rtexit-method 0.1.0 → 0.1.2

package/packaged-assets/.agents/skills/rt-mitre-map/SKILL.md

@@ -0,0 +1,668 @@
+---
+name: rt-mitre-map
+description: "Map Red Team findings to MITRE ATT&CK framework tactics and techniques. Identify technique IDs for each finding, create coverage matrix, and generate ATT&CK Navigator layer JSON. Covers all 14 tactics and 200+ techniques. Helps demonstrate adversary simulation depth and aligns with threat intelligence."
+---
+
+# rt-mitre-map — MITRE ATT&CK Mapping Skill
+
+## 1. Overview and Purpose
+
+The `rt-mitre-map` skill translates raw Red Team findings into structured MITRE ATT&CK coverage. It answers the fundamental client question: *"Which adversary behaviors did you simulate, and how does that compare to real-world threat actors targeting our industry?"*
+
+### When to Use This Skill
+
+- After collecting three or more confirmed findings from `finding_tracker.py`
+- Before generating the executive or technical report (gives the report its threat-intelligence anchor)
+- When a client requests ATT&CK Navigator layers for their SOC or purple team
+- When demonstrating adversary simulation depth versus a standard vulnerability assessment
+
+### Position in Engagement Lifecycle
+
+```
+Reconnaissance -> Exploitation -> Post-Exploitation -> [rt-mitre-map] -> Reporting
+```
+
+The mapping step sits between findings collection and final report generation. It enriches each finding with a technique ID, groups findings by tactic, calculates coverage breadth, and exports a Navigator layer the client can import directly.
+
+### What This Skill Produces
+
+1. Per-finding technique annotations (written back to findings-master.csv via `finding_tracker.py`)
+2. A Markdown coverage matrix organized by tactic
+3. An ATT&CK Navigator layer JSON file ready to import at `https://mitre-attack.github.io/attack-navigator/`
+4. A threat actor alignment section mapping your coverage to known APT groups
+
+---
+
+## 2. Step-by-Step Workflow
+
+### Step 1 — Load All Confirmed Findings
+
+Pull the current finding list from the tracker:
+
+```bash
+python3 {project-root}/_rtexit/scripts/finding_tracker.py list
+```
+
+Expected output example:
+
+```
+ID      SEVERITY   CVSS   TITLE                                    ASSET
+F-001   CRITICAL   9.8    SQL Injection in /api/v1/login           api.acmecorp.com
+F-002   HIGH       8.1    NTLM Hash Capture via Responder          192.168.10.0/24
+F-003   HIGH       7.5    Kerberoastable Service Account (svc-sql) ACME\svc-sql
+F-004   MEDIUM     6.5    Insecure Direct Object Reference         portal.acmecorp.com
+F-005   MEDIUM     5.9    Password Spraying — 3 Accounts Locked    ACME AD
+F-006   LOW        3.1    Verbose Error Messages — Stack Traces    api.acmecorp.com
+```
+
+Note the existing `mitre` field in each row. This is the field you will populate.
+
+### Step 2 — Map Each Finding to ATT&CK Technique(s)
+
+For each finding, identify the primary technique ID and, if applicable, a sub-technique. Use the format `TXXXX` for a technique and `TXXXX.XXX` for a sub-technique.
