rtexit-method 0.1.0 → 0.1.1

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (220) hide show
  1. package/package.json +2 -5
  2. package/packaged-assets/.agents/skills/rt-active-recon/SKILL.md +767 -0
  3. package/packaged-assets/.agents/skills/rt-active-recon/workflow.md +68 -0
  4. package/packaged-assets/.agents/skills/rt-agent-breaker/SKILL.md +65 -0
  5. package/packaged-assets/.agents/skills/rt-agent-breaker/customize.toml +76 -0
  6. package/packaged-assets/.agents/skills/rt-agent-commander/SKILL.md +63 -0
  7. package/packaged-assets/.agents/skills/rt-agent-commander/customize.toml +67 -0
  8. package/packaged-assets/.agents/skills/rt-agent-ghost/SKILL.md +65 -0
  9. package/packaged-assets/.agents/skills/rt-agent-ghost/customize.toml +77 -0
  10. package/packaged-assets/.agents/skills/rt-agent-navigator/SKILL.md +62 -0
  11. package/packaged-assets/.agents/skills/rt-agent-navigator/customize.toml +61 -0
  12. package/packaged-assets/.agents/skills/rt-agent-phantom/SKILL.md +62 -0
  13. package/packaged-assets/.agents/skills/rt-agent-phantom/customize.toml +62 -0
  14. package/packaged-assets/.agents/skills/rt-agent-scout/SKILL.md +62 -0
  15. package/packaged-assets/.agents/skills/rt-agent-scout/customize.toml +61 -0
  16. package/packaged-assets/.agents/skills/rt-agent-scribe/SKILL.md +65 -0
  17. package/packaged-assets/.agents/skills/rt-agent-scribe/customize.toml +77 -0
  18. package/packaged-assets/.agents/skills/rt-attack-chain-builder/SKILL.md +476 -0
  19. package/packaged-assets/.agents/skills/rt-attack-chain-builder/workflow.md +68 -0
  20. package/packaged-assets/.agents/skills/rt-attack-surface-map/SKILL.md +1209 -0
  21. package/packaged-assets/.agents/skills/rt-attack-surface-map/template.md +62 -0
  22. package/packaged-assets/.agents/skills/rt-autodoc/SKILL.md +258 -0
  23. package/packaged-assets/.agents/skills/rt-c2-operations/SKILL.md +1072 -0
  24. package/packaged-assets/.agents/skills/rt-c2-operations/workflow.md +68 -0
  25. package/packaged-assets/.agents/skills/rt-compliance-mapper/SKILL.md +773 -0
  26. package/packaged-assets/.agents/skills/rt-create-sead/SKILL.md +74 -0
  27. package/packaged-assets/.agents/skills/rt-create-sead/template.md +89 -0
  28. package/packaged-assets/.agents/skills/rt-create-sead/workflow.md +68 -0
  29. package/packaged-assets/.agents/skills/rt-credential-access/SKILL.md +756 -0
  30. package/packaged-assets/.agents/skills/rt-credential-hunt/SKILL.md +856 -0
  31. package/packaged-assets/.agents/skills/rt-credential-hunt/workflow.md +68 -0
  32. package/packaged-assets/.agents/skills/rt-cvss-calculator/SKILL.md +542 -0
  33. package/packaged-assets/.agents/skills/rt-cvss-calculator/cvss4-matrix.csv +20 -0
  34. package/packaged-assets/.agents/skills/rt-data-exfiltration/SKILL.md +784 -0
  35. package/packaged-assets/.agents/skills/rt-defense-evasion/SKILL.md +987 -0
  36. package/packaged-assets/.agents/skills/rt-evidence-chain/SKILL.md +712 -0
  37. package/packaged-assets/.agents/skills/rt-evidence-chain/template.md +31 -0
  38. package/packaged-assets/.agents/skills/rt-executive-report/SKILL.md +718 -0
  39. package/packaged-assets/.agents/skills/rt-executive-report/template.md +38 -0
  40. package/packaged-assets/.agents/skills/rt-executive-report/workflow.md +68 -0
  41. package/packaged-assets/.agents/skills/rt-exploit-active-directory/SKILL.md +1078 -0
