v4 tradecraft modernization: 8 workstreams (AD CS, LLM, cloud identity, modern C2, evasion, Kerberos, browser ext, EDR policy)#36
Merged
AndrewAltimit merged 3 commits intomainfrom Apr 20, 2026
Conversation
Adds tools/edr-silencing/ with three sub-modules covering the policy layer complement to tools/rust/telemetry-patch/: - wdac-abuse/: WDAC policy XML generator (deny-by-hash, allow-by-cert, downgrade-to-audit modes) and analyzer; lab sample policies; Sigma rules for Event 3089/3099 policy changes and audit-mode deployment detection. - ppl-bypass/: PPL process enumeration and bypass technique advisory (documentation only — no exploit code); bypass_timeline.md covering mimidrv through BYOVD with patch status; Sigma rules for driver load and process-access attempts against protected processes. - blind-spot-enum/: EDR telemetry coverage mapper (ETW providers, kernel callbacks, userland hooks, AMSI, network filter); coverage gap advisor with gap IDs tied to specific attacker capabilities; three EDR behavioral profiles (vendor-name-free); Sigma rules for security-tool enumeration. All Python tools use ContainmentGuard.assert_offline_vm(). No compiled policy binaries (.p7/.cip), no .sys drivers. Detection directories present in all three sub-modules, satisfying check_detection_pairing.py. Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
…s, lab catalog, defender tooling Adds complete WS-G workstream: lab malicious extension catalog demonstrating what MV3 retained (cookie theft via chrome.cookies HttpOnly bypass, session hijacking via webRequest observation, form credential grabbing via content script, DNR-based traffic redirection), end-to-end Cyberhaven-style update hijack simulation with mock Web Store, and defender-side static/runtime tooling. Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
…sive research WS-A: Modern C2 — 5 pluggable transports (WebSocket, gRPC, SMB pipe, DoH, HTTP polling), dynamic YAML profile hot-reload, P2P relay chains (depth ≥2), extended operator API for relay topology and profile switching. WS-B: Modern evasion — HW-BP (DR0–DR3+VEH) syscall dispatch, Cronos/RustyCronos/ HWBP sleep masks (supersedes Ekko/Foliage), module stomping + TxF hollowing + DLL-notify threadless injection, ETW-TI aware provider enumeration, BYOVD orchestration framework (hash-only manifest, HVCI blocklist). 86 new Rust tests. WS-C: AD CS ESC1–15 — full Python exploitation toolkit, LDAP enumerator, 15 exploit modules, chain.py (ESC1→TGT/PFX→ccache), Vagrant 3-VM lab (corp.lab.local), 30+ Sigma/KQL rules across all ESC variants. WS-D: Cloud identity — WIF wildcard-sub abuse, OIDC trust confusion (fork-PR/ CodeCov pattern), Golden SAML (xmlsec1) + Storm-0558 OIDC token forging, Entra 2026 19-technique viability matrix, Databricks OBO chain abuse. New lab fixtures: mock-oidc-issuer (9300), mock-saml (9400), mock-databricks (9500). Extended CI gate for AWS/GCP/Azure IDs. WS-E: LLM/agent abuse — 51-payload injection corpus (7 channels), MCP server tool poisoning/rug-pull, agent confused-deputy PoCs, transcript detector, eval benchmark harness. New assert_llm_endpoint_is_lab() containment guard. Lab: Ollama + copilot Flask app (port 8080). WS-F: Kerberos — S4U2self/S4U2proxy, RBCD with raw SD construction, NTLM relay (SMB→LDAP, LDAPS channel-binding), targeted roasting with hardware-grounded crack- time estimator. 10 Sigma rules + KQL for Defender for Identity. WS-G: Browser extension supply-chain — MV3 extension catalog (cookie theft, session hijack, form-grab, DNR redirect), Cyberhaven-pattern update-hijack simulation, manifest risk scorer (0–10), CDP runtime monitor, permission_differ.py (exits 1 for CI on permission expansion). WS-H: EDR silencing via policy — WDAC policy generator/analyzer (deny-by-hash, allow-by-cert, downgrade-to-audit), PPL bypass research + patch timeline, EDR coverage map with 11 named gap advisories and vendor-name-free behavioral profiles. Cross-cutting: updated README.md (tools catalog, directory tree, lab services table), CLAUDE.md (Where Things Live, tools index), Makefile (lab-llm-up/down, lab-saml-up/down, lab-databricks-up/down, lab-oidc-up/down). Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
1 participant
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
Implements all 8 workstreams from the tradecraft modernization PRD, bringing the repo's technique catalog from a 2017-2022 snapshot to 2025-2026 frontier tradecraft.
detection/directory (Sigma/KQL rules, false-positive notes) -- CI gate compliantWorkstreams
WS-A -- Modern C2 Architecture
WS-B -- Modern Evasion (Rust)
syscalls-hwbp/: DR0-DR3 + VEH hardware-breakpoint syscall dispatch -- bypasses userland EDR hooks without memory modificationsleep-mask-modern/: Cronos (fiber + RC4 stack encryption), RustyCronos (pure-Rust), HWBP-driven sleep -- supersedes Ekko/Foliagethreadless-inject/: module stomping, Phantom DLL hollowing (TxF), DLL-notification-callback hijack (TheirHazard)etw-ti-aware/: passive ETW-TI detection, 20 EDR provider GUIDs, hooked-stub fingerprintingbyovd/: Python orchestration framework -- hash-only manifest, HVCI blocklist checker, lab-gated APIWS-C -- AD CS ESC1-15
make lab-adcs-up/lab-adcs-down/lab-adcs-destroyWS-D -- Modern Cloud Identity
WS-E -- LLM and Agent Abuse
assert_llm_endpoint_is_lab()added to tools/lib/containment.pymake lab-llm-upWS-F -- Modern Kerberos / Lateral Movement
WS-G -- Browser Extension Supply-Chain (MV3)
WS-H -- EDR Silencing via Policy
Infrastructure updates
Test plan
cd tools/rust && cargo test-- 308+ tests passEXPLOIT_LAB_ACTIVE=1 python tools/ci/check_detection_pairing.py-- all new modules have detection/ dirspython tools/ci/check_no_real_tenants.py-- no real tenant/cloud IDs committedpython tools/ci/check_no_committed_drivers.py-- no *.sys filesmake lab-up-- base lab still starts cleanlymake lab-adcs-up-- requires vagrant + VirtualBoxmake lab-llm-up-- requires docker + ~5GB for Ollama modelGenerated with Claude Code