rtexit-method 0.1.0 → 0.1.1

package/packaged-assets/.agents/skills/rt-help/SKILL.md

@@ -0,0 +1,292 @@
+---
+name: rt-help
+description: "Guide for Red Team operators to determine next steps in any engagement phase. Analyzes current phase, completed activities, and findings to recommend the most valuable next action. Invokes correct skill automatically. Entry point for new operators and context switching. Works like a smart engagement advisor."
+---
+
+# rt-help — Red Team Engagement Advisor
+
+## 1. Purpose and When to Use
+
+**rt-help** is the primary entry point for all RTExit engagements. It acts as a smart engagement advisor that reads where you are in an operation and tells you what to do next — or does it for you by invoking the appropriate skill.
+
+Use rt-help when:
+
+- Starting a new engagement and unsure where to begin
+- Picking up a mid-flight engagement after a context switch or handoff
+- Stuck between phases with no clear next move
+- Wanting a second opinion on whether to escalate, pivot, or conclude
+- Onboarding a new operator who needs situational awareness fast
+- Looking for a gap analysis: what has been done vs. what still needs coverage
+
+rt-help is phase-agnostic. It works across recon, initial access, lateral movement, persistence, exfiltration, and reporting phases. It reads the current state and recommends forward momentum without requiring the operator to remember which skill covers which action.
+
+---
+
+## 2. Step-by-Step Workflow
+
+### Step 1 — Context Capture
+
+rt-help begins by collecting the engagement context. It will ask for or read from the engagement state file:
+
+- Engagement name and target scope
+- Current phase (recon / initial access / post-exploitation / lateral movement / exfiltration / reporting)
+- Completed activities and their outcomes
+- Active findings (vulnerabilities, credentials, footholds, etc.)
+- Constraints (time remaining, rules of engagement, out-of-scope items)
+
+If an engagement state file exists at `.agents/state/engagement.json`, rt-help reads it automatically. Otherwise it prompts the operator interactively.
+
+### Step 2 — Phase and Gap Analysis
+
+rt-help evaluates the current state against the standard red team kill chain:
+
+```
+Recon → Initial Access → Execution → Persistence → Privilege Escalation
+→ Defense Evasion → Credential Access → Discovery → Lateral Movement
+→ Collection → Exfiltration → Reporting
+```
+
+It identifies:
+
+- Which phases are complete, partial, or untouched
+- Which findings have not yet been leveraged
+- Which attack paths are open given current access level
+- Which skills in RTExit cover the identified gaps
+
+### Step 3 — Recommendation
+
+rt-help surfaces a ranked list of recommended next actions. Each recommendation includes:
+
+- What to do
+- Why it is the highest-value move right now
+- Which RTExit skill or script handles it
+- Estimated time investment
+- Risk level to operational security
+
+Example output format:
+
+```
+RECOMMENDED NEXT ACTION
+=======================
+Action : Enumerate local admin accounts on compromised host
+Reason : Current foothold (CORP\svc_backup) has SeBackupPrivilege — high probability of SAM dump success
+Skill  : rt-privesc
+Script : scripts/privesc/backup-privilege-dump.ps1
+Risk   : Low (no AV evasion needed for this technique on this host)
+ETA    : 10–15 minutes
+```
+
+### Step 4 — Skill Invocation (Automatic or Confirmed)
+
+After presenting the recommendation, rt-help offers two modes:
+
+- **Auto mode**: immediately invokes the recommended skill with current context pre-loaded
+- **Advisory mode**: presents the recommendation and waits for operator confirmation before handing off
+
+Operators can override the recommendation and ask rt-help to explain any alternative path instead.
+
+### Step 5 — State Update
+
+After the operator completes the recommended action (or skips it), rt-help updates the engagement state file with:
+
+- Activity completed
+- Outcome (success / partial / failed / skipped)
+- New findings or access gained
+- Timestamp
+
+This keeps the engagement log current for future rt-help queries and final reporting.
+
+---
+
+## 3. Integration with RTExit Scripts and Other Skills
+
+### Engagement State File
+
+rt-help reads and writes `.agents/state/engagement.json`. All other RTExit skills write to this file on completion, so rt-help always has fresh context.