  42. package/packaged-assets/.agents/skills/rt-exploit-active-directory/ad-checklist.csv +12 -0
  43. package/packaged-assets/.agents/skills/rt-exploit-active-directory/workflow.md +68 -0
  44. package/packaged-assets/.agents/skills/rt-exploit-android/SKILL.md +1329 -0
  45. package/packaged-assets/.agents/skills/rt-exploit-android/masvs-checklist.csv +10 -0
  46. package/packaged-assets/.agents/skills/rt-exploit-android/workflow.md +68 -0
  47. package/packaged-assets/.agents/skills/rt-exploit-api/SKILL.md +1547 -0
  48. package/packaged-assets/.agents/skills/rt-exploit-api/workflow.md +68 -0
  49. package/packaged-assets/.agents/skills/rt-exploit-auth/SKILL.md +1949 -0
  50. package/packaged-assets/.agents/skills/rt-exploit-auth/workflow.md +68 -0
  51. package/packaged-assets/.agents/skills/rt-exploit-bec/SKILL.md +69 -0
  52. package/packaged-assets/.agents/skills/rt-exploit-cloud-aws/SKILL.md +865 -0
  53. package/packaged-assets/.agents/skills/rt-exploit-cloud-aws/workflow.md +68 -0
  54. package/packaged-assets/.agents/skills/rt-exploit-cloud-azure/SKILL.md +1258 -0
  55. package/packaged-assets/.agents/skills/rt-exploit-cloud-gcp/SKILL.md +981 -0
  56. package/packaged-assets/.agents/skills/rt-exploit-containers/SKILL.md +55 -0
  57. package/packaged-assets/.agents/skills/rt-exploit-databases/SKILL.md +1374 -0
  58. package/packaged-assets/.agents/skills/rt-exploit-desktop-mac/SKILL.md +834 -0
  59. package/packaged-assets/.agents/skills/rt-exploit-desktop-win/SKILL.md +903 -0
  60. package/packaged-assets/.agents/skills/rt-exploit-desktop-win/workflow.md +68 -0
  61. package/packaged-assets/.agents/skills/rt-exploit-dotnet/SKILL.md +945 -0
  62. package/packaged-assets/.agents/skills/rt-exploit-elasticsearch/SKILL.md +68 -0
  63. package/packaged-assets/.agents/skills/rt-exploit-electron/SKILL.md +1023 -0
  64. package/packaged-assets/.agents/skills/rt-exploit-electron/workflow.md +68 -0
  65. package/packaged-assets/.agents/skills/rt-exploit-file-upload/SKILL.md +1576 -0
  66. package/packaged-assets/.agents/skills/rt-exploit-file-upload/payloads/README.md +4 -0
  67. package/packaged-assets/.agents/skills/rt-exploit-file-upload/workflow.md +68 -0
  68. package/packaged-assets/.agents/skills/rt-exploit-firebase/SKILL.md +54 -0
  69. package/packaged-assets/.agents/skills/rt-exploit-frameworks/SKILL.md +967 -0
  70. package/packaged-assets/.agents/skills/rt-exploit-idor/SKILL.md +1693 -0
  71. package/packaged-assets/.agents/skills/rt-exploit-idor/workflow.md +68 -0
  72. package/packaged-assets/.agents/skills/rt-exploit-injection/SKILL.md +1860 -0
  73. package/packaged-assets/.agents/skills/rt-exploit-injection/payloads/sqlmap-tampers.txt +22 -0
  74. package/packaged-assets/.agents/skills/rt-exploit-injection/workflow.md +68 -0
  75. package/packaged-assets/.agents/skills/rt-exploit-ios/SKILL.md +1214 -0
  76. package/packaged-assets/.agents/skills/rt-exploit-ios/workflow.md +68 -0
  77. package/packaged-assets/.agents/skills/rt-exploit-iot/SKILL.md +91 -0
  78. package/packaged-assets/.agents/skills/rt-exploit-iot/workflow.md +68 -0
  79. package/packaged-assets/.agents/skills/rt-exploit-java/SKILL.md +1009 -0
  80. package/packaged-assets/.agents/skills/rt-exploit-jwt/SKILL.md +1327 -0
  81. package/packaged-assets/.agents/skills/rt-exploit-jwt/workflow.md +68 -0