+
+Reference the 14 ATT&CK Enterprise tactics (in kill-chain order):
+
+| # | Tactic ID | Tactic Name            | TA Code   |
+|---|-----------|------------------------|-----------|
+| 1 | TA0043    | Reconnaissance         | RECON     |
+| 2 | TA0042    | Resource Development   | RESDEV    |
+| 3 | TA0001    | Initial Access         | INITACC   |
+| 4 | TA0002    | Execution              | EXEC      |
+| 5 | TA0003    | Persistence            | PERSIST   |
+| 6 | TA0004    | Privilege Escalation   | PRIVESC   |
+| 7 | TA0005    | Defense Evasion        | DEFEVAS   |
+| 8 | TA0006    | Credential Access      | CREDACC   |
+| 9 | TA0007    | Discovery              | DISCOV    |
+|10 | TA0008    | Lateral Movement       | LATMOV    |
+|11 | TA0009    | Collection             | COLLECT   |
+|12 | TA0011    | Command and Control    | C2        |
+|13 | TA0010    | Exfiltration           | EXFIL     |
+|14 | TA0040    | Impact                 | IMPACT    |
+
+**Mapping Decision Logic:**
+
+Ask these questions for each finding:
+- What did the attacker *do* to exploit this? -> that is the technique
+- What tactic does that action serve? -> that is the tactic
+- Is there a more specific sub-technique that fits? -> prefer sub-techniques when they exist
+
+**Common Finding-to-Technique Mappings (reference table):**
+
+| Finding Type                          | Technique ID      | Technique Name                             | Tactic      |
+|---------------------------------------|-------------------|--------------------------------------------|-------------|
+| SQL Injection (authentication bypass) | T1190             | Exploit Public-Facing Application          | Initial Access |
+| SQL Injection (data extraction)       | T1005             | Data from Local System                     | Collection  |
+| NTLM Hash Capture (Responder)         | T1557.001         | Adversary-in-the-Middle: LLMNR/NBT-NS Poisoning | Credential Access |
+| Kerberoasting                         | T1558.003         | Steal or Forge Kerberos Tickets: Kerberoasting | Credential Access |
+| Password Spraying                     | T1110.003         | Brute Force: Password Spraying             | Credential Access |
+| IDOR                                  | T1078             | Valid Accounts                             | Defense Evasion / Initial Access |
+| Verbose Error Messages                | T1592.002         | Gather Victim Host Information: Software   | Reconnaissance |
+| Pass-the-Hash                         | T1550.002         | Use Alternate Authentication Material: Pass the Hash | Lateral Movement |
+| DCSync                                | T1003.006         | OS Credential Dumping: DCSync             | Credential Access |
+| Scheduled Task Persistence            | T1053.005         | Scheduled Task/Job: Scheduled Task        | Persistence |
+| Registry Run Key                      | T1547.001         | Boot or Logon Autostart Execution: Registry Run Keys | Persistence |
+| LSASS Memory Dump                     | T1003.001         | OS Credential Dumping: LSASS Memory       | Credential Access |
+| Living-off-the-Land (LOLBins)         | T1218             | System Binary Proxy Execution             | Defense Evasion |
+| Phishing with Attachment              | T1566.001         | Phishing: Spearphishing Attachment        | Initial Access |
+| Command-Line Interface                | T1059.001         | Command and Scripting Interpreter: PowerShell | Execution |
+| SMB Lateral Movement                  | T1021.002         | Remote Services: SMB/Windows Admin Shares | Lateral Movement |
+| Data Staged for Exfil                 | T1074.001         | Data Staged: Local Data Staging           | Collection  |
+| Exfil over HTTPS                      | T1048.002         | Exfiltration Over Alternative Protocol: HTTPS | Exfiltration |
+
+### Step 3 — Annotate Findings in the Tracker
+
+Update each finding with its technique ID using the `mitre` field:
+
+```bash
+# Update F-001 with technique T1190
+python3 {project-root}/_rtexit/scripts/finding_tracker.py add \
+  "SQL Injection in /api/v1/login" CRITICAL 9.8 \
+  --asset "api.acmecorp.com" \
+  --mitre "T1190" \
+  --cwe "CWE-89" \
+  --phase "exploitation"
+
+# For existing findings, edit findings-master.csv directly and update the mitre column:
+# F-001 -> T1190
+# F-002 -> T1557.001
+# F-003 -> T1558.003
+# F-004 -> T1078
+# F-005 -> T1110.003
+# F-006 -> T1592.002
+```
+
+Then export the annotated list to confirm changes:
+
+```bash
+python3 {project-root}/_rtexit/scripts/finding_tracker.py export --format csv
+```
+
+Log the mapping activity to the timeline:
+
+```bash
+python3 {project-root}/_rtexit/scripts/autodoc_engine.py log \
+  --skill rt-mitre-map \
+  --phase reporting \
+  --note "MITRE ATT&CK mapping completed — 6 findings mapped across 4 tactics"
+```
+
+### Step 4 — Build the Coverage Matrix
+
+Organize mapped findings by tactic. Count unique techniques per tactic. This becomes Section 3 of your report.
