rtexit-method 0.1.0 → 0.1.2

package/packaged-assets/.agents/skills/rt-scenario-library/SKILL.md

@@ -0,0 +1,292 @@
+---
+name: rt-scenario-library
+description: "Pre-built attack scenario library. Browse 30 pre-defined attack scenarios organized by domain (Web, Mobile, Desktop, Network/AD, Cloud, Social Engineering). Each scenario is a complete multi-step attack chain with MITRE mapping. Use to plan attacks, brief junior operators, and demonstrate attack paths to clients. Domains: Web (10), Mobile (5), Desktop (5), Network/AD (5), Cloud (5), Social (5)."
+---
+
+# rt-scenario-library
+
+## Purpose and When to Use
+
+The `rt-scenario-library` skill provides a curated catalog of 30 pre-built attack scenarios spanning six security domains. Each scenario is a complete, ready-to-execute multi-step attack chain annotated with MITRE ATT&CK mappings.
+
+Use this skill when you need to:
+
+- Quickly select and brief an attack path for an engagement without building one from scratch
+- Brief junior operators on standard attack chains before an operation
+- Demonstrate realistic attack paths to clients during debrief or pre-engagement scoping
+- Cross-reference your live TTPs against known scenario baselines
+- Populate engagement reports with structured, MITRE-mapped attack narratives
+
+This skill is read-only and reference-oriented. It does not execute anything. Execution is delegated to companion skills (`rt-recon`, `rt-exploitation`, `rt-lateral-movement`, etc.) after a scenario is selected.
+
+---
+
+## Scenario Library Overview
+
+### Domain Breakdown
+
+| Domain                    | Count | Code Prefix |
+|---------------------------|-------|-------------|
+| Web Application           | 10    | WEB-01..10  |
+| Mobile                    | 5     | MOB-01..05  |
+| Desktop / Endpoint        | 5     | DSK-01..05  |
+| Network / Active Directory| 5     | NET-01..05  |
+| Cloud                     | 5     | CLD-01..05  |
+| Social Engineering        | 5     | SOC-01..05  |
+
+### Scenario Record Structure
+
+Each scenario contains the following fields:
+
+```
+ID:            Unique code (e.g., WEB-03)
+Title:         Short descriptive name
+Domain:        Primary domain
+Difficulty:    Low | Medium | High
+Duration:      Estimated hours for a competent operator
+Objective:     What success looks like
+Chain:         Ordered list of steps (Phase -> Action -> Tool/Technique)
+MITRE:         ATT&CK Tactic and Technique IDs per step
+Prerequisites: Required access level, tooling, or recon data
+Outputs:       Artifacts produced (screenshots, hashes, tokens, etc.)
+Report Tags:   Keywords for auto-tagging in RTExit report engine
+```
+
+---
+
+## Step-by-Step Workflow
+
+### 1. Browse the Library
+
+Ask the skill to list all scenarios, filter by domain, or search by keyword.
+
+```
+User: List all Web scenarios
+User: Show me scenarios involving Kerberoasting
+User: What Social Engineering scenarios are available?
+```
+
+The skill returns a summary table. You then select a scenario by ID.
+
+### 2. Load a Scenario
+
+```
+User: Load scenario NET-02
+```
+
+The skill displays the full scenario record: objective, prerequisites, attack chain with MITRE mappings, estimated duration, and expected outputs.
+
+### 3. Review and Adapt
+
+The skill prompts you to confirm or modify:
+
+- Scope constraints (out-of-scope subnets, excluded accounts)
+- Tool substitutions (swap default tools for client-approved alternatives)
+- Timing adjustments (business hours only, stealth vs. speed)
+
+Modifications are stored as an engagement overlay on top of the base scenario. The base scenario is never mutated.
+
+### 4. Brief the Team
+
+Request a briefing document suitable for junior operators:
+
+```
+User: Generate operator brief for NET-02
+```
+
+Output: A structured markdown brief with step-by-step instructions, expected tool outputs, and decision points for when to escalate or abort.
+
+### 5. Export to Engagement Plan
+
+```
+User: Export NET-02 to engagement plan
+```
+
+The scenario is formatted as a task list and injected into the active RTExit engagement file (`/engagements/<name>/plan.md`), ready for status tracking.
+
+### 6. Post-Execution Debrief
+
+After the operation, re-load the scenario to compare planned vs. actual steps. The skill highlights deviations and generates a gap narrative for the report.
