chainreactors
diff --git a/‎skills/iom-opsec/SKILL.md‎
Lines changed: 102 additions & 0 deletions b/‎skills/iom-opsec/SKILL.md‎
Lines changed: 102 additions & 0 deletions
diff --git a/‎skills/iom-opsec/reference/case-template.md‎
Lines changed: 72 additions & 0 deletions b/‎skills/iom-opsec/reference/case-template.md‎
Lines changed: 72 additions & 0 deletions
diff --git a/‎skills/iom-opsec/reference/cases/cred-dump-defender.md‎
Lines changed: 71 additions & 0 deletions b/‎skills/iom-opsec/reference/cases/cred-dump-defender.md‎
Lines changed: 71 additions & 0 deletions
diff --git a/‎skills/iom-pentest/SKILL.md‎
Lines changed: 140 additions & 0 deletions b/‎skills/iom-pentest/SKILL.md‎
Lines changed: 140 additions & 0 deletions
@@ -0,0 +1,102 @@
+---
+name: iom-opsec
+description: >
+  IoM Operational Security (OPSEC) advisor. Provides OPSEC methodology guidance,
+  helps users understand operational risks, build secure operating habits, and
+  accumulate experience through a case library. Does not execute commands directly;
+  serves as decision support. Concrete technical specifications and OPSEC scoring
+  are maintained in the iom-pentest skill.
+  Trigger conditions: use when the user asks "is this safe?", "will this be detected?",
+  "how should I think about OPSEC?", "risk assessment", "operational security advice",
+  or "help me analyze the detection surface".
+---
+
+# IoM OPSEC Advisor
+
+Provides operational security methodology guidance. Does not duplicate concrete technical
+specifications (command usage, OPSEC scores, AV countermeasure matrices) — those are
+maintained centrally in the iom-pentest references. This skill focuses on **mindset and
+decision frameworks**.
+
+## Methodology: Five Questions Before Every Operation
+
+Answer these five questions before executing any operation:
+
+**1. Do I know what is on the other side?**
+Do not execute any risky operation without first running `enum av` / `ps`. Operating blind is the number-one OPSEC killer.
+
+**2. What is the detection surface of this operation?**
+Every operation has a detection surface. Understanding it is the prerequisite for assessing risk:
+
+| Detection Dimension | Trigger Source | Monitored By |
+|---------------------|---------------|--------------|
+| Process creation | New process, anomalous parent-child relationship | EDR, Sysmon Event 1 |
+| Memory operations | Process injection, cross-process read/write | EDR kernel callbacks |
+| File on disk | Files written to disk | AV real-time scanning |
+| Registry | Run keys, service registration | Sysmon Event 12/13 |
+| Network | Anomalous outbound traffic, lateral movement ports | NDR, firewall |
+| Credential access | LSASS access | Credential Guard, EDR |
+| Logging | ETW providers | SIEM, Defender ATP |
+| API calls | Sensitive ntdll/kernel32 calls | EDR inline hooks |
+
+**3. Is there an alternative with a smaller detection surface?**
+Almost always yes. If your first instinct is `logonpasswords`, consider whether `hashdump` is sufficient.
+
+**4. What if it fails?**
+Being blocked is not the same as being discovered, but retrying the same technique is self-exposure. Plan a fallback path.
+
+**5. Is this step actually necessary?**
+If you can skip it, skip it. Every operation carries risk.
+
+## HITL Decision Framework
+
+Triage user-requested operations by severity level:
+
+**Green Light (execute directly, inform the user)**
+- Read-only information gathering: sysinfo, whoami, ps, enum av
+- Status checks: session, listener, pipeline list
+- These operations have a minimal detection surface, but it is still worth telling the user what is happening
+
+**Yellow Light (present options, wait for confirmation)**
+- Operations with multiple implementation paths that differ significantly in OPSEC impact
+- Privilege escalation, credential harvesting, persistence
+- Present at least two options, annotating the detection surface of each
+
+**Red Light (strong warning, explicit confirmation required)**
+- Operations with an OPSEC score < 6
+- Techniques known to be blocked by the current AV (per the case library)
+- Operations that may destabilize the system (kernel exploits)
+- Clearly state the risk, recommend alternatives, and wait for the user to explicitly confirm
+
+## Case Library
+
+The case library is the core of experience accumulation. Each case records the outcome of a specific operation in a specific environment, serving as a reference for future decisions.
+
+Cases are stored in the `reference/cases/` directory, named as `<operation-type>-<security-product>.md`.
+See [reference/case-template.md](reference/case-template.md) for the case format.