  82. package/packaged-assets/.agents/skills/rt-exploit-mongodb/SKILL.md +67 -0
  83. package/packaged-assets/.agents/skills/rt-exploit-mssql/SKILL.md +52 -0
  84. package/packaged-assets/.agents/skills/rt-exploit-mysql/SKILL.md +53 -0
  85. package/packaged-assets/.agents/skills/rt-exploit-network/SKILL.md +118 -0
  86. package/packaged-assets/.agents/skills/rt-exploit-network/workflow.md +68 -0
  87. package/packaged-assets/.agents/skills/rt-exploit-nodejs/SKILL.md +852 -0
  88. package/packaged-assets/.agents/skills/rt-exploit-osticket/SKILL.md +63 -0
  89. package/packaged-assets/.agents/skills/rt-exploit-phishing/SKILL.md +173 -0
  90. package/packaged-assets/.agents/skills/rt-exploit-phishing/templates/README.md +4 -0
  91. package/packaged-assets/.agents/skills/rt-exploit-phishing/workflow.md +68 -0
  92. package/packaged-assets/.agents/skills/rt-exploit-php/SKILL.md +1119 -0
  93. package/packaged-assets/.agents/skills/rt-exploit-physical/SKILL.md +63 -0
  94. package/packaged-assets/.agents/skills/rt-exploit-physical/workflow.md +68 -0
  95. package/packaged-assets/.agents/skills/rt-exploit-postgresql/SKILL.md +67 -0
  96. package/packaged-assets/.agents/skills/rt-exploit-python/SKILL.md +986 -0
  97. package/packaged-assets/.agents/skills/rt-exploit-redis/SKILL.md +68 -0
  98. package/packaged-assets/.agents/skills/rt-exploit-ruby/SKILL.md +61 -0
  99. package/packaged-assets/.agents/skills/rt-exploit-scada/SKILL.md +1091 -0
  100. package/packaged-assets/.agents/skills/rt-exploit-ssrf/SKILL.md +1528 -0
  101. package/packaged-assets/.agents/skills/rt-exploit-ssrf/payloads.txt +23 -0
  102. package/packaged-assets/.agents/skills/rt-exploit-ssrf/workflow.md +68 -0
  103. package/packaged-assets/.agents/skills/rt-exploit-vishing/SKILL.md +121 -0
  104. package/packaged-assets/.agents/skills/rt-exploit-vishing/scripts.md +4 -0
  105. package/packaged-assets/.agents/skills/rt-exploit-web/SKILL.md +1902 -0
  106. package/packaged-assets/.agents/skills/rt-exploit-web/owasp-checklist.csv +14 -0
  107. package/packaged-assets/.agents/skills/rt-exploit-web/workflow.md +68 -0
  108. package/packaged-assets/.agents/skills/rt-exploit-wireless/SKILL.md +71 -0
  109. package/packaged-assets/.agents/skills/rt-exploit-wordpress/SKILL.md +1565 -0
  110. package/packaged-assets/.agents/skills/rt-exploit-wordpress/cves.csv +7 -0
  111. package/packaged-assets/.agents/skills/rt-exploit-wordpress/workflow.md +68 -0
  112. package/packaged-assets/.agents/skills/rt-exploit-xss/SKILL.md +1526 -0
  113. package/packaged-assets/.agents/skills/rt-exploit-xss/payloads.txt +18 -0
  114. package/packaged-assets/.agents/skills/rt-exploit-xss/workflow.md +68 -0
  115. package/packaged-assets/.agents/skills/rt-finding-document/SKILL.md +687 -0
  116. package/packaged-assets/.agents/skills/rt-finding-document/template.md +71 -0
  117. package/packaged-assets/.agents/skills/rt-finding-document/workflow.md +68 -0
  118. package/packaged-assets/.agents/skills/rt-finding-tracker/SKILL.md +216 -0
  119. package/packaged-assets/.agents/skills/rt-finding-tracker/workflow.md +68 -0
  120. package/packaged-assets/.agents/skills/rt-help/SKILL.md +292 -0
  121. package/packaged-assets/.agents/skills/rt-help/workflow.md +68 -0
  122. package/packaged-assets/.agents/skills/rt-js-analysis/SKILL.md +639 -0
  123. package/packaged-assets/.agents/skills/rt-js-analysis/patterns.txt +27 -0
