chore(companion): mirror htpx Google Workspace pairs#76
Merged
Conversation
Sync the 3 new companion-only red↔blue pairs from htpx (source of truth):
- gws-oauth-grant ↔ gws-oauth-audit (T1528)
- gws-super-admin ↔ gws-admin-audit (T1098.003)
- gws-mail-forward ↔ gws-mail-forward-audit (T1114.003)
Cloud IdP pairs, so no flat-view generation — gen-views.sh --check confirms PURPLE-TEAM.md / hacktheplanet stay untouched. Entries + README byte-identical to htpx; companion.lock left alone.
Co-Authored-By: Claude <noreply@anthropic.com>
Claude-Session: https://claude.ai/code/session_011spYcGfeP4a3RNQQVDrGtW
Pull request overview
Mirrors three new Google Workspace companion-only red↔blue entry pairs into offensive/companion/ and updates the companion corpus README to include the new Workspace coverage.
Changes:
- Adds three new Google Workspace red entries: illicit OAuth grant, super-admin grant, and external mail forwarding.
- Adds the three paired blue detections using Google Workspace audit/token log SPL examples.
- Updates offensive/companion/README.md corpus counts/coverage text and appends the three new pairs to the corpus table.
Reviewed changes
Copilot reviewed 7 out of 7 changed files in this pull request and generated no comments.
| File | Description |
|---|---|
| offensive/companion/README.md | Updates corpus summary text and adds the three new Workspace pairs to the corpus table. |
| offensive/companion/entries/red/gws-super-admin.md | New red entry describing super-admin/admin-role grant persistence in Google Workspace. |
| offensive/companion/entries/red/gws-oauth-grant.md | New red entry describing consent-phishing/malicious OAuth grant behavior. |
| offensive/companion/entries/red/gws-mail-forward.md | New red entry describing external auto-forwarding for mail collection/exfil. |
| offensive/companion/entries/blue/gws-oauth-audit.md | New blue entry with SPL for detecting token-audit authorize events. |
| offensive/companion/entries/blue/gws-mail-forward-audit.md | New blue entry with SPL for detecting email_forwarding_out_of_domain events. |
| offensive/companion/entries/blue/gws-admin-audit.md | New blue entry with SPL for detecting admin-role grants via admin audit events. |
Mirror the htpx label fix (gws-admin-log → gws-audit-log across the three Google Workspace blue entries). Entries byte-identical to htpx; gen-views.sh --check clean.
Co-Authored-By: Claude <noreply@anthropic.com>
Claude-Session: https://claude.ai/code/session_011spYcGfeP4a3RNQQVDrGtW
Google Workspace (Kali mirror)
Mirrors the 3 new companion-only red↔blue pairs from htpx (source of truth) into the vendored offensive/companion/ tree, plus the refreshed companion/README.md.
New entries:
- gws-oauth-grant ↔ gws-oauth-audit (T1528)
- gws-super-admin ↔ gws-admin-audit (T1098.003)
- gws-mail-forward ↔ gws-mail-forward-audit (T1114.003)
Cloud IdP pairs, so no flat-view generation — ./offensive/companion/gen-views.sh --check confirms PURPLE-TEAM.md and hacktheplanet stay untouched. Entries + README byte-identical to htpx (verified with diff). companion.lock left alone.
🤖 Generated with Claude Code