+
+```
+User: Debrief NET-02 against actual steps
+```
+
+---
+
+## Integration with RTExit Scripts and Other Skills
+
+### Companion Skills
+
+| Skill                  | Integration Point                                           |
+|------------------------|-------------------------------------------------------------|
+| `rt-recon`             | Supplies target data required by scenario prerequisites     |
+| `rt-exploitation`      | Executes the initial access steps of the chain              |
+| `rt-lateral-movement`  | Executes lateral steps (pivoting, credential relay)         |
+| `rt-persistence`       | Executes persistence steps at the end of the chain          |
+| `rt-reporting`         | Consumes exported scenario + debrief for report generation  |
+| `rt-mitre-mapper`      | Cross-references scenario MITRE IDs against coverage gaps   |
+
+### RTExit Script Hooks
+
+- `scripts/scenario-export.ps1` - Exports a loaded scenario to the engagement plan format
+- `scripts/brief-gen.ps1` - Generates the operator brief markdown from a scenario record
+- `scripts/debrief-diff.ps1` - Diffs planned chain against operator-logged actual steps
+- `scripts/report-tag-inject.ps1` - Pushes scenario report tags into the report engine index
+
+### File Paths
+
+```
+.agents/skills/rt-scenario-library/
+  SKILL.md                      <- This file
+  scenarios/
+    web/                        <- WEB-01 through WEB-10
+    mobile/                     <- MOB-01 through MOB-05
+    desktop/                    <- DSK-01 through DSK-05
+    network-ad/                 <- NET-01 through NET-05
+    cloud/                      <- CLD-01 through CLD-05
+    social/                     <- SOC-01 through SOC-05
+  overlays/                     <- Per-engagement adaptations (gitignored)
+  templates/
+    operator-brief.md
+    debrief-diff.md
+```
+
+---
+
+## Example Outputs and Interactions
+
+### Example 1 - Domain Listing
+
+```
+User: List Network/AD scenarios
+
+Skill:
+| ID     | Title                              | Difficulty | Duration |
+|--------|------------------------------------|------------|----------|
+| NET-01 | LLMNR/NBT-NS Poisoning to DA       | Medium     | 4h       |
+| NET-02 | Kerberoasting to Lateral Movement  | Medium     | 3h       |
+| NET-03 | AS-REP Roasting + Pass-the-Hash    | Medium     | 3h       |
+| NET-04 | BloodHound Path to Domain Admin    | High       | 6h       |
+| NET-05 | DCSync Credential Harvest          | High       | 2h       |
+```
+
+### Example 2 - Full Scenario Load
+
+```
+User: Load scenario WEB-04
+
+Skill:
+ID:          WEB-04
+Title:       Broken Object Level Authorization to Account Takeover
+Domain:      Web Application
+Difficulty:  Medium
+Duration:    3h
+Objective:   Access another user's data via BOLA, escalate to account takeover
+
+Chain:
+  Step 1  | Recon         | Enumerate API endpoints via JS file analysis
+            MITRE: T1595.002 - Active Scanning: Vulnerability Scanning
+  Step 2  | Discovery     | Intercept authenticated requests, identify object IDs
+            MITRE: T1190 - Exploit Public-Facing Application
+  Step 3  | Exploitation  | Swap object ID in request to access victim account
+            MITRE: T1078 - Valid Accounts
+  Step 4  | Escalation    | Use victim session token to change email/password
+            MITRE: T1098 - Account Manipulation
+  Step 5  | Exfiltration  | Export PII via victim account API access
+            MITRE: T1530 - Data from Cloud Storage
+
+Prerequisites:
+  - Valid low-privilege application account
+  - Burp Suite or equivalent HTTP proxy
+  - API documentation or JS source access
+
+Outputs:
+  - Proof-of-concept request/response screenshots
+  - Victim account data sample (anonymized)
+  - Session token demonstrating escalation
+
+Report Tags: bola, idor, api, account-takeover, pii-exfil
+```
+
+### Example 3 - Operator Brief Excerpt
+
+```
+User: Generate operator brief for SOC-02
+
+Skill:
+## Operator Brief - SOC-02: Phishing to Credential Harvest
+
+Objective: Obtain valid VPN credentials via spear-phishing campaign.
