Skip to content

HTML Report Overview

The enum command generates a self-contained HTML report after every run.

Key properties

  • Single file — all CSS, JavaScript, and data are embedded inline. No server, no external requests.
  • Works offline — share via email or archive. Analysts can open it on air-gapped systems.
  • Dark/light theme — toggle in the top-right corner; preference saved to localStorage.
  • Global search — search bar above tabs highlights matches across all sections. Results appear as clickable tab buttons (e.g. ACL (5) Kerberos (2)). Press Enter to jump to the tab with the most matches, or click any button to navigate directly. Collapsed sections are auto-expanded when they contain a match. The ✕ Clear button appears only when the field has text.
  • D3.js attack path graph — interactive force-directed graph; node size represents path count, red arrows indicate admin-level paths, hover tooltips, zoom/pan, Reset Zoom button. Capped at 80 nodes — privileged nodes (groups, adminCount) are always kept.
  • History tab — load one or more previous morok reports to compare findings over time, track remediation progress, and generate an executive narrative. Works entirely in the browser — no uploads, no server.

Report path

By default the report is saved next to the binary with a timestamp in the name:

corp.local_2026-04-22_10-30-45.html

Override with --report:

morok enum -d corp.local -u jdoe -p 'Password1' --dc 10.0.0.1 \
  --report /tmp/engagement_corp.html

Summary page

The first tab shows an executive summary:

  • Object counts (users, groups, computers)
  • Findings bar chart by severity (Critical / High / Medium / Info)
  • Summary cards — each card is clickable and jumps to the corresponding tab:
  • Attack Paths, Kerberoastable, AS-REP, Dangerous ACLs, Delegation, Stale accounts, ADCS, Shadow Credentials, etc.

Remediation tracking (History tab)

Every morok report generated with v1.1.0+ embeds a compact JSON snapshot of its findings. The History tab reads that snapshot from any previously generated report you load locally — no data ever leaves your machine.

Open the current report, switch to the History tab, and click Load baseline reports… to select one or more older .html reports. The tab then shows:

  • An Executive Verdict sentence you can paste into a slide deck
  • Summary metric cards with delta percentages vs the oldest baseline
  • A risk score trend line across all loaded snapshots
  • A timeline table with grade, score, and severity counts per report
  • A findings comparison split into Regressions / Resolved & Improved / Outstanding

See Tabs reference → History for the full breakdown.

Version requirement

The History tab requires both the current report and every baseline report to be generated by morok v1.1.0 or later. Older reports do not contain the embedded snapshot and will be rejected with an error message.

Scale handling

Large environments are handled gracefully:

  • Tables with more than 100 rows are truncated with a Show all N rows button.
  • The D3 attack path graph is capped at 80 nodes; privileged nodes are always included first.

Exploit / Fix accordion

Every finding card (attack path, ACL, delegation, ADCS, etc.) has a collapsible Exploit / Fix section with:

  • Contextual exploit commands (bloodyAD, GetUserSPNs, getST.py, certipy, etc.) filled with discovered names/hashes
  • Remediation steps

MITRE ATT&CK badges

Section headers include purple T-code badges linking to the corresponding MITRE ATT&CK technique page. In the ACL tab, badges appear on group headers (not repeated per finding row). Click any badge to open the technique on attack.mitre.org.

Section tooltips

Every section header has a ? icon. Hover to get a brief explanation of what the section checks and why it matters.