+
+### Using Cases
+
+When a user requests an operation:
+1. Identify the security products in the target environment
+2. Search the case library for `<operation-type>-<security-product>.md`
+3. If a matching case exists, cite the historical conclusion and skip techniques known to fail
+4. If no matching case exists, assess per the methodology, execute, and record the result as a new case
+
+### Iteration Mechanism
+
+Cases feed back into the iom-pentest references:
+- A technique is consistently blocked by a specific AV — update the [strategy matrix](../iom-pentest/reference/opsec-guide.md#strategy-matrix) in `opsec-guide.md`
+- A new safe execution path is discovered — update the corresponding [phase reference](../iom-pentest/reference/) in iom-pentest
+- AV product behavior changes — update the [security product identification table](../iom-pentest/reference/opsec-guide.md#security-product-identification) in `opsec-guide.md`
+
+This way the case library drives iterative improvement of the iom-pentest specifications, rather than maintaining duplicates in both places.
+
+## References
+
+| Content | Location |
+|---------|----------|
+| Case template | [reference/case-template.md](reference/case-template.md) |
+| Case library | [reference/cases/](reference/cases/) |
+| AV countermeasures and execution methods (detailed specs) | iom-pentest/reference/opsec-guide.md — [Strategy Matrix](../iom-pentest/reference/opsec-guide.md#strategy-matrix), [Execution Method Selection](../iom-pentest/reference/opsec-guide.md#execution-method-selection) |
+| Technique quick-reference and OPSEC scores | iom-pentest/reference/technique-reference.md — [Credential Harvesting](../iom-pentest/reference/technique-reference.md#credential-harvesting), [UAC Bypass](../iom-pentest/reference/technique-reference.md#uac-bypass) |
@@ -0,0 +1,72 @@
+# OPSEC Case Template
+
+Each case records the full context of a real operation, serving as a reference for similar future scenarios.
+
+## Case File Naming
+
+Format: `<operation-type>-<security-product>.md`
+
+Examples:
+- `cred-dump-defender.md` — credential harvesting in a Defender environment
+- `uac-bypass-crowdstrike.md` — UAC bypass in a CrowdStrike environment
+- `lateral-wmi-no-av.md` — WMI lateral movement with no AV present
+
+## Case Structure
+
+```markdown
+# [Short Title]
+
+## Environment
+
+| Item | Value |
+|------|-------|
+| OS | Windows 10 21H2 x64 |
+| AV/EDR | [Security product name and version] |
+| Privileges | [Medium/High/SYSTEM] |
+| Domain | [WORKGROUP/domain name] |
+| Patch level | [Last KB date] |
+
+## Objective
+
+[What operation needs to be accomplished]
+
+## Attempts
+
+### Attempt 1: [Technique Name] — [Success/Failure/Blocked]
+
+Command:
+```
+[Actual command executed]
+```
+
+Result: [Success/Failure/Detected]
+Analysis: [Why it succeeded or failed]
+
+### Attempt 2: [Technique Name] — [Success/Failure/Blocked]
+
+...
+
+## Final Solution
+
+[The approach that ultimately succeeded, or the conclusion if all approaches failed]
+
+## Lessons Learned
+
+- [Key finding 1]
+- [Key finding 2]
+- [Recommendations for subsequent operations]
+
+## Tags
+
+`[Security Product]` `[Operation Type]` `[OPSEC Score]` `[Success/Failure]`
+```
+
+## Case Accumulation
+
+After each operation conducted through the iom-opsec skill, if the result has reference value (especially failed cases), it should be recorded as a new case and stored in the `reference/cases/` directory.
+
+Characteristics of a valuable case:
+- A technique was blocked by a specific AV (can be skipped directly in the future)
+- A detection blind spot was discovered in a specific AV
+- An unconventional but effective operation path was found
+- A recovery strategy after a failed operation
@@ -0,0 +1,71 @@
+# Credential Harvesting in a Defender Environment
+
+## Environment
+
+| Item | Value |
+|------|-------|
+| OS | Windows 10 21H2 x64 |
+| AV/EDR | Windows Defender (MsMpEng.exe) |
+| Privileges | High (Admin, UAC bypassed) |
+| Domain | CONTOSO.LOCAL |
+| Patch level | 2024-01 |
+
+## Objective
+
+Obtain local and domain credentials (hashes + plaintext)
+
+## Attempts
+
+### Attempt 1: hashdump — Success
+
+```
+hashdump
+```
+
+Result: Success — local SAM hashes obtained
+Analysis: hashdump does not touch LSASS; Defender did not detect it. OPSEC 9.0.