  124. package/packaged-assets/.agents/skills/rt-js-analysis/workflow.md +68 -0
  125. package/packaged-assets/.agents/skills/rt-kill-chain-map/SKILL.md +393 -0
  126. package/packaged-assets/.agents/skills/rt-lateral-movement/SKILL.md +1032 -0
  127. package/packaged-assets/.agents/skills/rt-lateral-movement/workflow.md +68 -0
  128. package/packaged-assets/.agents/skills/rt-methodology-selector/SKILL.md +69 -0
  129. package/packaged-assets/.agents/skills/rt-methodology-selector/frameworks.csv +10 -0
  130. package/packaged-assets/.agents/skills/rt-methodology-selector/workflow.md +68 -0
  131. package/packaged-assets/.agents/skills/rt-mitre-map/SKILL.md +668 -0
  132. package/packaged-assets/.agents/skills/rt-mitre-map/tactics.csv +16 -0
  133. package/packaged-assets/.agents/skills/rt-mitre-map/workflow.md +68 -0
  134. package/packaged-assets/.agents/skills/rt-osint/SKILL.md +775 -0
  135. package/packaged-assets/.agents/skills/rt-osint/osint-sources.csv +12 -0
  136. package/packaged-assets/.agents/skills/rt-osint/workflow.md +68 -0
  137. package/packaged-assets/.agents/skills/rt-party-mode/SKILL.md +249 -0
  138. package/packaged-assets/.agents/skills/rt-party-mode/workflow.md +68 -0
  139. package/packaged-assets/.agents/skills/rt-persistence/SKILL.md +1146 -0
  140. package/packaged-assets/.agents/skills/rt-persistence/workflow.md +68 -0
  141. package/packaged-assets/.agents/skills/rt-poc-writer/SKILL.md +640 -0
  142. package/packaged-assets/.agents/skills/rt-post-exploitation/SKILL.md +998 -0
  143. package/packaged-assets/.agents/skills/rt-post-exploitation/linux-checklist.csv +10 -0
  144. package/packaged-assets/.agents/skills/rt-post-exploitation/windows-checklist.csv +10 -0
  145. package/packaged-assets/.agents/skills/rt-post-exploitation/workflow.md +68 -0
  146. package/packaged-assets/.agents/skills/rt-privilege-escalation/SKILL.md +1027 -0
  147. package/packaged-assets/.agents/skills/rt-privilege-escalation/linux-checklist.csv +10 -0
  148. package/packaged-assets/.agents/skills/rt-privilege-escalation/win-checklist.csv +10 -0
  149. package/packaged-assets/.agents/skills/rt-privilege-escalation/workflow.md +68 -0
  150. package/packaged-assets/.agents/skills/rt-remediation-roadmap/SKILL.md +665 -0
  151. package/packaged-assets/.agents/skills/rt-remediation-roadmap/template.md +28 -0
  152. package/packaged-assets/.agents/skills/rt-risk-matrix/SKILL.md +232 -0
  153. package/packaged-assets/.agents/skills/rt-rules-of-engagement/SKILL.md +62 -0
  154. package/packaged-assets/.agents/skills/rt-rules-of-engagement/workflow.md +68 -0
  155. package/packaged-assets/.agents/skills/rt-scenario-c001/SKILL.md +71 -0
  156. package/packaged-assets/.agents/skills/rt-scenario-c002/SKILL.md +69 -0
  157. package/packaged-assets/.agents/skills/rt-scenario-c003/SKILL.md +71 -0
  158. package/packaged-assets/.agents/skills/rt-scenario-c004/SKILL.md +71 -0
  159. package/packaged-assets/.agents/skills/rt-scenario-c005/SKILL.md +72 -0
  160. package/packaged-assets/.agents/skills/rt-scenario-d001/SKILL.md +378 -0
  161. package/packaged-assets/.agents/skills/rt-scenario-d002/SKILL.md +392 -0
  162. package/packaged-assets/.agents/skills/rt-scenario-d003/SKILL.md +522 -0
  163. package/packaged-assets/.agents/skills/rt-scenario-d004/SKILL.md +373 -0
  164. package/packaged-assets/.agents/skills/rt-scenario-d005/SKILL.md +458 -0
