From 9d73966976264ac206873c4ef6ee6e5e14181cb5 Mon Sep 17 00:00:00 2001
From: Rudraditya Thakur
Date: Fri, 6 Feb 2026 11:58:08 +0530
Subject: [PATCH 1/2] added ATT&CK references to relay and SCCM modules
---
 modules/auxiliary/admin/sccm/get_naa_credentials.rb | 3 ++-
 modules/auxiliary/server/relay/esc8.rb | 4 ++++
 modules/auxiliary/server/relay/relay_get_naa_credentials.rb | 4 +++-
 3 files changed, 9 insertions(+), 2 deletions(-)
diff --git a/modules/auxiliary/admin/sccm/get_naa_credentials.rb b/modules/auxiliary/admin/sccm/get_naa_credentials.rb
index 6924b834db..3eaeea3c1d 100644
--- a/modules/auxiliary/admin/sccm/get_naa_credentials.rb
+++ b/modules/auxiliary/admin/sccm/get_naa_credentials.rb
@@ -25,7 +25,8 @@ class MetasploitModule < Msf::Auxiliary
 ['URL', 'https://blog.xpnsec.com/unobfuscating-network-access-accounts/'],
 ['URL', 'https://github.com/subat0mik/Misconfiguration-Manager/blob/main/attack-techniques/CRED/CRED-2/cred-2_description.md'],
 ['URL', 'https://github.com/Mayyhem/SharpSCCM'],
- ['URL', 'https://github.com/garrettfoster13/sccmhunter']
+ ['URL', 'https://github.com/garrettfoster13/sccmhunter'],
+ ['ATT&CK', Mitre::Attack::Technique::T1552_001_CREDENTIALS_IN_FILES]
 ],
 'License' => MSF_LICENSE,
 'Notes' => {
diff --git a/modules/auxiliary/server/relay/esc8.rb b/modules/auxiliary/server/relay/esc8.rb
index 6e7bfc5cf6..eec1c2d17a 100644
--- a/modules/auxiliary/server/relay/esc8.rb
+++ b/modules/auxiliary/server/relay/esc8.rb
@@ -21,6 +21,10 @@ class MetasploitModule < Msf::Auxiliary
 'jhicks-r7', # query for available certs
 'Spencer McIntyre'
 ],
+ 'References' => [
+ ['ATT&CK', Mitre::Attack::Technique::T1557_ADVERSARY_IN_THE_MIDDLE],
+ ['ATT&CK', Mitre::Attack::Technique::T1649_STEAL_OR_FORGE_AUTHENTICATION_CERTIFICATES]
+ ],
 'License' => MSF_LICENSE,
 'Actions' => [[ 'Relay', { 'Description' => 'Run SMB ESC8 relay server' } ]],
 'PassiveActions' => [ 'Relay' ],
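Review bot: The `'References'` block added to esc8.rb cites the parent technique T1557, although the action on the context line reads 'Run SMB ESC8 relay server' and ATT&CK has a sub-technique, T1557.001 (LLMNR/NBT-NS Poisoning and SMB Relay), that describes SMB relaying directly. The second patch of this series already narrows T1552 to T1552.001, so the same narrowing would be consistent here: `['ATT&CK', Mitre::Attack::Technique::<T1557_001 constant>]`, where the placeholder stands for the constant name to be confirmed in Mitre::Attack::Technique. The T1557 line added in the relay_get_naa_credentials.rb hunk likely deserves the same treatment, assuming that module also relays SMB authentication, which the hunk does not show. The module info hash starts and ends outside these hunks, so whether other keys already describe the relay technique cannot be checked from here.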
diff --git a/modules/auxiliary/server/relay/relay_get_naa_credentials.rb b/modules/auxiliary/server/relay/relay_get_naa_credentials.rb
index 34d2affec9..539bc7642c 100644
--- a/modules/auxiliary/server/relay/relay_get_naa_credentials.rb
+++ b/modules/auxiliary/server/relay/relay_get_naa_credentials.rb
@@ -30,7 +30,9 @@ class MetasploitModule < Msf::Auxiliary
 ['URL', 'https://blog.xpnsec.com/unobfuscating-network-access-accounts/'],
 ['URL', 'https://github.com/subat0mik/Misconfiguration-Manager/blob/main/attack-techniques/CRED/CRED-2/cred-2_description.md'],
 ['URL', 'https://github.com/Mayyhem/SharpSCCM'],
- ['URL', 'https://github.com/garrettfoster13/sccmhunter']
+ ['URL', 'https://github.com/garrettfoster13/sccmhunter'],
+ ['ATT&CK', Mitre::Attack::Technique::T1557_ADVERSARY_IN_THE_MIDDLE],
+ ['ATT&CK', Mitre::Attack::Technique::T1552_UNSECURED_CREDENTIALS]
 ],
 'DefaultOptions' => {
 'RPORT' => 80
From 4c1a25198b9088353705b80516c75a71d87c971f Mon Sep 17 00:00:00 2001
From: Rudraditya Thakur
Date: Sat, 7 Feb 2026 10:09:31 +0530
Subject: [PATCH 2/2] updated: ATT&CK ID from T1552 to T1552.001 in relay_get_naa_credentials.rb
---
 modules/auxiliary/server/relay/relay_get_naa_credentials.rb | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/modules/auxiliary/server/relay/relay_get_naa_credentials.rb b/modules/auxiliary/server/relay/relay_get_naa_credentials.rb
index 539bc7642c..103ef67178 100644
--- a/modules/auxiliary/server/relay/relay_get_naa_credentials.rb
+++ b/modules/auxiliary/server/relay/relay_get_naa_credentials.rb
@@ -32,7 +32,7 @@ class MetasploitModule < Msf::Auxiliary
 ['URL', 'https://github.com/Mayyhem/SharpSCCM'],
 ['URL', 'https://github.com/garrettfoster13/sccmhunter'],
 ['ATT&CK', Mitre::Attack::Technique::T1557_ADVERSARY_IN_THE_MIDDLE],
- ['ATT&CK', Mitre::Attack::Technique::T1552_UNSECURED_CREDENTIALS]
+ ['ATT&CK', Mitre::Attack::Technique::T1552_001_CREDENTIALS_IN_FILES]
 ],
 'DefaultOptions' => {
 'RPORT' => 80