
feat: add primitive tokenization for NTLM relay and NTLMv1 downgrade exploits#285

Merged

l50 merged 1 commit into feat/more-attack-cov from feat/dreadgoad-ntlm-tokenization on May 12, 2026

Conversation

@l50 (Contributor) commented May 12, 2026

Key Changes:

  • Implemented token emission for successful NTLM relay and NTLMv1 downgrade exploits
  • Added logic to recognize and credit scoreboard primitives for NTLM relay techniques
  • Introduced signal detection for NTLMv1 downgrade misconfigurations
  • Extended test coverage for NTLMv1 signal detection, including edge cases

Added:

  • Primitive tokenization logic for NTLM relay exploits, ensuring the scoreboard is credited even when task IDs and payloads don't naturally trigger existing mechanisms
  • Detection and tokenization for NTLMv1 downgrade exploits, emitting scoreboard tokens when Domain Controllers allow NTLMv1 authentication
  • Helper functions for extracting technique and relay target metadata from pending tasks, and for robust detection of NTLMv1-allowing configuration in result payloads
  • Comprehensive tests for NTLMv1 signal detection, covering explicit verdicts, registry values, and common output formats

Changed:

  • Enhanced the result processing flow to synthesize and publish vulnerability tokens for NTLM relay and NTLMv1 downgrade events, including error handling and detailed logging for these cases

**Added:**

- Emit synthetic exploit tokens for successful NTLM relay (LDAP, ADCS) by recognizing relay technique and credential evidence, ensuring the scoreboard credits the primitive
- Tokenize NTLMv1 downgrade discoveries as exploits when positive signals are detected, crediting the misconfiguration where the DC permits NTLMv1 authentication
- Introduced helper functions to extract technique and relay target from pending tasks and to detect NTLMv1 signals in result payloads
- Added comprehensive tests for NTLMv1 signal detection, covering explicit verdicts, registry values, REG_DWORD formats, and tool output arrays

**Changed:**

- Enhanced process_completed_task logic to recognize and credit NTLM relay and NTLMv1 downgrade achievements as exploits within result processing
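The description above covers NTLMv1 signal detection over "explicit verdicts, registry values, REG_DWORD formats, and tool output arrays" and the emission of a scoreboard token on a positive signal, but the PR body contains no code. The following is an added illustration written for this page, not the project's implementation: the payload shapes (`verdict`, `LmCompatibilityLevel`, `output`), the token schema, and the function names are all assumptions. The only non-assumed fact it relies on is the documented meaning of `LmCompatibilityLevel`: a domain controller refuses NTLMv1 only at level 5, so any lower value (including the default of 3 on current Windows) still accepts NTLMv1.

```python
"""Added example (not the project's code): classify NTLMv1-allowed signals in
heterogeneous result payloads and emit a scoreboard token only on a positive hit.

Assumed payload shapes (hypothetical, chosen for this example):
  {"verdict": "ntlmv1_allowed"}              explicit verdict
  {"LmCompatibilityLevel": 2}                registry value as int
  {"LmCompatibilityLevel": "0x2"}            registry value as hex string
  {"output": ["...reg query lines..."]}      raw tool output array
"""
import re
from typing import Any, Iterable, Optional

# LmCompatibilityLevel (HKLM\SYSTEM\CurrentControlSet\Control\Lsa), DC-side effect:
#   0-4: DC still accepts NTLMv1 (4 only refuses LM)
#   5:   DC refuses LM and NTLMv1, accepts NTLMv2 only
NTLMV1_REFUSED_LEVEL = 5

# Matches a `reg query` style line such as:
#   "    LmCompatibilityLevel    REG_DWORD    0x3"
_REG_LINE = re.compile(
    r"LmCompatibilityLevel\s+REG_DWORD\s+(0x[0-9a-fA-F]+|\d+)", re.IGNORECASE
)


def parse_level(value: Any) -> Optional[int]:
    """Normalise an LmCompatibilityLevel value (int, decimal or 0x-hex string) to int."""
    if isinstance(value, bool):  # bool is an int subclass; never a valid level
        return None
    if isinstance(value, int):
        return value
    if isinstance(value, str):
        try:
            return int(value.strip(), 0)  # base 0 accepts "2" and "0x2"
        except ValueError:
            return None
    return None


def level_from_output(lines: Iterable[str]) -> Optional[int]:
    """Extract LmCompatibilityLevel from an array of tool output lines."""
    for line in lines:
        m = _REG_LINE.search(line)
        if m:
            return parse_level(m.group(1))
    return None


def dc_allows_ntlmv1(payload: dict) -> Optional[bool]:
    """True/False when the payload carries a decisive signal, None when it carries none.

    Precedence: explicit verdict, then a registry value field, then raw tool output.
    """
    verdict = str(payload.get("verdict", "")).lower()
    if verdict in ("ntlmv1_allowed", "vulnerable"):
        return True
    if verdict in ("ntlmv1_refused", "not_vulnerable"):
        return False

    level = parse_level(payload.get("LmCompatibilityLevel"))
    if level is None:
        out = payload.get("output")
        if isinstance(out, str):
            out = out.splitlines()
        if isinstance(out, list):
            level = level_from_output(out)
    if level is None:
        return None  # no signal: do not credit anything
    return level < NTLMV1_REFUSED_LEVEL


def ntlmv1_token(task_id: str, target: str, payload: dict) -> Optional[dict]:
    """Synthesize a scoreboard token (hypothetical schema) only on a positive signal."""
    if dc_allows_ntlmv1(payload) is not True:
        return None
    return {
        "task_id": task_id,
        "target": target,
        "primitive": "ntlmv1_downgrade",
        "kind": "exploit",
    }


if __name__ == "__main__":
    # Constructed sample payloads, not captured from any real host.
    samples = [
        {"verdict": "ntlmv1_allowed"},
        {"LmCompatibilityLevel": "0x5"},
        {"output": ["HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Control\\Lsa",
                    "    LmCompatibilityLevel    REG_DWORD    0x3"]},
        {},
    ]
    for p in samples:
        print(p, "->", ntlmv1_token("t1", "dc01.lab.local", p))
```

The `None` return is deliberate: an absent key is not evidence of a hardened DC, so a missing signal must not be tokenized either way. Returning a tri-state lets the caller log "no signal" separately from "refused", which is the distinction the description's edge-case tests would need to exercise.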
@l50 l50 changed the base branch from main to feat/more-attack-cov May 12, 2026 23:13
@l50 l50 changed the title from "feat: unify and expand exploit and enumeration automation coverage" to "feat: add primitive tokenization for NTLM relay and NTLMv1 downgrade exploits" May 12, 2026
@l50 l50 merged commit 31d2d0f into feat/more-attack-cov May 12, 2026
3 checks passed
@l50 l50 deleted the feat/dreadgoad-ntlm-tokenization branch May 12, 2026 23:50