# ARM-B CARD LAYER — S2: Domain credential harvesting via secretsdump on a DC
> Doctrine reference. Maneuver space + control inventory + coverage relations for this environment. No incident content. Every statement below is a **standing type-altitude relation or conditional** ("*if/when* status X, *then* verdict Y") — none asserts that anything happened, in what order, or whether it was observed. All identifiers trace to `mc-core/0.2.1` (TBox `mc.ttl`, policy `mc-policy.ttl`, worked ABox `blackbasta.abox.ttl`). Vocabulary is canonical MC: **maneuver** (atomic unit, identified by its invariant-core effect) · **robustness** (evasion-resistance, StP L1–L5, a *ceiling* on the observable) · **detect-face** (`mc:Detectability`, four-valued health live/degraded/blind/uncertain) · **control** (`mc:Control`) · **coverage** (derived verdict covered/notCovered, never asserted).

---

## A. Maneuver cards

### A1 — Domain credential access by process-memory read (LSASS) — **MODELED**
**Identifying observable effect:** a running process **reads the virtual memory of another process** (LSASS) to lift admin credential material out of it. The maneuver is named by *this effect* — "harvest admin credential material via a process-memory read" — **not** by any tool, API, or acquisition path. (Invariant core `coreCred`; ATT&CK annotation `T1003.001`; objective `objCredentialAccess` / TA0006.)

**Behavior (Hoare triple):**

| Slot | Content (glossed) | Ontology term |
|---|---|---|
| **Precondition** | The executing process/token holds **≥ user integrity** (a foothold at user level or above). | `pIntegUserReq` — `rProc.integrity ⊒ userIntegrity` (op `opDominates`) |
| **Mechanism (invariant core)** | **Read another process's virtual memory** — the credential store (LSASS) is read out. This is the identity-bearing, unavoidable core. | `coreCred` *via* primitive `pReadProcMem` "read process memory" (MBC `C0049`) |
| **Postcondition** | The account's held-credential set now **subsumes {admin}** — admin credential material is in hand. | `pCredAdmin` — `rAccount.credentialHeld ⊇ credAdmin` (op `opSubsumes`) |

**Invariant core + variants (one core; the read is the intersection across all variants):**
- **Invariant core `coreCred`** — "harvest admin credential material." Its discriminating content is the **shared primitive intersection**: every variant composes `pReadProcMem` (read-another-process's-memory). That read is what no variant can drop without abandoning the goal.
- Base-instantiated variants: `varLsass` (direct LSASS memory dump; composes `pReadProcMem` + `pOpenProcess` = OpenProcess+PROCESS_VM_READ) · `varHandleDup` (handle-duplication read; composes `pReadProcMem` + `pDupHandle`, bypasses SeDebug).
- **Remote/network-acquisition variant — AUTHORED (Arm-B, content-gap closure, not framework-gap).** A read performed from a remote/service-execution context still executes the same kernel effect on the DC — a process on the DC reads LSASS memory — so it **realizes the same `coreCred` and composes the same `pReadProcMem`**. Its acquisition/trigger differs (remote), which by the P/Q-individuation rule is a *distinct* acquisition primitive, but the **invariant `pReadProcMem` is preserved**. Consequence: coverage and the spanning observable transfer to the remote variant unchanged. *(This variant is not instantiated in the base ABox — logged in D4.)*

**Robustness of the key observable(s):**
- **`obsInvariant`** "process writes then executes remote memory" — **stpL5 (invariant / chokepoint), role `spanning`.** *Why L5:* it is grounded in the invariant core, so it **fires regardless of which variant** (local dump, handle-dup, or remote) realizes the read — the adversary cannot evade it without abandoning the credential-read goal. This is the variant-independent key a detection should sit on; under the reference coverage-admission policy (rank ≥ 4 = StP L4+) an L5 observable qualifies a covered edge.
- *Ceiling note:* a detection keyed instead on a variant-discriminating artifact (a specific dumping tool's name/hash, a fixed API sequence) would be capped far lower on the axis (L1–L3) and is **not** the authored key. The base authors no such graded discriminating observable — none is fabricated here.

**Linked detect-face(s):** `dfCred` "LSASS access detection" (combinator `required`), which **`triggerDependsOn` `dfEdrTelemetry`** (EDR endpoint telemetry, `sourcedFrom` the EDR control). Single-sourced. See B1 and C.

---

### A2 — SAM / registry-hive credential dump — **UNMODELED (stub)**
**Intended observable effect (what a full card would name):** remote-registry open + read of the `HKLM\SAM` / `SECURITY` / `SYSTEM` hives to recover local secrets. ATT&CK `T1003.002`.