+
+**Template format:**
+
+```markdown
+## ATT&CK Coverage Matrix — ACME Corporation Red Team
+**Engagement:** RT-2025-031
+**Date:** 2025-05-31
+**Techniques Demonstrated:** 6 unique techniques across 4 tactics
+
+### TA0001 — Initial Access
+| Technique ID | Technique Name                        | Finding Ref | Severity | Validated |
+|--------------|---------------------------------------|-------------|----------|-----------|
+| T1190        | Exploit Public-Facing Application     | F-001       | CRITICAL | Yes       |
+
+### TA0006 — Credential Access
+| Technique ID | Technique Name                                            | Finding Ref | Severity | Validated |
+|--------------|-----------------------------------------------------------|-------------|----------|-----------|
+| T1557.001    | LLMNR/NBT-NS Poisoning and SMB Relay                     | F-002       | HIGH     | Yes       |
+| T1558.003    | Steal or Forge Kerberos Tickets: Kerberoasting           | F-003       | HIGH     | Yes       |
+| T1110.003    | Brute Force: Password Spraying                           | F-005       | MEDIUM   | Yes       |
+
+### TA0005 — Defense Evasion
+| Technique ID | Technique Name      | Finding Ref | Severity | Validated |
+|--------------|---------------------|-------------|----------|-----------|
+| T1078        | Valid Accounts      | F-004       | MEDIUM   | Yes       |
+
+### TA0043 — Reconnaissance
+| Technique ID | Technique Name                                  | Finding Ref | Severity | Validated |
+|--------------|-------------------------------------------------|-------------|----------|-----------|
+| T1592.002    | Gather Victim Host Information: Software        | F-006       | LOW      | Yes       |
+```
+
+### Step 5 — Generate ATT&CK Navigator Layer JSON
+
+Create the JSON layer file. Save it to `{project-root}/_rtexit-output/docs/reports/attack-navigator-layer.json`.
+
+The layer format for ATT&CK Navigator v4.9:
+
+```json
+{
+  "name": "ACME Corporation Red Team — RT-2025-031",
+  "versions": {
+    "attack": "16",
+    "navigator": "4.9",
+    "layer": "4.5"
+  },
+  "domain": "enterprise-attack",
+  "description": "Red Team engagement findings mapped to MITRE ATT&CK Enterprise v16. Engagement conducted 2025-05-15 through 2025-05-31.",
+  "filters": {
+    "platforms": ["Windows", "Linux", "Network", "PRE", "SaaS"]
+  },
+  "sorting": 0,
+  "layout": {
+    "layout": "side",
+    "aggregateFunction": "average",
+    "showID": true,
+    "showName": true,
+    "showAggregateScores": false,
+    "countUnscored": false
+  },
+  "hideDisabled": false,
+  "techniques": [
+    {
+      "techniqueID": "T1190",
+      "tactic": "initial-access",
+      "color": "#ff0000",
+      "comment": "F-001: SQL Injection in /api/v1/login — CVSS 9.8 — CRITICAL",
+      "enabled": true,
+      "metadata": [],
+      "links": [],
+      "showSubtechniques": false,
+      "score": 100
+    },
+    {
+      "techniqueID": "T1557",
+      "subtechniqueOf": "",
+      "tactic": "credential-access",
+      "color": "#ff6600",
+      "comment": "F-002: NTLM Hash Capture via Responder — CVSS 8.1 — HIGH",
+      "enabled": true,
+      "metadata": [],
+      "links": [],
+      "showSubtechniques": true,
+      "score": 80
+    },
+    {
+      "techniqueID": "T1557.001",
+      "tactic": "credential-access",
+      "color": "#ff6600",
+      "comment": "F-002: NTLM Hash Capture via Responder (LLMNR Poisoning) — CVSS 8.1 — HIGH",
+      "enabled": true,
+      "metadata": [],
+      "links": [],
+      "showSubtechniques": false,
+      "score": 80
+    },
+    {
