# Decepticon countermeasures

A defensive detector for each Decepticon kill-chain phase.
PurpleAILAB/Decepticon is an autonomous red-team agent with 16 specialist agents that span the kill chain (reconnaissance → exploitation → privesc → lateral movement → C2). digger's counter-offensive detectors are the defender mirror: one detector per Decepticon phase, plus a cross-cutting auto-Sigma export so the rules ship to your SIEM.
Every counter detector is observation-only — they read what other collectors have already captured. No active probing; no exploit verification (P3 of the ethical contract).
## Phase-by-phase
| Decepticon phase | digger detector | MITRE ATT&CK | Key signals |
|---|---|---|---|
| Reconnaissance | recon | T1595.001 / T1592.002 / T1110.001 / T1589.002 | connection-table portscan footprint, SSH brute-force / banner-grab / user-enumeration from auth logs |
| Exploitation | exploitation | T1190 / T1059 / T1203 | listening service → shell, RCE-classic three-tier chain (service → interpreter → shell), 11 shellcode-shape cmdline patterns, web-server log exploit signatures (Log4Shell, Spring4Shell, path-traversal, inline PHP, Shellshock, Laravel Ignition, SQLi, reflected XSS) |
| Privilege escalation | privesc | T1548 / T1068 / T1547.006 | world-writable setuid, setuid in scratch / home, GTFOBins-trivial setuid (perl/python/awk/bash/cp/mv/vi/...), sudoers `NOPASSWD: ALL`, Linux file capabilities on shells, kernel taint bits decoded |
| Lateral movement | lateral | T1021 / T1550.002 / T1570 | SMB/SSH/WinRM/RDP/VNC outbound to RFC1918 from non-admin processes, credential dumpers (mimikatz / Rubeus / SafetyKatz / secretsdump / LaZagne / Certipy), Impacket / evil-winrm / CrackMapExec / Responder / mitm6 by name, SSH ProxyJump, pass-the-hash markers in Windows 4624 |
| C2 frameworks | c2 (extended) | T1071 / T1573 / T1095 / T1055 | Cobalt Strike + Sliver + Mythic + Brute Ratel + Havoc + Empire + Metasploit + Nighthawk + Merlin + Covenant; named-pipe patterns (`MSSE-*`, `sliver_*`, `demon_*`), TLS JA3 hashes, process-injection landing-pad heuristic (svchost/dllhost/explorer with non-Microsoft outbound) |
| Active Directory | ad_attacks | T1558.003 / T1558.004 / T1003.006 / T1484.001 | Kerberoasting (4769 RC4-HMAC for non-krbtgt SPN), AS-REP roasting (4768 PreAuthType 0), BloodHound / SharpHound / AzureHound family, DCSync via cmdline or 4662 with replication-rights GUID, AdminSDHolder modification (5136), DCShadow / golden+silver ticket markers |
| Cloud | cloud_attacks | T1552.005 / T1078.004 / T1611 / T1528 / T1098 | IMDS endpoint (169.254.169.254) hit from non-cloud-agent processes, cloud-cred env vars in shells, world-readable `~/.aws/credentials`, container-escape primitives (release_agent, `/var/run/docker.sock`, nsenter PID-1), kubeconfig read by non-kube clients, cloud-CLI privesc commands |
| RE-on-us (debugger attached) | counter_re | T1622 / T1057 | debuggers (gdb / lldb / dtrace / x64dbg / IDA / Ghidra / radare2 / frida / WinDbg / cdb) with a target PID matching digger itself or an EDR / audit process; self-attribution via `digger.opsec.self_id` |
| Persistent sessions | persistent_sessions | T1546 / T1543.002 | tmux/screen/zellij/dtach parented by a network-facing service (sshd explicitly excluded as admin baseline), detached nohup/setsid processes with INET sockets, user-systemd ExecStart pointing to user-writable shell scripts |
| Attacker tooling present | attacker_tooling | T1588.002 | 60+ tools across c2_framework / lateral / ad_recon / ad_cs_abuse / network_mitm / creds / cracker / recon / web_pentest / tunnel categories; detects both RUNNING and INSTALLED (brew / dpkg / rpm / snap / flatpak / Windows uninstall keys); self-attribution downgrades severity for dev-clone / venv paths (`[dev-context]` tag in title) |
## Auto-Sigma export

Every counter detector implements `to_sigma_template()`, a classmethod on `digger.detectors.base.Detector` that returns a generic, per-class Sigma rule (independent of any specific finding).
```console
$ digger generate sigma --from-detectors --out-dir out/sigma/
generated 13 per-detector Sigma templates
out: out/sigma
$ ls out/sigma/
digger-ad-attacks-template_AD_attack_tradecraft_Kerberoast_AS-REP_DCSync_BloodHound.yml
digger-attacker-tooling-template_Attacker_red-team_toolkit_running_on_host.yml
digger-cloud-attacks-template_Cloud-attack_tradecraft_IMDS_theft_kubeconfig_read_container_escape.yml
digger-counter-re-template_Debugger_RE_tool_attached_to_defender_process.yml
digger-exploitation-template_Network_service_spawned_an_interactive_shell_post-RCE_pattern_.yml
digger-lateral-template_Lateral_movement_outbound_SMB_SSH_WinRM_RDP_to_internal_IP.yml
digger-persistent-sessions-template_Multiplexer_tmux_screen_zellij_parented_by_a_network_service.yml
digger-privesc-template_Privilege-escalation_primitive_installed_setuid_capability_sudoers_kmod_.yml
digger-recon-template_Inbound_recon_SSH_brute-force_or_port-scan_footprint.yml
```

The nine files listed are the templates of the counter detectors in the table above; the other four of the 13 come from detectors outside the counter-offensive set.
Each rule carries proper ATT&CK tags and round-trips cleanly through `digger.exchange.sigma.SigmaLoader`; the `tests/test_genrule_detector_templates.py` suite enforces this on every release.
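The shape of that classmethod, and the checks a round-trip test should make on its output, as an added illustration that serves both the detector table and the export described here. This is not `digger.detectors.base.Detector`: the `Detector` stand-in below, its attribute names (`techniques`, `tactics`, `selection`, `exclusion`), the `AdAttacksDetector` title and the `template_filename()` helper are assumptions made for this example; only the filename layout is taken from the listing above.

```python
"""to_sigma_template() as a per-class classmethod plus the validation a CI
suite would apply to the result. Stand-in for the pattern described above,
not digger's own Detector base; attribute names and the title are assumed."""
import json
import re
import uuid

TECHNIQUE_TAG = re.compile(r"^attack\.t\d{4}(\.\d{3})?$")  # attack.t1558.003
TACTIC_TAG = re.compile(r"^attack\.[a-z_]+$")              # attack.credential_access
REQUIRED = ("title", "id", "status", "description", "logsource", "detection", "level", "tags")


class Detector:
    """Minimal base: subclasses declare what they look for, and the template
    is derived from those declarations, never from a concrete finding."""
    name = "base"
    title = "Base detector"
    level = "medium"
    tactics = ()        # ATT&CK tactic names in lower_snake, e.g. "credential_access"
    techniques = ()     # ATT&CK technique IDs, e.g. "T1558.003"
    logsource = {}
    selection = {}      # Sigma selection: fields AND-ed together
    exclusion = ()      # list of Sigma maps, OR-ed; "selection and not exclusion"

    @classmethod
    def to_sigma_template(cls) -> dict:
        if not cls.techniques or not cls.selection:
            raise ValueError(f"{cls.__name__}: declare techniques and selection first")
        detection = {"selection": dict(cls.selection)}
        condition = "selection"
        if cls.exclusion:
            detection["exclusion"] = [dict(e) for e in cls.exclusion]
            condition = "selection and not exclusion"
        detection["condition"] = condition
        return {
            "title": cls.title,
            # uuid5 over the detector name: the same class always yields the same
            # id, so a re-export updates the SIEM rule instead of duplicating it.
            "id": str(uuid.uuid5(uuid.NAMESPACE_URL, f"digger://detector/{cls.name}")),
            "status": "experimental",
            "description": f"Generic template for the {cls.name} counter detector.",
            "logsource": dict(cls.logsource),
            "detection": detection,
            "level": cls.level,
            "tags": [f"attack.{t}" for t in cls.tactics]
                  + [f"attack.{t.lower()}" for t in cls.techniques],
        }


class AdAttacksDetector(Detector):
    """Kerberoast slice of the ad_attacks signals; title is an assumption."""
    name = "ad_attacks"
    title = "AD attack tradecraft: Kerberoast / AS-REP / DCSync / BloodHound"
    level = "high"
    tactics = ("credential_access",)
    techniques = ("T1558.003", "T1558.004", "T1003.006", "T1484.001")
    logsource = {"product": "windows", "service": "security"}
    selection = {"EventID": 4769, "TicketEncryptionType": "0x17"}
    exclusion = ({"ServiceName|startswith": "krbtgt"}, {"ServiceName|endswith": "$"})


def template_filename(detector) -> str:
    """digger-<name>-template_<title>.yml, matching the ad_attacks entry in the
    listing above: punctuation runs in the title collapse to one underscore."""
    slug = re.sub(r"[^A-Za-z0-9-]+", "_", detector.title).strip("_")
    return f"digger-{detector.name.replace('_', '-')}-template_{slug}.yml"


def validate_sigma(rule: dict) -> list:
    """What a round-trip test should refuse: missing top-level keys, a detection
    without a condition, malformed tags, or no ATT&CK technique tag at all."""
    problems = [f"missing {k}" for k in REQUIRED if k not in rule]
    if "condition" not in rule.get("detection", {}):
        problems.append("detection has no condition")
    tags = rule.get("tags", [])
    for tag in tags:
        if not (TECHNIQUE_TAG.match(tag) or TACTIC_TAG.match(tag)):
            problems.append(f"bad tag {tag!r}")
    if not any(TECHNIQUE_TAG.match(t) for t in tags):
        problems.append("no ATT&CK technique tag")
    return problems


if __name__ == "__main__":
    rule = AdAttacksDetector.to_sigma_template()
    print(template_filename(AdAttacksDetector))
    print(json.dumps(rule, indent=2))
    print("problems:", validate_sigma(rule) or "none")
```

The rule is returned as a plain mapping so that the serialiser is a separate concern; the two ATT&CK tag patterns are what `validate_sigma()` would catch if a detector shipped a malformed `tags` entry, and the stable uuid5 id is what keeps repeated exports from piling up duplicate rules in the SIEM.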
## Ethics + counter-offensive

Every counter detector observes; nothing actively probes. The ethical-contract contrast table:
| Decepticon does | digger refuses |
|---|---|
| Multi-host engagements with RoE/ConOps | Local-host-only by default; cross-host requires explicit flag |
| Active scanning of targets | Read-only observation of artifacts already collected |
| Verifies exploits to confirm vulnerability | Refuses to send any payload; only matches version ranges |
| Credential brute force / hashcat / rainbow tables | Refuses credential attacks; only detects defensive misconfiguration |
| Lateral movement via psexec/wmiexec/evil-winrm | Detects these tools; never invokes them |
| C2 implant deployment | Detects implants; never installs persistence |