversation

l50 (Contributor) commented May 12, 2026

Key Changes:

  • Implemented automatic parsing of task results to detect SeImpersonatePrivilege (enabled) in output
  • Emitted a seimpersonate_<host> primitive to the scoreboard when SeImpersonatePrivilege is observed
  • Updated MSSQL exploitation objectives to ensure whoami /priv output is captured and parsed
  • Added comprehensive tests for SeImpersonatePrivilege detection logic

Added:

  • SeImpersonatePrivilege detection logic in result processing: parses task output for SeImpersonatePrivilege and Enabled, and credits the primitive on the scoreboard when found
  • Host label resolution helper for stable scoreboard tokens (prefers hostname, falls back to IP, strips AD suffix)
  • Tests covering various scenarios for SeImpersonatePrivilege detection, including case insensitivity, disabled states, tool_outputs array, and empty payloads

Changed:

  • MSSQL exploitation objectives expanded to require immediate execution and full output inclusion of whoami /priv, ensuring SeImpersonatePrivilege is reliably surfaced and claimed
  • Clarified that if SeImpersonatePrivilege is detected and credited, potato-style escalations are optional and lower priority

**Added:**

- Implement detection of SeImpersonatePrivilege enabled in task results and automatically credit the seimpersonate primitive on the scoreboard if observed
- Add helper to derive a stable host label for seimpersonate vulnerability tokens, preferring hostname and normalizing format
- Add comprehensive tests for seimpersonate signal detection logic to handle various output formats, case insensitivity, and false positive avoidance

**Changed:**

- Update MSSQL exploitation objectives to require inclusion of the full whoami /priv table in tool outputs and clarify that seimpersonate primitive is credited automatically when detected, lowering priority of manual PrintSpoofer/GodPotato exploitation
- Refine credential extraction objective wording to clarify examples and focus on in-memory secrets over redundant privilege checks
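
The detection described in the PR body (a `whoami /priv` row for SeImpersonatePrivilege in state Enabled, case-insensitive, rejecting Disabled, reading either a plain output string or a `tool_outputs` array, tolerating empty payloads) and the host-label helper can be illustrated with the following standalone sketch. It is an added example for this page, not the code merged in #281: the result-dict keys (`output`, `stdout`, `content`, `tool_outputs`), the `lab.local` domain and the `whoami /priv` sample are constructed for illustration, and the exact normalisation of the host token is an assumption.

```python
import re
from typing import Any, Iterable, Optional

# Constructed sample of `whoami /priv` output from an English-locale Windows host
# (not captured from the project's lab). The table has three columns; the State
# column is the last token on each row.
SAMPLE_WHOAMI_PRIV = """
PRIVILEGES INFORMATION
----------------------

Privilege Name                Description                               State
============================= ========================================= ========
SeAssignPrimaryTokenPrivilege Replace a process level token             Disabled
SeIncreaseQuotaPrivilege      Adjust memory quotas for a process        Disabled
SeChangeNotifyPrivilege       Bypass traverse checking                  Enabled
SeImpersonatePrivilege        Impersonate a client after authentication Enabled
SeCreateGlobalPrivilege       Create global objects                     Enabled
"""

# Match one table row: the privilege name, free-text description, then the State.
# Anchoring on a single row (MULTILINE, '.' never crosses a newline) means an
# "Enabled" belonging to a neighbouring privilege can never be credited, and the
# explicit Disabled alternative lets a Disabled row be rejected outright.
_ROW = re.compile(
    r"^\s*SeImpersonatePrivilege\b.*?\b(Enabled|Disabled)\s*$",
    re.IGNORECASE | re.MULTILINE,
)

_IPV4 = re.compile(r"\d{1,3}(?:\.\d{1,3}){3}")


def _iter_texts(result: Any) -> Iterable[str]:
    """Yield every text fragment a task result may carry.

    Hypothetical result shape: a bare string, a dict with 'output'/'stdout'/'content'
    strings and/or a 'tool_outputs' list, or a list of either. None and {} yield nothing.
    """
    if result is None:
        return
    if isinstance(result, str):
        yield result
    elif isinstance(result, dict):
        for key in ("output", "stdout", "content"):
            if isinstance(result.get(key), str):
                yield result[key]
        for item in result.get("tool_outputs") or []:
            yield from _iter_texts(item)
    elif isinstance(result, (list, tuple)):
        for item in result:
            yield from _iter_texts(item)


def has_seimpersonate_enabled(result: Any) -> bool:
    """True only if some row shows SeImpersonatePrivilege with state Enabled."""
    for text in _iter_texts(result):
        for match in _ROW.finditer(text):
            if match.group(1).lower() == "enabled":
                return True
    return False


def host_label(hostname: Optional[str], ip: Optional[str], ad_suffix: Optional[str] = None) -> str:
    """Stable, lowercase token for the scoreboard.

    Prefers the hostname with the AD suffix (and any other DNS suffix) stripped;
    falls back to the IP when no hostname is known. Assumed normalisation: lowercase,
    non-alphanumerics collapsed to '-'.
    """
    name = (hostname or "").strip().lower()
    if name:
        if _IPV4.fullmatch(name):          # an IP stored in the hostname field
            return name
        if ad_suffix:
            suffix = "." + ad_suffix.strip(".").lower()
            if name.endswith(suffix):
                name = name[: -len(suffix)]
        name = name.split(".")[0]
        return re.sub(r"[^a-z0-9]+", "-", name).strip("-")
    if ip and ip.strip():
        return ip.strip()
    raise ValueError("need a hostname or an IP to build a host label")


def seimpersonate_primitive(result: Any, hostname: Optional[str], ip: Optional[str],
                            ad_suffix: Optional[str] = None) -> Optional[str]:
    """Return the 'seimpersonate_<host>' primitive to credit, or None if not observed."""
    if not has_seimpersonate_enabled(result):
        return None
    return f"seimpersonate_{host_label(hostname, ip, ad_suffix)}"


if __name__ == "__main__":
    task_result = {"tool_outputs": [{"content": SAMPLE_WHOAMI_PRIV}]}
    print(seimpersonate_primitive(task_result, "SQL01.lab.local", "10.10.10.20", "lab.local"))
```

The row-anchored regex is the part worth keeping whatever the surrounding framework looks like: a substring test for both words anywhere in the blob would credit a host whose `whoami /priv` table lists SeImpersonatePrivilege as Disabled next to some other Enabled privilege, which is exactly the false positive the PR's tests are described as guarding against.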

l50 changed the base branch from main to feat/more-attack-cov on May 12, 2026 22:15
l50 changed the title from "feat: orchestrate cross-forest privilege escalation and improve state deduplication" to "feat: add automatic detection and scoreboard credit for SeImpersonatePrivilege" on May 12, 2026
l50 merged commit 7e91a24 into feat/more-attack-cov on May 12, 2026
1 check passed
l50 deleted the feat/dreadgoad-seimpersonate branch on May 12, 2026 22:21