+      "techniqueID": "T1558",
+      "subtechniqueOf": "",
+      "tactic": "credential-access",
+      "color": "#ff6600",
+      "comment": "F-003: Kerberoastable Service Account (svc-sql) — CVSS 7.5 — HIGH",
+      "enabled": true,
+      "metadata": [],
+      "links": [],
+      "showSubtechniques": true,
+      "score": 80
+    },
+    {
+      "techniqueID": "T1558.003",
+      "tactic": "credential-access",
+      "color": "#ff6600",
+      "comment": "F-003: Kerberoastable Service Account (svc-sql) — CVSS 7.5 — HIGH",
+      "enabled": true,
+      "metadata": [],
+      "links": [],
+      "showSubtechniques": false,
+      "score": 80
+    },
+    {
+      "techniqueID": "T1078",
+      "tactic": "defense-evasion",
+      "color": "#ffaa00",
+      "comment": "F-004: IDOR — Accessing other users records via valid session token — CVSS 6.5 — MEDIUM",
+      "enabled": true,
+      "metadata": [],
+      "links": [],
+      "showSubtechniques": false,
+      "score": 60
+    },
+    {
+      "techniqueID": "T1110",
+      "subtechniqueOf": "",
+      "tactic": "credential-access",
+      "color": "#ffaa00",
+      "comment": "F-005: Password Spraying — 3 accounts temporarily locked — CVSS 5.9 — MEDIUM",
+      "enabled": true,
+      "metadata": [],
+      "links": [],
+      "showSubtechniques": true,
+      "score": 60
+    },
+    {
+      "techniqueID": "T1110.003",
+      "tactic": "credential-access",
+      "color": "#ffaa00",
+      "comment": "F-005: Password Spraying — 3 accounts temporarily locked — CVSS 5.9 — MEDIUM",
+      "enabled": true,
+      "metadata": [],
+      "links": [],
+      "showSubtechniques": false,
+      "score": 60
+    },
+    {
+      "techniqueID": "T1592",
+      "subtechniqueOf": "",
+      "tactic": "reconnaissance",
+      "color": "#aaaaaa",
+      "comment": "F-006: Verbose Error Messages expose stack traces — CVSS 3.1 — LOW",
+      "enabled": true,
+      "metadata": [],
+      "links": [],
+      "showSubtechniques": true,
+      "score": 30
+    },
+    {
+      "techniqueID": "T1592.002",
+      "tactic": "reconnaissance",
+      "color": "#aaaaaa",
+      "comment": "F-006: Verbose Error Messages expose stack traces — CVSS 3.1 — LOW",
+      "enabled": true,
+      "metadata": [],
+      "links": [],
+      "showSubtechniques": false,
+      "score": 30
+    }
+  ],
+  "gradient": {
+    "colors": ["#ffffff", "#ffaa00", "#ff0000"],
+    "minValue": 0,
+    "maxValue": 100
+  },
+  "legendItems": [
+    {"label": "CRITICAL (score 100)", "color": "#ff0000"},
+    {"label": "HIGH (score 80)", "color": "#ff6600"},
+    {"label": "MEDIUM (score 60)", "color": "#ffaa00"},
+    {"label": "LOW (score 30)", "color": "#aaaaaa"}
+  ],
+  "metadata": [
+    {"name": "Engagement", "value": "RT-2025-031"},
+    {"name": "Client", "value": "ACME Corporation"},
+    {"name": "Operator", "value": "Red Team"},
+    {"name": "ATT&CK Version", "value": "Enterprise v16"}
+  ],
+  "links": [],
+  "showTacticRowBackground": true,
+  "tacticRowBackground": "#1a1a2e",
+  "selectTechniquesAcrossTactics": false,
+  "selectSubtechniquesWithParent": false
+}
+```
+
+**Score-to-color mapping guide:**
+- CRITICAL findings: score 100, color `#ff0000`
+- HIGH findings: score 80, color `#ff6600`
+- MEDIUM findings: score 60, color `#ffaa00`
+- LOW findings: score 30, color `#aaaaaa`
+- INFO findings: score 10, color `#dddddd`
+
+### Step 6 — Threat Actor Alignment (Optional but High-Value)
+
+Map your coverage against known APT groups relevant to the client's industry. Pull this data from MITRE ATT&CK Groups (https://attack.mitre.org/groups/).
