
Reports

BlackRainbow produces structured reports from engagement results. Every finding links back to raw evidence, maps to ATT&CK techniques, and includes remediation guidance.

What Reports Include

Executive Summary

High-level overview for stakeholders. Total findings by severity, attack path summary, overall risk assessment.

Findings

Each finding includes:

| Section | What It Contains |
| --- | --- |
| Title | What was found |
| Severity | Critical, High, Medium, Low, Info |
| Description | What the vulnerability is and why it matters |
| Evidence | Raw tool output, screenshots, configuration snippets |
| Attack path | How this finding was reached (which kill chain stage, which plugin) |
| ATT&CK mapping | MITRE technique IDs and tactic categories |
| Remediation | How to fix it |
| Detection | How to detect exploitation attempts |

Example Finding

## Finding: SMB Signing Disabled

**Severity:** High
**ATT&CK:** T1557.001 (LLMNR/NBT-NS Poisoning and SMB Relay)

### Description
SMB signing is not required on 3 hosts in the target environment.
This allows relay attacks where captured authentication can be forwarded
to other hosts without detection.

### Evidence
Discovered during recon stage (plugin: recon, sequence: nmap-smb-scan):
```
Host: 192.168.1.20 - SMB signing: disabled
Host: 192.168.1.21 - SMB signing: disabled
Host: 192.168.1.25 - SMB signing: disabled
```

### Remediation
1. Enable SMB signing via Group Policy:
Computer Configuration → Policies → Windows Settings →
Security Settings → Local Policies → Security Options →
"Microsoft network server: Digitally sign communications (always)" = Enabled

2. Apply to all domain-joined systems via the Default Domain Policy.

3. Test with: `nmap --script smb2-security-mode -p 445 <host>`

### Detection
Monitor for SMB relay indicators:
- Multiple authentication attempts from the same source to different targets
- NTLM authentication from unexpected source IPs
- Sigma rule: `win_smb_relay_detection`

Artifact Collection

BlackRainbow captures everything during execution:

| Artifact Type | What It Captures |
| --- | --- |
| Tool output | stdout and stderr from every executed command |
| Output files | XML reports, JSON output, screenshots |
| Timing data | Duration of every step |
| Configuration | The exact config used for the engagement |
| Context state | Discovered services, credentials, grades at each stage |

Artifacts are stored in the captures/ directory (configurable in your YAML):

captures/
├── recon/
│   ├── nmap-full-scan.xml
│   ├── nmap-vuln-scan.xml
│   └── stdout-recon-001.txt
├── credential-access/
│   ├── kerberoast-hashes.txt
│   └── stdout-cred-001.txt
└── engagement-context.json

Every finding in the report links to its source artifacts. Reviewers can trace any claim back to the raw evidence.

Remediation Suite

Findings do not just say "this is broken." Each remediation section includes:

What was exploited. The specific vulnerability, misconfiguration, or weakness.

Why it was vulnerable. Root cause analysis: missing patch, default configuration, architectural flaw.

How to fix it. Step-by-step remediation with exact commands, Group Policy paths, or configuration changes.

Detection rules. How to detect exploitation attempts in the future:

  • Sigma rules for SIEM detection
  • Snort/Suricata rules for network detection
  • Log queries for specific indicators
  • Monitoring recommendations
# Example detection rule in report output
detection:
  sigma:
    title: "Kerberoasting Activity Detected"
    status: experimental
    logsource:
      category: security
      product: windows
    detection:
      selection:
        EventID: 4769
        TicketEncryptionType: "0x17"
        TicketOptions: "0x40810000"
      condition: selection
    level: high
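To show what a report consumer does with a rule like the one above, here is an added example (not BlackRainbow's own code) that applies the Sigma `selection`/`condition` logic to a handful of constructed Windows 4769 events. The rule dict is the page's example as a YAML loader would return it; the events, the `TUNED_RULE` variant with a `krbtgt` filter, and the small condition evaluator are assumptions made for the demonstration. The evaluator goes slightly beyond the page's `condition: selection` by handling `and`, `or`, `not` and parentheses, which is what you need once a rule gains a filter.

```python
"""Apply a report-style Sigma rule to sample Windows security events (added example)."""
import re
from typing import Any

# Constructed rule: the 'sigma' block of the page's example, as a loaded dict.
KERBEROAST_RULE: dict[str, Any] = {
    "title": "Kerberoasting Activity Detected",
    "status": "experimental",
    "logsource": {"category": "security", "product": "windows"},
    "detection": {
        "selection": {
            "EventID": 4769,                 # Kerberos service ticket (TGS) requested
            "TicketEncryptionType": "0x17",  # RC4-HMAC
            "TicketOptions": "0x40810000",
        },
        "condition": "selection",
    },
    "level": "high",
}

# Assumed tuning (not on the page): the krbtgt account also shows up in RC4
# ticket requests, so exclude it with a filter and a compound condition.
TUNED_RULE: dict[str, Any] = {
    **KERBEROAST_RULE,
    "title": "Kerberoasting Activity Detected (tuned)",
    "detection": {
        "selection": KERBEROAST_RULE["detection"]["selection"],
        "filter": {"TargetUserName": ["krbtgt"]},
        "condition": "selection and not filter",
    },
}

# Constructed sample events (not real telemetry), flattened as a SIEM would store them.
SAMPLE_EVENTS = [
    {"EventID": 4769, "TargetUserName": "svc_sql", "TicketEncryptionType": "0x17",
     "TicketOptions": "0x40810000", "IpAddress": "10.0.0.5"},
    {"EventID": 4769, "TargetUserName": "krbtgt", "TicketEncryptionType": "0x17",
     "TicketOptions": "0x40810000", "IpAddress": "10.0.0.7"},
    {"EventID": 4769, "TargetUserName": "svc_web", "TicketEncryptionType": "0x12",
     "TicketOptions": "0x40810000", "IpAddress": "10.0.0.5"},   # AES ticket: not RC4
    {"EventID": 4768, "TargetUserName": "alice", "TicketEncryptionType": "0x17",
     "TicketOptions": "0x40810010", "IpAddress": "10.0.0.9"},   # TGT request, not TGS
]


def _field_matches(actual: Any, expected: Any) -> bool:
    """Sigma semantics: a list of values is an OR; compare as strings (4769 vs '4769')."""
    candidates = expected if isinstance(expected, list) else [expected]
    return any(str(actual) == str(c) for c in candidates)


def selection_matches(selection: dict, event: dict) -> bool:
    """Every field listed in a selection must match (AND)."""
    return all(_field_matches(event.get(f), v) for f, v in selection.items())


def evaluate_condition(condition: str, results: dict) -> bool:
    """Evaluate and/or/not/parentheses over named selection results.
    'not' binds tightest, then 'and', then 'or' (Sigma precedence)."""
    tokens = re.findall(r"\(|\)|[A-Za-z_]\w*", condition)
    pos = 0

    def peek():
        return tokens[pos] if pos < len(tokens) else None

    def take():
        nonlocal pos
        pos += 1
        return tokens[pos - 1]

    def expr():                      # expr := term ('or' term)*
        value = term()
        while peek() == "or":
            take()
            rhs = term()
            value = value or rhs
        return value

    def term():                      # term := factor ('and' factor)*
        value = factor()
        while peek() == "and":
            take()
            rhs = factor()
            value = value and rhs
        return value

    def factor():                    # factor := 'not' factor | '(' expr ')' | NAME
        tok = take()
        if tok == "not":
            return not factor()
        if tok == "(":
            value = expr()
            if take() != ")":
                raise ValueError("unbalanced parentheses in condition")
            return value
        if tok not in results:
            raise KeyError(f"condition references unknown selection {tok!r}")
        return results[tok]

    value = expr()
    if pos != len(tokens):
        raise ValueError(f"unexpected token {tokens[pos]!r} in condition")
    return value


def match_rule(rule: dict, event: dict) -> bool:
    detection = rule["detection"]
    results = {name: selection_matches(sel, event)
               for name, sel in detection.items() if name != "condition"}
    return evaluate_condition(detection["condition"], results)


def run_rule(rule: dict, events: list) -> list:
    """Report-style alerts: one per event the rule matches."""
    return [{"title": rule["title"], "level": rule["level"], "event": e}
            for e in events if match_rule(rule, e)]


if __name__ == "__main__":
    for alert in run_rule(TUNED_RULE, SAMPLE_EVENTS):
        ev = alert["event"]
        print(alert["level"], alert["title"], ev["TargetUserName"], ev["IpAddress"])
```

Running it prints a single alert for `svc_sql` from `10.0.0.5`; the untuned rule also fires on the `krbtgt` request, which is why the filter matters when you turn a report's rule into a production detection.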

MITRE ATT&CK Mapping

Every attack sequence maps to ATT&CK techniques. Reports include:

Technique coverage matrix. Which techniques were tested and their results.

Tactic summary. Findings grouped by ATT&CK tactic (Initial Access, Execution, Persistence, etc.).

Heat map. Visual representation of technique coverage across the engagement.

ATT&CK Coverage
Initial Access: 2 techniques tested, 1 exploited
Execution: 3 techniques tested, 2 exploited
Persistence: 1 technique tested, 0 exploited
Privilege Escalation: 2 techniques tested, 1 exploited
Credential Access: 4 techniques tested, 3 exploited
Lateral Movement: 2 techniques tested, 2 exploited

Export Formats

# Markdown (default)
br report --format markdown

# Structured JSON
br report --format json

# Standalone HTML
br report --format html

# PDF for stakeholder delivery
br report --format pdf

| Format | Use Case |
| --- | --- |
| markdown | Internal review, Git-friendly, CI/CD pipelines |
| json | Programmatic consumption, dashboard integration, data analysis |
| html | Self-contained report with styling, shareable without tooling |
| pdf | Stakeholder delivery, formal documentation |
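The finding sections table, the ATT&CK coverage summary and the markdown/JSON export formats above describe one data model from three sides. As an added example (not BlackRainbow's own code or schema), the block below models a finding with those sections, checks the two properties the page promises for every finding (it links to an artifact that actually exists under `captures/`, and it carries a well-formed ATT&CK technique id), renders it in the layout of the example finding, exports it as JSON, and derives the per-tactic "techniques tested / exploited" lines. The `Finding` class, the validation rules and the artifact index are assumptions; `T1558.003` is ATT&CK's id for Kerberoasting.

```python
"""Model, validate and export report findings (added example, not BlackRainbow code)."""
import json
import re
from dataclasses import dataclass, asdict

SEVERITIES = ("Critical", "High", "Medium", "Low", "Info")
# ATT&CK ids: T1557 for a technique, T1557.001 for a sub-technique.
TECHNIQUE_ID = re.compile(r"^T\d{4}(?:\.\d{3})?$")


@dataclass
class Finding:                    # assumed shape; mirrors the report's finding sections
    title: str
    severity: str
    description: str
    technique: str                # ATT&CK id, e.g. "T1557.001"
    tactic: str                   # ATT&CK tactic the technique was used under
    evidence: list                # artifact paths relative to captures/
    remediation: str
    detection: str
    exploited: bool = False       # whether the engagement actually exploited it


# Constructed stand-in for a captures/ directory listing.
ARTIFACTS = {
    "recon/nmap-full-scan.xml",
    "recon/stdout-recon-001.txt",
    "credential-access/kerberoast-hashes.txt",
    "engagement-context.json",
}


def validate(finding: Finding, artifacts: set) -> list:
    """Reasons a finding is not report-ready; an empty list means it passes."""
    errors = []
    if finding.severity not in SEVERITIES:
        errors.append(f"unknown severity {finding.severity!r}")
    if not TECHNIQUE_ID.match(finding.technique):
        errors.append(f"malformed ATT&CK id {finding.technique!r}")
    if not finding.evidence:
        errors.append("no evidence linked")
    for path in finding.evidence:
        if path not in artifacts:
            errors.append(f"evidence {path!r} not found in captures/")
    return errors


def to_markdown(finding: Finding) -> str:
    """Render one finding in the layout of the report's example finding."""
    evidence = "\n".join(f"- [{p}](captures/{p})" for p in finding.evidence)
    return (
        f"## Finding: {finding.title}\n\n"
        f"**Severity:** {finding.severity}\n"
        f"**ATT&CK:** {finding.technique} ({finding.tactic})\n\n"
        f"### Description\n{finding.description}\n\n"
        f"### Evidence\n{evidence}\n\n"
        f"### Remediation\n{finding.remediation}\n\n"
        f"### Detection\n{finding.detection}\n"
    )


def to_json(findings: list) -> str:
    """Structured export; dataclasses serialise directly through asdict()."""
    return json.dumps([asdict(f) for f in findings], indent=2)


def coverage_lines(findings: list) -> list:
    """Per-tactic summary: distinct techniques tested and how many were exploited."""
    tested, exploited = {}, {}
    for f in findings:
        tested.setdefault(f.tactic, set()).add(f.technique)
        if f.exploited:
            exploited.setdefault(f.tactic, set()).add(f.technique)
    lines = []
    for tactic in sorted(tested):
        n = len(tested[tactic])
        noun = "technique" if n == 1 else "techniques"
        lines.append(f"{tactic}: {n} {noun} tested, {len(exploited.get(tactic, ()))} exploited")
    return lines


# Constructed findings: two drawn from the page's examples, one deliberately malformed.
SAMPLE_FINDINGS = [
    Finding("SMB Signing Disabled", "High", "SMB signing is not required on 3 hosts.",
            "T1557.001", "Credential Access", ["recon/nmap-full-scan.xml"],
            "Require SMB signing via Group Policy.", "Monitor for SMB relay indicators."),
    Finding("Kerberoastable Service Accounts", "High", "Service accounts with SPNs issue RC4 tickets.",
            "T1558.003", "Credential Access", ["credential-access/kerberoast-hashes.txt"],
            "Use gMSAs or long random service-account passwords.",
            "Sigma: Kerberoasting Activity Detected.", exploited=True),
    Finding("Malformed", "Urgent", "Bad severity, bad id, missing artifact.",
            "T15", "Execution", ["recon/missing.xml"], "", ""),
]

if __name__ == "__main__":
    for f in SAMPLE_FINDINGS:
        print(f"{f.title}: {validate(f, ARTIFACTS) or 'ok'}")
    print(to_markdown(SAMPLE_FINDINGS[0]))
    print("\n".join(coverage_lines(SAMPLE_FINDINGS)))
```

The validation step is the part worth keeping in any report pipeline: a finding whose evidence path does not exist, or whose technique id is not an ATT&CK id, should fail generation rather than reach a reviewer, because "trace any claim back to the raw evidence" only holds if every link resolves.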

Report Configuration

Control report output in your engagement config:

output:
  report: ./reports/
  capture: ./captures/
  format: markdown

Or override at generation time:

br report --format pdf --output ./deliverables/