[pull] master from rapid7:master

db/modules_metadata_base.json

@@ -842,7 +842,9 @@
       "URL-https://github.com/GhostPack/Certify",
       "URL-https://github.com/ly4k/Certipy",
       "URL-https://medium.com/@offsecdeer/adcs-exploitation-series-part-2-certificate-mapping-esc15-6e19a6037760",
-      "URL-https://www.thehacker.recipes/ad/movement/adcs/certificate-templates#esc16-a-compatibility-mode"
+      "URL-https://www.thehacker.recipes/ad/movement/adcs/certificate-templates#esc16-a-compatibility-mode",
+      "ATT&CK-T1098",
+      "ATT&CK-T1649"
     ],
     "platform": "",
     "arch": "",
@@ -856,7 +858,7 @@
       "microsoft-ds"
     ],
     "targets": null,
-    "mod_time": "2025-10-06 10:39:20 +0000",
+    "mod_time": "2026-02-07 10:12:36 +0000",
     "path": "/modules/auxiliary/admin/dcerpc/esc_update_ldap_object.rb",
     "is_install_path": true,
     "ref_name": "admin/dcerpc/esc_update_ldap_object",
@@ -903,7 +905,8 @@
     "references": [
       "URL-https://posts.specterops.io/certified-pre-owned-d95910965cd2",
       "URL-https://github.com/GhostPack/Certify",
-      "URL-https://github.com/ly4k/Certipy"
+      "URL-https://github.com/ly4k/Certipy",
+      "ATT&CK-T1649"
     ],
     "platform": "",
     "arch": "",
@@ -917,7 +920,7 @@
       "microsoft-ds"
     ],
     "targets": null,
-    "mod_time": "2025-05-30 13:54:35 +0000",
+    "mod_time": "2026-02-07 10:12:36 +0000",
     "path": "/modules/auxiliary/admin/dcerpc/icpr_cert.rb",
     "is_install_path": true,
     "ref_name": "admin/dcerpc/icpr_cert",
@@ -7246,15 +7249,17 @@
     "references": [
       "URL-https://www.ired.team/offensive-security-experiments/active-directory-kerberos-abuse/resource-based-constrained-delegation-ad-computer-object-take-over-and-privilged-code-execution",
       "URL-https://www.thehacker.recipes/ad/movement/kerberos/delegations/rbcd",
-      "URL-https://github.com/SecureAuthCorp/impacket/blob/3c6713e309cae871d685fa443d3e21b7026a2155/examples/rbcd.py"
+      "URL-https://github.com/SecureAuthCorp/impacket/blob/3c6713e309cae871d685fa443d3e21b7026a2155/examples/rbcd.py",
+      "ATT&CK-T1098",
+      "ATT&CK-T1558"
     ],
     "platform": "",
     "arch": "",
     "rport": 389,
     "autofilter_ports": [],
     "autofilter_services": [],
     "targets": null,
-    "mod_time": "2025-06-23 18:39:19 +0000",
+    "mod_time": "2026-02-06 10:38:56 +0000",
     "path": "/modules/auxiliary/admin/ldap/rbcd.rb",
     "is_install_path": true,
     "ref_name": "admin/ldap/rbcd",
@@ -7305,15 +7310,16 @@
     "description": "This module can read and write the necessary LDAP attributes to configure a particular account with a\n          Key Credential Link. This allows weaponising write access to a user account by adding a certificate\n          that can subsequently be used to authenticate. In order for this to succeed, the authenticated user\n          must have write access to the target object (the object specified in TARGET_USER).",