+
+**Example — Financial Sector Client:**
+
+```markdown
+## Threat Actor Alignment
+
+The following APT groups are known to target the Financial Services sector.
+This table compares the techniques demonstrated during the engagement against
+techniques attributed to each threat actor.
+
+| Threat Actor  | Known Techniques (relevant subset)           | Demonstrated in Engagement |
+|---------------|----------------------------------------------|---------------------------|
+| FIN7          | T1190, T1566.001, T1078, T1059.001, T1074    | T1190, T1078 (2/5 = 40%)  |
+| Lazarus Group | T1110, T1557, T1059, T1021, T1041            | T1110, T1557 (2/5 = 40%)  |
+| APT41         | T1190, T1558, T1003, T1021, T1074            | T1190, T1558 (2/5 = 40%)  |
+
+### Key Finding
+The engagement demonstrated techniques used by all three APT groups known to target
+the financial sector. The organization's current detective controls failed to alert
+on T1557.001 (LLMNR Poisoning) and T1558.003 (Kerberoasting), both of which are
+primary techniques in Lazarus Group and APT41 playbooks respectively.
+```
+
+---
+
+## 3. Templates
+
+### 3.1 — Coverage Summary Block (for executive report)
+
+```markdown
+## 4. MITRE ATT&CK Coverage Summary
+
+During this engagement, the Red Team successfully demonstrated **6 MITRE ATT&CK
+techniques** spanning **4 of the 14 enterprise tactics**. This reflects a realistic
+adversary simulation targeting the organization's external perimeter and internal
+Active Directory environment.
+
+| Tactic              | Techniques Demonstrated | Highest Severity |
+|---------------------|------------------------|------------------|
+| Reconnaissance      | 1                      | LOW              |
+| Initial Access      | 1                      | CRITICAL         |
+| Credential Access   | 3                      | HIGH             |
+| Defense Evasion     | 1                      | MEDIUM           |
+
+**Coverage breadth:** 6 techniques out of 200+ in the ATT&CK Enterprise matrix.
+This is consistent with a focused, targeted engagement rather than a broad simulation.
+
+A full ATT&CK Navigator layer has been provided as a separate deliverable
+(attack-navigator-layer.json) for import into the client's security operations platform.
+```
+
+### 3.2 — Per-Finding ATT&CK Block (for technical report finding section)
+
+```markdown
+### F-003: Kerberoastable Service Account (svc-sql)
+
+**Severity:** HIGH | **CVSS:** 7.5 (AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H)
+**Asset:** ACME\svc-sql
+**Phase:** Post-Exploitation
+
+#### MITRE ATT&CK Mapping
+- **Tactic:** Credential Access (TA0006)
+- **Technique:** Steal or Forge Kerberos Tickets (T1558)
+- **Sub-technique:** Kerberoasting (T1558.003)
+- **ATT&CK URL:** https://attack.mitre.org/techniques/T1558/003/
+
+#### Technique Description
+Kerberoasting abuses the Kerberos authentication protocol to request service tickets
+for service principal names (SPNs) associated with domain accounts. The encrypted
+ticket can be extracted and cracked offline without any special privileges. The
+`svc-sql` account was configured with SPN `MSSQLSvc/dbserver.acme.local:1433` and
+had a 12-character password that was cracked in 4 hours using a targeted wordlist.