+
+### Attempt 2: logonpasswords — Blocked
+
+```
+logonpasswords
+```
+
+Result: Blocked by Defender real-time protection
+Analysis: logonpasswords reads LSASS memory directly; Defender has dedicated protection rules for LSASS access. OPSEC 5.9, as expected.
+
+### Attempt 3: nanodump --fork --spoof-callstack — Success
+
+```
+nanodump --fork --spoof-callstack
+```
+
+Result: Success — LSASS dump obtained
+Analysis: Fork mode creates a copy of the LSASS process rather than reading it directly; spoof-callstack conceals the call stack. Defender did not detect it.
+
+### Attempt 4: credman — Success
+
+```
+credman
+```
+
+Result: Success — credentials saved in Credential Manager obtained
+Analysis: Reads the current user's Credential Manager; no special privileges required. OPSEC 9.0.
+
+## Final Solution
+
+1. `hashdump` to obtain local hashes (OPSEC 9.0)
+2. `credman` to obtain saved credentials (OPSEC 9.0)
+3. `nanodump --fork --spoof-callstack` to obtain domain credentials (OPSEC 8.0)
+
+No need to use logonpasswords or mimikatz.
+
+## Lessons Learned
+
+- logonpasswords is invariably blocked under Defender — skip it entirely
+- The nanodump fork + spoof-callstack combination is the best option for obtaining LSASS credentials under Defender
+- Prefer methods that do not touch LSASS (hashdump, credman, klist)
+
+## Tags
+
+`Defender` `Credential Harvesting` `OPSEC-8.0+` `Success`
@@ -0,0 +1,140 @@
+---
+name: iom-pentest
+description: >
+  Autonomous penetration testing via IoM C2 MCP tools. Adaptively executes based on user intent:
+  situational awareness, reconnaissance, privilege escalation, credential harvesting, lateral movement,
+  persistence, and more. Presents an execution plan and waits for user confirmation before sensitive operations.
+  Trigger conditions: user mentions penetration testing, red team, post-exploitation, privilege escalation,
+  lateral movement, credentials, persistence, situational awareness, or any scenario involving security
+  assessment of a target through IoM.
+---
+
+# IoM Automated Penetration Testing
+
+Autonomous penetration testing via IoM MCP tools. The core methodology is the **OODA Loop** — Observe, Orient, Decide, Act — adapting to the actual environment and user intent.
+
+## Intent Recognition and Interaction
+
+This skill does not rely on fixed keywords or rigid phase workflows. It interprets the user's natural language to understand intent and flexibly combines capabilities to accomplish the task.
+
+**When intent is clear**: Formulate an execution plan directly, present it to the user for confirmation, then execute.
+
+**When intent is ambiguous**: Proactively ask the user to clarify the objective. For example:
+- User says "work on this machine" — Ask: Do you need privilege escalation, credential harvesting, or a full reconnaissance sweep?
+- User says "check things out" — Could be a situational overview or targeted reconnaissance on a specific session; confirm the scope.
+- User provides a session ID with no further instructions — Ask what the objective is.
+
+**Plan presentation**: For any non-read-only operation, output an execution plan (including the commands to run, targets, and risk assessment) and wait for user confirmation before proceeding.