  165. package/packaged-assets/.agents/skills/rt-scenario-library/SKILL.md +292 -0
  166. package/packaged-assets/.agents/skills/rt-scenario-library/scenarios.csv +32 -0
  167. package/packaged-assets/.agents/skills/rt-scenario-m001/SKILL.md +796 -0
  168. package/packaged-assets/.agents/skills/rt-scenario-m002/SKILL.md +723 -0
  169. package/packaged-assets/.agents/skills/rt-scenario-m003/SKILL.md +463 -0
  170. package/packaged-assets/.agents/skills/rt-scenario-m004/SKILL.md +449 -0
  171. package/packaged-assets/.agents/skills/rt-scenario-m005/SKILL.md +505 -0
  172. package/packaged-assets/.agents/skills/rt-scenario-n001/SKILL.md +573 -0
  173. package/packaged-assets/.agents/skills/rt-scenario-n002/SKILL.md +112 -0
  174. package/packaged-assets/.agents/skills/rt-scenario-n003/SKILL.md +100 -0
  175. package/packaged-assets/.agents/skills/rt-scenario-n004/SKILL.md +90 -0
  176. package/packaged-assets/.agents/skills/rt-scenario-n005/SKILL.md +71 -0
  177. package/packaged-assets/.agents/skills/rt-scenario-w001/SKILL.md +635 -0
  178. package/packaged-assets/.agents/skills/rt-scenario-w002/SKILL.md +612 -0
  179. package/packaged-assets/.agents/skills/rt-scenario-w003/SKILL.md +449 -0
  180. package/packaged-assets/.agents/skills/rt-scenario-w004/SKILL.md +648 -0
  181. package/packaged-assets/.agents/skills/rt-scenario-w005/SKILL.md +479 -0
  182. package/packaged-assets/.agents/skills/rt-scenario-w006/SKILL.md +443 -0
  183. package/packaged-assets/.agents/skills/rt-scenario-w007/SKILL.md +494 -0
  184. package/packaged-assets/.agents/skills/rt-scenario-w008/SKILL.md +576 -0
  185. package/packaged-assets/.agents/skills/rt-scenario-w009/SKILL.md +518 -0
  186. package/packaged-assets/.agents/skills/rt-scenario-w010/SKILL.md +574 -0
  187. package/packaged-assets/.agents/skills/rt-scope-definition/SKILL.md +79 -0
  188. package/packaged-assets/.agents/skills/rt-scope-definition/workflow.md +68 -0
  189. package/packaged-assets/.agents/skills/rt-shodan-recon/SKILL.md +880 -0
  190. package/packaged-assets/.agents/skills/rt-status/SKILL.md +64 -0
  191. package/packaged-assets/.agents/skills/rt-subdomain-enum/SKILL.md +906 -0
  192. package/packaged-assets/.agents/skills/rt-subdomain-enum/workflow.md +68 -0
  193. package/packaged-assets/.agents/skills/rt-technical-report/SKILL.md +710 -0
  194. package/packaged-assets/.agents/skills/rt-technical-report/template.md +41 -0
  195. package/packaged-assets/.agents/skills/rt-technical-report/workflow.md +68 -0
  196. package/packaged-assets/.agents/skills/rt-threat-model/SKILL.md +59 -0
  197. package/packaged-assets/.agents/skills/rt-threat-model/template.md +32 -0
  198. package/packaged-assets/.agents/skills/rt-threat-model/workflow.md +68 -0
  199. package/packaged-assets/.agents/skills/rt-timeline/SKILL.md +338 -0
  200. package/packaged-assets/RTEXIT.md +127 -0
  201. package/tools/installer/lib/asset-manifest.js +10 -5
  202. package/tools/installer/lib/copy-assets.js +5 -2
  203. /package/{_rtexit → packaged-assets/_rtexit}/config.toml +0 -0
  204. /package/{_rtexit → packaged-assets/_rtexit}/config.user.toml +0 -0
  205. /package/{_rtexit → packaged-assets/_rtexit}/custom/config.toml +0 -0
  206. /package/{_rtexit → packaged-assets/_rtexit}/scripts/autodoc_engine.py +0 -0
  207. /package/{_rtexit → packaged-assets/_rtexit}/scripts/finding_tracker.py +0 -0