+
+#### Detection Opportunity
+- Windows Event ID 4769 (Kerberos Service Ticket Request) with Encryption Type 0x17 (RC4)
+- Anomalous volume of TGS requests from a single user account
+- SIEM rule: `EventID=4769 AND TicketEncryptionType=0x17 AND NOT AccountName=machine$`
+```
+
+---
+
+## 4. Integration with Scripts
+
+### 4.1 — finding_tracker.py Integration
+
+The `mitre` field in `findings-master.csv` accepts a comma-separated list of technique IDs. When a finding maps to multiple techniques (e.g., a pivot that used both Pass-the-Hash and SMB lateral movement), list all:
+
+```bash
+# Single technique
+python3 _rtexit/scripts/finding_tracker.py add \
+  "Kerberoastable Service Account" HIGH 7.5 \
+  --asset "ACME\svc-sql" \
+  --mitre "T1558.003" \
+  --phase "post-exploitation"
+
+# Multiple techniques (comma-separated, no spaces)
+# Edit findings-master.csv directly for this:
+# mitre field: "T1550.002,T1021.002"
+```
+
+Pull stats after mapping to confirm coverage:
+
+```bash
+python3 _rtexit/scripts/finding_tracker.py stats
+```
+
+Expected output after mapping:
+
+```
+=== Engagement Statistics ===
+Total Findings : 6
+  CRITICAL     : 1
+  HIGH         : 2
+  MEDIUM       : 2
+  LOW          : 1
+
+Findings with MITRE mapping : 6/6 (100%)
+Tactics covered             : 4
+Unique techniques           : 6
+```
+
+### 4.2 — autodoc_engine.py Integration
+
+Log every significant mapping action:
+
+```bash
+# Log start of mapping session
+python3 _rtexit/scripts/autodoc_engine.py log \
+  --skill rt-mitre-map \
+  --phase reporting \
+  --note "Started MITRE ATT&CK mapping — 6 findings to process"
+
+# Log completion with layer file creation
+python3 _rtexit/scripts/autodoc_engine.py log \
+  --skill rt-mitre-map \
+  --phase reporting \
+  --note "ATT&CK Navigator layer generated — attack-navigator-layer.json"
+
+# Log the layer file as evidence
+python3 _rtexit/scripts/autodoc_engine.py custody \
+  --finding "ALL" \
+  --evidence "_rtexit-output/docs/reports/attack-navigator-layer.json"
+```
+
+### 4.3 — Output File Locations
+
+| Artifact                      | Path                                                           |
+|-------------------------------|----------------------------------------------------------------|
+| Coverage matrix (Markdown)    | `_rtexit-output/docs/reports/mitre-coverage-matrix.md`        |
+| Navigator layer JSON          | `_rtexit-output/docs/reports/attack-navigator-layer.json`     |
+| Annotated findings CSV        | `_rtexit-output/docs/findings/findings-master.csv`            |
+| Timeline entry                | `_rtexit-output/docs/engagement/timeline.md`                  |
+
+---
+
+## 5. Quality Checklist
+
+Before finalizing the MITRE mapping deliverable, verify each item:
+
+### Mapping Accuracy
+- [ ] Every confirmed finding (status=CONFIRMED) has at least one technique ID
+- [ ] All technique IDs are verified against ATT&CK Enterprise v16 (not v14 or earlier)
+- [ ] Sub-techniques are used where they exist and fit (e.g., T1110.003 not just T1110)
+- [ ] Tactic assignment matches the technique's listed tactic in the ATT&CK matrix
+- [ ] Findings mapped to multiple techniques list each one (comma-separated in CSV)
+
+### Navigator Layer Quality
+- [ ] All technique IDs appear both as parent technique and sub-technique entries
+- [ ] Colors correctly reflect severity (red=critical, orange=high, amber=medium, grey=low)
+- [ ] Comments in each technique entry reference the finding ID and title
+- [ ] Layer metadata includes engagement reference, client name, and ATT&CK version
+- [ ] JSON is valid (no trailing commas, all brackets closed)
+
+### Coverage Matrix Quality