     "references": [
       "URL-https://posts.specterops.io/shadow-credentials-abusing-key-trust-account-mapping-for-takeover-8ee1a53566ab",
-      "URL-https://www.ired.team/offensive-security-experiments/active-directory-kerberos-abuse/shadow-credentials"
+      "URL-https://www.ired.team/offensive-security-experiments/active-directory-kerberos-abuse/shadow-credentials",
+      "ATT&CK-T1098"
     ],
     "platform": "",
     "arch": "",
     "rport": 389,
     "autofilter_ports": [],
     "autofilter_services": [],
     "targets": null,
-    "mod_time": "2025-05-13 09:23:28 +0000",
+    "mod_time": "2026-02-09 22:52:31 +0000",
     "path": "/modules/auxiliary/admin/ldap/shadow_credentials.rb",
     "is_install_path": true,
     "ref_name": "admin/ldap/shadow_credentials",
@@ -24634,15 +24640,16 @@
     ],
     "description": "This module will try to find Service Principal Names that are associated with normal user accounts.\n          Since normal accounts' passwords tend to be shorter than machine accounts, and knowing that a TGS request\n          will encrypt the ticket with the account the SPN is running under, this could be used for an offline\n          bruteforcing attack of the SPNs account NTLM hash if we can gather valid TGS for those SPNs.\n          This is part of the kerberoast attack research by Tim Medin (@timmedin).",
     "references": [
-      "URL-https://github.com/CoreSecurity/impacket/blob/master/examples/GetUserSPNs.py"
+      "URL-https://github.com/CoreSecurity/impacket/blob/master/examples/GetUserSPNs.py",
+      "ATT&CK-T1558.003"
     ],
     "platform": "",
     "arch": "",
     "rport": 389,
     "autofilter_ports": [],
     "autofilter_services": [],
     "targets": null,
-    "mod_time": "2025-05-19 14:40:12 +0000",
+    "mod_time": "2026-02-06 10:46:53 +0000",
     "path": "/modules/auxiliary/gather/kerberoast.rb",
     "is_install_path": true,
     "ref_name": "gather/kerberoast",
@@ -24843,15 +24850,16 @@
       "URL-https://research.ifcr.dk/certipy-4-0-esc9-esc10-bloodhound-gui-new-authentication-and-request-methods-and-more-7237d88061f7",
       "URL-https://posts.specterops.io/adcs-esc13-abuse-technique-fda4272fbd53",
       "URL-https://trustedsec.com/blog/ekuwu-not-just-another-ad-cs-esc",
-      "URL-https://github.com/ly4k/Certipy/wiki/06-%E2%80%90-Privilege-Escalation"
+      "URL-https://github.com/ly4k/Certipy/wiki/06-%E2%80%90-Privilege-Escalation",
+      "ATT&CK-T1649"
     ],
     "platform": "",
     "arch": "",
     "rport": 389,
     "autofilter_ports": [],
     "autofilter_services": [],
     "targets": null,
-    "mod_time": "2025-10-06 10:39:20 +0000",
+    "mod_time": "2026-02-06 10:38:56 +0000",
     "path": "/modules/auxiliary/gather/ldap_esc_vulnerable_cert_finder.rb",
     "is_install_path": true,
     "ref_name": "gather/ldap_esc_vulnerable_cert_finder",