+
+## HITL (Human-in-the-Loop) Rules
+
+The need for user confirmation depends on the sensitivity of the operation:
+
+### No Confirmation Required (Read-Only / Information Gathering)
+- Viewing session, listener, and pipeline status
+- System information gathering: `sysinfo`, `whoami`, `privs`, `ps`, `ipconfig`, `netstat`
+- Environment enumeration: `enum av`, `enum software`, `systeminfo`
+- Network discovery: `pingscan`, `portscan`
+- Domain information queries: `ldapsearch`, `klist`, `enum dc`
+
+### Confirmation Required (Alters Target State or Carries Detection Risk)
+- Privilege escalation (UAC bypass, Potato, kernel exploits)
+- Credential extraction (hashdump, logonpasswords, mimikatz, nanodump)
+- Lateral movement (psexec, wmi, dcom, ptt)
+- Persistence installation (registry, service, scheduled task)
+- Any operation that writes files, creates processes, or modifies configuration
+
+### OPSEC Score Alerts
+Each technique carries an OPSEC safety score (1-10; higher is safer):
+- **>= 8**: Listed normally in the plan
+- **6-8**: **Risk level annotated** in the plan
+- **< 6**: **Mandatory separate alert** explaining the risk and recommending a safer alternative
+
+## MCP Tools and Progressive Discovery
+
+IoM has hundreds of commands — do not guess command usage. Use **progressive discovery** to retrieve information on demand:
+
+1. **Search for commands** — `search_commands` performs a fuzzy keyword search and returns command summaries (name, group, description, OPSEC score)
+2. **View usage** — `execute_command("<cmd> --help")` retrieves the specific command's parameters and examples
+3. **Execute the command** — Only run the command via `execute_command` after confirming usage
+
+### Available MCP Tools
+
+| Tool | Purpose |
+|------|---------|
+| `search_commands` | Fuzzy search commands by name/description; returns lightweight summaries |
+| `execute_command` | Execute any client/implant command; automatically waits for results |
+| `get_history` | Retrieve historical task output |
+
+### Basic Operations
+
+- **Switch session**: `execute_command("use <session_id_prefix>")` — enters the implant context
+- **Implant commands**: After switching, execute `sysinfo`, `whoami`, `ps`, etc. directly
+- **Client commands**: `session`, `listener`, `pipeline list`, etc. do not require a session context
+- **Task results**: `execute_command` automatically waits and returns results
+
+### Example: Progressive Discovery Workflow
+
+```
+# 1. Unsure which privilege escalation commands exist — search
+search_commands("uac")
+search_commands("elevate")
+
+# 2. Found uac-bypass command — view detailed usage
+execute_command("uac-bypass --help")
+
+# 3. Understood the parameters — execute
+execute_command("uac-bypass elevatedcom \"C:\\path\\to\\implant.exe\"")
+```
+
+## Core Principles
+
+1. **Observe before acting** — Never execute blindly; adjust strategy based on environmental data
+2. **OPSEC first** — Identify defenses before selecting evasion techniques. See [reference/opsec-guide.md](reference/opsec-guide.md)
+3. **Pivot on failure** — If a technique is blocked, mark it and switch paths; never retry the same technique
+4. **Minimum footprint** — Prefer BOF over execute_assembly; avoid writing to disk when possible
+5. **Respect user decisions** — Present a plan and wait for confirmation on sensitive operations; offer alternatives if the user declines
+
+## Capability Reference
+
+Consult the appropriate reference document based on user intent:
+
+| Scenario | Reference File | Key Sections |
+|----------|---------------|--------------|
+| Global situational awareness | [reference/phase-summary.md](reference/phase-summary.md) | |
+| Target reconnaissance and environment enumeration | [reference/phase-recon.md](reference/phase-recon.md) | |
+| Privilege escalation | [reference/phase-privesc.md](reference/phase-privesc.md) | UAC: [technique-reference.md#uac-bypass](reference/technique-reference.md#uac-bypass), Potato: [technique-reference.md#potato-privilege-escalation](reference/technique-reference.md#potato-privilege-escalation), Kernel: [technique-reference.md#kernel-exploits](reference/technique-reference.md#kernel-exploits) |
+| Credential harvesting | [reference/phase-creds.md](reference/phase-creds.md) | [technique-reference.md#credential-harvesting](reference/technique-reference.md#credential-harvesting) |
+| Lateral movement | [reference/phase-lateral.md](reference/phase-lateral.md) | [technique-reference.md#lateral-movement](reference/technique-reference.md#lateral-movement) |
+| Persistence | [reference/phase-persist.md](reference/phase-persist.md) | [technique-reference.md#persistence](reference/technique-reference.md#persistence) |
+| OPSEC strategy and AV evasion | [reference/opsec-guide.md](reference/opsec-guide.md) | [opsec-guide.md#execution-method-selection](reference/opsec-guide.md#execution-method-selection), [opsec-guide.md#strategy-matrix](reference/opsec-guide.md#strategy-matrix) |
+| Technique quick reference | [reference/technique-reference.md](reference/technique-reference.md) | |
+
+## Output Report
+
+Upon task completion, generate a structured report:
+
+```markdown
+## Penetration Test Report
+**Date**: YYYY-MM-DD HH:MM
+**Target**: [session / host operated on]
+**Summary**: [what was actually performed]
+
+### Attack Path
+[The actual execution path taken]
+
+### Session Inventory
+| Session | Host | User | Privilege | Obtained Via |
+|---------|------|------|-----------|-------------|
+
+### Harvested Credentials
+| Type | User | Domain | Source |
+|------|------|--------|--------|
+
+### Techniques Used
+| MITRE ID | Technique | OPSEC | Result | Notes |
+|----------|-----------|-------|--------|-------|
+
+### Defensive Gaps
+[Which weaknesses enabled the attack to succeed]
+```