+- [ ] Matrix is organized by tactic in kill-chain order (not alphabetically)
+- [ ] Each row includes: Technique ID, Technique Name, Finding Ref, Severity, Validated
+- [ ] Tactics with zero findings are omitted (do not list empty tactic sections)
+- [ ] Summary statistics match the actual finding count
+
+### Report Integration
+- [ ] Executive summary references the number of tactics and techniques demonstrated
+- [ ] Each finding's technical write-up includes the ATT&CK mapping block
+- [ ] Navigator layer JSON file is referenced and included as a deliverable
+- [ ] Threat actor alignment section names at least one APT group relevant to the client's sector
+
+### Documentation
+- [ ] Timeline updated via `autodoc_engine.py log`
+- [ ] Navigator layer logged to chain of custody via `autodoc_engine.py custody`
+
+---
+
+## 6. Example Finished Output
+
+### Example: Coverage Matrix Section (Markdown, full)
+
+```markdown
+# MITRE ATT&CK Coverage Matrix
+**Engagement:** RT-2025-031 — ACME Corporation External + Internal Red Team
+**Period:** 2025-05-15 to 2025-05-31
+**ATT&CK Version:** Enterprise v16
+**Techniques Demonstrated:** 6 unique across 4 tactics
+
+---
+
+## TA0043 — Reconnaissance
+
+| Technique ID | Technique Name                             | Finding | Severity | Validated |
+|--------------|--------------------------------------------|---------|----------|-----------|
+| T1592.002    | Gather Victim Host Information: Software   | F-006   | LOW      | Yes       |
+
+> **Tactic Total:** 1 technique | Highest severity: LOW
+
+---
+
+## TA0001 — Initial Access
+
+| Technique ID | Technique Name                          | Finding | Severity | Validated |
+|--------------|-----------------------------------------|---------|----------|-----------|
+| T1190        | Exploit Public-Facing Application       | F-001   | CRITICAL | Yes       |
+
+> **Tactic Total:** 1 technique | Highest severity: CRITICAL
+
+---
+
+## TA0006 — Credential Access
+
+| Technique ID | Technique Name                                                  | Finding | Severity | Validated |
+|--------------|-----------------------------------------------------------------|---------|----------|-----------|
+| T1557.001    | Adversary-in-the-Middle: LLMNR/NBT-NS Poisoning and SMB Relay  | F-002   | HIGH     | Yes       |
+| T1558.003    | Steal or Forge Kerberos Tickets: Kerberoasting                  | F-003   | HIGH     | Yes       |
+| T1110.003    | Brute Force: Password Spraying                                  | F-005   | MEDIUM   | Yes       |
+
+> **Tactic Total:** 3 techniques | Highest severity: HIGH
+
+---
+
+## TA0005 — Defense Evasion
+
+| Technique ID | Technique Name  | Finding | Severity | Validated |
+|--------------|-----------------|---------|----------|-----------|
+| T1078        | Valid Accounts  | F-004   | MEDIUM   | Yes       |
+
+> **Tactic Total:** 1 technique | Highest severity: MEDIUM
+
+---
+
+## Coverage Summary
+
+| Metric                          | Value               |
+|---------------------------------|---------------------|
+| Total findings mapped           | 6                   |
+| Unique techniques demonstrated  | 6                   |
+| Tactics covered                 | 4 of 14 (29%)       |
+| Techniques with sub-technique   | 3 (T1557.001, T1558.003, T1110.003) |
+| Findings with no mapping        | 0                   |
+| ATT&CK Navigator layer          | attack-navigator-layer.json |
+```
+
+### Example: Executive Summary Paragraph (drop-in)
+
+```
+The Red Team demonstrated six adversary techniques across four MITRE ATT&CK tactics,
+including Initial Access, Credential Access, Defense Evasion, and Reconnaissance.
