The routing hub. Match your current state to a situation, open that page, take the next move. Driven from the Engagement_Cockpit.
Decision pages route, they don’t re-teach. Each one points into the technique notes you already have, in the order worth trying them. The goal is to kill “I don’t know what to do next,” fast.
🚦 Situation Router
Don’t know your situation — just seeing an error or odd behaviour? Start from the symptom instead: Symptom_Index maps “this exact thing is happening” → likely cause → where to go → what to capture.
| You are… | Tell-tale signals | Go to |
|---|---|---|
| Without a foothold | No valid creds, no shell. External/initial position. | No_Foothold |
| Holding credentials | A username/password or hash, but no usable shell yet. | Have_Creds |
| On a shell | Interactive or semi-interactive shell as some user. | Have_Shell |
| Stuck in the domain | Domain creds/shell + BloodHound data, but no path to DA. | Stuck_In_AD |
| Local admin, not domain admin | SYSTEM/admin on a host; need domain dominance. | Local_Admin_To_DA |
| Boxed into a network | A compromised host reaches a subnet yours can’t. | Need_To_Pivot |
🔁 Global Stall Protocol
When nothing above clicks and you’re genuinely stuck, work this list in order. Most “stuck” is one of these.
- Re-enumerate wide, not deep. Did every in-scope host get a full port scan (all TCP, top UDP)? Tunnel vision on one host hides the intended path. Enumeration_Methodology · Nmap_Service_Enumeration
- Diff what changed. New creds, new access, new host since you last looked? Each new identity re-opens earlier doors — re-test them.
- Re-collect BloodHound after every new owned principal, and mark owned. Stale graphs hide the path that just opened. NetExec_BloodHound
- Work the credential ledger. Has every secret been validated on every service and host? Reuse is the most-missed win. Have_Creds
- Re-read your own notes / output. Banners, error messages, share contents, certificate metadata, descriptions — the hint is often already on screen.
- Question your access boundary. If a service answers from the foothold but not your box, you may need to Need_To_Pivot.
- Lower the abstraction. Drop the automated tool, run the raw command, read the full output.
(Guest)/silent-success fakeouts hide here. - Reset assumptions. Re-confirm scope, target names, realm/domain, and clock sync (
ntpdate) before blaming the technique.
Time-box the thread, not just the engagement. If a specific path still isn’t moving after you’ve worked this list, that path’s own page carries a ⏱️ Stop condition telling you when to drop it — honour it. Most lost time is over-investment in one dead thread, not too little effort on it.
🔗 Related Nodes
- Engagement_Cockpit — the always-open driver page
- No_Foothold · Have_Creds · Have_Shell · Stuck_In_AD · Local_Admin_To_DA · Need_To_Pivot
- Reporting_SysReptor — keep evidence flowing while you work the trees