Ansible Lateral Movement & Abuse
Detects abuse of Ansible-specific features for lateral movement, pivoting, and unauthorized host targeting
15 rules in lateral_movement.yml
CRITICAL: 3 | HIGH: 10 | MEDIUM: 2
| Rule ID | Severity | Title | Description | Refs |
|---|---|---|---|---|
| ad_ | CRITICAL | AD Constrained/Unconstrained Delegation Modification | Modifies msDS-AllowedToDelegateTo, msDS-AllowedToActOnBehalfOfOtherIdentity, userAccountControl=TRUSTED_FOR_DELEGATION, or TrustedToAuthForDelegation on a computer or service account. These attributes control Kerberos delegation; writes let an attacker abuse S4U2Self/S4U2Proxy (Resource-Based Constrained Delegation attack) to impersonate arbitrary users against a target service. | |
| ansible_ | CRITICAL | Python Interpreter Override | Overrides ansible_python_interpreter to point to a custom Python binary, potentially executing malicious code on every managed host. | |
| psexec_ | CRITICAL | PsExec-Style Remote Service Install | ansible.windows.win_service installs a service whose path points at a remote SMB share (`\\host\share\binary.exe`) or an HTTP(S) URL. This mirrors the PsExec / Impacket lateral movement primitive, where a binary is fetched from an attacker-controlled location and started as SYSTEM on the target. | |
| add_ | HIGH | Dynamic Host Injection via add_host | Dynamically adds a host to the inventory, potentially injecting attacker-controlled targets. | |
| ansible_ | HIGH | Ansible Configuration Override | Sets ANSIBLE_CONFIG to load a custom configuration that may disable security features or load malicious plugins. | |
| ansible_ | HIGH | Vault Password via Environment Variable | Passes the Ansible Vault password through an environment variable, which may be logged or leaked. | |
| custom_ | HIGH | Custom Callback Plugin Registration | Registers a custom callback plugin, which executes Python code on every task event. | |
| custom_ | HIGH | Custom Filter/Lookup Plugin Path | Sets custom filter or lookup plugin paths, which allow arbitrary code execution during template rendering. | |
| delegate_ | HIGH | delegate_to with External/Dynamic Host | Uses delegate_to with a variable or IP address to pivot execution to an arbitrary host. | |
| facts_ | HIGH | Custom facts.d Script Injection | Deploys scripts to /etc/ansible/facts.d, which execute automatically during fact gathering. | |
| include_ | HIGH | Role Include from Untrusted Source | Includes a role from a URL or git repository that may contain malicious code. | |
| local_ | HIGH | local_action with Shell Execution | Executes shell commands on the Ansible controller via local_action; the controller has access to CI/CD secrets. | |
| winrm_ | HIGH | WinRM Configured With Unencrypted Transport | Ansible WinRM connection configured with ansible_winrm_transport=basic over HTTP, ansible_winrm_message_encryption=never, or ansible_port=5985 without transport=ssl. This sends credentials and task output in cleartext across the network and enables relay/credential-capture attacks. | |
| connection_ | MEDIUM | connection: local with Shell Module | Task sets connection: local and then runs shell/command/raw. The commands execute on the Ansible controller, not the target host; this is the textbook shape for accidentally leaking controller secrets. | |
| wait_ | MEDIUM | wait_for Used for Port Scanning | Uses the Ansible wait_for module to probe multiple ports, which can be used for network reconnaissance. | |