Keypoints
- AI and LLMs help teams process large volumes of unstructured security data to surface actionable insights.
- Efficient data parsing and structured outputs are critical to identifying threats and supporting analysis.
- Real-world case studies demonstrate using LLMs across initial reconnaissance, credential discovery, and internal reconnaissance phases.
- Guardrails-ai is introduced as a Python library to enforce structure on LLM outputs for easier downstream analysis.
- Tools such as Snaffler, TruffleHog, and Nosey Parker are effective at finding exposed credentials in files and repositories.
- BloodHound is used to analyze Active Directory and identify attack paths and high-value targets.
- Combining multiple tools and LLM outputs improves credential and target identification; future work will refine models and expand data sources.
MITRE Techniques
- [T1078] Valid Accounts – Use of valid accounts to gain access to systems. [‘Use of valid accounts to gain access to systems.’]
- [T1003] Credential Dumping – Extracting account login credentials from operating systems and software to escalate access. [‘Extracting account login credentials from operating systems and software.’]
- [T1068] Exploitation for Privilege Escalation – Exploiting a vulnerability to gain elevated access to resources during engagements. [‘Exploiting a vulnerability to gain elevated access to resources.’]
- [T1087] Account Discovery / Active Directory Enumeration – Gathering information about Active Directory users and groups to map attack paths. [‘Gathering information about Active Directory users and groups.’]
- [T1213] Data from Information Repositories – Accessing and extracting data from file shares and repositories as a source of credentials and intelligence. [‘Accessing and extracting data from file shares and repositories.’]
Indicators of Compromise
- [Tool Name] tooling referenced – guardrails-ai, BloodHound, and 3 more tools (Snaffler, TruffleHog, Nosey Parker) used to locate credentials and analyze AD.
————
The article shows how LLMs and AI can streamline adversarial emulation by turning messy, unstructured sources into structured intelligence that both red and blue teams can use. Through case studies, the authors demonstrate using LLMs for reconnaissance, extracting people and role data from social sources, locating credentials with specialized scanners, and feeding structured outputs into analysis tools like BloodHound to identify attack paths.
Practical recommendations include using libraries such as guardrails-ai to enforce consistent LLM output formats, combining multiple credential-finding tools to increase coverage, and iterating on models and data sources to improve accuracy. The overall message is that AI augments manual tooling and analysis, making it faster to find high-value targets and prioritize defensive actions.