> **no authored coverage record — unmodeled path.**

The TBox holds **no maneuver, no invariant core, no primitive for a registry-hive read/save, and no detect-face keyed on remote-registry** for this effect. A registry-hive read is **not** a process-memory read, so it **cannot** reuse `coreCred` / `pReadProcMem`. No Hoare triple, no robustness grade, and **no coverage verdict** may be authored or derived. Do **not** infer coverage from the fact that the EDR happens to emit registry/file telemetry (see B1, C, D2). Cross-reference **D2**.

---

### A3 — DCSync / domain-replication credential pull — **UNMODELED (stub)**
**Intended observable effect (what a full card would name):** a directory-replication request (`DRSUAPI GetNCChanges`, DS-Replication-Get-Changes / -All) pulling NTDS secrets — including `krbtgt` — from the DC. ATT&CK `T1003.006`.

> **no authored coverage record — unmodeled path.**

The TBox holds **no maneuver, no observable for the replication request, no directory-service-access `mc:Control`, and no robustness grade for the replication control-access-right signal.** The invariant here is a *legitimate replication RPC*, **not** a memory read, so it **cannot** reuse `coreCred` / `pReadProcMem`. No Hoare triple, no robustness level, **no coverage verdict** may be authored or derived. *(A security-true robustness intuition — the replication right is protocol-forced and near-invariant — is explicitly **unstateable and ungradable** from these cards; do not record one.)* Cross-reference **D1**.

---

### A4 — Defensive-sensor impairment (adjacent enabling maneuver) — **MODELED**
Carried because a maximal doctrine library holds it and because its postcondition is what **drives the coverage collapse of A1** (a standing conditional, not an event). Invariant core `coreImpair`; ATT&CK `T1562.001`; objective `objDefenseImpairment`.

**Identifying observable effect:** the endpoint sensor is driven to a **telemetry-degrading control status**.

| Slot | Content (glossed) | Ontology term |
|---|---|---|
| **Precondition** | Holds admin credential. | `pCredAdminReq` — `rAccount.credentialHeld ⊇ credAdmin` |
| **Mechanism (invariant core)** | **Disable the endpoint sensor.** Base variant `varBYOVD` (bring-your-own-vulnerable-driver). | `coreImpair` |
| **Postcondition** | The control's status drops to a **telemetry-severing value** (`impaired` or `killed`) → `degradesTelemetry true`. | `pEdrKilled` — `rEdr.controlStatus` set to a `degradesTelemetry=true` value |

**Robustness of key observable(s):** **none authored — do not fabricate.** The base grades no observable for the impairment mechanism. The only modeled detection path is the **out-of-band investigation** `invEdr` "check EDR service state via secondary telemetry" (answers `qWasEdrKilled`, source = service-control log, confidence 0.9) — *not* the EDR itself.

**Linked detect-face(s):** the maneuver's own face `dfEdrTelemetry` is `sourcedFrom` the very EDR being impaired — self-referential and therefore self-blinding (see D6). Reliable confirmation is the out-of-band investigation, not an EDR-sourced face.

---

## B. Defensive control cards

### B1 — EDR on DC01 (`mc:Control`) — the sole authored source for the one covered path
- **What it is:** endpoint sensor on the DC; `mc:Control` whose own `controlStatus` (`enforcing` > `impaired` > `killed`) flows through the graph as a condition.
- **What it observes:** LSASS process-memory read (the A1 signal) **and** remote-registry / file-access telemetry.
- **Detect-faces it sources:**
  - `dfEdrTelemetry` "EDR endpoint telemetry" — **trigger** substrate (`sourcedFrom` EDR).
  - `dfCred` "LSASS access detection" — **`triggerDependsOn dfEdrTelemetry`** → EDR is `dfCred`'s trigger source. (Also `dfExploit` in the base library.)
  - *Asymmetry (critical):* the EDR **emits** remote-registry/file telemetry, but **no authored detect-face keys on it** — the SAM-hive observable (A2) is *visible* yet **unfaceted**, so no coverage can be derived from it. (D2.)
- **Failure mode:** any status that sets `degradesTelemetry true` (**`impaired` OR `killed`**) severs the telemetry `dfEdrTelemetry` supplies. Because `dfCred` **trigger-**depends on it, `dfCred` → **blind** (trigger lost, no longer fires), and A1 → **notCovered** (C). This is the environment's headline residual: the one covered path is **single-sourced** from this control.