  208. /package/{_rtexit → packaged-assets/_rtexit}/scripts/resolve_config.py +0 -0
  209. /package/{_rtexit → packaged-assets/_rtexit}/scripts/resolve_customization.py +0 -0
  210. /package/{resources → packaged-assets/resources}/certifications.md +0 -0
  211. /package/{resources → packaged-assets/resources}/payloads.md +0 -0
  212. /package/{resources → packaged-assets/resources}/tools.md +0 -0
  213. /package/{resources → packaged-assets/resources}/wordlists.md +0 -0
  214. /package/{templates → packaged-assets/templates}/attack-chain-template.md +0 -0
  215. /package/{templates → packaged-assets/templates}/executive-report-template.md +0 -0
  216. /package/{templates → packaged-assets/templates}/executive-report.md +0 -0
  217. /package/{templates → packaged-assets/templates}/finding-template.md +0 -0
  218. /package/{templates → packaged-assets/templates}/remediation-roadmap.md +0 -0
  219. /package/{templates → packaged-assets/templates}/sead-template.md +0 -0
  220. /package/{templates → packaged-assets/templates}/technical-report.md +0 -0
package/packaged-assets/.agents/skills/rt-scenario-n003/SKILL.md ADDED
@@ -0,0 +1,100 @@
1
+ ---
2
+ name: rt-scenario-n003
3
+ description: "N-003: Active Directory attack-path mapping with BloodHound-style relationship analysis. Domain: network. Authorized scenario for identifying privilege paths, validating control gaps, and building remediation plans."
4
+ ---
5
+
6
+ # N-003: Active Directory Attack Path Mapping
7
+
8
+ ## Overview
9
+
10
+ This scenario evaluates whether normal or low-privileged domain relationships can create a path to high-value assets such as Domain Admins, server admins, backup systems, or sensitive file shares. It emphasizes graph analysis, safe validation, and remediation.
11
+
12
+ | Field | Value |
13
+ |---|---|
14
+ | Domain | Active Directory |
15
+ | Objective | Identify and prioritize privilege paths |
16
+ | Required Access | Domain user or approved directory data export |
17
+ | Detection Risk | Low to Medium |
18
+ | Primary Impact | Privilege escalation and domain compromise path |
19
+
20
+ ## Prerequisites
21
+
22
+ - Domain scope approved.
23
+ - Collection method approved.
24
+ - Account used for collection documented.
25
+ - Sensitive group list agreed with client.
26
+ - No privilege modification unless explicitly approved.
27
+
28
+ ## Attack Chain Model
29
+
30
+ 1. Collect directory relationship data.
31
+ 2. Import graph into analysis tooling.
32
+ 3. Identify paths from low privilege to high-value principals.
33
+ 4. Validate each edge with read-only evidence where possible.
34
+ 5. Recommend changes that break the path earliest.
35
+
36
+ ## Workflow
37
+
38
+ ### Step 1 - Define Crown Jewels
39
+
40
+ Examples:
41
+
42
+ - Domain Admins.
43
+ - Enterprise Admins.
44
+ - Backup operators.
45
+ - Tier 0 servers.
46
+ - CI/CD service accounts.
47
+ - Sensitive file shares.
48
+
49
+ ### Step 2 - Collect Relationship Data
50
+
51
+ Use the collection method approved by the client. Record collection time, account, domain, and data retention plan.
52
+
53
+ ### Step 3 - Analyze Paths
54
+
55
+ Prioritize paths involving:
56
+
57
+ - GenericAll / GenericWrite.
58
+ - WriteDACL / WriteOwner.
59
+ - AddMember rights.
60
+ - Unconstrained or risky delegation.
61
+ - Local admin paths to servers.
