chore(companion): mirror htpx Google Workspace pairs #76

Merged: Gerrrt merged 2 commits into main from claude/dotfiles-round-7-github-b8nut0 on Jul 2, 2026

Conversation

@Gerrrt (Collaborator) commented Jul 2, 2026

Google Workspace (Kali mirror)

Mirrors the 3 new companion-only red↔blue pairs from htpx (source of truth) into the vendored offensive/companion/ tree, plus the refreshed companion/README.md.

New entries:

  • gws-oauth-grant ↔ gws-oauth-audit (T1528)
  • gws-super-admin ↔ gws-admin-audit (T1098.003)
  • gws-mail-forward ↔ gws-mail-forward-audit (T1114.003)

Cloud IdP pairs, so no flat-view generation; ./offensive/companion/gen-views.sh --check confirms PURPLE-TEAM.md and hacktheplanet stay untouched. Entries + README byte-identical to htpx (verified with diff). companion.lock left alone.

🤖 Generated with Claude Code



Sync the 3 new companion-only red↔blue pairs from htpx (source of truth):

- gws-oauth-grant ↔ gws-oauth-audit (T1528)
- gws-super-admin ↔ gws-admin-audit (T1098.003)
- gws-mail-forward ↔ gws-mail-forward-audit (T1114.003)

Cloud IdP pairs, so no flat-view generation — gen-views.sh --check confirms
PURPLE-TEAM.md / hacktheplanet stay untouched. Entries + README byte-identical to
htpx; companion.lock left alone.

Co-Authored-By: Claude <noreply@anthropic.com>
Claude-Session: https://claude.ai/code/session_011spYcGfeP4a3RNQQVDrGtW
Copilot AI review requested due to automatic review settings July 2, 2026 15:13

Copilot AI left a comment


Pull request overview

Mirrors three new Google Workspace companion-only red↔blue entry pairs into offensive/companion/ and updates the companion corpus README to include the new Workspace coverage.

Changes:

  • Adds three new Google Workspace red entries: illicit OAuth grant, super-admin grant, and external mail forwarding.
  • Adds the three paired blue detections using Google Workspace audit/token log SPL examples.
  • Updates offensive/companion/README.md corpus counts/coverage text and appends the three new pairs to the corpus table.

Reviewed changes

Copilot reviewed 7 out of 7 changed files in this pull request and generated no comments.

Summary per file:

| File | Description |
| --- | --- |
| offensive/companion/README.md | Updates corpus summary text and adds the three new Workspace pairs to the corpus table. |
| offensive/companion/entries/red/gws-super-admin.md | New red entry describing super-admin/admin-role grant persistence in Google Workspace. |
| offensive/companion/entries/red/gws-oauth-grant.md | New red entry describing consent-phishing/malicious OAuth grant behavior. |
| offensive/companion/entries/red/gws-mail-forward.md | New red entry describing external auto-forwarding for mail collection/exfil. |
| offensive/companion/entries/blue/gws-oauth-audit.md | New blue entry with SPL for detecting token-audit authorize events. |
| offensive/companion/entries/blue/gws-mail-forward-audit.md | New blue entry with SPL for detecting email_forwarding_out_of_domain events. |
| offensive/companion/entries/blue/gws-admin-audit.md | New blue entry with SPL for detecting admin-role grants via admin audit events. |


Mirror the htpx label fix (gws-admin-log → gws-audit-log across the three Google
Workspace blue entries). Entries byte-identical to htpx; gen-views.sh --check clean.

Co-Authored-By: Claude <noreply@anthropic.com>
Claude-Session: https://claude.ai/code/session_011spYcGfeP4a3RNQQVDrGtW
@Gerrrt merged commit b63ccd4 into main on Jul 2, 2026
4 checks passed
@Gerrrt deleted the claude/dotfiles-round-7-github-b8nut0 branch on July 2, 2026 17:03