+
+```json
+{
+  "engagement": "ACME Corp External Assessment",
+  "phase": "post-exploitation",
+  "scope": ["10.10.0.0/16", "*.acmecorp.internal"],
+  "completed": [
+    { "activity": "external recon", "outcome": "success", "findings": ["VPN portal at vpn.acmecorp.com", "3 valid email addresses"] },
+    { "activity": "phishing campaign", "outcome": "success", "findings": ["foothold on CORP\\jsmith workstation"] }
+  ],
+  "active_findings": [
+    { "type": "credential", "value": "CORP\\jsmith:P@ssw0rd123", "host": "WKS-JSMITH" },
+    { "type": "access", "level": "local_admin", "host": "WKS-JSMITH" }
+  ],
+  "constraints": {
+    "roe": "no destructive actions, no production databases",
+    "time_remaining_hours": 18
+  }
+}
+```
+
+### Skill Routing Map
+
+rt-help maps engagement gaps to RTExit skills:
+
+| Gap Detected | Skill Invoked |
+|---|---|
+| No recon completed | `rt-recon` |
+| No initial access | `rt-access` |
+| Foothold exists, no privesc attempted | `rt-privesc` |
+| Local admin gained, no lateral movement | `rt-lateral` |
+| Domain access, no credential harvest | `rt-creds` |
+| Findings logged, no report started | `rt-report` |
+| Persistence not established | `rt-persist` |
+| C2 not configured | `rt-c2` |
+
+### Script Integration
+
+RTExit scripts live under `scripts/` and are organized by phase. rt-help references scripts by relative path so operators can copy the exact command to run:
+
+```
+scripts/
+  recon/
+  access/
+  privesc/
+  lateral/
+  creds/
+  persist/
+  exfil/
+  evasion/
+```
+
+When rt-help recommends a script, it provides the full invocation with relevant parameters substituted from the engagement state.
+
+---
+
+## 4. Example Outputs and Interactions
+
+### Example A — New Engagement, No Context
+
+```
+Operator: /rt-help
+
+rt-help: No engagement state found. Let's set one up.
+
+  Engagement name: ACME Corp Q3 Red Team
+  Target scope   : 10.10.0.0/16, *.acmecorp.internal
+  Current phase  : Not started
+  Time budget    : 40 hours
+
+RECOMMENDED STARTING POINT
+===========================
+You have no completed recon. External reconnaissance is always the
+first move — it defines your attack surface before any active testing.
+
+Skill  : rt-recon
+Action : Run passive OSINT and active port discovery against scope
+ETA    : 2–4 hours
+
+Invoke rt-recon now? [Y/n]
+```
+
+### Example B — Mid-Engagement, Foothold Exists
+
+```
+Operator: /rt-help
+
+rt-help: Engagement state loaded. Reading context...
+
+  Phase    : Post-exploitation (initial access complete)
+  Foothold : CORP\jsmith on WKS-JSMITH (local admin)
+  Privesc  : Not attempted
+  Lateral  : Not attempted
+  Time left: 18 hours
+
+RECOMMENDED NEXT ACTION
+=======================
+Action : Attempt privilege escalation from local admin to SYSTEM or domain user
+Reason : Local admin on a domain-joined host is a strong position.
+         Token impersonation and SAM dump are both viable with current access.
+Skill  : rt-privesc
+Script : scripts/privesc/invoke-tokenimpersonation.ps1 -Target WKS-JSMITH -User CORP\\jsmith
+
+Risk   : Low — technique is stable, AV evasion not required per prior evasion scan
+ETA    : 20–30 minutes
+
+Alternative paths available:
+  [1] Enumerate network shares for sensitive data (rt-lateral)
+  [2] Check for unpatched local CVEs (rt-privesc --vuln-scan)
+  [3] Harvest browser credentials from jsmith profile (rt-creds)
+
+Choose an alternative or press Enter to proceed with recommendation:
+```
+
+### Example C — Reporting Phase Trigger
+
+```
+Operator: /rt-help
+
+rt-help: Engagement state loaded.
+
+  Phase       : Post-exploitation
+  Time left   : 3 hours
+  Findings    : 12 logged (4 critical, 5 high, 3 medium)
+  Lateral     : 3 hosts compromised
+  Domain admin: Yes (CORP\DA obtained)
+  Report      : Not started
+
+WARNING: 3 hours remaining is insufficient to expand further.
+Pivoting to reporting is the highest-value action now.
+
+RECOMMENDED NEXT ACTION
+=======================
+Action : Generate executive and technical report from engagement findings
+Skill  : rt-report
+Script : scripts/report/generate-report.py --state .agents/state/engagement.json --format docx
+
+ETA    : 2–3 hours
+Risk   : None
+
+Start rt-report? [Y/n]
+```
+
+### Example D — Operator Asks for Explanation
+
+```
+Operator: Why aren't you recommending exfiltration?
+
+rt-help: Good question. Two reasons:
+
+  1. The rules of engagement flag production databases as out-of-scope.
+     The only data stores rt-creds found are on DB-PROD-01, which is excluded.
+
+  2. With 3 hours left, generating a report that demonstrates domain admin
+     compromise delivers more client value than a partial exfil attempt
+     that may trigger alerts and consume your remaining window.
+
+  If you want to demonstrate exfil capability without touching out-of-scope
+  systems, rt-exfil can stage a controlled exfil from WKS-JSMITH using
+  synthetic data. This satisfies the objective without RoE risk.
