Reporting
Finding Templates & CVSS
Consistent finding documentation ensures clarity and enables comparison across engagements. Use standardized templates and accurate CVSS scoring.
CVSS 3.1 Scoring
Information
CVSS (Common Vulnerability Scoring System) provides standardized severity ratings.
Use the FIRST CVSS 3.1 calculator (https://www.first.org/cvss/calculator/3.1) to compute scores rather than estimating them by hand.
Base Score Metrics
| Metric | Values | Description |
|---|---|---|
| Attack Vector (AV) | N / A / L / P | Network / Adjacent / Local / Physical |
| Attack Complexity (AC) | L / H | Low / High complexity required |
| Privileges Required (PR) | N / L / H | None / Low / High privileges |
| User Interaction (UI) | N / R | None / Required |
| Scope (S) | U / C | Unchanged / Changed (affects other components) |
| Confidentiality (C) | N / L / H | None / Low / High impact |
| Integrity (I) | N / L / H | None / Low / High impact |
| Availability (A) | N / L / H | None / Low / High impact |
Severity Ratings
| Severity | Base Score Range |
|---|---|
| Critical | 9.0 - 10.0 |
| High | 7.0 - 8.9 |
| Medium | 4.0 - 6.9 |
| Low | 0.1 - 3.9 |
| Info | 0.0 |
Common Finding CVSS Examples
```text
# Unauthenticated RCE
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H = 10.0 (Critical)
# Kerberoasting (weak service password)
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N = 6.5 (Medium)
# With privilege escalation path:
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H = 8.8 (High)
# LLMNR/NBT-NS Poisoning
CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N = 6.5 (Medium)
# SMB Signing Disabled (relay attacks)
CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N = 8.1 (High)
# Weak password policy
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N = 5.3 (Medium)
# Missing patches (depends on CVE)
# Use the CVE's official CVSS score
# Sensitive data exposure in share
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N = 6.5 (Medium)
```
Detailed Finding Template
```text
================================================================================
FINDING: [Clear, Descriptive Title]
================================================================================
IDENTIFICATION
--------------
Finding ID: CORP-2024-001
Date Discovered: 2024-11-15
Tester: John Smith
Status: Confirmed / Exploited
CLASSIFICATION
--------------
Severity: Critical / High / Medium / Low / Informational
CVSS 3.1 Score: 8.8 (High)
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
CWE: CWE-522 (Insufficiently Protected Credentials)
MITRE ATT&CK: T1558.003 (Kerberoasting)
AFFECTED ASSETS
---------------
• DC01.corp.local (10.0.0.10) - Domain Controller
• Service Account: svc_backup
• Service Account: svc_sql
DESCRIPTION
-----------
Multiple Active Directory service accounts were found to be configured with
Service Principal Names (SPNs) and weak passwords. The Kerberoasting attack
allows any authenticated domain user to request service tickets for these
accounts and crack them offline without generating significant logging.
Two service accounts were successfully compromised:
- svc_backup: Member of Backup Operators (can extract NTDS.dit)
- svc_sql: Local admin on SQL01, SQL02, SQL03
TECHNICAL DETAILS
-----------------
The attack was performed using Impacket's GetUserSPNs.py tool:
$ GetUserSPNs.py corp.local/testuser:Password123 -dc-ip 10.0.0.10 -request
ServicePrincipalName                   Name        MemberOf
-------------------------------------- ----------  --------------------------
MSSQLSvc/sql01.corp.local:1433         svc_sql     CN=SQL Admins,DC=corp,DC=local
CIFS/backup.corp.local                 svc_backup  CN=Backup Operators,DC=corp,DC=local
The extracted ticket hashes were cracked using Hashcat:
$ hashcat -m 13100 hashes.txt rockyou.txt --rules
svc_backup: Backup2024! (cracked in 3 seconds)
svc_sql: SQLadmin123! (cracked in 12 seconds)
IMPACT
------
BUSINESS IMPACT:
• Domain compromise path via Backup Operators privileges
• Access to all SQL databases via svc_sql account
• Potential data breach of customer information
• Regulatory compliance violation (PCI-DSS, SOX)
TECHNICAL IMPACT:
• svc_backup can backup/restore AD (extract all credentials)
• svc_sql has local admin on database servers
• Both accounts have non-expiring passwords
• No detection mechanism for offline cracking
LIKELIHOOD: HIGH
• Attack requires only low-privileged domain access
• Tickets can be requested without detection
• Weak passwords crack in seconds
EVIDENCE
--------
• Screenshot 1: GetUserSPNs output (finding001_spns.png)
• Screenshot 2: Hashcat cracking results (finding001_cracked.png)
• Screenshot 3: svc_backup group membership (finding001_groups.png)
• Log file: getuserspns_output.txt
REMEDIATION
-----------
IMMEDIATE (0-7 days):
1. Reset passwords for svc_backup and svc_sql to 25+ character random strings
2. Monitor for suspicious logon events from these accounts
3. Audit recent activity of compromised accounts
SHORT-TERM (1-4 weeks):
1. Implement Group Managed Service Accounts (gMSA) where possible
2. Enable AES256 encryption for Kerberos (disable RC4)
3. Reduce service account privileges to minimum required
LONG-TERM (1-3 months):
1. Quarterly SPN audit and password rotation
2. Implement privileged access monitoring
3. Deploy honeypot SPNs for detection
REFERENCES
----------
• MITRE ATT&CK: https://attack.mitre.org/techniques/T1558/003/
• Microsoft gMSA: https://docs.microsoft.com/en-us/windows-server/security/
• Detection: https://adsecurity.org/?p=3458
================================================================================
```
Quick Finding Templates
LLMNR/NBT-NS Poisoning
```text
FINDING: LLMNR/NBT-NS Poisoning Enabled
SEVERITY: Medium-High
CVSS: 6.5-8.1 (depending on crackability)
CVSS VECTOR: CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
AFFECTED: Network-wide (all Windows systems)
DESCRIPTION:
Link-Local Multicast Name Resolution (LLMNR) and NetBIOS Name Service (NBT-NS)
are enabled on the network. These protocols broadcast name resolution requests
that an attacker on the local network can answer, capturing NTLMv2 hashes from
the victim's authentication attempt.
EVIDENCE:
- Responder captured 47 unique hashes in 4 hours
- 12 hashes cracked successfully
- Credentials include: jsmith, admin.helpdesk, svc_print
REMEDIATION:
1. Disable LLMNR via GPO: Computer Configuration > Administrative Templates >
   Network > DNS Client > Turn off multicast name resolution = Enabled
2. Disable NBT-NS via GPO or DHCP Option 001/002
3. Implement network segmentation
4. Monitor for unusual broadcast traffic
MITRE ATT&CK: T1557.001
```
SMB Signing Disabled
```text
FINDING: SMB Signing Not Required
SEVERITY: High
CVSS: 8.1
CVSS VECTOR: CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
AFFECTED:
- 10.0.0.50-100 (47 workstations)
- 10.0.0.200 (FILE01 - File Server)
DESCRIPTION:
SMB signing is not required on multiple systems, enabling SMB relay attacks.
An attacker can intercept SMB authentication and relay it to other systems
to gain unauthorized access.
EVIDENCE:
- crackmapexec scan identified 47 systems with signing disabled
- ntlmrelayx successfully relayed jsmith credentials to FILE01
- Achieved local admin access on FILE01
REMEDIATION:
1. Enable SMB signing via GPO:
   Computer Configuration > Policies > Windows Settings > Security Settings >
   Local Policies > Security Options:
   - Microsoft network client: Digitally sign communications (always) = Enabled
   - Microsoft network server: Digitally sign communications (always) = Enabled
2. Enable SMB signing on all servers immediately
3. Roll out to workstations in phases
MITRE ATT&CK: T1557.001
```
Risk Rating Matrix
```mermaid
flowchart TD
    subgraph Likelihood
        L1[Certain]
        L2[Likely]
        L3[Possible]
        L4[Unlikely]
    end
    subgraph Impact
        I1[Critical]
        I2[Major]
        I3[Moderate]
        I4[Minor]
    end
    L1 --> |Critical Impact| R1[CRITICAL]
    L2 --> |Critical Impact| R1
    L1 --> |Major Impact| R2[HIGH]
    L2 --> |Major Impact| R2
    L3 --> |Critical Impact| R2
    L3 --> |Major Impact| R3[MEDIUM]
    L4 --> |Major Impact| R4[LOW]
    style R1 fill:#dc2626,stroke:#000,color:#fff
    style R2 fill:#f97316,stroke:#000,color:#000
    style R3 fill:#eab308,stroke:#000,color:#000
    style R4 fill:#3b82f6,stroke:#000,color:#fff
```