### B2 — Network egress monitor / netmon (`mc:Control`) — peripheral to the credential family
- **What it is:** perimeter/network sensor; `mc:Control` `netmon1`.
- **What it observes:** egress flows.
- **Detect-faces it sources:** `dfExfil` "exfil detection" — `sourcedFrom netmon1`, combinator `triggerPlusEnrichment`, with `enrichmentDependsOn dfEdrTelemetry`.
- **Failure mode / contrast:** because the EDR is only an **enrichment** dependency here, an impaired EDR leaves `dfExfil` **degraded (still fires)**, not blind — the trigger (netmon) survives. This illustrates trigger-loss→blind vs enrichment-loss→degraded. **Out of the credential-access family** and carried only for control-inventory completeness; it sources **no** face for A1–A4.

### B3 — AD/DS directory-service access auditing — **PRESENT telemetry, NOT an `mc:Control`** *(framework gap)*
- **What it is:** Windows audit subcategory + SACL on the domain root covering the replication rights; emits 4662 directory-service-access events including the replication control-access-right GUIDs.
- **Modeling status:** **not represented as an `mc:Control`; no detect-face `sourcedFrom` it.** The environment *has* the observable; the model has **nothing to attach a verdict to**. Because coverage is derived only over authored Controls, **no coverage/robustness verdict for the DCSync path (A3) is derivable.** (D1, D3.)

### B4 — Windows Security event log on DC01 — **PRESENT telemetry, NOT an `mc:Control`** *(framework gap)*
- **What it is:** host audit log (network logons 4624 type 3, service installs 7045, remote-registry when audited).
- **Modeling status:** **not an `mc:Control`; no detect-face `sourcedFrom` it.** Present as raw telemetry; sources **no** authored face and therefore contributes **no** derivable coverage. (D3.)

---

## C. Coverage relations
*(Coverage is DERIVED from detect-face health + control status + any prevent/react defender maneuver — never asserted. Where the graph cannot derive a verdict, the honest projection is SILENT.)*

| Maneuver | Covering control(s) / face | Derived verdict | Robustness of the key | Residual-gap note |
|---|---|---|---|---|
| **A1 — LSASS memory read** (incl. remote variant) | EDR → `dfEdrTelemetry` → `dfCred` (single-sourced) | **covered *iff* EDR `enforcing`** (`dfCred` live); **notCovered** the moment EDR is `impaired`/`killed` | **L5** via `obsInvariant` (spanning, variant-independent) | Trigger-loss path: EDR `degradesTelemetry true` → `dfCred` **trigger severed → blind → notCovered** for the remainder of that state. Absence of alerts under an impaired EDR is **not** evidence of absence. **Prevent-locus defender maneuver: NONE** in this environment (prevent-side empty — D5), so there is no fallback if the single face blinds. Coverage **transfers to the remote variant** unchanged (same `coreCred`/`pReadProcMem`, same L5 spanning observable). |
| **A2 — SAM / registry-hive dump** | — none authored — | **no authored coverage record — unmodeled path (SILENT)** | not gradable | EDR *emits* registry/file telemetry, but no face keys on it → **underivable**. Do not read the raw observable as coverage. Escalate to modeling. (D2.) |
| **A3 — DCSync / domain replication** | — none authored — | **no authored coverage record — unmodeled path (SILENT)** | not gradable | AD/DS 4662 telemetry exists in the environment but its source is **not an `mc:Control`** → no face → **underivable**. Malicious-vs-legitimate replication is decided from an **environment fact** (request source is a workstation, not a replication-partner DC), **not** from any card. Escalate. (D1.) |
| **A4 — Sensor impairment** | out-of-band investigation `invEdr` (service-control log, conf. 0.9) | detectable **only out-of-band**; the EDR-self-sourced `dfEdrTelemetry` self-blinds | none authored | The face that would detect impairment is `sourcedFrom` the impaired control itself (circular — D6). Confirm control status via the secondary telemetry `invEdr` reads, never via the EDR's own silence. |

**Consolidated authored-coverage inventory (the whole covered set):** **exactly one** path — A1's `dfCred`/EDR face, and that one **blinds** under an impaired/killed EDR. Of the three credential-access maneuvers in this environment's threat model, the cards can produce a verdict for **1 of 3**; **A2 and A3 carry no coverage record at all**. Any residual spanning the SAM-hive and DCSync paths (up to full domain-hash exposure) is **not derivable from this card layer** and must be scoped from outside the model.

