Automating Lateral Movement with Graph-Based Decision Engines

TLDR: This research introduces a framework for automating complex lateral movement and privilege escalation paths by modeling network environments as graphs. By combining a YAML-based domain-specific language with the Kuzu graph database, testers can programmatically execute TTPs based on real-time environment state. This approach moves beyond static scripts, allowing for dynamic, state-aware decision-making during red team engagements.

Most penetration testing automation relies on rigid, linear scripts. You run a scanner, parse the output, and trigger a payload if a specific condition is met. If the environment doesn't behave exactly as your script expects, the automation breaks. This is the "stochastic parrot" problem in security tooling: tools that blindly repeat pre-programmed sequences without understanding the state of the target network. The real-world risk is that these tools are easily detected and often fail to adapt when they encounter non-standard configurations or unexpected defensive controls.

Modeling the Network as a State Machine

The core of this research is the application of Markov Decision Processes (MDP) to the problem of lateral movement. Instead of treating a network as a flat list of targets, you model it as a graph where nodes are systems or user accounts and edges represent potential movement paths. When you have complete knowledge of the environment, you can use a standard MDP to calculate the optimal path to your objective.

However, in a real engagement, you are operating in a Partially Observable Markov Decision Process (POMDP). You don't know what is on the next subnet until you land on a box and run your reconnaissance. The framework presented at DEF CON addresses this by using a graph database to maintain the "known" state of the environment. As you perform actions like T1046-network-service-discovery or T1003-os-credential-dumping, the graph updates, and the engine re-evaluates the next best move.

Implementing the Logic with YAML and Cypher

The researchers built a domain-specific language (DSL) in YAML that maps TTPs to preconditions and postconditions. This allows you to define an attack flow that is modular and reusable. When the engine runs, it translates these YAML definitions into Cypher queries, which are then executed against the Kuzu database to determine if the prerequisites for a specific technique are met.

For example, if you want to perform credential harvesting on a Windows Server, your YAML definition would look something like this:

- name: dump_lsass
  preconditions:
    - node_type: windows_server
    - has_privilege: SeDebugPrivilege
  actions:
    - command: "procdump.exe -ma lsass.exe lsass.dmp"
  postconditions:
    - credential_dumped: true

The engine checks the graph for any node matching windows_server that also has the SeDebugPrivilege attribute. If the graph shows a match, the engine queues the command. If not, it might trigger a different TTP—perhaps a privilege escalation technique—to reach the required state. This is a massive upgrade over hard-coded bash or PowerShell scripts that assume the environment is already in the desired state.

Real-World Engagement Flow

During a red team engagement, this framework acts as a force multiplier. You start by priming the pump with manual reconnaissance, feeding the output into the graph. Once the initial topology is mapped, the engine takes over. It can manage multiple concurrent attack threads, handling the "decision-making" of which box to pivot to next while you focus on higher-level objectives or manual exploitation of complex vulnerabilities.

The demo shown at the conference used Nmap for initial discovery and Responder for LLMNR/NBT-NS poisoning. By piping the output of these tools directly into the graph, the framework automatically identified new targets and updated the attack graph in real-time. When a hash was captured, the engine immediately recognized it as a new "credential" node and updated the available paths for lateral movement. This level of automation is particularly effective against A01-broken-access-control and A07-identification-authentication-failures in Active Directory environments.

Defensive Considerations

From a defensive perspective, this research highlights the importance of graph-based threat hunting. If an attacker is using a graph database to model your network, they are looking for the most efficient path to your crown jewels. Defenders should be doing the same. By mapping your own network as a graph and identifying "high-centrality" nodes—systems or accounts that provide access to the most other systems—you can prioritize hardening and monitoring efforts where they will have the most impact. If you can break the edges in the attacker's graph, you stop the movement.

Moving Forward

The code and the YAML DSL are available on the project's GitHub repository. If you are tired of writing custom scripts for every engagement, this is a project worth cloning. The real power here isn't just the automation of the tools themselves, but the automation of the strategy. Stop thinking about individual commands and start thinking about the state of the network. The next time you find yourself manually mapping out a pivot path, ask yourself if you can define that path as a graph pattern instead.