+
+Pre-op Checklist:
+  [ ] Confirm phishing domain is live and SSL cert valid
+  [ ] Verify GoPhish/Evilginx listener is up on attack infra
+  [ ] Confirm target email list is scoped and approved
+  [ ] Brief point-of-contact on campaign window
+
+Step 1 - Send phishing email (T1566.001)
+  Tool: GoPhish
+  Action: Deploy template "IT Password Reset" to target list
+  Success: Email delivered, no bounce
+  Abort if: >5% bounce rate (domain may be blocked)
+
+Step 2 - Capture credentials (T1056.003)
+  Tool: Evilginx2
+  Action: Monitor phishlet for session token capture
+  Success: Valid credential pair logged in creds.json
+  Abort if: Target lands on real corp page (proxy misconfigured)
+
+Step 3 - Validate credentials (T1078)
+  Tool: rt-exploitation / manual VPN test
+  Action: Authenticate to VPN with captured creds
+  Success: VPN session established
+  Escalate to lead if: MFA prompt encountered
+
+Decision Points:
+  - If MFA is present: pause, notify lead, assess MFA bypass options
+  - If credentials invalid after 3 attempts: stop, avoid lockout
+```
+
+### Example 4 - Debrief Comparison
+
+```
+User: Debrief NET-02 against actual steps
+
+Skill:
+Debrief: NET-02 - Kerberoasting to Lateral Movement
+
+| Step | Planned                        | Actual                         | Status   |
+|------|--------------------------------|--------------------------------|----------|
+| 1    | SPN enumeration via PowerView  | SPN enum via BloodHound        | Deviated |
+| 2    | Request TGS for target SPNs    | Completed as planned           | Match    |
+| 3    | Offline crack with Hashcat      | Completed, 2/4 cracked         | Partial  |
+| 4    | PTH to target host              | Completed as planned           | Match    |
+| 5    | Dump local admin hashes         | Not reached (time constraint)  | Skipped  |
+
+Narrative: Tool substitution in Step 1 had no impact on outcome. Partial cracking
+in Step 3 is a finding for the report (weak service account passwords). Step 5
+was not executed; recommend follow-up in a subsequent session.
+
+Report Tags Added: kerberoasting, spn-enum, weak-passwords, lateral-movement
+```
+
+---
+
+## Practical Usage Tips
+
+**Start with prerequisites.** Before loading a scenario, verify you have the prerequisites. Missing recon data or tool access will stall the operation mid-chain. Use `rt-recon` to fill gaps before committing to a scenario.
+
+**Use overlays for scope changes.** Never edit base scenario files to accommodate scope. Create an overlay file in `overlays/<engagement-id>/NET-02.overlay.md`. This preserves the original chain for comparison in debrief.
+
+**Match difficulty to available time.** High difficulty scenarios are accurate but assume 6+ hours. In short-window engagements (4h pentest), bias toward Low or Medium scenarios with clear abort conditions.
+
+**MITRE IDs drive the report.** Every step in a scenario carries a MITRE technique ID. When the report engine is engaged via `rt-reporting`, these IDs auto-populate the findings matrix. Do not skip MITRE fields in custom scenarios you add to the library.
+
+**Adding custom scenarios.** Drop a new markdown file in the appropriate domain subfolder following the scenario record structure. The library auto-indexes on next skill load. Use the same ID prefix convention and increment the count (e.g., WEB-11 if you add an 11th web scenario).
+
+**Combine scenarios for advanced chains.** Complex engagements may require chaining scenarios across domains. For example: SOC-01 (phishing for initial access) feeding into NET-04 (BloodHound path to DA). Reference both IDs in the engagement plan and note the handoff point between chains.
+
+**Junior operator briefings.** The operator brief template (`templates/operator-brief.md`) is written at a level appropriate for operators with 6-12 months experience. For more senior operators, use the raw scenario chain directly and skip the brief generation step.
+
+**Client demonstrations.** When presenting to clients, use the scenario chain view with MITRE IDs visible. This grounds the narrative in industry-standard taxonomy and avoids jargon disputes. The report tags also allow filtering findings by scenario in client-facing report exports.

package/packaged-assets/.agents/skills/rt-scenario-library/scenarios.csv

@@ -0,0 +1,32 @@
+id,domain,title
+W001,Web,Unauthenticated admin exposure
+W002,Web,SQL injection impact chain
+W003,Web,Stored XSS session risk
+W004,Web,SSRF cloud metadata risk
+W005,Web,File upload RCE risk
+W006,Web,IDOR data exposure
+W007,Web,JWT verification weakness
+W008,Web,WordPress plugin risk
+W009,Web,DMARC spoofing risk
+W010,Web,API key exposure
+M001,Mobile,APK secret extraction
+M002,Mobile,TLS interception risk
+M003,Mobile,Exported component risk
+M004,Mobile,Insecure local storage
+M005,Mobile,Deep link auth risk
+D001,Desktop,Electron XSS to native risk
+D002,Desktop,.NET reverse engineering risk
+D003,Desktop,DLL hijacking risk
+D004,Desktop,Cleartext traffic risk
+D005,Desktop,SQLite data exposure
+N001,Network,Kerberoasting risk
+N002,Network,LLMNR/NBNS risk
+N003,Network,AD attack path mapping
+N004,Network,Hash reuse lateral risk
+N005,Network,Kerberos persistence risk
+C001,Cloud,IAM escalation path
+C002,Cloud,Object storage exposure
+C003,Cloud,Metadata exposure risk
+C004,Cloud,Serverless code injection risk
+C005,Cloud,Container isolation risk
+