modules/auxiliary/admin/dcerpc/esc_update_ldap_object.rb

@@ -43,7 +43,9 @@ def initialize(info = {})
           [ 'URL', 'https://github.com/GhostPack/Certify' ],
           [ 'URL', 'https://github.com/ly4k/Certipy' ],
           [ 'URL', 'https://medium.com/@offsecdeer/adcs-exploitation-series-part-2-certificate-mapping-esc15-6e19a6037760' ],
-          [ 'URL', 'https://www.thehacker.recipes/ad/movement/adcs/certificate-templates#esc16-a-compatibility-mode' ]
+          [ 'URL', 'https://www.thehacker.recipes/ad/movement/adcs/certificate-templates#esc16-a-compatibility-mode' ],
+          [ 'ATT&CK', Mitre::Attack::Technique::T1098_ACCOUNT_MANIPULATION ],
+          [ 'ATT&CK', Mitre::Attack::Technique::T1649_STEAL_OR_FORGE_AUTHENTICATION_CERTIFICATES ]
         ],
         'Notes' => {
           'Reliability' => [],

modules/auxiliary/admin/dcerpc/icpr_cert.rb

@@ -34,7 +34,8 @@ def initialize(info = {})
         'References' => [
           [ 'URL', 'https://posts.specterops.io/certified-pre-owned-d95910965cd2' ],
           [ 'URL', 'https://github.com/GhostPack/Certify' ],
-          [ 'URL', 'https://github.com/ly4k/Certipy' ]
+          [ 'URL', 'https://github.com/ly4k/Certipy' ],
+          [ 'ATT&CK', Mitre::Attack::Technique::T1649_STEAL_OR_FORGE_AUTHENTICATION_CERTIFICATES ]
         ],
         'Notes' => {
           'Reliability' => [],

modules/auxiliary/admin/ldap/rbcd.rb

@@ -29,7 +29,9 @@ def initialize(info = {})
         'References' => [
           ['URL', 'https://www.ired.team/offensive-security-experiments/active-directory-kerberos-abuse/resource-based-constrained-delegation-ad-computer-object-take-over-and-privilged-code-execution'],
           ['URL', 'https://www.thehacker.recipes/ad/movement/kerberos/delegations/rbcd'],
-          ['URL', 'https://github.com/SecureAuthCorp/impacket/blob/3c6713e309cae871d685fa443d3e21b7026a2155/examples/rbcd.py']
+          ['URL', 'https://github.com/SecureAuthCorp/impacket/blob/3c6713e309cae871d685fa443d3e21b7026a2155/examples/rbcd.py'],
+          ['ATT&CK', Mitre::Attack::Technique::T1098_ACCOUNT_MANIPULATION],
+          ['ATT&CK', Mitre::Attack::Technique::T1558_STEAL_OR_FORGE_KERBEROS_TICKETS]
         ],
         'License' => MSF_LICENSE,
         'Actions' => [

modules/auxiliary/admin/ldap/shadow_credentials.rb

@@ -28,7 +28,8 @@ def initialize(info = {})
         ],
         'References' => [
           ['URL', 'https://posts.specterops.io/shadow-credentials-abusing-key-trust-account-mapping-for-takeover-8ee1a53566ab'],
-          ['URL', 'https://www.ired.team/offensive-security-experiments/active-directory-kerberos-abuse/shadow-credentials']
+          ['URL', 'https://www.ired.team/offensive-security-experiments/active-directory-kerberos-abuse/shadow-credentials'],
+          ['ATT&CK', Mitre::Attack::Technique::T1098_ACCOUNT_MANIPULATION]
         ],
         'License' => MSF_LICENSE,
         'Actions' => [

modules/auxiliary/gather/kerberoast.rb

@@ -30,7 +30,8 @@ def initialize(info = {})
           'smashery', # MSF Module
         ],
         'References' => [
-          ['URL', 'https://github.com/CoreSecurity/impacket/blob/master/examples/GetUserSPNs.py']
+          ['URL', 'https://github.com/CoreSecurity/impacket/blob/master/examples/GetUserSPNs.py'],
+          ['ATT&CK', Mitre::Attack::Technique::T1558_003_KERBEROASTING]
         ],
         'Notes' => {
           'Stability' => [CRASH_SAFE],

modules/auxiliary/gather/ldap_esc_vulnerable_cert_finder.rb

@@ -78,7 +78,9 @@ def initialize(info = {})
           'Spencer McIntyre', # ESC13 and ESC15 updates
           'jheysel-r7' # ESC4, ESC9 and ESC10 update
         ],
-        'References' => REFERENCES.values.flatten.map { |r| [ r.ctx_id, r.ctx_val ] }.uniq,
+        'References' => (REFERENCES.values.flatten.map { |r| [ r.ctx_id, r.ctx_val ] }.uniq + [
+          ['ATT&CK', Mitre::Attack::Technique::T1649_STEAL_OR_FORGE_AUTHENTICATION_CERTIFICATES]
+        ]).uniq,
         'DisclosureDate' => '2021-06-17',
         'License' => MSF_LICENSE,
         'DefaultOptions' => {