A reusable library of finding write-ups, in SysReptor finding-template field structure, so you’re not retyping the same findings every engagement. Each entry is seeded from the matching manual page’s 📝 Reporting Trigger and links back to it — one source of truth: technique ↔ finding.

Two SysReptor concepts, don’t confuse them: a Design is the report’s look/structure (HTML/CSS, renders Markdown → PDF). A Finding Template is a reusable finding you insert into a report. This page covers finding templates. The exact fields a finding has are defined by your chosen Design — the universal set below maps cleanly onto the built-in demo design and most others.


How to use this library

  1. Pick a design once. To learn the tool, use the free SysReptor Cloud with the built-in demo design (no setup). For a polished structure, import a design from the OffSec-Reporting repo and rename it to taste.
  2. Create the templates once. In SysReptor: Templates → Create, paste the fields below, save. Reuse via Create finding from template in any project. Bulk-loading is possible later via the reptor CLI / REST API.
  3. Per engagement, adapt each finding you use:
    • Rescore CVSS to the real environment — the scores here are baselines, not gospel.
    • Fill Affected Components from your Engagement_Cockpit host tracker.
    • Attach evidence per Reporting_SysReptor.
  4. Extend it. Any manual page with a 📝 Reporting Trigger is a candidate for a new template — see Reporting_Findings_Types for categorization.

Universal field set used below: Title · Severity (CVSS 3.1 baseline) · Summary · Impact · Affected Components · Recommendation · References · Manual.


AD / identity findings

Active Directory ACL Misconfiguration Enables Privilege Escalation

  • Severity: High — CVSS 8.8 baseline (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)
  • Summary: Misconfigured DACLs grant low-privileged principals control rights (GenericAll, GenericWrite, WriteDACL, WriteOwner, ForceChangePassword) over higher-privileged users, groups, or the domain object.
  • Impact: A low-privileged attacker can reset passwords, add themselves to privileged groups, or grant replication rights — escalating to Domain Admin with no software exploit, purely via legitimate AD operations.
  • Affected Components: [principals / objects carrying excessive ACEs]
  • Recommendation: Audit ACLs with BloodHound/Purple Knight; remove non-default control rights on sensitive objects; adopt an AD tiering model; alert on ACL changes to Tier 0 objects.
  • References: MITRE ATT&CK T1098, T1222; Microsoft AD DS security best practices.
  • Manual: AD_ACL_Abuse

Kerberoasting — Weak Service Account Passwords

  • Severity: High — CVSS 8.1 baseline (AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H)
  • Summary: Any authenticated domain user can request a TGS for any account with an SPN; the ticket is encrypted with the service account’s password hash and crackable offline.
  • Impact: Service accounts are frequently over-privileged; a cracked password yields account compromise and often a direct path to domain escalation.
  • Affected Components: [SPN-bearing service accounts]
  • Recommendation: Use 25+ character random passwords or gMSAs for service accounts; remove unnecessary SPNs; enforce AES encryption; monitor anomalous TGS request volumes.
  • References: MITRE ATT&CK T1558.003.
  • Manual: AD_Kerberoasting

AS-REP Roasting — Accounts Without Kerberos Pre-Authentication

  • Severity: High — CVSS 7.5 baseline (AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N)
  • Summary: Accounts flagged “do not require Kerberos pre-authentication” return an AS-REP encrypted with the account’s password hash to any requester, enabling offline cracking without credentials.
  • Impact: Crackable hashes lead to account compromise with no prior authentication and minimal logging on the DC.
  • Affected Components: [accounts with DONT_REQ_PREAUTH set]
  • Recommendation: Remove the pre-authentication exemption unless strictly required; enforce strong passwords on any account that keeps it; monitor AS-REP requests.
  • References: MITRE ATT&CK T1558.004.
  • Manual: AD_Misc_Misconfigs

AD CS Certificate Template Misconfiguration (ESC1) Enables Domain Compromise

  • Severity: Critical — CVSS 9.0 baseline (AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H)
  • Summary: A certificate template permits enrollee-supplied subject (SAN), allows client authentication, requires no manager approval or authorized signatures, and grants enrollment to a broad group — letting a low-privileged principal request a certificate that authenticates as any user, including a Domain Admin.
  • Impact: Full domain compromise via certificate-based authentication (PKINIT or Schannel) as a privileged identity.
  • Affected Components: [CA name / vulnerable template name]
  • Recommendation: Remove CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT from client-auth templates; require manager approval; restrict enrollment rights; enforce strong certificate mapping (SID extension); audit with Certipy find -vulnerable.
  • References: SpecterOps “Certified Pre-Owned” (ESC1); MITRE ATT&CK T1649.
  • Manual: Pass_the_Certificate

AD CS Misconfiguration (ESC15 / ESC16) Enables Domain Compromise

  • Severity: Critical — CVSS 9.0 baseline (AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H)
  • Summary: Certificate-services escalation beyond ESC1: ESC16 is a CA-wide misconfiguration where the issuing CA omits the SID security extension, defeating strong certificate mapping for any client-auth template; ESC15 abuses a Schema-Version-1, enrollee-supplies-subject template by injecting application policies into the request. Either lets a low-privileged principal obtain a certificate that authenticates as a privileged user.
  • Impact: Authentication as a Domain Admin (or other privileged identity) via PKINIT/Schannel, leading to full domain compromise with no software vulnerability — and not detected by a per-template find -vulnerable scan in the ESC16 case.
  • Affected Components: [CA name (ESC16) / vulnerable template name (ESC15)]
  • Recommendation: Enable the SID security extension and enforce strong certificate mapping on the CA (ESC16); remove enrollee-supplied-subject and constrain application policies / upgrade schema-v1 templates (ESC15); restrict enrollment rights; audit with Certipy and review CA-level settings, not just templates.
  • References: SpecterOps “Certified Pre-Owned”; TrustedSec EKUwu (ESC15); MITRE ATT&CK T1649.
  • Manual: Pass_the_Certificate

Excessive Replication Rights Permit DCSync

  • Severity: Critical — CVSS 9.1 baseline (AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:N)
  • Summary: A non-Tier-0 principal holds DS-Replication-Get-Changes / Get-Changes-All on the domain, allowing it to impersonate a DC and replicate password hashes (DCSync).
  • Impact: Extraction of all domain credential material including the krbtgt key — full domain compromise and durable persistence via golden tickets.
  • Affected Components: [principals holding replication rights]
  • Recommendation: Remove replication rights from all non-DC principals; restrict to Domain Controllers / Tier 0; alert on DRSUAPI replication originating from non-DC hosts.
  • References: MITRE ATT&CK T1003.006.
  • Manual: AD_DCSync

Excessive Machine Account Quota Enables Delegation Abuse

  • Severity: Medium — CVSS 6.5 baseline (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N)
  • Summary: ms-DS-MachineAccountQuota lets standard users create computer accounts. Combined with delegation misconfigurations (RBCD) or vulnerable certificate templates, a controllable computer account becomes an escalation primitive.
  • Impact: Provides an attacker-controlled principal enabling RBCD impersonation or computer-based certificate enrollment — a frequent contributor to domain escalation chains.
  • Affected Components: [domain]
  • Recommendation: Set MachineAccountQuota to 0 and delegate machine-join to a controlled group; restrict who can configure delegation (msDS-AllowedToActOnBehalfOfOtherIdentity); monitor computer-account creation.
  • References: MITRE ATT&CK T1098.
  • Manual: AD_Privileged_Access

Excessive Delegation-Configuration Rights (SeEnableDelegationPrivilege) Enable Domain Compromise

  • Severity: Critical — CVSS 9.0 baseline (AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H)
  • Summary: A non-Tier-0 principal holds SeEnableDelegationPrivilege together with write control over a computer object, allowing it to enable constrained delegation with protocol transition (TRUSTED_TO_AUTH_FOR_DELEGATION + msDS-AllowedToDelegateTo) on that computer and impersonate any user to a Domain Controller service via S4U — even when MachineAccountQuota is 0.
  • Impact: Impersonation of a privileged identity to the DC’s CIFS/HOST service yields DCSync and full domain compromise, with no software vulnerability and no ability to create new computer accounts required.
  • Affected Components: [principal holding SeEnableDelegationPrivilege / controllable computer object]
  • Recommendation: Remove SeEnableDelegationPrivilege from all non-administrative principals; restrict write access to computer objects’ delegation attributes (userAccountControl, msDS-AllowedToDelegateTo); avoid constrained delegation with protocol transition where possible; alert on changes to delegation attributes and on the privilege assignment.
  • References: MITRE ATT&CK T1558.003, T1134.001; SpecterOps “Wagging the Dog” (S4U / constrained delegation).
  • Manual: AD_Privileged_Access

Credential & network findings

Weak and Reused Passwords Permit Credential Attacks

  • Severity: High — CVSS 8.0 baseline (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N)
  • Summary: Accounts use weak, guessable, or reused passwords, enabling password spraying and credential stuffing within the lockout policy.
  • Impact: Initial access or lateral movement using valid credentials; password reuse across accounts and hosts multiplies the blast radius.
  • Affected Components: [affected accounts]
  • Recommendation: Enforce a strong password policy with length requirements and a banned-password list; deploy MFA; ensure unique passwords per account; monitor for spraying patterns.
  • References: MITRE ATT&CK T1110.003, T1078.
  • Manual: AD_Password_Spraying_AD

LLMNR/NBT-NS/mDNS Poisoning Allows Credential Interception

  • Severity: High — CVSS 8.1 baseline (AV:A/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:N)
  • Summary: Broadcast name-resolution protocols (LLMNR, NBT-NS, mDNS) are enabled, letting an attacker on the local segment spoof responses and capture NetNTLM hashes or relay authentication.
  • Impact: Captured hashes are cracked offline or relayed to authenticate to other systems, enabling lateral movement and escalation.
  • Affected Components: [affected subnets / hosts]
  • Recommendation: Disable LLMNR and NBT-NS via GPO; disable mDNS where not required; enforce SMB signing to block relay; segment networks.
  • References: MITRE ATT&CK T1557.001.
  • Manual: AD_LLMNR_Poisoning

Anonymous SMB Access Exposes Sensitive Data

  • Severity: High — CVSS 7.5 baseline (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N)
  • Summary: SMB permits null-session/anonymous or guest access, and one or more shares disclose sensitive files (automation, scripts, configuration, credentials).
  • Impact: Unauthenticated disclosure of secrets that enable authenticated access and onward compromise.
  • Affected Components: [host / share names]
  • Recommendation: Disable anonymous and guest SMB access; restrict share and NTFS permissions to least privilege; remove secrets from shares; set RestrictAnonymous.
  • References: MITRE ATT&CK T1135, T1078.
  • Manual: SMB_Ports_139_445

Cleartext Credentials in Files and Group Policy Preferences

  • Severity: High — CVSS 8.0 baseline (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N)
  • Summary: Credentials are stored in cleartext or reversibly encrypted in files, scripts, configuration, or GPP cpassword in SYSVOL (Microsoft published the AES key).
  • Impact: Recovery of valid credentials enabling authenticated access, lateral movement, and escalation.
  • Affected Components: [file paths / GPO names]
  • Recommendation: Remove cleartext secrets; remediate GPP cpassword; adopt LAPS, gMSAs, or a secrets vault; tighten SYSVOL and file-share permissions.
  • References: MITRE ATT&CK T1552.001, T1552.006; MS14-025.
  • Manual: AD_Misc_Misconfigs

KeePass Vault with Weak Master Password Exposes Stored Credentials

  • Severity: High — CVSS 8.0 baseline (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N)
  • Summary: A .kdbx vault stored in a location accessible to a lower-privileged user (open share, anonymous FTP, backup, home directory) is protected by a weak/guessable master password and cracked offline (keepass2john → John/hashcat 13400), disclosing every stored credential.
  • Impact: A single cracked master password yields many reusable credentials — frequently including service and administrator accounts — enabling lateral movement and privilege escalation through credential reuse.
  • Affected Components: [vault file path / accounts disclosed]
  • Recommendation: Enforce a strong, unique KeePass master password (add a key file for high-value vaults); restrict access to vault files; avoid storing .kdbx on shared/world-readable locations; rotate any credentials exposed by this finding.
  • References: MITRE ATT&CK T1555.005, T1110.002.
  • Manual: Attacking_KeePass

Disclosed Dynamic DNS Update Key Permits Unauthorized Zone Manipulation

  • Severity: High — CVSS 8.1 baseline (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N)
  • Summary: A DNS dynamic-update key (RNDC/TSIG) is disclosed (e.g. via a readable or LFI-exposed named.conf), and the zone is configured to accept authenticated updates with it. Any party holding the key can add, change, or delete records (nsupdate).
  • Impact: An attacker can repoint records — including the mail server — to infrastructure they control, intercepting traffic the environment trusts (password-reset emails, tokens), enabling account takeover and onward compromise without exploiting the application.
  • Affected Components: [DNS server / zone name / key name]
  • Recommendation: Treat update keys as secrets — never store them in files reachable by web apps or low-privileged users; rotate any disclosed key; scope allow-update to specific authenticated sources; segregate the key per zone; monitor for anomalous dynamic updates.
  • References: RFC 2136 (Dynamic Updates); RFC 2845 (TSIG); MITRE ATT&CK T1565.002, T1557.
  • Manual: Attacking_DNS

Web / application & source-control findings

XML External Entity (XXE) Injection in a File Parser Discloses Local Files

  • Severity: High — CVSS 7.7 baseline (AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:L); rescore to network/unauth when the parser is reachable remotely
  • Summary: An XML parser resolves external entities from attacker-supplied input. The vector is not limited to web request bodies — file-format parsers that embed XML (e.g. an outdated ClamAV scanning a crafted DMG plist) expand SYSTEM entities and disclose their contents, especially when run with elevated privileges.
  • Impact: Disclosure of arbitrary local files readable by the parser’s process — including credentials and SSH private keys when the parser runs as root — enabling privilege escalation or further compromise; can also enable SSRF/DoS.
  • Affected Components: [parser / product+version / invocation context]
  • Recommendation: Disable external entity and DTD processing in all XML parsers; patch the affected component to a fixed version; avoid running file scanners/parsers as root over attacker-controlled input; constrain privileged automation with least privilege.
  • References: OWASP A05 (XXE); MITRE ATT&CK T1059, T1552.001; the specific parser CVE.
  • Manual: XXE_Injection

Server-Side Code Injection via Unsafe eval() / Expression Evaluation

  • Severity: Critical — CVSS 9.8 baseline when unauthenticated (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H); ~8.8 when the endpoint requires authentication
  • Summary: User-controlled input is interpolated into a server-side evaluation sink (eval, template engine, deserialization) and executed as code.
  • Impact: Remote code execution in the application context — full compromise of the app/container and a pivot to internal services and the host.
  • Affected Components: [endpoint / parameter]
  • Recommendation: Never pass user input to eval/dynamic evaluation; parse and validate types explicitly (e.g. cast to a number); use safe parsers and sandboxing; remove dynamic evaluation from request handling.
  • References: MITRE ATT&CK T1059; OWASP A03 Injection.
  • Manual: Command_Injection_Fundamentals

Sensitive Credentials Exposed in Source Control

  • Severity: High — CVSS 8.6 baseline (AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N)
  • Summary: Credentials, tokens, or keys are committed to a reachable repository — including in historical commits, which persist after being “removed” from the current files.
  • Impact: Recovery of valid secrets enabling authenticated access and onward compromise.
  • Affected Components: [repository / file / commit]
  • Recommendation: Remove secrets from code and rewrite history (deletion alone leaves them in git history); rotate all exposed secrets; adopt a secrets manager and pre-commit secret scanning; restrict repository visibility to least privilege.
  • References: MITRE ATT&CK T1552.001; OWASP A07.
  • Manual: Common_Apps_GitLab_osTicket

ASP.NET ViewState Deserialization (Leaked machineKey) Enables Remote Code Execution

  • Severity: Critical — CVSS 9.8 baseline when the keys are recoverable unauthenticated (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H); ~8.8 when key disclosure requires authentication
  • Summary: The ASP.NET machineKey (validation and decryption keys) is disclosed — typically via an exposed or LFI-readable web.config — allowing an attacker to forge a correctly signed and encrypted __VIEWSTATE that the server deserializes into attacker-controlled objects.
  • Impact: Remote code execution as the IIS application-pool identity, providing a foothold on the web server and a pivot into the internal network.
  • Affected Components: [host / application / page]
  • Recommendation: Treat machineKey as a secret — never expose web.config; rotate any disclosed keys immediately; enable ViewState MAC and per-user/auto-generated keys; patch the application; deploy WAF rules for known ViewState gadget patterns.
  • References: MITRE ATT&CK T1190, T1059.003; ysoserial.net ViewState plugin.
  • Manual: Common_Apps_IIS_Tilde_LDAP_ThickClient

Host & service findings

Weak Local Privilege Configuration Enables Local Privilege Escalation

  • Severity: High — CVSS 7.8 baseline (AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)
  • Summary: Host misconfigurations — dangerous token privileges (SeImpersonate/SeDebug), weak service/file permissions, unquoted service paths, permissive sudo/SUID — allow a local user to escalate to SYSTEM or root.
  • Impact: Full control of the host, enabling credential theft from memory and lateral movement.
  • Affected Components: [hosts]
  • Recommendation: Remove unnecessary privileges; correct service/file ACLs and unquoted paths; restrict sudo and SUID binaries; apply hardening baselines (CIS).
  • References: MITRE ATT&CK T1548, T1068.
  • Manual: Windows_PrivEsc_Token_Privileges (Windows) · Linux_PrivEsc_Methodology (Linux)

Missing Security Updates / Known-Vulnerable Services

  • Severity: High–Critical — CVSS varies (rescore to the specific CVE)
  • Summary: Hosts run software missing security updates or exposing services with public exploits (e.g., unpatched SMB, web applications, network services).
  • Impact: Remote code execution or privilege escalation via known exploits, frequently pre-authentication.
  • Affected Components: [host / service+version / CVE]
  • Recommendation: Apply vendor patches; define a patch-management SLA prioritized by exposure and severity; decommission unsupported software; reduce exposed attack surface.
  • References: MITRE ATT&CK T1190, T1210; the specific CVE advisory.
  • Manual: Service_Attack_Methodology

PAM Authentication Stack Permits Cleartext Credential Interception

  • Severity: High — CVSS 7.8 baseline (AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:N)
  • Summary: An attacker with root (or write access to /etc/pam.d/*) can insert a pam_exec.so … expose_authtok directive into the common authentication stack. PAM then pipes every submitted password — for SSH, su, and sudo — in cleartext to an attacker-controlled script, harvesting credentials at authentication time and bypassing the need to crack /etc/shadow.
  • Impact: Persistent, low-noise capture of plaintext credentials for every user and service account that authenticates on the host, including automated/service logins. Recovered credentials frequently enable lateral movement and, because the hook survives reboots, durable persistence.
  • Affected Components: [hosts with a modifiable PAM stack]
  • Recommendation: Restrict and monitor write access to /etc/pam.d/ and PAM modules; deploy file-integrity monitoring (AIDE/auditd) on the auth stack and alert on changes; centralize and review authentication logs; reduce the number of accounts with root. Treat any unexpected pam_exec/expose_authtok directive as a compromise indicator.
  • References: MITRE ATT&CK T1556.003 (Modify Authentication Process: Pluggable Authentication Modules), T1003.008.
  • Manual: Linux_Auth_Process
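A defender-side check for the compromise indicator this finding names (added example, not from the manual page or any tool): a Python scanner that parses PAM stack files in their `type control module args` grammar (including bracketed control lists and `@include` lines) and reports every `pam_exec.so` directive that carries `expose_authtok`, i.e. every line that hands the submitted password to an external command. The two sample files below are constructed, as is the hook path `/usr/local/bin/auth-hook.sh`; `load_pam_dir()` reads a real `/etc/pam.d` when you run it on a host.

```python
import re
from pathlib import Path

# Constructed sample PAM stack (not files from any real host): a clean
# common-auth and an sshd file carrying the directive this finding describes.
SAMPLE_PAM_FILES = {
    "/etc/pam.d/common-auth": """\
# /etc/pam.d/common-auth - authentication settings common to all services
auth    [success=1 default=ignore]  pam_unix.so nullok
auth    requisite                   pam_deny.so
auth    required                    pam_permit.so
""",
    "/etc/pam.d/sshd": """\
# PAM configuration for the Secure Shell service
@include common-auth
auth    optional    pam_exec.so quiet expose_authtok /usr/local/bin/auth-hook.sh
account required    pam_nologin.so
""",
}

# PAM directive grammar: "type control module-path [args...]". The control field
# may be a bracketed "[key=value ...]" list containing whitespace, so match it first.
_LINE = re.compile(
    r"^(?P<type>-?\w+)\s+(?P<control>\[[^\]]*\]|\S+)\s+(?P<module>\S+)\s*(?P<args>.*)$"
)

def parse_pam_line(line: str):
    """Return (type, control, module, args) for a directive, or None for blank, comment and @include lines."""
    stripped = line.strip()
    if not stripped or stripped.startswith("#") or stripped.startswith("@include"):
        return None
    mo = _LINE.match(stripped)
    if not mo:
        return None
    return (mo.group("type"), mo.group("control"), mo.group("module"), mo.group("args").split())

def find_authtok_hooks(files: dict) -> list:
    """Flag every pam_exec.so directive that exposes the clear-text authentication token to a command."""
    hits = []
    for path, content in files.items():
        for lineno, raw in enumerate(content.splitlines(), start=1):
            parsed = parse_pam_line(raw)
            if parsed is None:
                continue
            ptype, control, module, args = parsed
            # module may be given as a bare name or a full path; compare the basename
            if module.rsplit("/", 1)[-1] == "pam_exec.so" and "expose_authtok" in args:
                command = next((a for a in args if a.startswith("/")), "<none>")
                hits.append({"file": path, "line": lineno, "type": ptype,
                             "control": control, "command": command})
    return hits

def load_pam_dir(directory: str = "/etc/pam.d") -> dict:
    """Read every regular file in a PAM configuration directory into the {path: content} shape used above."""
    return {str(p): p.read_text(errors="replace") for p in sorted(Path(directory).iterdir()) if p.is_file()}

if __name__ == "__main__":
    for hit in find_authtok_hooks(SAMPLE_PAM_FILES):
        print(f"{hit['file']}:{hit['line']}: {hit['type']} {hit['control']} pam_exec.so expose_authtok -> {hit['command']}")
```

Pair the scan with file-integrity monitoring rather than relying on it alone: a periodic run tells you a hook is present, while auditd/AIDE on `/etc/pam.d/` tells you when it appeared and which account wrote it.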

Unauthenticated Redis Instance Permits File Write and Remote Code Execution

  • Severity: Critical — CVSS 9.8 baseline (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
  • Summary: A Redis service is reachable without authentication (no requirepass, protected mode off), exposing administrative commands. CONFIG SET dir/dbfilename plus a crafted key turns the data store into an arbitrary file-write primitive (e.g. writing authorized_keys or a web shell); newer versions also allow MODULE LOAD RCE.
  • Impact: An unauthenticated attacker gains an interactive foothold (SSH or web shell) on the host, plus full read/write of all cached data.
  • Affected Components: [host:6379]
  • Recommendation: Require authentication (requirepass/ACLs); bind Redis to localhost or a trusted segment; keep protected mode enabled; disable or restrict CONFIG/MODULE; run Redis as an unprivileged user with a non-writable working directory; patch to a current version.
  • References: MITRE ATT&CK T1190, T1505; Redis security guidance.
  • Manual: Attacking_Redis