62
+ - Kerberoastable privileged service accounts.
63
+ - Stale privileged users.
64
+
65
+ ### Step 4 - Validate Safely
66
+
67
+ For each edge, capture configuration evidence instead of changing privileges:
68
+
69
+ | Edge | Safe Proof |
70
+ |---|---|
71
+ | Group membership control | ACL screenshot/export |
72
+ | Local admin path | Client-approved admin mapping |
73
+ | Delegation | AD attribute evidence |
74
+ | Service account risk | SPN and privilege context |
75
+
76
+ ## MITRE ATT&CK Mapping
77
+
78
+ | Phase | Tactic | Technique |
79
+ |---|---|---|
80
+ | Discovery | Discovery | Account Discovery |
81
+ | Privilege Path | Privilege Escalation | Domain Policy Modification |
82
+ | Access | Defense Evasion / Persistence | Valid Accounts |
83
+
84
+ ## Evidence
85
+
86
+ - Path screenshot.
87
+ - Edge details.
88
+ - Affected principals.
89
+ - Business owner if known.
90
+ - Recommended break point.
91
+
92
+ ## Remediation
93
+
94
+ - Remove unnecessary delegated rights.
95
+ - Apply tiered administration.
96
+ - Clean stale groups and users.
97
+ - Limit local admin sprawl.
98
+ - Review service account privileges.
99
+ - Monitor changes to privileged ACLs and groups.
100
+
package/packaged-assets/.agents/skills/rt-scenario-n004/SKILL.md ADDED
@@ -0,0 +1,90 @@
1
+ ---
2
+ name: rt-scenario-n004
3
+ description: "N-004: Hash reuse and pass-the-hash risk assessment. Domain: network. Authorized scenario for evaluating credential hygiene, lateral movement controls, SMB protections, and remediation."
4
+ ---
5
+
6
+ # N-004: Hash Reuse and Lateral Movement Risk
7
+
8
+ ## Overview
9
+
10
+ This scenario assesses whether credential material from one host could enable access to other hosts due to local admin reuse, weak endpoint protections, missing SMB signing, or insufficient segmentation. Production credential use requires explicit authorization.
11
+
12
+ | Field | Value |
13
+ |---|---|
14
+ | Domain | Network / Windows |
15
+ | Objective | Evaluate lateral movement risk from credential reuse |
16
+ | Required Access | Compromised test host or client-provided evidence |
17
+ | Detection Risk | Medium |
18
+ | Primary Impact | Lateral movement and sensitive data access |
19
+
20
+ ## Prerequisites
21
+
22
+ - Host scope approved.
23
+ - Credential testing rules approved.
24
+ - Test credentials or lab evidence preferred.
25
+ - SOC notification completed where required.
26
+ - Cleanup and reporting process defined.
27
+
28
+ ## Attack Chain Model
29
+
30
+ 1. Initial endpoint access exposes credential material or local admin context.
31
+ 2. Same credential or hash works on other hosts.
32
+ 3. Attacker reaches file servers, admin servers, or management tools.
33
+ 4. Sensitive data or broader administrative access becomes available.
34
+
35
+ ## Safe Validation Workflow
36
+
37
+ ### Step 1 - Control Review
38
+
39
+ Review:
40
+
41
+ - Windows LAPS coverage.
42
+ - Credential Guard.
43
+ - LSASS protection.
44
+ - Local admin group membership.
45
+ - SMB signing.
46
+ - Admin tiering.
47
+ - Remote administration restrictions.
48
+
49
+ ### Step 2 - Reuse Analysis
50
+
51
+ Prefer client-provided configuration or test credentials. Build a matrix:
52
+
53
+ | Credential Class | Reused? | Host Count | Business Risk |
54
+ |---|---|---:|---|
55
+ | Local admin | [yes/no] | [count] | [risk] |
56
+ | Service account | [yes/no] | [count] | [risk] |
57
+
58
+ ### Step 3 - Segmentation and Access Review
59
+
60
+ Map which host classes can authenticate to which network zones.
61
+
62
+ ### Step 4 - Impact Statement
63
+
64
+ State what a real attacker could reach if one endpoint is compromised.