+
+  Add synthetic exfil demo to the plan? [Y/n]
+```
+
+---
+
+## 5. Practical Usage Tips
+
+**Always run rt-help at the start of each session.** Even if you know what you are doing, rt-help will catch if the engagement state has changed (e.g., a teammate completed a step during your downtime) and will prevent duplicated effort.
+
+**Use rt-help as a handoff tool.** When rotating operators, the incoming operator runs `/rt-help` and gets a full situational briefing in under 60 seconds. No verbal handoff needed.
+
+**Trust the risk ratings.** rt-help calculates operational security risk based on target environment profile (EDR present, logging level, network segmentation) stored in the engagement state. Low-risk recommendations can usually be executed immediately. High-risk recommendations prompt a checklist before proceeding.
+
+**Override the recommendation when you have human context it lacks.** rt-help does not know about out-of-band intelligence (a teammate who overheard something on a physical assessment, a client tip, etc.). Feed that context back by updating the engagement state and rerunning rt-help.
+
+**Keep the engagement state file accurate.** rt-help is only as good as the state it reads. If you run a script manually without going through a skill, log the outcome in the state file manually or use:
+
+```
+scripts/utils/log-activity.py --activity "manual SAM dump" --outcome "success" --finding "CORP\\administrator NTLM hash obtained"
+```
+
+**Use advisory mode when training junior operators.** Set `mode: advisory` in the engagement state so rt-help always asks for confirmation before invoking skills. This lets the trainer observe the operator's decision-making and correct it in real time.
+
+**Time-box awareness.** rt-help tracks time remaining and will automatically shift recommendations toward high-impact, low-time actions as the engagement window closes. If you disagree with a time-pressure recommendation, you can extend the time budget in the engagement state.
+
+**Chain rt-help with other skills using auto mode.** For automated engagements or CI-style red team pipelines, set `auto_invoke: true` in the engagement state. rt-help will execute the full recommended chain without operator prompts, logging everything to the state file for post-run review.

package/packaged-assets/.agents/skills/rt-help/workflow.md

@@ -0,0 +1,68 @@
+# Workflow - rt-help
+
+## Purpose
+
+This workflow standardizes how $skill is executed inside RTExit. It is designed for authorized engagements, evidence-first documentation, and consistent handoff into reporting.
+
+## Authorization Gate
+
+Before execution, confirm:
+
+- SEAD exists and explicitly covers the target asset or activity.
+- Rules of Engagement define allowed techniques, rate limits, and stop conditions.
+- The operator knows the evidence handling rules.
+- Any active or sensitive validation has client approval.
+
+If any item is unclear, pause and invoke 
+
+## Required Inputs
+
+| Input | Source | Notes |
+|---|---|---|
+| Engagement reference | _rtexit/config.toml or SEAD | Used in output names. |
+| Target asset(s) | Scope document | Must be explicitly approved. |
+| Operator name | Config/user context | Used in timeline entries. |
+| Evidence directory | _rtexit-output/docs/evidence/ | Store logs, screenshots, and artifacts. |
+| Finding tracker | _rtexit-output/docs/findings/ | Create/update findings when confirmed. |
+
+## Execution Steps
+
+1. Load current engagement configuration.
+2. Read scope, exclusions, and current findings.
+3. Build a small test plan for this skill with target, expected control, and evidence type.
+4. Run the lowest-risk validation first.
+5. Capture baseline behavior before proof behavior.
+6. Record exact timestamp, account/role used, and affected asset.
+7. Stop when evidence is sufficient; avoid unnecessary data access.
+8. Create or update findings through the RTExit finding tracker.
+9. Map remediation owner and recommended timeline.
+10. Add a timeline entry and evidence chain entry.
+
+## Evidence Requirements
+
+| Evidence | Required? | Notes |
+|---|---|---|
+| Command or action summary | Yes | Redact secrets and tokens. |
+| Screenshot or transcript | If useful | Store under evidence folder. |
+| Request/response pair | For web/API | Redact cookies and bearer tokens. |
+| Config excerpt | For cloud/infra | Include only relevant lines. |
+| Business impact note | Yes | Explain why it matters. |
+
+## Autodoc Commands
+
+`ash
+python _rtexit/scripts/autodoc_engine.py log --skill rt-help --phase auto --cmd "workflow execution" --output "summary"
+python _rtexit/scripts/finding_tracker.py list
+`
+
+## Completion Criteria
+
+- Scope and authorization are referenced.
+- Evidence is stored and redacted.
+- Findings are added or explicitly marked as not found.
+- Remediation guidance is actionable.
+- Timeline and chain of custody are updated where applicable.
+
+## Handoff
+
+Send confirmed findings to