bmt 0.5.2 → 0.7.0

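--- a/checksums.yaml
+++ b/checksums.yaml
@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: ff2dc8922c0f4b0a0de12d7ed0e8a3dad462839ac393bb590fa107e7ef6dec96
-  data.tar.gz: 0b56a54ce3cbc894aab9e26525268ca42ab330c95c7115f344d2a111ddb722b8
+  metadata.gz: f11ec97873738b913e31ac592026b6ee4a864db97eadba21de3c5d2af41acd54
+  data.tar.gz: 5fcf1038249d82290fbf4f1662e54f808e1b6609ad00c57893723a0f4609f82b
 SHA512:
-  metadata.gz: ad7985d3b24b71b148210ddcecc8426e5b054ff7983a7a9da04ca84f0f9507b7cf9c7b24d71b23a4db6072cd7fdc0244d4b1d2b9a118352644e91cfd7ca65d9f
-  data.tar.gz: 408dee385b1603822f99b02bf9787284f23ebe7d28845293d08aa24162a15da5aa2647959f396e0ddfa6d5b7564526351e96e0f9eeefae969c45a40de3beefdb
+  metadata.gz: 87811dd72b31d1772bc91b087aac9a898861e15c1249f7ab859d90f34b2a8ab056a40f26215dfdee190b8940b3be615fce9045aee53a1beffbb53cb0bf93839f
+  data.tar.gz: 5d0df2ff0597940d075385072b29414a2a1968e0bdbed86954b2f9ca5b1553d49c4cb8809ffaceb5ace3b7aec99838a695a795ee29444fd799b0b072de23964c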
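--- a/data/lib/bmt/version.rb
+++ b/data/lib/bmt/version.rb
@@ -1,3 +1,3 @@
 module Bmt
-  VERSION = '0.5.2'.freeze
+  VERSION = '0.7.0'.freeze
 end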
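--- a/data/lib/bmt.rb
+++ b/data/lib/bmt.rb
@@ -20,14 +20,14 @@ module BMT
   # returns a Methodology object given a key and a version
   def find(key, version: current_version)
     raise VersionNotFoundError unless versions.include?(version)
-    raise MethodologyNotFoundError unless methodology_keys(version: version).include?(key)
+    raise MethodologyNotFoundError unless methodology_keys(version:).include?(key)
 
     @methodologies[version].nil? && @methodologies[version] = {}
 
     @methodologies[version][key] ||= Methodology.new(
-      key: key,
-      version: version,
-      attributes: methodology_json(key, version: version)
+      key:,
+      version:,
+      attributes: methodology_json(key, version:)
     )
 
     @methodologies[version][key]
@@ -43,7 +43,7 @@ module BMT
     DATA_DIR.join(version, 'methodologies').entries
             .map(&:basename)
             .map(&:to_s)
-            .select { |dirname| dirname =~ /json/ }
+            .grep(/json/)
             .map { |filepath| File.basename(filepath, File.extname(filepath)) }
   end
 
@@ -55,7 +55,7 @@ module BMT
   end
 
   def methodology_json(key, version: current_version)
-    JSON.parse(methodology_pathname(key, version: version).read)
+    JSON.parse(methodology_pathname(key, version:).read)
   end
 
   def methodology_pathname(key, version: current_version)
@@ -67,6 +67,6 @@ module BMT
     DATA_DIR.entries
             .map(&:basename)
             .map(&:to_s)
-            .select { |dirname| dirname =~ /^[0-9]+\.[0-9]/ }.sort
+            .grep(/^[0-9]+\.[0-9]/).sort
   end
 end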
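Review bot: `versions` in the last hunk still orders the data directories with a plain lexicographic `.sort`, so a future `10.0` directory would sort before `2.0`; if `current_version` (defined outside these hunks) takes `versions.last`, the newest methodology set would silently stop being the default, and `.sort_by { |v| Gem::Version.new(v) }` keeps the intended numeric order. In the same regex, `^` is a line anchor rather than a string anchor, so `/\A[0-9]+\.[0-9]/` is the correct way to match the whole entry name. The rewrite of `methodology_keys` to `.grep(/json/)` preserves the old behaviour of accepting any entry whose name merely contains "json" (for example `json_notes.txt`), whereas `.grep(/\.json\z/)` would restrict it to the actual extension. Note also that `methodology_keys` and `methodology_json` join `version` and `key` straight into `DATA_DIR`: `find` validates both against the on-disk directory listing first, but if these helpers are callable directly (their visibility is not visible here), a caller-supplied `../` segment would escape the data directory, so it is worth adding the same `versions.include?(version)` guard inside them.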
@@ -0,0 +1,426 @@
1
+ {
2
+ "metadata": {
3
+ "title": "Active Directory Testing",
4
+ "release_date": "2025-08-19T00:00:00+00:00",
5
+ "description": "Bugcrowd Active Directory methodology testing",
6
+ "vrt_version": "1.17"
7
+ },
8
+ "content": {
9
+ "steps": [
10
+ {
11
+ "key": "reconnaissance_enumeration",
12
+ "title": "Reconnaissance & Enumeration",
13
+ "description": "Perform initial reconnaissance to enumerate the internal network from an unauthenticated perspective, with the aim of identifying hosts, users, key services, low hanging fruit and potential footholds for quick wins.",
14
+ "type": "checklist",
15
+ "items": [
16
+ {
17
+ "key": "host_service_discovery",
18
+ "title": "Host and Service Discovery",
19
+ "caption": "",
20
+ "description": "Conduct port scanning to identify live hosts and accessible (TCP & UDP) services. Map out high-value targets and assess the services and systems in use throughout the domain.",
21
+ "tools": "Nmap, Zenmap"
22
+ },
23
+ {
24
+ "key": "legacy_unencrypted_services",
25
+ "title": "Legacy & Unencrypted Services",
26
+ "caption": "",
27
+ "description": "Identify any legacy and unencrypted services (e.g telnet, FTP etc.) in use. Sniff traffic for plaintext credentials or sensitive data that could be used to gain unauthorised access to systems.",
28
+ "tools": "Nmap, Zenmap, Wireshark, TCPDump"
29
+ },
30
+ {
31
+ "key": "unpatched_software",
32
+ "title": "Unpatched Software & CVEs",
33
+ "caption": "",
34
+ "description": "Identify the use of outdated and unpatched software in use throughout the network. Assess which publicly disclosed vulnerabilities impact these software versions, and particularly for quick compromises that could be used to gain a foothold.",
35
+ "tools": "Nmap, Zenmap"
36
+ },
37
+ {
38
+ "key": "locate_dc",
39
+ "title": "Locate Domain Controllers",
40
+ "caption": "",
41
+ "description": "Identify the DCs present in the domain.",
42
+ "tools": "nmap -p 88 --open <ip_range>, nslookup -type=SRV _ldap._tcp.dc._msdcs.<domain>"
43
+ },
44
+ {
45
+ "key": "dns_enumeration",
46
+ "title": "DNS Enumeration",
47
+ "caption": "",
48
+ "description": "Identify DNS servers, enumerate the available DNS records and attempt zone transfer(s).",
49
+ "tools": "Fierce, dig, nslookup, dnsenum, sublist3r"
50
+ },
51
+ {
52
+ "key": "null_sessions_guest_access",
53
+ "title": "Null Sessions & Guest Access",
54
+ "caption": "",
55
+ "description": "Identify SMB & MSRPC services which support null sessions and/or guest access. If supported, leverage this access to enumerate useful information (e.g users, groups, password policy, shares etc.).",
56
+ "tools": "NetExec, enum4linux, rpcclient"
57
+ },
58
+ {
59
+ "key": "ldap_anonymous",
60
+ "title": "Microsoft LDAP Anonymous Bind",
61
+ "caption": "",
62
+ "description": "Discover any LDAP server(s) which support anonymous bind. Abuse this access to extract useful information (e.g users, computers, groups, vulnerable targets).",
63
+ "tools": "Ldapsearch"
64
+ },
65
+ {
66
+ "key": "share_enum",
67
+ "title": "Share Enumeration",
68
+ "caption": "",
69
+ "description": "Identify insecure network shares that are accessible to unauthenticated users. Search these shares for the presence of sensitive data (e.g credentials, configuration files, customer data).",
70
+ "tools": "Crackmapexec, NetExec, SMBMap, SMBClient, enum4linux, nmap"
71
+ }
72
+ ]
73
+ },
74
+ {
75
+ "key": "initial_access",
76
+ "title": "Initial Access",
77
+ "description": "Explore vulnerabilities and misconfigurations which could be abused from an unauthenticated perspective to gain an initial foothold in the domain.",
78
+ "type": "checklist",
79
+ "items": [
80
+ {
81
+ "key": "pxe_theft",
82
+ "title": "PXE Boot Media Theft",
83
+ "caption": "",
84
+ "description": "Harvest credentials by retrieving PXE boot media when PXE deployment is configured to support 'all unknown computers' on a distribution point and requires no password or is configured with a weak password.",
85
+ "tools": "PXEThief"
86
+ },
87
+ {
88
+ "key": "unauth_sccm_abuse",
89
+ "title": "Unauthenticated SCCM Abuse",
90
+ "caption": "",
91
+ "description": "If anonymous distribution point and automatic device approval are enabled, exploit these misconfigurations to retrieve SCCM secret policies and obtain the credentials contained within.",
92
+ "tools": "SCCMSecrets.py, sccm-http-looter"
93
+ },
94
+ {
95
+ "key": "unauth_coerced_ntlm_relay",
96
+ "title": "Unauthenticated Coerced NTLM Relay (PetitPotam / CVE-2021-36943 / CVE-2022-26925)",
97
+ "caption": "",
98
+ "description": "If vulnerable, retrieve the DC machine account credentials by forcing the domain controller to authenticate to you via NTLM. Combine with ESC8 and perform a DCSync for full domain takeover.",
99
+ "tools": "Responder, Impacket NTLMrelayx, PetitPotam.py, Mimikatz, Rubeus"
100
+ },
101
+ {
102
+ "key": "timeroasting",
103
+ "title": "TimeRoasting",
104
+ "caption": "",
105
+ "description": "Take advantage of Windows's NTP authentication mechanism to request the password hash of any computer account by sending an NTP request with that account's RID.",
106
+ "tools": "timeroast.py, timeroast.ps1"
107
+ },
108
+ {
109
+ "key": "asreproast",
110
+ "title": "ASREPRoast",
111
+ "caption": "",
112
+ "description": "Enumerate and attempt to crack the password hashes for any ASREPRoastable domain accounts that do not have pre-authentication enabled. Retrieve a user list via NULL sessions or kerberos username enumeration.",
113
+ "tools": "impacket-GetNPUsers, crackmapexec, NetExec, Rubeus"
114
+ },
115
+ {
116
+ "key": "shares",
117
+ "title": "Shares",
118
+ "caption": "",
119
+ "description": "Identify insecure network shares that are accessible to unauthenticated users. Search these shares for the presence of sensitive data that could allow a foothold to be gained on the domain.",
120
+ "tools": "Crackmapexec, NetExec, SMBMap, SMBClient, enum4linux, nmap"
121
+ },
122
+ {
123
+ "key": "poisoning_relay",
124
+ "title": "Poisoning & Relay",
125
+ "caption": "",
126
+ "description": "Analyse traffic and send spoofed responses to hostname resolution queries (e.g LLMNR, NBT-NS, MDNS) with the aim of capturing hashes or relaying authentication to target systems.",
127
+ "tools": "Responder, Inveigh, NTLMRelayx"
128
+ },
129
+ {
130
+ "key": "zerologon",
131
+ "title": "ZeroLogon (CVE-2020-1472)",
132
+ "caption": "",
133
+ "description": "If vulnerable, exploit a cryptographic flaw in the ComputeNetlogonCredential call of the Netlogon Remote Protocol (MS-NRPC) to impersonate any computer, including a domain controller.",
134
+ "tools": "zerologon_tester, cve-2020-1472-exploit"
135
+ },
136
+ {
137
+ "key": "proxyshell",
138
+ "title": "ProxyShell (CVE-2021-34473, CVE-2021-34523, CVE-2021-31207)",
139
+ "caption": "",
140
+ "description": "If vulnerable, exploit a combination of vulnerabilities in Microsoft Exchange to gain RCE as SYSTEM on the Exchange server.",
141
+ "tools": "Metasploit exploit/windows/http/exchange_proxyshell_rce, proxyshell_rce.py"
142
+ },
143
+ {
144
+ "key": "eternalblue",
145
+ "title": "EternalBlue (MS17-010)",
146
+ "caption": "",
147
+ "description": "Identify any outdated and unpatched Windows hosts to target flaws in SMB v1.0 protocol for RCE on the vulnerable system(s).",
148
+ "tools": "Metasploit"
149
+ }
150
+ ]
151
+ },
152
+ {
153
+ "key": "privilege_escalation_quick_compromises",
154
+ "title": "Privilege Escalation: Quick Compromises",
155
+ "description": "Identify and exploit unpatched vulnerabilities which can be exploited from a low-privileged perspective to escalate privileges within the domain.",
156
+ "type": "checklist",
157
+ "items": [
158
+ {
159
+ "key": "ms14_068",
160
+ "title": "MS14-068",
161
+ "caption": "",
162
+ "description": "Identify unpatched domain controllers and leverage a low privileged domain user credentials to forge a high-privileged TGT.",
163
+ "tools": "FindSMB2UPTime.py , PyKEK, impacket, Kekeo, Metasploit auxiliary/admin/kerberos/ms14_068_kerberos_checksum"
164
+ },
165
+ {
166
+ "key": "ms14_025",
167
+ "title": "MS14-025: GPP Passwords from SYSVOL",
168
+ "caption": "",
169
+ "description": "Identify unpatched domain controllers to retrieve and decrypt passwords stored with Group Policy preferences.",
170
+ "tools": "Metasploit auxiliary/scanner/smb/smb_enum_gpp, Impacket Get-GPPPassword"
171
+ },
172
+ {
173
+ "key": "privexchange",
174
+ "title": " PrivExchange (CVE-2019-0724 / CVE-2019-0686)",
175
+ "caption": "",
176
+ "description": "Attempt to elicit an unpatched Exchange server to authenticate to a URL under your control. Abuse the accounts privileges to modify the ACL permissions of the existing user and grant DCSync rights.",
177
+ "tools": "privexchange.py, ntlmrelayx, Exchange2Domain, metasploit exchange_web_server_pushsubscription"
178
+ },
179
+ {
180
+ "key": "nopac",
181
+ "title": "noPac (CVE-2021-42278 & CVE-2021-42287)",
182
+ "caption": "",
183
+ "description": "Leverage low-privileged domain user credentials to attempt to impersonate a domain controller by combining SamAccountName spoofing and S4U2self.",
184
+ "tools": "nopac.py, Impacket"
185
+ },
186
+ {
187
+ "key": "printnightmare",
188
+ "title": "PrintNightmare (CVE-2021-1675, CVE-2021-34527)",
189
+ "caption": "",
190
+ "description": "Abuse PrintSpooler to load and execute a malicious DLL with the aims of attaining SYSTEM level RCE on unpatched high-value systems (e.g DC) or local priv esc (if the vulnerable machine is configured to reject remote connection).",
191
+ "tools": "SharpNightPrintmare, NetExec -M printnightmare"
192
+ },
193
+ {
194
+ "key": "certifried",
195
+ "title": "Certifried (CVE-2022-26923)",
196
+ "caption": "",
197
+ "description": "In an unpatched ADCS environment, attempt to add a new computer to the domain, modify the dNSHostName attribute to the name of the computer account to impersonate, then request a certificate on behalf of the impersonated DC.",
198
+ "tools": "Certipy"
199
+ },
200
+ {
201
+ "key": "proxynotshell",
202
+ "title": "ProxyNotShell (CVE-2022-41040, CVE-2022-41082)",
203
+ "caption": "",
204
+ "description": "Identify unpatched Exchange servers and leverage a low-privilege mail user to interact with the Exchange Powershell backend, where a deserialization flaw can be leveraged to obtain code execution.",
205
+ "tools": "Metasploit exchange_proxynotshell_rce, poc_aug3.py"
206
+ }
207
+ ]
208
+ },
209
+ {
210
+ "key": "priv_esc_lat_move_ntlm_relay",
211
+ "title": "Privilege Escalation & Lateral Movement: NTLM Relay",
212
+ "description": "Attempt to escalate privileges or move laterally throughout the domain by relaying NTLM authentication to other targets.",
213
+ "type": "checklist",
214
+ "items": [
215
+ {
216
+ "key": "hunt_relay_targets",
217
+ "title": "Hunt for relay targets",
218
+ "caption": "",
219
+ "description": "Identify targets with signing and/or channel binding unenforced. If relay protections are in use throughout domain, leverage or target protocols which cannot mandate signing.",
220
+ "tools": "NetExec --gen-relay-list targets, LdapRelayScan.py, nmap"
221
+ },
222
+ {
223
+ "key": "self_relay",
224
+ "title": "Self-Relay (MS08-068)",
225
+ "caption": "",
226
+ "description": "Identify whether any legacy hosts may be vulnerable to reflection attacks (e.g unpatched Windows 2000, XP, 2003, Vista and 2008 machines).",
227
+ "tools": "ntlmrelayx, metasploit"
228
+ },
229
+ {
230
+ "key": "smb_crossprotocol_relay",
231
+ "title": "SMB & Cross-Protocol Relay",
232
+ "caption": "",
233
+ "description": "Configure a listener and relay server to launch an opportunistic attack with the aim of relaying captured credentials to exploit other SMB services or conduct cross-protocol relay (e.g relay to MSSQL, HTTP, LDAP, RPC etc.).",
234
+ "tools": "NTLMRelayx, Responder, Inveigh, Proxychains"
235
+ },
236
+ {
237
+ "key": "coerced_authentication_relay",
238
+ "title": "Coerced Authentication & Relay",
239
+ "caption": "",
240
+ "description": "Enumerate and abuse hosts vulnerable to coerced authentication and relay attacks (e.g PetitPotam, PrinterBug, DFSCoerce etc.).",
241
+ "tools": "Coercer, PetitPotam.py, printerbug.py, dfscoerce.py"
242
+ },
243
+ {
244
+ "key": "farming_hashes",
245
+ "title": "Farming hashes - Abusing Shares & WebDAV to Coerce Authentication",
246
+ "caption": "",
247
+ "description": "Abuse shared folders with write access or WebDAV enabled hosts to force authentication via an uploaded .lnk file.",
248
+ "tools": "ntlm_theft.py, crackmapexec -M slinky, crackmapexec -M drop-sc, Farmer"
249
+ }
250
+ ]
251
+ },
252
+ {
253
+ "key": "priv_esc_lat_move_dacl_abuse",
254
+ "title": "Privilege Escalation & Lateral Movement: DACL Abuse",
255
+ "description": "Explore DACLs (Discretionary Access Control Lists) to enumerate and abuse overly permissive ACEs (Access Control Entries) which could grant the ability to escalate privileges or expand access.",
256
+ "type": "checklist",
257
+ "items": [
258
+ {
259
+ "key": "enumerate_dacl",
260
+ "title": "Enumerate Potential DACL Abuse Paths",
261
+ "caption": "",
262
+ "description": "Run a collector tool to retrieve domain data and feed this into the analyser for interpretation. Enumerate misconfigured DACLs for attack paths that could allow lateral movement or privilege escalation.",
263
+ "tools": "SharpHound, Bloodhound, PowerView, Impacket"
264
+ },
265
+ {
266
+ "key": "abuse_dacl",
267
+ "title": "Abuse Misconfigured DACLs",
268
+ "caption": "",
269
+ "description": "Leverage the discovered misconfigurations to escalate privileges or expand access.",
270
+ "tools": "Powerview, Impacket, bloodyAD, Netexec"
271
+ }
272
+ ]
273
+ },
274
+ {
275
+ "key": "priv_esc_lat_move_sccm_abuse",
276
+ "title": "Privilege Escalation & Lateral Movement: SCCM Abuse",
277
+ "description": "Identify and exploit vulnerabilities and misconfigurations present in System Center Configuration Manager (SCCM), also known as Microsoft Endpoint Configuration Manager (MECM). If SCCM/MECM is not in use in the domain, mark these checks as N/A.",
278
+ "type": "checklist",
279
+ "items": [
280
+ {
281
+ "key": "sccm_enum",
282
+ "title": "SCCM Enumeration",
283
+ "caption": "",
284
+ "description": "Map out SCCM components (e.g site server, site database, distribution points and management points). Leverage domain user credentials to query network resources or the local WMI database of managed SCCM clients.",
285
+ "tools": "ADSISearcher, WMI, SharpSCCM"
286
+ },
287
+ {
288
+ "key": "loot_creds_remotely",
289
+ "title": "Loot Credentials Remotely",
290
+ "caption": "",
291
+ "description": "Leverage domain user or machine credentials to harvest credentials from Management Point(s) and Distribution Points(s).",
292
+ "tools": "SCCMSecrets, sccm-http-looter, SharpSCCM"
293
+ },
294
+ {
295
+ "key": "local_cred_harvesting",
296
+ "title": "Local Credential Harvesting",
297
+ "caption": "",
298
+ "description": "Leverage local administrator privileges on an SCCM client or an SCCM member server to dump NAA credentials, secrets and client push credentials from collection variables and task sequences via WMI.",
299
+ "tools": "SharpSCCM.exe, Get-WmiObject"
300
+ },
301
+ {
302
+ "key": "relayed_sccm_abuse",
303
+ "title": "Relayed SCCM abuse",
304
+ "caption": "",
305
+ "description": "Attempt to capture and relay the SCCM site system installation account. Abuse additional vulnerabilities (PrinterBug, PetitPotam, ShadowCoerce, DFSCoerce, etc.) to coerce authentication.",
306
+ "tools": "ntlmrelayx, SCCMHunter"
307
+ },
308
+ {
309
+ "key": "authentication_coercion_client_push",
310
+ "title": "Authentication Coercion via Client Push Installation",
311
+ "caption": "",
312
+ "description": "If automatic site assignment and client push installation are enabled, attempt to coerce NTLM authentication from a site servers push installation user or machine account which can be cracked offline or relayed elsewhere for authentication. Note that it is best to run the tool with admin privileges in order to cleanup artefacts and prevent errors in SCCM.",
313
+ "tools": "Inveigh, Ntlmrelayx, SharpSCCM"
314
+ }
315
+ ]
316
+ },
317
+ {
318
+ "key": "priv_esc_adcs_abuse",
319
+ "title": "Privilege Escalation: ADCS Abuse",
320
+ "description": "Identify and exploit vulnerabilities and misconfigurations present in Active Directory Certificate Services (ADCS).",
321
+ "type": "checklist",
322
+ "items": [
323
+ {
324
+ "key": "enum_adcs",
325
+ "title": "Enumerate ADCS",
326
+ "caption": "",
327
+ "description": "Discover whether ADCS is in use in the environment. If present, identify the enterprise CA(s) for the domain.",
328
+ "tools": "Certutil, crackmapexec"
329
+ },
330
+ {
331
+ "key": "assess_templates",
332
+ "title": "Assess Templates",
333
+ "caption": "",
334
+ "description": "Enumerate the available certificate templates and assess the CA configuration for vulnerabilities and misconfigurations.",
335
+ "tools": "Certify, Certipy"
336
+ },
337
+ {
338
+ "key": "esc1_esc11",
339
+ "title": "Abuse ESC1 - ESC11",
340
+ "caption": "",
341
+ "description": "For any vulnerabilities identified, attempt to escalate privileges by abusing the relevant escalation pathway(s).",
342
+ "tools": "Certipy, Certify"
343
+ }
344
+ ]
345
+ },
346
+ {
347
+ "key": "priv_esc_lat_move_kerberos_attacks",
348
+ "title": "Privilege Escalation & Lateral Movement: Kerberos Attacks",
349
+ "description": "Identify and exploit potential attacks which target the Kerberos authentication protocol.",
350
+ "type": "checklist",
351
+ "items": [
352
+ {
353
+ "key": "kerberoasting",
354
+ "title": "Kerberoasting",
355
+ "caption": "",
356
+ "description": "Identify kerberoastable users for which high-privileged domain accounts have been configured to run services. For all identified targets, retrieve the SPNs and attempt to crack the hashes.",
357
+ "tools": "impacket-GetUserSPNs, metasploit auxiliary/gather/get_user_spns, rubeus"
358
+ },
359
+ {
360
+ "key": "delegation_enum",
361
+ "title": "Delegation Enumeration",
362
+ "caption": "",
363
+ "description": "Identify accounts and computers configured with unconstrained, constrained or resource-based constrained delegation which could allow you to impersonate other users and gain access to valuable targets and services.",
364
+ "tools": "Bloodhound, PowerView, Impacket findDelegation"
365
+ },
366
+ {
367
+ "key": "delegation_abuse",
368
+ "title": "Delegation Abuse",
369
+ "caption": "",
370
+ "description": "Leverage compromised accounts or machines configured with delegation to impersonate privileged users, access high-value services, and escalate privileges within the domain.",
371
+ "tools": "Rubeus, Impacket"
372
+ }
373
+ ]
374
+ },
375
+ {
376
+ "key": "priv_esc_lat_move_cred_harvesting",
377
+ "title": "Privilege Escalation & Lateral Movement: Credential Harvesting",
378
+ "description": "Extend your reach within the domain and open up new attack pathways by pivoting throughout the network and harvesting credentials from compromised machines and accessible shares.",
379
+ "type": "checklist",
380
+ "items": [
381
+ {
382
+ "key": "auth_share_enum",
383
+ "title": "Share Enumeration",
384
+ "caption": "",
385
+ "description": "Leveraging compromised domain credentials, enumerate accessible shares and search for exposed credentials.",
386
+ "tools": "Snaffler, ShareAudit, NetExec"
387
+ },
388
+ {
389
+ "key": "shared_passwords",
390
+ "title": "Shared passwords",
391
+ "caption": "",
392
+ "description": "Assess whether shared administrator passwords are in use. Leverage these to move laterally throughout the domain and harvest credentials.",
393
+ "tools": "Sprayhound, PowerView Find-LocalAdminAccess"
394
+ },
395
+ {
396
+ "key": "harvest_credentials",
397
+ "title": "Harvest Credentials",
398
+ "caption": "",
399
+ "description": "Leverage compromised machines to extract credentials from the SAM database, LSA, LSASS, DPAPI etc.",
400
+ "tools": "Mimikatz, meterpreter, impacket-secretsdump, crackmapexec"
401
+ },
402
+ {
403
+ "key": "abuse_harvested_credentials",
404
+ "title": "Abuse harvested credentials",
405
+ "caption": "",
406
+ "description": "Assess what new attack pathways may be available with the harvested credentials. Pass or crack the hashes to use the associated accounts as needed.",
407
+ "tools": "Crackmapexec, impacket, john, hashcat"
408
+ }
409
+ ]
410
+ },
411
+ {
412
+ "key": "upload_logs",
413
+ "title": "Upload logs",
414
+ "description": "This should include output from port scans and vulnerability assessments.",
415
+ "type": "large_upload"
416
+ },
417
+ {
418
+ "key": "executive_summary",
419
+ "title": "Executive summary",
420
+ "description": "The executive summary should be written with a high-level view of both risk and business impact. It should be concise and clear, therefore it is important to use plain English. This ensures that non-technical readers can gain insight into security concerns outlined in your report.",
421
+ "type": "executive_summary"
422
+ }
423
+ ]
424
+ }
425
+ }
426
+
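Review bot: The `ms14_025` item describes GPP password recovery as something that requires "unpatched domain controllers", but MS14-025 only stops new `cpassword` values from being written; any Group Policy Preferences XML already in SYSVOL remains readable by every domain user regardless of DC patch level, so testers following this wording would wrongly skip the check on patched estates — a description such as "Search SYSVOL for Group Policy Preferences XML files containing `cpassword` values (legacy entries persist after MS14-025) and decrypt them with the published AES key" would be accurate. The `printnightmare` tools string names `SharpNightPrintmare`, which appears to be a transposition of the actual tool name `SharpPrintNightmare`. The `unauth_coerced_ntlm_relay` title cites `CVE-2021-36943` for PetitPotam; the MS-EFSRPC advisory I am aware of is CVE-2021-36942 (alongside CVE-2022-26925), so this identifier should be verified before the methodology is used for reporting. The `privexchange` title also carries a leading space (`" PrivExchange ..."`) that will show up in rendered checklists.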