+The most critical path involved exploiting a SQL injection vulnerability to gain
+initial access (T1190), followed by credential theft via LLMNR poisoning (T1557.001)
+and Kerberoasting (T1558.003) to obtain domain credentials. These techniques are
+actively used by FIN7 and APT41, both of which have a documented history of targeting
+organizations in the financial services sector. A full ATT&CK Navigator layer is
+provided as a companion deliverable for integration with the client's SOC detection
+engineering workflow.
+```
+
+---
+
+## 7. Common Mistakes to Avoid
+
+### Mistake 1: Mapping to the tactic, not the technique
+**Wrong:** Listing "Credential Access" as the technique identifier.
+**Right:** List the specific technique `T1558.003` and note that it belongs to tactic `TA0006 — Credential Access`.
+
+### Mistake 2: Using outdated technique IDs
+ATT&CK retires and renumbers techniques across versions. For example, `T1003` (Credential Dumping) was restructured into sub-techniques in v7. Always verify against the current version (v16 as of this writing).
+**Check:** https://attack.mitre.org/techniques/enterprise/ before finalizing any ID.
+
+### Mistake 3: Mapping information disclosure as "Collection"
+Verbose error messages, banner grabbing, and directory listings feed the attacker's knowledge but are not Collection (TA0009). They belong to Reconnaissance (TA0043) — specifically T1592 or T1590 depending on what information is gathered.
+
+### Mistake 4: Omitting the parent technique from the Navigator layer
+Navigator uses both parent and sub-technique entries. If you add `T1558.003` without also adding `T1558`, the parent row will be blank in the Navigator and clients will see an incomplete visualization. Always add both.
+
+### Mistake 5: Using the wrong tactic for Valid Accounts (T1078)
+T1078 appears under four tactics: Initial Access, Persistence, Privilege Escalation, and Defense Evasion. Choose the tactic that matches how it was used in the finding. Using stolen credentials to log into a portal is Initial Access. Using them to avoid detection by blending into legitimate traffic is Defense Evasion.
+
+### Mistake 6: Generating the Navigator layer manually without verifying JSON validity
+A single misplaced comma makes the entire layer unimportable. Always validate the JSON:
+```bash
+python3 -m json.tool attack-navigator-layer.json > /dev/null && echo "JSON valid" || echo "JSON invalid"
+```
+
+### Mistake 7: Mapping unvalidated findings
+Only map findings with status `CONFIRMED` in the tracker. Suspected or unconfirmed findings should not appear in the ATT&CK matrix, as clients and threat intelligence teams treat this data as factual adversary behavior evidence.
+
+### Mistake 8: Skipping the threat actor alignment section
+The mapping exercise without threat actor alignment leaves value on the table. Even a one-paragraph comparison to a known APT group relevant to the client's sector transforms the deliverable from a technical artifact into a business risk narrative.

package/packaged-assets/.agents/skills/rt-mitre-map/tactics.csv

@@ -0,0 +1,16 @@
+tactic,enterprise_id,description,example_rtexit_skills
+Reconnaissance,TA0043,Gather target information,rt-osint;rt-subdomain-enum
+Resource Development,TA0042,Establish resources for operations,rt-rules-of-engagement
+Initial Access,TA0001,Gain initial foothold,rt-exploit-web;rt-exploit-phishing
+Execution,TA0002,Run attacker-controlled logic,rt-exploit-injection;rt-scenario-d001
+Persistence,TA0003,Maintain access,rt-persistence
+Privilege Escalation,TA0004,Gain higher privileges,rt-privilege-escalation;rt-exploit-active-directory
+Defense Evasion,TA0005,Avoid detection,rt-defense-evasion
+Credential Access,TA0006,Obtain credentials,rt-credential-access;rt-credential-hunt
+Discovery,TA0007,Understand environment,rt-post-exploitation
+Lateral Movement,TA0008,Move across systems,rt-lateral-movement
+Collection,TA0009,Gather target data,rt-data-exfiltration
+Command and Control,TA0011,Maintain communication,rt-c2-operations
+Exfiltration,TA0010,Remove data,rt-data-exfiltration
+Impact,TA0040,Disrupt or manipulate,rt-risk-matrix
+