diff --git a/.github/workflows/main-ci.yml b/.github/workflows/main-ci.yml index 293e919..e622561 100644 --- a/.github/workflows/main-ci.yml +++ b/.github/workflows/main-ci.yml @@ -29,7 +29,7 @@ jobs: done - name: Checkout - uses: actions/checkout@v4 + uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1 with: fetch-depth: 1 clean: true @@ -62,7 +62,7 @@ jobs: # Tests run single-threaded: some crates manipulate EXPLOIT_LAB_ACTIVE env # vars inside tests and race when run in parallel. - name: Set up Rust toolchain - uses: dtolnay/rust-toolchain@stable + uses: dtolnay/rust-toolchain@29eef336d9b2848a0b548edc03f92a220660cdb8 # stable as of 2026-04-26 - name: Rust workspace build timeout-minutes: 15 
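Review bot: The SHA pin on `dtolnay/rust-toolchain` in the second hunk (`@@ -62,7 +62,7 @@`) fixes the action's code but, as far as the hunk shows, not the compiler. The step has no `with:` block, so the action presumably still resolves the floating `stable` channel at run time, and the trailing comment `# stable as of 2026-04-26` can be read as if the toolchain itself were frozen. If a reproducible toolchain is the goal, add `with:` / `toolchain: "<PINNED_RUST_VERSION>"` under the step (placeholder, since the page names no version); otherwise reword the comment to `# action revision pinned 2026-04-26; toolchain channel still floats`. The same applies to the identical step in `pr-validation.yml` (hunk `@@ -71,7 +73,7 @@`); the job these steps belong to starts outside both hunks.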
@@ -183,26 +183,35 @@ jobs: exit $FAIL # -- Markdown Link Check ------------------------------------------------ + # Resolves links relative to the file's directory and uses process + # substitution so FAIL propagates out of the loop. Previous version + # piped through `while read`, which lost the FAIL flag in a subshell. - name: Markdown link check timeout-minutes: 5 - continue-on-error: true run: | FAIL=0 for f in README.md cves/README.md; do - if [ -f "$f" ]; then - # Check for broken internal links (files that should exist) - grep -oP '\[.*?\]\(((?!http)[^)]+)\)' "$f" | grep -oP '\(([^)]+)\)' | tr -d '()' | while read -r link; do - # Skip anchors - [[ "$link" == \#* ]] && continue - # Strip anchor from file path - FILE_PATH="${link%%#*}" - if [ ! -e "$FILE_PATH" ]; then - echo "Broken link in $f: $link" - FAIL=1 - fi - done - fi + [ -f "$f" ] || continue + DIR=$(dirname "$f") + while IFS= read -r link; do + [[ "$link" == \#* ]] && continue + [[ "$link" == http* ]] && continue + [[ "$link" == mailto:* ]] && continue + FILE_PATH="${link%%#*}" + [ -z "$FILE_PATH" ] && continue + if [ ! -e "$DIR/$FILE_PATH" ]; then + echo "::error file=$f::Broken link: $link" + FAIL=1 + fi + done < <(grep -oP '\]\(\K[^)]+' "$f") done + echo "### Markdown Links" >> $GITHUB_STEP_SUMMARY + if [ $FAIL -eq 0 ]; then + echo "✅ README links resolve" >> $GITHUB_STEP_SUMMARY + else + echo "❌ Broken links found — see annotations" >> $GITHUB_STEP_SUMMARY + fi + exit $FAIL # -- IDOL Smoke Test ---------------------------------------------------- - name: IDOL smoke test @@ -237,7 +246,7 @@ jobs: url: ${{ steps.deployment.outputs.page_url }} steps: - name: Checkout - uses: actions/checkout@v4 + uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1 - name: Build dashboard for stlite run: | 
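Review bot: With `continue-on-error: true` removed, the link check in hunk `@@ -183,26 +183,35 @@` now blocks the job, but `grep -oP '\]\(\K[^)]+'` captures everything up to the closing parenthesis. A link written with a title (`[x](path "title")`) is therefore tested as the literal path `path "title"` and fails the build. A repo-root-relative link such as `/docs/x.md` in `cves/README.md` would be checked under `cves/` rather than the repository root. Stripping the title after the anchor strip, `FILE_PATH="${FILE_PATH%% *}"`, and resolving a leading `/` against the workspace root would avoid both false failures. The summary redirects should also quote the target, `>> "$GITHUB_STEP_SUMMARY"`, to match the quoting used elsewhere in the step.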
@@ -265,10 +274,10 @@ jobs: cp docs/methodology/*.md _site/docs/ 2>/dev/null || true - name: Upload Pages artifact - uses: actions/upload-pages-artifact@v3 + uses: actions/upload-pages-artifact@56afc609e74202658d3ffba0e8f6dda462b719fa # v3.0.1 with: path: _site - name: Deploy to GitHub Pages id: deployment - uses: actions/deploy-pages@v4 + uses: actions/deploy-pages@d6db90164ac5ed86f2b6aed7e0febac5b3c0c03e # v4.0.5 diff --git a/.github/workflows/pr-validation.yml b/.github/workflows/pr-validation.yml index d400752..7db0b23 100644 --- a/.github/workflows/pr-validation.yml +++ b/.github/workflows/pr-validation.yml @@ -9,17 +9,19 @@ on: permissions: contents: read - pull-requests: write + pull-requests: read concurrency: group: pr-${{ github.event.pull_request.number || github.run_id }} cancel-in-progress: true jobs: - # Fork guard: block fork PRs from running on self-hosted runners + # Fork guard: defence-in-depth on top of the repo-level + # "Require approval for all external contributors" setting. Forks land + # here as a skipped job, and `validate` is gated via `needs:`. fork-guard: name: Fork PR Guard - runs-on: ubuntu-latest + runs-on: self-hosted if: >- github.event_name != 'pull_request' || github.event.pull_request.head.repo.full_name == github.repository @@ -38,7 +40,7 @@ jobs: [ -f .git/index.lock ] && rm -f .git/index.lock 2>/dev/null || true - name: Checkout - uses: actions/checkout@v4 + uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1 with: fetch-depth: 1 clean: true @@ -71,7 +73,7 @@ jobs: # Tests run single-threaded: some crates manipulate EXPLOIT_LAB_ACTIVE env # vars inside tests and race when run in parallel. - name: Set up Rust toolchain - uses: dtolnay/rust-toolchain@stable + uses: dtolnay/rust-toolchain@29eef336d9b2848a0b548edc03f92a220660cdb8 # stable as of 2026-04-26 - name: Rust workspace build timeout-minutes: 15 diff --git a/CLAUDE.md b/CLAUDE.md index 811c5b4..0b703a3 100644 --- a/CLAUDE.md +++ b/CLAUDE.md 
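Review bot: The fork-guard condition in the `pr-validation.yml` hunk `@@ -9,17 +9,19 @@` is a denylist on the event name: `github.event_name != 'pull_request'` lets every other event through. Now that the guard itself is `runs-on: self-hosted`, that matters more, because a `pull_request_target` trigger, for example, would carry a fork head and still pass. The `on:` block is outside the hunk, so whether such a trigger exists cannot be told from here. Consider keying on the payload instead, `!github.event.pull_request || github.event.pull_request.head.repo.full_name == github.repository`, and extending the comment with `# Guard assumes pull_request is the only PR-carrying trigger; revisit before adding pull_request_target or workflow_run.` The statement that `validate` is gated via `needs:` holds only while that job has no `if: always()`-style condition; its definition is not in the hunk.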
@@ -159,7 +159,7 @@ The report at `reports/databricks-apps-assessment/` is a concatenated Streamlit
 → [docs/analysis/manifest-v3-capabilities.md](docs/analysis/manifest-v3-capabilities.md)
 → [docs/analysis/aarch64-porting-status.md](docs/analysis/aarch64-porting-status.md)
 → [docs/analysis/aitm-kit-market-2026.md](docs/analysis/aitm-kit-market-2026.md) — Tycoon2FA → Sneaky2FA → Rockstar2FA evolution
-→ [docs/analysis/byovd-2026-scale.md](docs/analysis/byovd-2026-scale.md) — 54-tool / 35-driver market analysis
+→ [docs/analysis/byovd-2026-scale.md](docs/analysis/byovd-2026-scale.md) — BYOVD market analysis (EDR-killer tooling and the abused driver inventory)
 → [docs/analysis/c2-framework-market-2026.md](docs/analysis/c2-framework-market-2026.md) — C2 framework kill-chain mapping
 → [docs/analysis/healthcare-ransomware-2026.md](docs/analysis/healthcare-ransomware-2026.md) — sector analysis + Akira/Qilin
 → [docs/analysis/mobile-landscape-2026/README.md](docs/analysis/mobile-landscape-2026/README.md) — iOS/Android chains, Pwn2Own Ireland 2025
diff --git a/LICENSE b/LICENSE
new file mode 100644
index 0000000..fdddb29
--- /dev/null
+++ b/LICENSE
@@ -0,0 +1,24 @@
+This is free and unencumbered software released into the public domain.
+
+Anyone is free to copy, modify, publish, use, compile, sell, or
+distribute this software, either in source code form or as a compiled
+binary, for any purpose, commercial or non-commercial, and by any
+means.
+
+In jurisdictions that recognize copyright laws, the author or authors
+of this software dedicate any and all copyright interest in the
+software to the public domain. We make this dedication for the benefit
+of the public at large and to the detriment of our heirs and
+successors. We intend this dedication to be an overt act of
+relinquishment in perpetuity of all present and future rights to this
+software under copyright law.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND,
+EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF
+MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT.
+IN NO EVENT SHALL THE AUTHORS BE LIABLE FOR ANY CLAIM, DAMAGES OR
+OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE,
+ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR
+OTHER DEALINGS IN THE SOFTWARE.
+
+For more information, please refer to
diff --git a/LICENSE-MIT b/LICENSE-MIT
new file mode 100644
index 0000000..acbe58b
--- /dev/null
+++ b/LICENSE-MIT
@@ -0,0 +1,19 @@
+Copyright 2026 Andrew Showers
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in all
+copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+SOFTWARE.
diff --git a/README.md b/README.md
index 2f61d15..ac392f1 100644
--- a/README.md
+++ b/README.md
@@ -1,42 +1,35 @@ # Security Research & Exploit Development -General-purpose security research repository covering browser exploit chain development, post-exploitation techniques, and security assessment tooling. Contains CVE reproduction work across Chrome and Firefox, along with C2 infrastructure, post-exploitation staging, and security assessment deliverables. +A general-purpose security research repository spanning browser exploit chains, post-exploitation tradecraft, identity and cloud attacks, and the assessment work that surrounds them. The contents are organized into three broad bodies of work: -## Purpose & Disclaimer - -This repository exists to support **internal security education and risk awareness**. The exploit reproductions, attack chain demonstrations, and assessment tooling are built as red-team exercises to show stakeholders — including non-technical business users — what can go wrong when production systems lack adequate human oversight and governance controls. +- **CVE reproductions** — patch analysis, triggers, and full chains for Chrome and Firefox bugs from 2024 through 2026. +- **Tooling** — a catalog of offensive modules (C2, lateral movement, AD CS, cloud identity, evasion, LLM attacks, kernel LPE, and more), each paired with detection guidance. +- **Assessment deliverables** — written reports for stakeholders, including a Databricks Apps platform review aimed at security leadership. -All materials are for **educational purposes and authorized security testing only**. All research was conducted under explicit written authorization. Exploit code is provided to support defensive research, vulnerability reproduction, and security assessment. Do not use any code or technique against systems you do not own or have explicit written authorization to test. See [SECURITY.md](SECURITY.md) for the full responsible disclosure policy and containment architecture. 
- -**Safeguards in place:** -- All CVEs target already-patched browser versions with publicly available PoC — no zero-days are published here. The contribution is chaining, primitives, and delivery infrastructure. -- All tool networking is loopback-only (`127.0.0.0/8` or Docker bridge), enforced by ContainmentGuard in code — not by convention. -- The Docker Compose lab runs on an `internal: true` network with no internet gateway. -- The beacon's `exec` command is refused outside Docker containers. All other beacon commands are from a hardcoded allowlist. -- IDOL persistence demo's `--plant` installs only a harmless cron heartbeat; `--cleanup` removes it. -- The GitHub Pages WASM dashboard runs on simulated data with no live C2 connectivity. +Every offensive component ships with a defender-side counterpart. The repository is meant to feed scheduled enterprise log-scan agents and red-team tabletop work, so breadth is intentional. --- -## Databricks Apps Assessment +## Purpose & Disclaimer -The primary security assessment deliverable is an interactive report evaluating the Databricks Apps platform under production conditions. +This repository exists to support **internal security education and risk awareness**. The exploit reproductions, attack chain demonstrations, and assessment tooling are built as red-team exercises that show stakeholders — including non-technical business users — what can go wrong when production systems lack adequate human oversight and governance controls. -- **Report**: `reports/databricks-apps-assessment/` — Streamlit dashboard covering attack surface, identity chain exploitability, OAuth/OBO token abuse, and detection recommendations. -- **Run it**: `cd reports/databricks-apps-assessment && pip install -r requirements.txt && streamlit run app.py` -- **Audience**: C-suite and security leadership. The report frames each finding in business-risk terms alongside the technical demonstration. 
+All materials are for **educational purposes and authorized security testing only**. Research was conducted under explicit written authorization. Exploit code is provided to support defensive research, vulnerability reproduction, and security assessment. Do not use any code or technique against systems you do not own or have explicit written authorization to test. See [SECURITY.md](SECURITY.md) for the full responsible-disclosure policy and containment architecture. -Key findings covered in the report: -- OAuth On-Behalf-Of (OBO) token abuse paths in Databricks Apps -- Databricks app identity chain and service principal exposure -- Detection gaps in Databricks audit logs -- Recommended monitoring, governance, and access control improvements +**Safeguards in place:** + +- Every CVE here targets an already-patched browser version with a publicly available PoC. No zero-days are published. The contribution is in the chaining, primitives, and delivery infrastructure built around them. +- All tool networking is loopback-only (`127.0.0.0/8` or the Docker bridge). This is enforced in code by [`ContainmentGuard`](tools/lib/containment.py) — not by convention. +- The [Docker Compose lab](docker-compose.lab.yml) runs on an `internal: true` network with no internet gateway. +- The beacon refuses to run its `exec` command outside of a Docker container, and every other beacon command is on a hardcoded allowlist. +- The IDOL persistence demo (`--plant`) only installs a harmless cron heartbeat that `--cleanup` removes. +- The GitHub Pages dashboard runs entirely on simulated data — there is no live C2 connectivity in the public site. --- ## Contained Lab Environment -A Docker Compose lab provides a fully isolated environment for running tools end-to-end. All services run on an internal Docker network with **no internet access**. +A Docker Compose lab provides a fully isolated environment for running tools end-to-end. 
All services run on an internal Docker network with **no internet access**, so tools that "phone home" simply talk to mock services running alongside them. ```bash make lab-up # Start: C2 server, 2 beacons, exploit server, 2 target apps @@ -45,6 +38,8 @@ make lab-status # Show running services + C2 status make lab-logs # Tail all logs ``` +The lab can be brought up incrementally — the base `make lab-up` is enough for most C2 and exploit-server work, and additional mock IdPs and OAuth issuers come up via dedicated targets so you only run what your scenario needs. + | Service | Port | Description | How to start | |---------|------|-------------|--------------| | C2 server | `127.0.0.1:8443` | Operator API + beacon protocol | `make lab-up` | 
@@ -52,115 +47,120 @@ make lab-logs # Tail all logs | Target app 1 | `127.0.0.1:8501` | Simulated Databricks Streamlit app | `make lab-up` | | Target app 2 | `127.0.0.1:8502` | Second target for lateral movement | `make lab-up` | | Mock Entra IdP | `127.0.0.1:9100` | Device code, token, PRT SSO endpoints | `make lab-up` | -| Mock IMDS | `127.0.0.1:9200` | AWS/GCP/Azure metadata service mock | `make lab-up` | +| Mock IMDS | `127.0.0.1:9200` | AWS / GCP / Azure metadata service mock | `make lab-up` | | LLM copilot app | `127.0.0.1:8080` | Ollama-backed enterprise copilot (injection target) | `make lab-llm-up` | | Mock OIDC issuer | `127.0.0.1:9300` | GitHub Actions OIDC simulation (WIF abuse) | `make lab-oidc-up` | | Mock SAML SP/IdP | `127.0.0.1:9400` | SAML assertion target (Golden SAML demo) | `make lab-saml-up` | | Mock Databricks | `127.0.0.1:9500` | Databricks Apps OAuth/OBO mock | `make lab-databricks-up` | | AD CS lab | `192.168.56.10` | Windows DC + Enterprise CA (Vagrant, host-only) | `make lab-adcs-up` | -**Containment:** ContainmentGuard (`tools/lib/containment.py`) enforces loopback-only networking, non-root execution, tmpdir isolation, and Docker environment detection across all tools. +**Containment.** [`tools/lib/containment.py`](tools/lib/containment.py) — and its Rust counterpart in [`tools/rust/containment/`](tools/rust/containment/) — is the trust boundary. It enforces loopback-only networking, non-root execution, tmpdir isolation, and Docker environment detection across every tool. If a tool tries to step outside the sandbox (talk to a real tenant, reach a real metadata service, write outside the fixture root), the guard refuses before any side effect happens. --- ## Tools +Each tool below ships under [tools/](tools/) and has a sibling `detection/` directory containing Sigma rules, KQL queries, or other defender-side guidance for the same technique. 
The brief descriptions are intentionally compact — each linked README expands on usage, lab requirements, and detection. + ### C2 & Infrastructure -- **C2 Server & Beacon** (`tools/c2/`) - Modular C2 with pluggable transports (HTTP polling, WebSocket, gRPC, SMB/Unix pipe, DNS-over-HTTPS, HTTP/3, DoQ, Telegram Bot, Teams Graph), YAML transport profiles with hot-reload, and P2P relay topology. Flask server with session crypto (X25519 + ChaCha20-Poly1305). Hardcoded command allowlist. Loopback-only, ContainmentGuard-enforced. -- **C2 Transports** (`tools/c2/transports/`) - `http_polling/`, `websocket/`, `grpc/`, `passive_smb_pipe/`, `dns_over_https/`, `http3/` (QUIC), `doq/` (DNS-over-QUIC), `telegram-bot/` (mock 8130), `teams-graph/` (mock 8131). Each ships with Sigma/KQL detection. -- **C2 Framework Profiles** (`tools/c2/profiles/framework-mimics/`) - Transport-signature profiles for AdaptixC2, emp3r0r, APEX, Mythic, Havoc, BruteRatel C4, NightHawk. Use with beacon for detection-rule validation. -- **C2 Relay** (`tools/c2/relay/`) - P2P relay node supporting beacon chains of depth ≥2. -- **Dashboard** (`tools/dashboard/`) - Session management console with multi-transport session view, profile editor, and relay topology graph. +- **C2 Server & Beacon** — [tools/c2/](tools/c2/). Modular C2 with pluggable transports (HTTP polling, WebSocket, gRPC, SMB / Unix pipe, DNS-over-HTTPS, HTTP/3, DoQ, Telegram Bot, Teams Graph), YAML transport profiles with hot-reload, and a P2P relay topology. Flask server with X25519 + ChaCha20-Poly1305 session crypto, hardcoded command allowlist, and loopback-only enforcement. +- **C2 Transports** — [tools/c2/transports/](tools/c2/transports/). One subdirectory per transport (`http_polling/`, `websocket/`, `grpc/`, `passive_smb_pipe/`, `dns_over_https/`, `http3/` for QUIC, `doq/` for DNS-over-QUIC, `telegram-bot/` and `teams-graph/` mocks). Each ships with Sigma / KQL detection alongside the offensive code. 
+- **C2 Framework Profiles** — [tools/c2/profiles/framework-mimics/](tools/c2/profiles/framework-mimics/). Transport-signature profiles that mimic AdaptixC2, emp3r0r, APEX, Mythic, Havoc, Brute Ratel C4, and NightHawk. Use them with the beacon to validate detection rules against specific framework footprints. +- **C2 Relay** — [tools/c2/relay/](tools/c2/relay/). P2P relay node that supports beacon chains of depth ≥2, for testing detections that key off intermediate hops rather than direct callbacks. +- **Dashboard** — [tools/dashboard/](tools/dashboard/). Session management console with multi-transport session view, profile editor, and a relay topology graph. ### Active Directory & Kerberos -- **AD CS Abuse** (`tools/ad-cs/`) - ESC1–ESC16 exploitation toolkit: LDAP-based template enumerator (certipy patterns), per-ESC exploit modules, chain orchestrator, and Shadow Credentials 2026 update (Jan 2026 NGC key write hardening). All lab-domain-gated (`corp.lab.local`). -- **Kerberos Lateral Movement** (`tools/kerberos/`) - S4U2self/S4U2proxy abuse, RBCD chain, NTLM relay + EPA recon (RelayInformer-class), CVE-2025-33073 NTLM reflection LPE, AES-only Kerberoasting (post-CVE-2026-20833 RC4 enforcement), service-account triage. +- **AD CS Abuse** — [tools/ad-cs/](tools/ad-cs/). The full ESC1 through ESC16 toolkit: an LDAP-based template enumerator following Certipy patterns, per-ESC exploit modules, a chain orchestrator, and the Shadow Credentials 2026 update covering January 2026 NGC key-write hardening. Every module is gated to the `corp.lab.local` lab domain. +- **Kerberos Lateral Movement** — [tools/kerberos/](tools/kerberos/). S4U2self / S4U2proxy abuse, RBCD chain, NTLM relay with EPA recon (RelayInformer-class), the CVE-2025-33073 NTLM reflection LPE, AES-only Kerberoasting (post CVE-2026-20833 RC4 enforcement), and service-account triage tooling. 
### Lateral Movement -- **Lateral Movement** (`tools/lateral-movement/`) - RPC-based DCOM/TSCH/SCMR/WMI, SCCM ELEVATE1/2 + TAKEOVER-5 Entra-integration chain (SpecterOps Nov 2025), Azure Arc MSI pivot + CVE-2026-26117 (himds pipe DACL), Exchange hybrid evoSTS token forge. +- **Lateral Movement** — [tools/lateral-movement/](tools/lateral-movement/). RPC-based DCOM / TSCH / SCMR / WMI execution; SCCM ELEVATE1/2 plus the TAKEOVER-5 Entra-integration chain (SpecterOps, November 2025); Azure Arc MSI pivot with CVE-2026-26117 (`himds` pipe DACL); Exchange hybrid evoSTS token forge. ### Cloud Identity -- **Cloud Identity Attacks** (`tools/cloud-identity/`) - WIF wildcard-sub, Golden SAML, Silver SAML (secondary cert), SyncJacking (ImmutableId takeover), EvilTokens device-code 2026 PhaaS (Broker client ID FOCI path), FOCI CA bypass, PRT devtools extraction, CloudTrail blinding (9 primitives). Lab mocks: mock-oidc (9300), mock-saml (9400), mock-entra (9100/9102). -- **Entra ID Abuse** (`tools/entra-abuse/`) - Device-code phishing, PRT simulation, token replay. Historical; modern Entra work in `cloud-identity/`. +- **Cloud Identity Attacks** — [tools/cloud-identity/](tools/cloud-identity/). The modern cloud-identity surface: Workload Identity Federation wildcard `sub` abuse, Golden SAML, Silver SAML (secondary cert), SyncJacking via `ImmutableId` takeover, EvilTokens-style device-code 2026 PhaaS (Broker client ID FOCI path), FOCI Conditional Access bypass, PRT extraction via dev tools, and a CloudTrail-blinding catalog. Talks to the lab mocks: `mock-oidc` (9300), `mock-saml` (9400), `mock-entra` (9100/9102). +- **Entra ID Abuse (legacy)** — [tools/entra-abuse/](tools/entra-abuse/). Earlier device-code phishing, PRT simulation, and token-replay work. Kept for historical reference; current Entra work lives under `cloud-identity/`. 
### Kernel LPE (Windows) -- **Kernel LPE** (`tools/kernel-lpe/`) - Windows kernel LPE research: AFD.sys pool-grooming family (CVE-2026-20810/-20831/-20860/-21241), CLFS buffer overflow (CVE-2025-60709), I/O Ring arb R/W primitive (CVE-2025-21333), pool feng-shui and NT structure reference docs. All require `EXPLOIT_LAB_KERNEL=1` + `kern-lab-*` hostname via `safety_harness.py`. +- **Kernel LPE** — [tools/kernel-lpe/](tools/kernel-lpe/). Research notes and harnesses for the AFD.sys pool-grooming family (CVE-2026-20810 / -20831 / -20860 / -21241), the CLFS buffer overflow CVE-2025-60709, and the I/O Ring arbitrary-R/W primitive CVE-2025-21333. Includes pool feng-shui and NT-structure reference docs. All of this is gated behind `EXPLOIT_LAB_KERNEL=1` and a `kern-lab-*` hostname, validated by `safety_harness.py` before anything dangerous runs. ### Phishing & Initial Access -- **AiTM Kits** (`tools/phishing/aitm-kits/`) - Tycoon2FA-class simulator (mock-aitm-proxy 8100 ↔ mock-m365-login 8101), Sneaky2FA BitB, Rockstar2FA, Evilginx3 documentation. Defender controls: passkey mitigation, CA token protection. -- **Social Engineering** (`tools/phishing/social-engineering/`) - ClickFix (clipboard→Run dialog), FileFix (Explorer address-bar primitive), ConsentFix (OAuth consent bypass sim against mock-entra). Delivery-chain evolution 2023→2026. -- **Passkey Phish-Resistance** (`tools/phishing/passkey-resistance/`) - WebAuthn origin binding fundamentals, phish-resistance matrix (10 attacks × 7 MFA types), downgrade surface, cross-device QR relay risk. -- **Vishing Tabletop** (`tools/phishing/vishing/`) - CFO impersonation + Scattered Spider helpdesk tabletop scripts (no voice synthesis). +- **AiTM Kits** — [tools/phishing/aitm-kits/](tools/phishing/aitm-kits/). 
Simulators for the major adversary-in-the-middle phishing kits — Tycoon2FA (against `mock-aitm-proxy` 8100 / `mock-m365-login` 8101), Sneaky2FA's browser-in-browser variant, and Rockstar2FA — plus reference docs for Evilginx3. Importantly, this section also documents the defender controls that actually break these kits: passkey mitigation and Conditional Access token protection. +- **Social Engineering** — [tools/phishing/social-engineering/](tools/phishing/social-engineering/). The "Fix" delivery family: ClickFix (clipboard → Run dialog), FileFix (Explorer address-bar primitive), and ConsentFix (OAuth-consent bypass simulated against `mock-entra`). Tracks how these chains evolved from 2023 through 2026. +- **Passkey Phish-Resistance** — [tools/phishing/passkey-resistance/](tools/phishing/passkey-resistance/). WebAuthn origin-binding fundamentals, a phish-resistance matrix that scores common attack types against MFA factors, the downgrade attack surface, and the cross-device QR-relay risk that has emerged with passkey rollouts. +- **Vishing Tabletop** — [tools/phishing/vishing/](tools/phishing/vishing/). Tabletop scripts for CFO-impersonation and Scattered-Spider helpdesk scenarios. Discussion-only — no voice synthesis is included. ### Supply Chain -- **GitHub Actions** (`tools/supply-chain/github-actions/`) - `pull_request_target` pwn_request sim (mock 8120), UNC6426 OIDC chain (mock-oidc 9300 → mock-imds 9200), self-hosted-runner persistence model, tj-actions-class supply-chain compromise. -- **npm Worm** (`tools/supply-chain/shai-hulud-class/`) - Shai-Hulud npm postinstall harvest+propagate class simulator (mock-npm 8110). -- **PyPI .pth Stealer** (`tools/supply-chain/pypi-pth-class/`) - LiteLLM TeamPCP .pth persistence simulator + runtime_detector defender tool (mock-pypi 8111). +- **GitHub Actions** — [tools/supply-chain/github-actions/](tools/supply-chain/github-actions/). 
`pull_request_target` ("pwn_request") simulation against a mock on 8120, the UNC6426 OIDC chain (mock-oidc 9300 → mock-imds 9200), self-hosted-runner persistence, and the tj-actions-class supply-chain compromise pattern. +- **npm Worm** — [tools/supply-chain/shai-hulud-class/](tools/supply-chain/shai-hulud-class/). Shai-Hulud-class postinstall harvest-and-propagate worm simulator running against a mock npm registry on 8110. +- **PyPI .pth Stealer** — [tools/supply-chain/pypi-pth-class/](tools/supply-chain/pypi-pth-class/). LiteLLM-style `.pth` persistence simulator with a runtime-detector defender tool, exercised against `mock-pypi` on 8111. ### Evasion (Rust) -- **HW-BP Syscalls** (`tools/rust/syscalls-hwbp/`) - Hardware-breakpoint syscall dispatch bypassing userland EDR hooks. Windows-specific. -- **Modern Sleep Masks** (`tools/rust/sleep-mask-modern/`) - Cronos (fiber + RC4), RustyCronos, HWBP-driven sleep. -- **Threadless Injection** (`tools/rust/threadless-inject/`) - Module stomping, TxF, DLL-notification-callback hijack. -- **ETW-TI Awareness** (`tools/rust/etw-ti-aware/`) - ETW provider enumeration keyed on EDR GUIDs. -- **Call Stack Spoofing** (`tools/rust/callstack-spoof/`) - SilentMoonwalk-pattern gadget finder + `with_spoofed_stack()` RAII wrapper. -- **Call Stack Detection** (`tools/rust/callstack-detect/`) - Defender-side kernel-ETW call-stack collector + unwind validator; spoof-vs-detect matrix. -- **Patchless AMSI/ETW Bypass** (`tools/rust/amsi-patchless/`) - HWBP (DR0/DR1) arm/disarm; SetThreadContext and NtContinue variants documented. -- **BOF/COFF Loader** (`tools/rust/bof-loader/`) - goblin-based COFF parser, symbol allowlist, OutputSandbox capture. -- **BYOVD Framework** (`tools/byovd/`) - Hash-only manifest, HVCI blocklist checker, LOLDrivers sync (hash-only), HVCI-bypass enumeration, EDR-killer class (54-tool market, termination-pattern sim). +- **HW-BP Syscalls** — [tools/rust/syscalls-hwbp/](tools/rust/syscalls-hwbp/). 
Hardware-breakpoint syscall dispatch that bypasses userland EDR hooks. Windows-specific. +- **Modern Sleep Masks** — [tools/rust/sleep-mask-modern/](tools/rust/sleep-mask-modern/). Cronos (fiber + RC4), RustyCronos, and HWBP-driven sleep variants. +- **Threadless Injection** — [tools/rust/threadless-inject/](tools/rust/threadless-inject/). Module stomping, Transactional NTFS, and DLL-notification-callback hijack approaches. +- **ETW-TI Awareness** — [tools/rust/etw-ti-aware/](tools/rust/etw-ti-aware/). ETW provider enumeration keyed on EDR GUIDs — useful for understanding what telemetry the host is feeding into ETW-TI. +- **Call Stack Spoofing** — [tools/rust/callstack-spoof/](tools/rust/callstack-spoof/). SilentMoonwalk-pattern gadget finder plus a `with_spoofed_stack()` RAII wrapper for hiding suspicious frames. +- **Call Stack Detection** — [tools/rust/callstack-detect/](tools/rust/callstack-detect/). The defender-side pair of the spoof crate: a kernel-ETW call-stack collector and unwind validator, with a spoof-vs-detect matrix showing which spoof patterns survive which detections. +- **Patchless AMSI / ETW Bypass** — [tools/rust/amsi-patchless/](tools/rust/amsi-patchless/). HWBP (DR0 / DR1) arm and disarm primitives. Both the SetThreadContext and NtContinue variants are documented. +- **BOF / COFF Loader** — [tools/rust/bof-loader/](tools/rust/bof-loader/). Goblin-based COFF parser, symbol allowlist, and `OutputSandbox` capture. See also [tools/bofs/](tools/bofs/) for safe BOF implementations that exercise the loader. +- **BYOVD Framework** — [tools/byovd/](tools/byovd/). Hash-only manifest, HVCI blocklist checker, LOLDrivers sync (hash-only — no driver bytes are committed), HVCI-bypass enumeration, and the EDR-killer class targeting the broader 2026 BYOVD market. 
### LLM & Agent Attacks -- **M365 Copilot** (`tools/llm-attacks/m365-copilot/`) - EchoLeak (CVE-2025-32711, zero-click email→Copilot→exfil) + ShareLeak (CVE-2026-21520, Copilot Studio form-field injection). Both against mock-copilot (8090). -- **Agentforce** (`tools/llm-attacks/agentforce/`) - PipeLeak public lead-form hijack sim (mock-agentforce 8091). -- **MCP Abuse** (`tools/llm-attacks/mcp-abuse/`) - Tool poisoning, capability confusion; Git MCP server CVE class (CVE-2025-68143/68144/68145 — commit message injection, diff injection, path traversal). -- **Eval Harness** (`tools/llm-attacks/eval/`) - AgentDojo-format harness (97-task corpus), PromptArmor adapter (instruction hierarchy + cosine similarity), MCPSec adapter (schema validation + capability enforcement), defense benchmark runner. -- **Indirect Injection Corpus** (`tools/llm-attacks/indirect-injection/`) - 59-payload corpus across 8 channels including m365_copilot. +- **M365 Copilot** — [tools/llm-attacks/m365-copilot/](tools/llm-attacks/m365-copilot/). EchoLeak (CVE-2025-32711, zero-click email → Copilot → exfil) and ShareLeak (CVE-2026-21520, Copilot Studio form-field injection). Both run against `mock-copilot` on 8090. +- **Agentforce** — [tools/llm-attacks/agentforce/](tools/llm-attacks/agentforce/). PipeLeak public lead-form hijack simulation against `mock-agentforce` on 8091. +- **MCP Abuse** — [tools/llm-attacks/mcp-abuse/](tools/llm-attacks/mcp-abuse/). Tool poisoning and capability-confusion patterns, plus the Git MCP server CVE class (CVE-2025-68143 / -68144 / -68145 — commit-message injection, diff injection, path traversal). +- **Eval Harness** — [tools/llm-attacks/eval/](tools/llm-attacks/eval/). AgentDojo-format harness paired with a PromptArmor adapter (instruction hierarchy + cosine similarity), an MCPSec adapter (schema validation + capability enforcement), and a defense-benchmark runner. 
+- **Indirect Injection Corpus** — [tools/llm-attacks/indirect-injection/](tools/llm-attacks/indirect-injection/). Prompt-injection payloads organized by delivery channel — PDF, DOCX, HTML, email (plaintext and HTML), calendar invites, and image alt text — including a `m365_copilot` channel for the Copilot-specific surface. ### Browser -- **Browser Extension Supply-Chain** (`tools/browser-ext-attacks/`) - MV3 lab catalog: cookie theft, session hijack, form-grab, DNR redirect abuse, Cyberhaven-pattern update-hijack simulation. -- **Exploit Framework** (`tools/framework/`) - Equation Group–inspired exploit orchestration. -- **Fuzzing** (`tools/fuzzing/`) - JIT (GVN, LICM, Range Analysis), IPC, V8 Turbofan fuzzers. +- **Browser Extension Supply-Chain** — [tools/browser-ext-attacks/](tools/browser-ext-attacks/). MV3 lab catalog: cookie theft, session hijack, form-grab, DNR redirect abuse, and the Cyberhaven-pattern update-hijack simulation. +- **Browser-Native Post-Exploitation** — [tools/browser-native-postex/](tools/browser-native-postex/). WASM post-exploitation payload, with delivery via MV3 extension, service worker, or XSS. +- **Exploit Framework** — [tools/framework/](tools/framework/). Equation Group–inspired exploit orchestration glue. +- **Fuzzing** — [tools/fuzzing/](tools/fuzzing/). JIT (GVN, LICM, Range Analysis), IPC, and V8 Turbofan fuzzers. ### Kubernetes & Cloud-Native -- **Kubernetes Post-Exploitation** (`tools/kubernetes-postex/`) - runc container breakout (CVE-2025-31133/-52565/-52881) + chain to kubelet, NodeRestriction admission bypass (CVE-2025-4563/-5187), AKS CVE-2026-33105 (CVSS 10 Azure CNI IPAM socket). All require `EXPLOIT_LAB_K8S=1`. +- **Kubernetes Post-Exploitation** — [tools/kubernetes-postex/](tools/kubernetes-postex/). Runc container breakout (CVE-2025-31133 / -52565 / -52881) chained to kubelet, the NodeRestriction admission bypass (CVE-2025-4563 / -5187), and the AKS CVE-2026-33105 work (CVSS 10, Azure CNI IPAM socket). 
Gated behind `EXPLOIT_LAB_K8S=1`. ### Linux Post-Exploitation -- **eBPF Rootkit** (`tools/linux-postex/ebpf-rootkit/`) - LinkPro-class (XDP/TC + magic-packet C2) analysis; Boopkit / TripleCross / ebpfkit corpus comparison; Rust sim stub (`EXPLOIT_LAB_EBPF=1`). +- **eBPF Rootkit** — [tools/linux-postex/ebpf-rootkit/](tools/linux-postex/ebpf-rootkit/). LinkPro-class XDP / TC + magic-packet C2 analysis, a Boopkit / TripleCross / ebpfkit corpus comparison, and a Rust simulation stub. Gated behind `EXPLOIT_LAB_EBPF=1`. ### macOS / Mobile / Firmware (Research) -- **macOS** (`tools/macos-postex/`) - TCC bypass: CVE-2025-43530 VoiceOver + 6-app entitlement catalog; SLAP/FLOP side-channel analysis; SysBumps KASLR break. Research docs only. -- **Mobile Landscape** (`docs/analysis/mobile-landscape-2026/`) - iOS DarkSword chain, Coruna kit, Pixel 9 0-click, Pwn2Own Ireland 2025, Lockdown Mode effectiveness. Research-only, no PoC. -- **Firmware** (`docs/analysis/firmware-landscape-2026/`) - Hydroph0bia Insyde H2O SMM, LogoFAIL successors, UEFI cert expiry Jun 2026, defender inventory. +- **macOS** — [tools/macos-postex/](tools/macos-postex/). TCC bypass research: CVE-2025-43530 VoiceOver and an entitlement-overreach catalog cataloging real applications that ship with TCC-relevant permissions; SLAP / FLOP side-channel analysis; SysBumps KASLR break. Documents only — no PoC. +- **Mobile Landscape** — [docs/analysis/mobile-landscape-2026/](docs/analysis/mobile-landscape-2026/). iOS DarkSword chain, Coruna kit, Pixel 9 zero-click, Pwn2Own Ireland 2025, and Lockdown Mode effectiveness. Research-only. +- **Firmware** — [docs/analysis/firmware-landscape-2026/](docs/analysis/firmware-landscape-2026/). Hydroph0bia (Insyde H2O SMM), LogoFAIL successors, the June 2026 UEFI cert expiry, and a defender-side inventory. ### Persistence -- **RMM Abuse** (`tools/persistence/rmm-abuse/`) - ScreenConnect / AnyDesk / QuickAssist attacker patterns + persistence mechanics + detection. 
Cross-tool kill-chain correlation (RMM install + BYOVD = pre-ransomware indicator). -- **ESXi Post-Exploitation** (`tools/persistence/esxi-postex/`) - VM kill chain, ESXi lifecycle post-ex, Nutanix AHV parallels. +- **RMM Abuse** — [tools/persistence/rmm-abuse/](tools/persistence/rmm-abuse/). ScreenConnect / AnyDesk / QuickAssist attacker patterns with persistence mechanics and detection. Cross-tool kill-chain correlation makes the case that an RMM install combined with BYOVD is a strong pre-ransomware indicator. +- **ESXi Post-Exploitation** — [tools/persistence/esxi-postex/](tools/persistence/esxi-postex/). VM kill chain, ESXi lifecycle post-ex, and Nutanix AHV parallels. -### Legacy / Support +### Legacy & Support -- **IDOL** (`tools/idol/`) - Lateral movement PoC: credential harvest, persistence, C2 beaconing. -- **Rust Target Tools** (`tools/rust/`) - Rust workspace. Build: `cd tools/rust && cargo build --release`. -- **Post-exploit Staging** (`tools/post-exploit-staging/`) - Three-tier staging architecture. -- **Forensic Analysis** (`tools/forensic-analysis/`) - Artifact detection, audit gap analysis. -- **Validator** (`tools/validator/`) - Pre-exploitation browser fingerprinting. +- **IDOL** — [tools/idol/](tools/idol/). Lateral-movement PoC covering credential harvest, persistence, and C2 beaconing. +- **Rust Target Tools** — [tools/rust/](tools/rust/). The Rust workspace. Build with `cd tools/rust && cargo build --release`. +- **Post-Exploit Staging** — [tools/post-exploit-staging/](tools/post-exploit-staging/). Three-tier staging architecture. +- **Forensic Analysis** — [tools/forensic-analysis/](tools/forensic-analysis/). Artifact detection and audit-gap analysis. +- **Validator** — [tools/validator/](tools/validator/). Pre-exploitation browser fingerprinting. --- ## CVE Index +The repository tracks Chrome and Firefox CVEs from 2024 through 2026 — patch analysis, triggers, and complete chains. 
The full table is collapsed below; for the canonical index with implementation status, see [cves/README.md](cves/README.md). +
CVE reproductions across Chrome and Firefox (2024–2026) — click to expand @@ -211,6 +211,7 @@ exploits/ │ │ ├── threadless-inject/ # Module stomping / TxF / DLL-notify │ │ ├── etw-ti-aware/ # ETW-TI + EDR provider enumeration │ │ ├── callstack-spoof/ # Call stack spoofing +│ │ ├── callstack-detect/ # Defender-side call-stack validator │ │ ├── amsi-patchless/ # HWBP AMSI/ETW bypass │ │ ├── bof-loader/ # COFF/BOF executor │ │ ├── telemetry-patch/ # ETW/AMSI prologue patching @@ -220,9 +221,9 @@ exploits/ │ │ ├── transports/ # WebSocket, gRPC, SMB pipe, DoH, HTTP │ │ ├── relay/ # P2P relay node + topology graph │ │ └── profiles/ # Dynamic YAML transport profiles -│ ├── ad-cs/ # AD CS ESC1–ESC15 exploitation +│ ├── ad-cs/ # AD CS ESC1–ESC16 exploitation │ │ ├── enum/ # LDAP-based template enumerator -│ │ └── exploit/ # esc01/ through esc15/ + chain.py +│ │ └── exploit/ # esc01/ through esc16/ + chain.py │ ├── kerberos/ # Kerberos lateral movement │ │ ├── s4u/ # S4U2self / S4U2proxy │ │ ├── rbcd/ # RBCD attack chain + ACL scanner @@ -261,7 +262,7 @@ exploits/ │ │ ├── wasm-payload/ # Rust → WASM (wasm-bindgen) │ │ └── delivery/ # MV3 ext / service worker / XSS │ ├── bofs/ # BOF implementations for bof-loader -│ ├── entra-abuse/ # Device-code phishing, PRT (v3) +│ ├── entra-abuse/ # Device-code phishing, PRT (legacy) │ ├── framework/ # Exploit orchestration framework │ ├── dashboard/ # Session management dashboard │ ├── post-exploit-staging/ # Three-tier staging architecture 
@@ -287,16 +288,37 @@ exploits/ └── cves/ # CVE reproductions ``` +For more granular indexes, see [tools/](tools/), [docs/analysis/](docs/analysis/), and [docs/methodology/](docs/methodology/) — each has its own README. + +--- + ## Getting Started -1. Clone the repo and install lab dependencies: `pip install -r requirements-lab.txt` -2. For the Databricks assessment dashboard: `cd reports/databricks-apps-assessment && pip install -r requirements.txt && streamlit run app.py` -3. For the contained lab: `make lab-up` (requires Docker) -4. To run tools locally: `python3 tools/c2/server.py` in one terminal, `python3 tools/c2/beacon/beacon_client.py` in another -5. Browse `cves/` for specific CVE reproductions. Each CVE directory contains its own README with setup instructions. +1. Clone the repository and install lab dependencies: `pip install -r requirements-lab.txt` +2. Bring up the contained lab (requires Docker): `make lab-up`. Use `make lab-status` to confirm everything is healthy and `make lab-down` when you are finished. +3. To run tools locally without the full lab, start the C2 server in one terminal (`python3 tools/c2/server.py`) and a beacon in another (`python3 tools/c2/beacon/beacon_client.py`). +4. Browse [cves/](cves/) for specific CVE reproductions. Each CVE directory contains its own README with setup instructions. +5. For the Databricks assessment dashboard, see the section below. + +--- + +## Databricks Apps Assessment + +A secondary deliverable in this repository is an interactive security assessment of the Databricks Apps platform, prepared for security leadership. It lives at [reports/databricks-apps-assessment/](reports/databricks-apps-assessment/) and is rendered as a Streamlit dashboard. 
+ +- **Run it.** `cd reports/databricks-apps-assessment && pip install -r requirements.txt && streamlit run app.py` +- **Build flow.** Source files live under `src/` (`_00_header.py` … `_99_dispatch.py`); `python build.py` concatenates them into the deployable `app.py`. Edit the `src/` files, never `app.py` directly. `python build.py --check` verifies the build is up to date. + +Findings the report covers include OAuth On-Behalf-Of (OBO) token-abuse paths in Databricks Apps, the Databricks app identity chain and service-principal exposure, detection gaps in the Databricks audit logs, and concrete recommendations for monitoring, governance, and access-control improvements. + +--- ## Links - **Repository**: [github.com/AndrewAltimit/exploits](https://github.com/AndrewAltimit/exploits) - **GitHub Pages**: [andrewaltimit.github.io/exploits](https://andrewaltimit.github.io/exploits/) -- **Live Dashboard**: [andrewaltimit.github.io/exploits/dashboard](https://andrewaltimit.github.io/exploits/dashboard/) - runs in-browser via WebAssembly +- **Live Dashboard**: [andrewaltimit.github.io/exploits/dashboard](https://andrewaltimit.github.io/exploits/dashboard/) — runs in-browser via WebAssembly + +## License + +Dual-licensed under [Unlicense](LICENSE) and [MIT](LICENSE-MIT). diff --git a/SECURITY.md b/SECURITY.md index 2bc8e07..562ed0c 100644 --- a/SECURITY.md +++ b/SECURITY.md 
@@ -24,9 +24,9 @@ Containment is enforced in code at runtime, not by convention or documentation: | Layer | Control | |-------|---------| -| **Network** | All C2 and beacon traffic is bound to loopback (`127.0.0.0/8`) or Docker bridge. ContainmentGuard (`tools/lib/containment.py`, `tools/rust/containment/`) checks the bind address at startup and exits if a non-loopback interface is requested. | +| **Network** | All C2 and beacon traffic is bound to loopback (`127.0.0.0/8`) or Docker bridge. ContainmentGuard ([`tools/lib/containment.py`](tools/lib/containment.py), [`tools/rust/containment/`](tools/rust/containment/)) checks the bind address at startup and exits if a non-loopback interface is requested. | | **Beacon commands** | The beacon enforces a hardcoded allowlist of 8 safe commands (`whoami`, `sysinfo`, `ls`, `env`, `pid`, `ping`, `sleep`, `exec`). The `exec` command is refused outside Docker containers. No dynamic command registration exists. | -| **Lab network** | The Docker Compose lab (`docker-compose.lab.yml`) runs on an `internal: true` network with no internet gateway. All inter-service traffic stays on the Docker bridge. | +| **Lab network** | The Docker Compose lab ([`docker-compose.lab.yml`](docker-compose.lab.yml)) runs on an `internal: true` network with no internet gateway. All inter-service traffic stays on the Docker bridge. | | **IDOL worm** | Persistence demo installs only a harmless cron heartbeat. `--cleanup` removes it. Credential harvest and recon scripts are read-only and do not exfiltrate data. | | **WASM dashboard** | The GitHub Pages interactive dashboard runs on simulated data generated locally in the browser. There is no real C2 server behind it, no outbound HTTP, and no network access from the WASM sandbox. The `--c2` live mode is only available in the local CLI. | | **Process isolation** | ContainmentGuard enforces non-root execution and tmpdir isolation. 
Docker environment detection is used as a lab-context gate for destructive operations. | 
@@ -35,20 +35,20 @@ Containment is enforced in code at runtime, not by convention or documentation: | **Lab tenant allowlist** | Entra-abuse tools check `ENTRA_LAB_TENANT_ID` and refuse to operate against any tenant not matching it. Production aliases (`common`, `organizations`, `consumers`) are blocked unconditionally. | | **BYOVD gate** | Kernel-mode tooling runs only under explicit written authorization recorded in a gitignored file and inside the isolated offline lab VM. Vulnerable driver binaries are never committed; `.gitignore` covers `*.sys` and a CI gate enforces it. | | **Mock-service loopback** | Every mock service under `tools/*/mock-services/` binds to loopback only. A CI gate verifies bind-host declarations statically. | -| **CI enforcement** | CI scripts in `ci/` and `tools/ci/` fail the build if any offensive module lacks a `detection/` directory, any `*.sys` driver file appears in the repo, any production Entra tenant alias appears in non-example config, or any mock service declares a non-loopback bind. | +| **CI enforcement** | CI scripts in [`ci/`](ci/) and [`tools/ci/`](tools/ci/) fail the build if any offensive module lacks a `detection/` directory, any `*.sys` driver file appears in the repo, any production Entra tenant alias appears in non-example config, or any mock service declares a non-loopback bind. 
| ## Capability Categories **Identity-centric post-exploitation:** -- Browser session theft (`tools/rust/cookie-theft/`) — Chrome v10/v11 cookie decryption, lab fixture only, fixture-root gated -- Entra ID abuse (`tools/entra-abuse/`, `tools/cloud-identity/`) — device-code phishing, PRT simulation, CA bypass, SyncJacking, Silver SAML, FOCI, PRT devtools extraction — all against lab mock services only -- Kubernetes post-exploitation (`tools/kubernetes-postex/`, `tools/post-exploit-staging/commands/k8s_recon/`) — pod recon, runc escape analysis, admission-bypass research against a `kind` lab cluster +- Browser session theft ([`tools/rust/cookie-theft/`](tools/rust/cookie-theft/)) — Chrome v10/v11 cookie decryption, lab fixture only, fixture-root gated +- Entra ID abuse ([`tools/entra-abuse/`](tools/entra-abuse/), [`tools/cloud-identity/`](tools/cloud-identity/)) — device-code phishing, PRT simulation, CA bypass, SyncJacking, Silver SAML, FOCI, PRT devtools extraction — all against lab mock services only +- Kubernetes post-exploitation ([`tools/kubernetes-postex/`](tools/kubernetes-postex/), [`tools/post-exploit-staging/commands/k8s_recon/`](tools/post-exploit-staging/commands/k8s_recon/)) — pod recon, runc escape analysis, admission-bypass research against a `kind` lab cluster **EDR evasion primitives (Rust, Windows-specific, lab only):** -- Sleep obfuscation (`tools/rust/sleep-mask/`, `tools/rust/sleep-mask-modern/`) — Ekko / Foliage / Cronos, compiles to a no-op stub on Linux -- Indirect syscalls (`tools/rust/syscalls/`, `tools/rust/syscalls-hwbp/`) — Hell's Gate / Tartarus Gate / HW-BP dispatch with compile-time allowlist -- Telemetry patching (`tools/rust/telemetry-patch/`, `tools/rust/amsi-patchless/`, `tools/rust/etw-ti-aware/`) — ETW + AMSI patching, HWBP patchless variants, ETW-TI awareness; paired with a memory-diffing detector and a defender-side call-stack detector (`tools/rust/callstack-detect/`) -- BOF loading (`tools/rust/bof-loader/`) — COFF executor 
with a strict symbol allowlist and paired detection +- Sleep obfuscation ([`tools/rust/sleep-mask/`](tools/rust/sleep-mask/), [`tools/rust/sleep-mask-modern/`](tools/rust/sleep-mask-modern/)) — Ekko / Foliage / Cronos, compiles to a no-op stub on Linux +- Indirect syscalls ([`tools/rust/syscalls/`](tools/rust/syscalls/), [`tools/rust/syscalls-hwbp/`](tools/rust/syscalls-hwbp/)) — Hell's Gate / Tartarus Gate / HW-BP dispatch with compile-time allowlist +- Telemetry patching ([`tools/rust/telemetry-patch/`](tools/rust/telemetry-patch/), [`tools/rust/amsi-patchless/`](tools/rust/amsi-patchless/), [`tools/rust/etw-ti-aware/`](tools/rust/etw-ti-aware/)) — ETW + AMSI patching, HWBP patchless variants, ETW-TI awareness; paired with a memory-diffing detector and a defender-side call-stack detector ([`tools/rust/callstack-detect/`](tools/rust/callstack-detect/)) +- BOF loading ([`tools/rust/bof-loader/`](tools/rust/bof-loader/)) — COFF executor with a strict symbol allowlist and paired detection Every offensive module ships with a `detection/` directory containing defender artifacts (Sigma rules, KQL queries, Falco rules, Sysmon configs, or hunting runbooks). diff --git a/docs/analysis/aitm-kit-market-2026.md b/docs/analysis/aitm-kit-market-2026.md index 0a136c2..3879134 100644 --- a/docs/analysis/aitm-kit-market-2026.md +++ b/docs/analysis/aitm-kit-market-2026.md @@ -131,7 +131,7 @@ The session anomaly detection path is the most reliable cross-kit detection. ## Detection Coverage Assessment -The detection rules in `tools/phishing/aitm-kits/*/detection/` target each kit's +The detection rules in [`tools/phishing/aitm-kits/*/detection/`](../../tools/phishing/aitm-kits/) target each kit's differentiating indicators while sharing the common session replay detection logic: - **Tycoon2FA**: MFA-success-then-replay IP mismatch, OAuth code exchange mismatch 
@@ -157,6 +157,6 @@ Both are needed for complete coverage. Related in-repo: -- `tools/phishing/aitm-kits/` — Tycoon2FA, Sneaky2FA, Rockstar2FA, Evilginx3 reproductions. -- `docs/methodology/aitm-phishing-2026.md` — attack mechanics + defender controls. -- `docs/methodology/phish-resistance-testing.md` — WebAuthn/FIDO2 as durable counter. +- [`tools/phishing/aitm-kits/`](../../tools/phishing/aitm-kits/) — Tycoon2FA, Sneaky2FA, Rockstar2FA, Evilginx3 reproductions. +- [`docs/methodology/aitm-phishing-2026.md`](../methodology/aitm-phishing-2026.md) — attack mechanics + defender controls. +- [`docs/methodology/phish-resistance-testing.md`](../methodology/phish-resistance-testing.md) — WebAuthn/FIDO2 as durable counter. diff --git a/docs/analysis/amsi-bypass-timeline.md b/docs/analysis/amsi-bypass-timeline.md index 7c9f58d..fa07697 100644 --- a/docs/analysis/amsi-bypass-timeline.md +++ b/docs/analysis/amsi-bypass-timeline.md 
@@ -22,25 +22,25 @@ Chronological history of AMSI bypass techniques and their patch/detection status - Memory scanning on suspicious API invocations - `BeforeAmsiScanBuffer` / `AfterAmsiScanBuffer` callbacks (MDE 2023+) -**HWBP bypass** (`tools/rust/amsi-patchless/`) remains the lowest-footprint approach: +**HWBP bypass** ([`tools/rust/amsi-patchless/`](../../tools/rust/amsi-patchless/)) remains the lowest-footprint approach: - No memory modification — no memory diff signal - VEH handler is in image-backed memory (if gadgets sourced from loaded modules) - Detectable via: thread context DR modification events (ETW), VEH registration anomalies -**Combining HWBP with call-stack spoofing** (`tools/rust/callstack-spoof/`) removes the +**Combining HWBP with call-stack spoofing** ([`tools/rust/callstack-spoof/`](../../tools/rust/callstack-spoof/)) removes the stack-based detection signal from the VEH handler invocation. ## Implementation -- `tools/rust/amsi-patchless/` — HWBP-based bypass with ETW variant -- `tools/rust/callstack-spoof/` — companion stack spoofer -- `tools/rust/telemetry-patch/` — memory-patching variant (for comparison; higher footprint) +- [`tools/rust/amsi-patchless/`](../../tools/rust/amsi-patchless/) — HWBP-based bypass with ETW variant +- [`tools/rust/callstack-spoof/`](../../tools/rust/callstack-spoof/) — companion stack spoofer +- [`tools/rust/telemetry-patch/`](../../tools/rust/telemetry-patch/) — memory-patching variant (for comparison; higher footprint) ## Detection -- `tools/rust/amsi-patchless/detection/sigma/amsi_hwbp_bypass.yml` -- `tools/rust/amsi-patchless/detection/sigma/thread_context_dr_modification.yml` -- `tools/rust/callstack-spoof/detection/sigma/callstack_spoofing_detection.yml` +- [`tools/rust/amsi-patchless/detection/sigma/amsi_hwbp_bypass.yml`](../../tools/rust/amsi-patchless/detection/sigma/amsi_hwbp_bypass.yml) +- 
[`tools/rust/amsi-patchless/detection/sigma/thread_context_dr_modification.yml`](../../tools/rust/amsi-patchless/detection/sigma/thread_context_dr_modification.yml) +- [`tools/rust/callstack-spoof/detection/sigma/callstack_spoofing_detection.yml`](../../tools/rust/callstack-spoof/detection/sigma/callstack_spoofing_detection.yml) ## References diff --git a/docs/analysis/byovd-2026-scale.md b/docs/analysis/byovd-2026-scale.md index 8bd966f..dcce809 100644 --- a/docs/analysis/byovd-2026-scale.md +++ b/docs/analysis/byovd-2026-scale.md @@ -41,7 +41,7 @@ endpoint fleets contain a mix of HVCI-capable and HVCI-incapable hardware. **HVCI-bypass** — A minority of drivers bypass HVCI due to legacy signing exceptions, OEM allowlisting, or WHQL co-signatures that predate mandatory HVCI. Approximately one in five LOLDrivers catalog entries carry an HVCI-bypass -designation (see `tools/byovd/loldrivers-integration/` for catalog analysis). +designation (see [`tools/byovd/loldrivers-integration/`](../../tools/byovd/loldrivers-integration/) for catalog analysis). These are the highest-priority research targets and the highest-priority defensive gaps. 
@@ -167,14 +167,14 @@ review than an average new driver. The following tools in this repository implement the research and detection content for BYOVD: -- `tools/byovd/` — core framework, manifest schema, blocklist checker -- `tools/byovd/loldrivers-integration/` — catalog sync, HVCI bypass enumeration, +- [`tools/byovd/`](../../tools/byovd/) — core framework, manifest schema, blocklist checker +- [`tools/byovd/loldrivers-integration/`](../../tools/byovd/loldrivers-integration/) — catalog sync, HVCI bypass enumeration, capability graph -- `tools/byovd/edr-killer-class/` — behavior model, CVE analysis, termination +- [`tools/byovd/edr-killer-class/`](../../tools/byovd/edr-killer-class/) — behavior model, CVE analysis, termination pattern simulator (stubbed), detection content -- `tools/edr-silencing/` — WDAC policy abuse, callback integrity, blind spot +- [`tools/edr-silencing/`](../../tools/edr-silencing/) — WDAC policy abuse, callback integrity, blind spot enumeration, BYOVD orchestration -- `docs/methodology/edr-silencing-via-policy.md` — architectural defence +- [`docs/methodology/edr-silencing-via-policy.md`](../methodology/edr-silencing-via-policy.md) — architectural defence methodology including the Kill-Don't-Evade paradigm --- diff --git a/docs/analysis/c2-framework-market-2026.md b/docs/analysis/c2-framework-market-2026.md index c4f8790..f1fad3d 100644 --- a/docs/analysis/c2-framework-market-2026.md +++ b/docs/analysis/c2-framework-market-2026.md 
@@ -93,8 +93,8 @@ means: `.pdata`/`.xdata` cross-check. The arms race now centers on unwind-metadata-consistent call stack construction. -See `tools/rust/callstack-detect/` for the defender-side implementation and -`tools/rust/callstack-spoof/spoof_vs_detect_matrix.md` for the spoof-vs-detect matrix. +See [`tools/rust/callstack-detect/`](../../tools/rust/callstack-detect/) for the defender-side implementation and +[`tools/rust/callstack-spoof/spoof_vs_detect_matrix.md`](../../tools/rust/callstack-spoof/spoof_vs_detect_matrix.md) for the spoof-vs-detect matrix. ## Cloud-Native C2 Gap @@ -112,7 +112,7 @@ through at least 2027. ## Profile Files -Traffic profiles for each framework: `tools/c2/profiles/framework-mimics/` +Traffic profiles for each framework: [`tools/c2/profiles/framework-mimics/`](../../tools/c2/profiles/framework-mimics/) ## References @@ -129,6 +129,6 @@ Traffic profiles for each framework: `tools/c2/profiles/framework-mimics/` Related in-repo: -- `tools/c2/profiles/framework-mimics/` — AdaptixC2, emp3r0r, APEX, Mythic, Havoc, Brute Ratel, Nighthawk profiles. -- `tools/c2/transports/` — HTTP/3, DoQ, Telegram-bot, Teams-Graph transport reproductions. -- `docs/methodology/modern-c2-architecture.md` — transport-layer and channel modeling. +- [`tools/c2/profiles/framework-mimics/`](../../tools/c2/profiles/framework-mimics/) — AdaptixC2, emp3r0r, APEX, Mythic, Havoc, Brute Ratel, Nighthawk profiles. +- [`tools/c2/transports/`](../../tools/c2/transports/) — HTTP/3, DoQ, Telegram-bot, Teams-Graph transport reproductions. +- [`docs/methodology/modern-c2-architecture.md`](../methodology/modern-c2-architecture.md) — transport-layer and channel modeling. diff --git a/docs/analysis/cloud-identity-detection.md b/docs/analysis/cloud-identity-detection.md index 831774f..325e9b8 100644 --- a/docs/analysis/cloud-identity-detection.md +++ b/docs/analysis/cloud-identity-detection.md 
@@ -2,7 +2,7 @@ **Scope:** Detection strategies for OAuth On-Behalf-Of (OBO) token abuse, IAM pivoting, and stolen-identity access in Databricks Apps deployments on Azure. -**Related tools:** `tools/cloud-identity/oauth_obo_demo.py`, `tools/cloud-identity/token_scope_analyzer.py` +**Related tools:** [`tools/cloud-identity/oauth_obo_demo.py`](../../tools/cloud-identity/oauth_obo_demo.py), [`tools/cloud-identity/token_scope_analyzer.py`](../../tools/cloud-identity/token_scope_analyzer.py) --- diff --git a/docs/analysis/entra-2026-state-of-play.md b/docs/analysis/entra-2026-state-of-play.md index b120308..2dd745e 100644 --- a/docs/analysis/entra-2026-state-of-play.md +++ b/docs/analysis/entra-2026-state-of-play.md @@ -3,8 +3,8 @@ Living document. Updated as techniques are tested and mitigations deployed. **Last updated:** 2026-04-22 -**Lab coverage:** `tools/cloud-identity/entra-2026/`, `tools/cloud-identity/wif/`, -`tools/cloud-identity/golden-saml/`, `tools/entra-abuse/` +**Lab coverage:** [`tools/cloud-identity/entra-2026/`](../../tools/cloud-identity/entra-2026/), [`tools/cloud-identity/wif/`](../../tools/cloud-identity/wif/), +[`tools/cloud-identity/golden-saml/`](../../tools/cloud-identity/golden-saml/), [`tools/entra-abuse/`](../../tools/entra-abuse/) --- @@ -57,7 +57,7 @@ authorizes the attacker's app. - Any Conditional Access policy that doesn't explicitly block device-code flow - The victim UX remains indistinguishable from a legitimate Microsoft device login -**Lab tool:** `tools/entra-abuse/device_code_phish.py` +**Lab tool:** [`tools/entra-abuse/device_code_phish.py`](../../tools/entra-abuse/device_code_phish.py) --- 
@@ -73,7 +73,7 @@ Mimikatz `sekurlsa::cloudap` extracts it in software. Attack chain: local admin/SYSTEM on target → Mimikatz → PRT blob → Azure AD SSO token. -**Lab tool:** `tools/entra-abuse/prt_extract.py`, `tools/cloud-identity/entra-2026/tpm_bound_prt_analysis.py` +**Lab tool:** [`tools/entra-abuse/prt_extract.py`](../../tools/entra-abuse/prt_extract.py), [`tools/cloud-identity/entra-2026/tpm_bound_prt_analysis.py`](../../tools/cloud-identity/entra-2026/tpm_bound_prt_analysis.py) ### TPM-bound path (BROKEN) @@ -114,7 +114,7 @@ tokens with no revocation capability. - Reduce access token lifetime to 15 minutes via named locations + CA policy - Monitor for access token use from IPs inconsistent with the session IP -**Lab tool:** `tools/cloud-identity/entra-2026/cae_race.py` +**Lab tool:** [`tools/cloud-identity/entra-2026/cae_race.py`](../../tools/cloud-identity/entra-2026/cae_race.py) --- @@ -134,7 +134,7 @@ It requires: - Refresh tokens: not uniformly hardware-bound - Personal Access Tokens (PATs): completely outside the Entra ID token protection model -**Lab tool:** `tools/cloud-identity/entra-2026/token_protection_gaps.py` +**Lab tool:** [`tools/cloud-identity/entra-2026/token_protection_gaps.py`](../../tools/cloud-identity/entra-2026/token_protection_gaps.py) --- @@ -161,8 +161,8 @@ it was weaponized in SUNBURST (2020). With the ADFS token-signing private key: - Migrating from ADFS federation to Entra ID direct authentication (eliminates ADFS) **Lab tools:** -- `tools/cloud-identity/golden-saml/golden_saml.py` (SAML forgery) -- `tools/cloud-identity/golden-saml/oidc_token_forge.py` (OIDC/JWT forgery) +- [`tools/cloud-identity/golden-saml/golden_saml.py`](../../tools/cloud-identity/golden-saml/golden_saml.py) (SAML forgery) +- [`tools/cloud-identity/golden-saml/oidc_token_forge.py`](../../tools/cloud-identity/golden-saml/oidc_token_forge.py) (OIDC/JWT forgery) --- 
@@ -195,8 +195,8 @@ configuration. Entra ID trusts assertions signed by either the primary or second monitoring **Lab tools:** -- `tools/cloud-identity/golden-saml/silver-saml/silver_saml_forge.py` -- `tools/cloud-identity/golden-saml/silver-saml/scanner_gap_analysis.md` +- [`tools/cloud-identity/golden-saml/silver-saml/silver_saml_forge.py`](../../tools/cloud-identity/golden-saml/silver-saml/silver_saml_forge.py) +- [`tools/cloud-identity/golden-saml/silver-saml/scanner_gap_analysis.md`](../../tools/cloud-identity/golden-saml/silver-saml/scanner_gap_analysis.md) --- @@ -236,8 +236,8 @@ without the compliance check applying to the exchange. auth from non-enrollment sources **Lab tools:** -- `tools/cloud-identity/entra-2026/foci/test_harness.py` -- `tools/cloud-identity/entra-2026/foci/foci_mechanics.md` +- [`tools/cloud-identity/entra-2026/foci/test_harness.py`](../../tools/cloud-identity/entra-2026/foci/test_harness.py) +- [`tools/cloud-identity/entra-2026/foci/foci_mechanics.md`](../../tools/cloud-identity/entra-2026/foci/foci_mechanics.md) --- @@ -254,8 +254,8 @@ when trust policies use wildcards instead of exact matches. - `StringLike: azure-app-*` in cross-cloud trust — matches any Azure app OID prefix **Lab tools:** -- `tools/cloud-identity/wif/wif_abuse.py` — Flow 1 (wildcard sub) + Flow 2 (cross-cloud) -- `tools/cloud-identity/oidc-trust/oidc_confusion.py` — Fork PR, aud confusion, issuer confusion +- [`tools/cloud-identity/wif/wif_abuse.py`](../../tools/cloud-identity/wif/wif_abuse.py) — Flow 1 (wildcard sub) + Flow 2 (cross-cloud) +- [`tools/cloud-identity/oidc-trust/oidc_confusion.py`](../../tools/cloud-identity/oidc-trust/oidc_confusion.py) — Fork PR, aud confusion, issuer confusion --- 
@@ -270,8 +270,8 @@ when trust policies use wildcards instead of exact matches. | PAT longevity | WORKS | No expiry by default; no token protection | | Workspace token replay | WORKS | Missing iss validation across workspaces | -**Full findings:** `reports/databricks-apps-assessment/` -**Lab tools:** `tools/cloud-identity/databricks/` +**Full findings:** [`reports/databricks-apps-assessment/`](../../reports/databricks-apps-assessment/) +**Lab tools:** [`tools/cloud-identity/databricks/`](../../tools/cloud-identity/databricks/) --- diff --git a/docs/analysis/firmware-landscape-2026/README.md b/docs/analysis/firmware-landscape-2026/README.md index 16bb168..0e4a022 100644 --- a/docs/analysis/firmware-landscape-2026/README.md +++ b/docs/analysis/firmware-landscape-2026/README.md @@ -51,8 +51,8 @@ Firmware threats are relevant to healthcare for three reasons: Related in-repo: -- `docs/analysis/firmware-landscape-2026/hydroph0bia-secure-boot.md` -- `docs/analysis/firmware-landscape-2026/logofail-successors.md` -- `docs/analysis/firmware-landscape-2026/smm-research.md` -- `docs/analysis/firmware-landscape-2026/uefi-cert-expiry-jun-2026.md` -- `docs/analysis/firmware-landscape-2026/defender-inventory.md` +- [`docs/analysis/firmware-landscape-2026/hydroph0bia-secure-boot.md`](hydroph0bia-secure-boot.md) +- [`docs/analysis/firmware-landscape-2026/logofail-successors.md`](logofail-successors.md) +- [`docs/analysis/firmware-landscape-2026/smm-research.md`](smm-research.md) +- [`docs/analysis/firmware-landscape-2026/uefi-cert-expiry-jun-2026.md`](uefi-cert-expiry-jun-2026.md) +- [`docs/analysis/firmware-landscape-2026/defender-inventory.md`](defender-inventory.md) diff --git a/docs/analysis/firmware-landscape-2026/smm-research.md b/docs/analysis/firmware-landscape-2026/smm-research.md index 4364f63..c5d2599 100644 --- a/docs/analysis/firmware-landscape-2026/smm-research.md +++ b/docs/analysis/firmware-landscape-2026/smm-research.md 
@@ -62,7 +62,7 @@ cannot load an unsigned kernel driver to invoke SMI. BYOVD (Bring Your Own Vulnerable Driver) circumvents this by using a signed-but-vulnerable legitimate driver to proxy the SMI trigger. -The `tools/byovd/` module covers BYOVD driver candidates. +The [`tools/byovd/`](../../../tools/byovd/) module covers BYOVD driver candidates. --- diff --git a/docs/analysis/healthcare-ransomware-2026.md b/docs/analysis/healthcare-ransomware-2026.md index ec74d74..6c8b8ae 100644 --- a/docs/analysis/healthcare-ransomware-2026.md +++ b/docs/analysis/healthcare-ransomware-2026.md @@ -205,6 +205,6 @@ For a healthcare red team engagement: - HIMSS Cybersecurity Survey 2025 - Change Healthcare incident timeline: AHA analysis (2024) - Recorded Future: Healthcare Ransomware Threat Intelligence Q1 2026 -- `docs/methodology/ransomware-affiliate-tradecraft-2026.md` — affiliate TTPs -- `tools/persistence/esxi-postex/vm_layer_kill_chain.md` — ESXi kill chain detail -- `tools/persistence/rmm-abuse/README.md` — RMM persistence tooling +- [`docs/methodology/ransomware-affiliate-tradecraft-2026.md`](../methodology/ransomware-affiliate-tradecraft-2026.md) — affiliate TTPs +- [`tools/persistence/esxi-postex/vm_layer_kill_chain.md`](../../tools/persistence/esxi-postex/vm_layer_kill_chain.md) — ESXi kill chain detail +- [`tools/persistence/rmm-abuse/README.md`](../../tools/persistence/rmm-abuse/README.md) — RMM persistence tooling diff --git a/docs/analysis/kernel-callback-removal-research.md b/docs/analysis/kernel-callback-removal-research.md index 03ccebf..0cb7aa7 100644 --- a/docs/analysis/kernel-callback-removal-research.md +++ b/docs/analysis/kernel-callback-removal-research.md 
@@ -23,22 +23,22 @@ privileges can locate the callback tables and null out EDR entries. write. These are patched within weeks of public disclosure. 2. **A BYOVD driver** — a vulnerable signed driver that provides arbitrary kernel read/write - as a primitive. See `tools/byovd/` for the BYOVD framework (hash-only manifest; no + as a primitive. See [`tools/byovd/`](../../tools/byovd/) for the BYOVD framework (hash-only manifest; no driver files committed per repo policy). 3. **A PPL bypass** — patched as pure software bypasses since 2022 (see - `tools/edr-silencing/ppl-bypass/`). + [`tools/edr-silencing/ppl-bypass/`](../../tools/edr-silencing/ppl-bypass/)). Implementing a kernel callback removal primitive without a corresponding BYOVD driver or kernel exploit has no demonstration value and would require committing a vulnerable driver -(blocked by CI gate `ci/check_no_committed_drivers.py`). +(blocked by CI gate [`ci/check_no_committed_drivers.py`](../../ci/)). **The research value is in the defensive side:** detecting when callbacks have been removed is a high-fidelity EDR evasion indicator. ## Defensive tooling -`tools/edr-silencing/callback-integrity/`: +[`tools/edr-silencing/callback-integrity/`](../../tools/edr-silencing/callback-integrity/): - `callback_enumerator.py` — Python-side EDR provider enumeration and diff tool. Enumerates known EDR providers and compares against baseline. @@ -54,8 +54,8 @@ removed is a high-fidelity EDR evasion indicator. ## Known BYOVD drivers (historical) -The `tools/byovd/` framework maintains a hash-only manifest of known vulnerable drivers. -These are never committed as binaries. See `docs/methodology/edr-silencing-via-policy.md` +The [`tools/byovd/`](../../tools/byovd/) framework maintains a hash-only manifest of known vulnerable drivers. +These are never committed as binaries. See [`docs/methodology/edr-silencing-via-policy.md`](../methodology/edr-silencing-via-policy.md) for defensive policy-based mitigations. ## References 
diff --git a/docs/analysis/manifest-v3-capabilities.md b/docs/analysis/manifest-v3-capabilities.md
index 8db7f73..d0126b1 100644
--- a/docs/analysis/manifest-v3-capabilities.md
+++ b/docs/analysis/manifest-v3-capabilities.md
@@ -2,7 +2,6 @@
 **Date:** 2026-04-20
 **Author:** Security Research Lab
-**Workstream:** WS-G — Browser Extension Supply-Chain Attacks
 ---
diff --git a/docs/analysis/mobile-landscape-2026/README.md b/docs/analysis/mobile-landscape-2026/README.md
index b32d478..17d5050 100644
--- a/docs/analysis/mobile-landscape-2026/README.md
+++ b/docs/analysis/mobile-landscape-2026/README.md
@@ -46,9 +46,9 @@ scenarios in which clinical staff may be targeted.
 Related in-repo:
-- `docs/analysis/mobile-landscape-2026/ios-chains.md`
-- `docs/analysis/mobile-landscape-2026/android-chains.md`
-- `docs/analysis/mobile-landscape-2026/lockdown-mode-effectiveness.md`
-- `docs/analysis/mobile-landscape-2026/pwn2own-ireland-2025.md`
-- `docs/analysis/mobile-landscape-2026/enterprise-mdm-bypass.md`
-- `docs/methodology/mobile-threat-modeling.md` — threat modeling procedure.
+- [`docs/analysis/mobile-landscape-2026/ios-chains.md`](ios-chains.md)
+- [`docs/analysis/mobile-landscape-2026/android-chains.md`](android-chains.md)
+- [`docs/analysis/mobile-landscape-2026/lockdown-mode-effectiveness.md`](lockdown-mode-effectiveness.md)
+- [`docs/analysis/mobile-landscape-2026/pwn2own-ireland-2025.md`](pwn2own-ireland-2025.md)
+- [`docs/analysis/mobile-landscape-2026/enterprise-mdm-bypass.md`](enterprise-mdm-bypass.md)
+- [`docs/methodology/mobile-threat-modeling.md`](../../methodology/mobile-threat-modeling.md) — threat modeling procedure.
diff --git a/docs/analysis/rc4-deprecation-2026.md b/docs/analysis/rc4-deprecation-2026.md
index 8b6f30b..1e2c333 100644
--- a/docs/analysis/rc4-deprecation-2026.md
+++ b/docs/analysis/rc4-deprecation-2026.md
@@ -234,6 +234,6 @@ exploitable service accounts. - CVE-2026-20833 / KB5041160: Microsoft Kerberos RC4 enforcement documentation - [Microsoft: AD Kerberos encryption type deprecation](https://learn.microsoft.com/en-us/windows-server/security/kerberos/kerberos-authentication-overview) - [SpecterOps: Kerberoasting in a post-RC4-enforcement world (2026)](https://posts.specterops.io/) -- `tools/kerberos/roasting/aes_roast.py` — AES Kerberoasting implementation -- `tools/kerberos/roasting/service_account_triage.py` — RC4 misconfiguration scanner -- `tools/kerberos/roasting/rc4_vs_aes_crack_times.md` — GPU benchmark reference +- [`tools/kerberos/roasting/aes_roast.py`](../../tools/kerberos/roasting/aes_roast.py) — AES Kerberoasting implementation +- [`tools/kerberos/roasting/service_account_triage.py`](../../tools/kerberos/roasting/service_account_triage.py) — RC4 misconfiguration scanner +- [`tools/kerberos/roasting/rc4_vs_aes_crack_times.md`](../../tools/kerberos/roasting/rc4_vs_aes_crack_times.md) — GPU benchmark reference diff --git a/docs/analysis/vishing-2026-market.md b/docs/analysis/vishing-2026-market.md index e33379f..2aed537 100644 --- a/docs/analysis/vishing-2026-market.md +++ b/docs/analysis/vishing-2026-market.md @@ -194,7 +194,7 @@ protocols that do not rely on voice recognition. 5. Dual-authorization for financial requests (regardless of how urgent the request seems) eliminates the single-phone-call wire fraud path entirely. -See `docs/methodology/deepfake-vishing-tabletop.md` for the defender playbook +See [`docs/methodology/deepfake-vishing-tabletop.md`](../methodology/deepfake-vishing-tabletop.md) for the defender playbook and tabletop exercise procedure. ## References 
@@ -211,6 +211,6 @@ and tabletop exercise procedure. Related in-repo: -- `docs/methodology/deepfake-vishing-tabletop.md` — tabletop procedure. -- `tools/phishing/vishing/` — scenario scripts. -- `docs/analysis/healthcare-ransomware-2026.md` — healthcare-vertical threat context. +- [`docs/methodology/deepfake-vishing-tabletop.md`](../methodology/deepfake-vishing-tabletop.md) — tabletop procedure. +- [`tools/phishing/vishing/`](../../tools/phishing/vishing/) — scenario scripts. +- [`docs/analysis/healthcare-ransomware-2026.md`](healthcare-ransomware-2026.md) — healthcare-vertical threat context. diff --git a/docs/methodology/aitm-phishing-2026.md b/docs/methodology/aitm-phishing-2026.md index 469fc92..747c9e6 100644 --- a/docs/methodology/aitm-phishing-2026.md +++ b/docs/methodology/aitm-phishing-2026.md @@ -45,7 +45,7 @@ instant subdomain provisioning make per-campaign URL rotation trivial. kit — operated directly by the attacker. Favored in sophisticated targeted campaigns where PhaaS infrastructure introduces supply chain risk. -See `tools/phishing/aitm-kits/` for detailed coverage of each kit. +See [`tools/phishing/aitm-kits/`](../../tools/phishing/aitm-kits/) for detailed coverage of each kit. ## Kill Chain Position @@ -91,7 +91,7 @@ tycoon_sim.py (--mode capture) → reads capture log **Containment enforcement:** - `ContainmentGuard.assert_aitm_loopback_only()` — verifies proxy is loopback - `ContainmentGuard.assert_entra_is_mock()` — verifies mock Entra endpoint -- CI gate `ci/check_aitm_loopback_only.py` — statically rejects real IdP URLs +- CI gate [`ci/check_aitm_loopback_only.py`](../../ci/check_aitm_loopback_only.py) — statically rejects real IdP URLs ## Detection Strategy 
@@ -148,9 +148,9 @@ The following controls are ordered from most to least durable:
 Cloudflare-hosted lures.
 The authoritative write-up on passkeys as a control is in
-`tools/phishing/aitm-kits/defender-controls/passkey_as_mitigation.md`.
+[`tools/phishing/aitm-kits/defender-controls/passkey_as_mitigation.md`](../../tools/phishing/aitm-kits/defender-controls/passkey_as_mitigation.md).
 CA Token Protection details are in
-`tools/phishing/aitm-kits/defender-controls/ca_token_protection.md`.
+[`tools/phishing/aitm-kits/defender-controls/ca_token_protection.md`](../../tools/phishing/aitm-kits/defender-controls/ca_token_protection.md).
 ## References
@@ -165,7 +165,7 @@ CA Token Protection details are in
 Related in-repo:
-- `docs/analysis/aitm-kit-market-2026.md` — kit evolution from Tycoon2FA through Rockstar2FA.
-- `tools/phishing/aitm-kits/` — reproductions across Tycoon2FA, Sneaky2FA, Rockstar2FA, Evilginx3.
-- `tools/phishing/aitm-kits/defender-controls/` — passkey and token-protection guidance.
-- `docs/methodology/phish-resistance-testing.md` — phish-resistance bench methodology.
+- [`docs/analysis/aitm-kit-market-2026.md`](../analysis/aitm-kit-market-2026.md) — kit evolution from Tycoon2FA through Rockstar2FA.
+- [`tools/phishing/aitm-kits/`](../../tools/phishing/aitm-kits/) — reproductions across Tycoon2FA, Sneaky2FA, Rockstar2FA, Evilginx3.
+- [`tools/phishing/aitm-kits/defender-controls/`](../../tools/phishing/aitm-kits/defender-controls/) — passkey and token-protection guidance.
+- [`docs/methodology/phish-resistance-testing.md`](phish-resistance-testing.md) — phish-resistance bench methodology.
diff --git a/docs/methodology/bof-loading-and-safety.md b/docs/methodology/bof-loading-and-safety.md
index 928471b..9b96973 100644
--- a/docs/methodology/bof-loading-and-safety.md
+++ b/docs/methodology/bof-loading-and-safety.md
@@ -16,7 +16,7 @@ Operator → C2 API POST /api/sessions/{id}/bof (bof_name)
 ## Symbol allowlist
-The allowlist in `tools/rust/bof-loader/src/symbol_table.rs` is the primary safety
+The allowlist in [`tools/rust/bof-loader/src/symbol_table.rs`](../../tools/rust/bof-loader/src/symbol_table.rs) is the primary safety
 boundary. Only these API categories are permitted:
 - **Process info (read-only):** `GetCurrentProcessId`, `GetCurrentThreadId`, `OpenProcess`
@@ -45,7 +45,7 @@ On non-Windows platforms, `execute()` returns `Err(BofError::UnsupportedPlatform
 ## Writing BOFs
-See `tools/bofs/` for example BOFs (`whoami.c`, `ls.c`, `env.c`).
+See [`tools/bofs/`](../../tools/bofs/) for example BOFs (`whoami.c`, `ls.c`, `env.c`).
 Compile with:
 ```bash
@@ -56,9 +56,9 @@ The output `.o` file is a COFF object that the loader can execute.
 ## Detection
-- `tools/rust/bof-loader/detection/sigma/bof_coff_execution.yml` — Sigma: RWX heap
+- [`tools/rust/bof-loader/detection/sigma/bof_coff_execution.yml`](../../tools/rust/bof-loader/detection/sigma/bof_coff_execution.yml) — Sigma: RWX heap
 allocation followed by execution without preceding VirtualProtect
-- `tools/rust/bof-loader/detection/kql/anomalous_heap_execution.kql` — KQL: MDE
+- [`tools/rust/bof-loader/detection/kql/anomalous_heap_execution.kql`](../../tools/rust/bof-loader/detection/kql/anomalous_heap_execution.kql) — KQL: MDE
 DeviceMemoryEvents with RWX allocation in beacon address range
 ## References
diff --git a/docs/methodology/browser-extension-supply-chain.md b/docs/methodology/browser-extension-supply-chain.md
index ed07083..0401808 100644
--- a/docs/methodology/browser-extension-supply-chain.md
+++ b/docs/methodology/browser-extension-supply-chain.md
@@ -2,7 +2,6 @@
 **Date:** 2026-04-20
 **Author:** Security Research Lab
-**Workstream:** WS-G — Browser Extension Supply-Chain Attacks
 ---
@@ -190,7 +189,7 @@ monitoring catches actual exploitation:
 ### Chrome DevTools Protocol (CDP) Monitoring
-`tools/browser-ext-attacks/eval/runtime_monitor.py` connects to Chrome's remote
+[`tools/browser-ext-attacks/eval/runtime_monitor.py`](../../tools/browser-ext-attacks/eval/runtime_monitor.py) connects to Chrome's remote
 debugging port and monitors extension service workers for:
 - Outbound POST requests to unusual destinations
@@ -266,5 +265,5 @@ Tier 1 or Tier 2, hold the update until manual review is complete.
 - Cyberhaven incident report: https://www.cyberhaven.com/blog/cyberhavens-chrome-extension-was-compromised-and-what-were-doing-about-it
 - Google Chrome Browser Cloud Management: https://chromeenterprise.google/browser/management/
 - CRXcavator (extension security analysis): https://crxcavator.io/
-- `docs/analysis/manifest-v3-capabilities.md` — Technical capability analysis
-- `tools/browser-ext-attacks/` — Lab extension catalog and defender tools
+- [`docs/analysis/manifest-v3-capabilities.md`](../analysis/manifest-v3-capabilities.md) — Technical capability analysis
+- [`tools/browser-ext-attacks/`](../../tools/browser-ext-attacks/) — Lab extension catalog and defender tools
diff --git a/docs/methodology/browser-native-postex.md b/docs/methodology/browser-native-postex.md
index f38d420..cc1271a 100644
--- a/docs/methodology/browser-native-postex.md
+++ b/docs/methodology/browser-native-postex.md
@@ -21,7 +21,7 @@ A WASM binary:
 ## Capabilities
-The `tools/browser-native-postex/wasm-payload/` module (Rust + wasm-bindgen) implements:
+The [`tools/browser-native-postex/wasm-payload/`](../../tools/browser-native-postex/wasm-payload/) module (Rust + wasm-bindgen) implements:
 | Function | What it collects |
 |----------|-----------------|
@@ -42,7 +42,7 @@ Modeled on the Cyberhaven December 2024 incident: 35+ Chrome extensions were upd malicious content scripts after attackers phished the extension developers' Google OAuth credentials. The extension's auto-update mechanism silently installed the malicious version. -See `tools/browser-native-postex/delivery/via_mv3_extension/`. +See [`tools/browser-native-postex/delivery/via_mv3_extension/`](../../tools/browser-native-postex/delivery/via_mv3_extension/). ### Compromised service worker @@ -50,7 +50,7 @@ A service worker with `fetch` event interception can modify every HTML response Injecting a `