rtexit-method 0.1.0 → 0.1.1

package/packaged-assets/.agents/skills/rt-exploit-active-directory/ad-checklist.csv

@@ -0,0 +1,12 @@
+category,control,check,status,evidence,notes
+Identity,Privileged groups,Review Domain Admins Enterprise Admins Administrators,TODO,,
+Identity,Stale privileged users,Identify disabled/inactive privileged principals,TODO,,
+Identity,Service accounts,Review SPNs privilege and password age,TODO,,
+Delegation,Unconstrained delegation,Identify systems/accounts with unconstrained delegation,TODO,,
+Delegation,Constrained delegation,Review protocol transition and target services,TODO,,
+ACLs,Dangerous rights,Review GenericAll GenericWrite WriteDACL WriteOwner AddMember,TODO,,
+Local Admin,Admin sprawl,Map local administrator rights across servers/workstations,TODO,,
+Kerberos,KRBTGT hygiene,Review rotation history and ticket policy,TODO,,
+Protocols,Legacy auth,Review NTLM LLMNR NBNS SMB signing posture,TODO,,
+Monitoring,Detection,Review alerts for group changes delegation and Kerberos anomalies,TODO,,
+

package/packaged-assets/.agents/skills/rt-exploit-active-directory/workflow.md

@@ -0,0 +1,68 @@
+# Workflow - rt-exploit-active-directory
+
+## Purpose
+
+This workflow standardizes how $skill is executed inside RTExit. It is designed for authorized engagements, evidence-first documentation, and consistent handoff into reporting.
+
+## Authorization Gate
+
+Before execution, confirm:
+
+- SEAD exists and explicitly covers the target asset or activity.
+- Rules of Engagement define allowed techniques, rate limits, and stop conditions.
+- The operator knows the evidence handling rules.
+- Any active or sensitive validation has client approval.
+
+If any item is unclear, pause and invoke 
+
+## Required Inputs
+
+| Input | Source | Notes |
+|---|---|---|
+| Engagement reference | _rtexit/config.toml or SEAD | Used in output names. |
+| Target asset(s) | Scope document | Must be explicitly approved. |
+| Operator name | Config/user context | Used in timeline entries. |
+| Evidence directory | _rtexit-output/docs/evidence/ | Store logs, screenshots, and artifacts. |
+| Finding tracker | _rtexit-output/docs/findings/ | Create/update findings when confirmed. |
+
+## Execution Steps
+
+1. Load current engagement configuration.
+2. Read scope, exclusions, and current findings.
+3. Build a small test plan for this skill with target, expected control, and evidence type.
+4. Run the lowest-risk validation first.
+5. Capture baseline behavior before proof behavior.
+6. Record exact timestamp, account/role used, and affected asset.
+7. Stop when evidence is sufficient; avoid unnecessary data access.
+8. Create or update findings through the RTExit finding tracker.
+9. Map remediation owner and recommended timeline.
+10. Add a timeline entry and evidence chain entry.
+
+## Evidence Requirements
+
+| Evidence | Required? | Notes |
+|---|---|---|
+| Command or action summary | Yes | Redact secrets and tokens. |
+| Screenshot or transcript | If useful | Store under evidence folder. |
+| Request/response pair | For web/API | Redact cookies and bearer tokens. |
+| Config excerpt | For cloud/infra | Include only relevant lines. |
+| Business impact note | Yes | Explain why it matters. |
+
+## Autodoc Commands
+
+`ash
+python _rtexit/scripts/autodoc_engine.py log --skill rt-exploit-active-directory --phase auto --cmd "workflow execution" --output "summary"
+python _rtexit/scripts/finding_tracker.py list
+`
+
+## Completion Criteria
+
+- Scope and authorization are referenced.
+- Evidence is stored and redacted.
+- Findings are added or explicitly marked as not found.
+- Remediation guidance is actionable.
+- Timeline and chain of custody are updated where applicable.
+
+## Handoff
+
+Send confirmed findings to