---

## D. Card-authorability report (framework-gap channel)

**D1 — DCSync / domain-replication maneuver is unauthorable (T1003.006).**
*Needed:* a maneuver for the replication pull, an observable for the `DRSUAPI GetNCChanges` request, an `mc:Control` sourcing the 4662 directory-service-access telemetry, and a robustness grade for the replication control-access-right GUID.
*Why the TBox can't carry it:* the credential-access invariant is a **process-memory read** (`pReadProcMem`); a legitimate replication RPC is not a memory read, so it cannot reuse `coreCred`. Coverage is derived from a face graph over **authored Controls**, and **no Control sources the 4662 telemetry** — so no face can exist and no verdict can be derived.
*Consequence for a responder:* they can *describe* DCSync from general knowledge but get **no card-backed coverage or robustness verdict**, and the model cannot represent that this path exfiltrates the full NTDS set including `krbtgt` — the largest scoping miss.

**D2 — SAM / registry-hive dump is unauthorable (T1003.002).**
*Needed:* a maneuver, a primitive for registry-hive read/save, an observable/robustness for the hive read, and a face keyed on remote-registry.
*Why the TBox can't carry it:* none of these exist; the one telemetry that *is* present (EDR registry/file access) sources **no authored face**, so coverage-is-derived cannot fire on it.
*Consequence:* a responder sees the raw registry observable but has **no verdict**; the temptation is to over-read the EDR telemetry as coverage — which the cards must refuse.

**D3 — Present-but-unmodeled telemetry (the core asymmetry).**
*Needed:* verdicts grounded in AD/DS directory-service-access auditing and the Windows Security log.
*Why the TBox can't carry it:* both are **environment telemetry but not `mc:Control`s**; only EDR + netmon are authored Controls, and coverage derives strictly over authored Controls.
*Consequence:* the environment can *show* the observable (registry read, 4662 with replication GUIDs) while the cards return **no verdict** — an "observable present, coverage absent" asymmetry a responder must recognize as a *modeling* gap, not a *quiet-means-clean* signal.

**D4 — Remote-LSASS variant is a content-gap, not a framework-gap.**
*Needed:* a remote/network acquisition variant of A1.
*Why it's different:* the base ABox instantiates **only local variants** (`varLsass`, `varHandleDup`); the remote path is not an instantiated `ImplementationVariant`. But it **is authorable** — it realizes the same `coreCred` and composes `pReadProcMem` (authored here in A1). Flagged so a base-only reading (which lists only local variants) is not mistaken for the model's ceiling.
*Consequence:* a responder working from an un-extended base could wrongly treat the remote read as a new/uncovered technique; the L5 spanning observable in fact carries coverage across it.

**D5 — Prevent-side is empty.**
*Needed:* prevent-locus defender maneuvers (Credential Guard / RunAsPPL-LSA protection / RPC-DRSUAPI filtering / replication-ACL hardening) to invalidate a precondition of A1/A2/A3.
*Why the TBox can't carry it:* the TBox *has slots* (`prevent` function, `invalidates`, `hardeningAbsence` clauses) but **no instances populate them** in this environment.
*Consequence:* a "harden the DC to prevent the dump/replication" deliverable is **not projectable**, and A1 has **no fallback** when its single detect-face blinds.

**D6 — Self-referential impairment detection.**
*Needed:* a faithful way to express "the sensor detects its own impairment."
*Why the TBox can't carry it cleanly:* the impairment maneuver's face `dfEdrTelemetry` is `sourcedFrom` the very control being impaired — once `degradesTelemetry true`, that face is itself blind. The model routes confirmation through an **out-of-band investigation** (`invEdr`), but cannot express the circularity as a first-class coverage fact.
*Consequence:* a responder must know to confirm control status from secondary telemetry and never trust the impaired sensor's silence — a reasoning step the coverage graph itself does not enforce.

**D7 — Robustness ceilings are unstateable for the unmodeled paths.**
*Needed:* a robustness grade for the SAM-hive read and (especially) the DCSync replication signal.
*Why the TBox can't carry it:* robustness is a property of an **authored observable**; with no observable authored for A2/A3, there is nothing to grade — even where the security-true grade is intuitively high (the replication right is protocol-forced, near-invariant).
*Consequence:* a responder cannot obtain a card-backed evadability judgment for two of the three paths, so any "how hard to evade / can they retime-rename around it" question on A2/A3 is **unanswerable from this layer** — identical inability across both arms, by construction.

---

**SHACL self-check:** one invariant core per maneuver (A1→`coreCred`, A4→`coreImpair`; A2/A3 author no core — no maneuver, no violation) ✓ · robustness stated only **on observables** as a ceiling (`obsInvariant` L5), never on maneuvers or on the unmodeled paths ✓ · coverage **derived** from face-health + control-status, never asserted; SILENT where underivable ✓ · no occurrences / stepIndex / timeline authored (type altitude only — firewall-clean) ✓ · no retired constructs (no AMC/ORTG/forcedness/chokepointCoupling/"transition"-as-unit/six-fork/`covers`-as-relation/`react`) ✓.