65
+
66
+ ## MITRE ATT&CK Mapping
67
+
68
+ | Phase | Tactic | Technique |
69
+ |---|---|---|
70
+ | Credential Use | Lateral Movement | Pass the Hash |
71
+ | Remote Access | Lateral Movement | SMB/Windows Admin Shares |
72
+ | Collection | Collection | Data from Network Shared Drive |
73
+
74
+ ## Evidence
75
+
76
+ - LAPS coverage export.
77
+ - Local admin inventory.
78
+ - SMB signing status.
79
+ - Test credential validation result if approved.
80
+ - Network path matrix.
81
+
82
+ ## Remediation
83
+
84
+ - Deploy Windows LAPS.
85
+ - Remove shared local admins.
86
+ - Enforce SMB signing.
87
+ - Enable Credential Guard where possible.
88
+ - Restrict lateral admin protocols.
89
+ - Monitor lateral logons and admin share access.
90
+
package/packaged-assets/.agents/skills/rt-scenario-n005/SKILL.md ADDED
@@ -0,0 +1,71 @@
1
+ ---
2
+ name: rt-scenario-n005
3
+ description: "N-005: Kerberos trust and ticket-lifetime persistence risk assessment. Domain: network. Authorized Active Directory scenario focused on KRBTGT hygiene, delegation, privileged accounts, detection, and remediation."
4
+ ---
5
+
6
+ # N-005: Kerberos Privilege Persistence Risk
7
+
8
+ ## Overview
9
+
10
+ This scenario evaluates whether Kerberos configuration and privileged account hygiene could allow long-lived domain persistence. It does not require creating forged tickets in production; most value comes from configuration review, rotation history, and detection readiness.
11
+
12
+ | Field | Value |
13
+ |---|---|
14
+ | Domain | Active Directory |
15
+ | Objective | Assess Kerberos persistence risk |
16
+ | Required Access | Directory read access or admin-provided exports |
17
+ | Detection Risk | Low for review, High for active validation |
18
+ | Primary Impact | Long-lived privileged access |
19
+
20
+ ## Prerequisites
21
+
22
+ - Domain scope approved.
23
+ - Read-only review preferred.
24
+ - KRBTGT rotation history available if possible.
25
+ - SIEM/detection contacts identified.
26
+ - No forged ticket activity unless explicitly approved in lab.
27
+
28
+ ## Risk Areas
29
+
30
+ | Area | Why It Matters |
31
+ |---|---|
32
+ | KRBTGT Rotation | Stale KRBTGT secrets can extend persistence risk. |
33
+ | Ticket Lifetime | Long lifetimes increase abuse window. |
34
+ | Privileged Groups | Excess members increase credential exposure. |
35
+ | Delegation | Misconfigured delegation can enable privilege paths. |
36
+ | Logging | Weak Kerberos monitoring delays detection. |
37
+
38
+ ## Workflow
39
+
40
+ 1. Collect domain policy and Kerberos settings.
41
+ 2. Review KRBTGT rotation date and process.
42
+ 3. Review privileged group membership.
43
+ 4. Review delegation settings and service accounts.
44
+ 5. Review detection coverage for unusual tickets and privileged logons.
45
+ 6. Produce a rotation and monitoring roadmap.
46
+
47
+ ## MITRE ATT&CK Mapping
48
+
49
+ | Phase | Tactic | Technique |
50
+ |---|---|---|
51
+ | Persistence | Persistence | Golden Ticket |
52
+ | Credential Use | Defense Evasion | Use Alternate Authentication Material |
53
+ | Privilege | Privilege Escalation | Valid Accounts |
54
+
55
+ ## Evidence
56
+
57
+ - Domain policy export.
58
+ - KRBTGT password last set date.
59
+ - Privileged group review.
60
+ - Delegation review.
61
+ - Detection rule inventory.
62
+
63
+ ## Remediation
64
+
65
+ - Rotate KRBTGT safely using a staged process.
66
+ - Reduce ticket lifetimes where appropriate.
67
+ - Clean privileged group membership.
68
+ - Remove risky delegation.
69
+ - Monitor anomalous TGT/TGS behavior.
70
+ - Tier administrative accounts.
71
+