The single page to keep open while working a time-boxed assessment. It does three things: tells you where to go next when a path stalls, tracks what you’ve found, and keeps evidence and reporting running alongside the work instead of bolted on at the end.
Operating principle: never sit on a stalled path. When forward progress stops, stop pushing — open Decision_Trees, pick your current situation, and take the next move. Movement beats staring.
🚦 Where am I → where next
Seeing a specific error or odd behaviour (creds rejected, no BloodHound path, PKINIT fails, proxychains dead)? Route by symptom first: Symptom_Index.
Otherwise jump to the situation that matches your current access. Full routing logic lives in Decision_Trees.
| Current state | Go to |
|---|---|
| No creds, no shell, nothing landed yet | No_Foothold |
| Have a username/password or hash, but no shell | Have_Creds |
| Have an interactive shell as some user | Have_Shell |
| In the domain with BloodHound data, no path to DA | Stuck_In_AD |
| Local admin / SYSTEM on a box, need domain dominance | Local_Admin_To_DA |
| A host can reach a network mine can’t | Need_To_Pivot |
| Totally stuck, none of the above clicks | Decision_Trees → Global Stall Protocol |
⏱️ Time-Box Checkpoints
State-based checkpoints, not a clock. At each one, if the state isn’t met, you’re being told where the work actually is — switch tracks instead of grinding the same path.
| Checkpoint state | If not met → next |
|---|---|
| Scope confirmed; every in-scope host discovered and full-port scanned | Still in recon — finish breadth before going deep on one host. Enumeration_Methodology |
| Initial access obtained | Run the No_Foothold moves end to end; broaden enumeration, revisit every service and the web surface |
| Foothold escalated (local priv or new identity) | Run Have_Shell; re-enumerate as the current user, run automated enum |
| Forward progress on the same path for more than one rotation | Step back to Decision_Trees → Global Stall Protocol; diff what changed and re-route |
| Domain dominance / all objectives met | Shift to closing out: verify, collect remaining evidence, Reporting_SysReptor |
Discipline at every checkpoint: update the trackers below, and capture evidence for anything new before moving on — re-creating proof later costs more time than capturing it now.
🧭 Phase Tracker
Tick phases as they’re genuinely covered (not just touched). Each links to its reference.
- Recon & enumeration — Enumeration_Methodology · Nmap_Service_Enumeration
- Initial access — No_Foothold
- Foothold & local privesc — Have_Shell · Windows_PrivEsc_Enumeration · Linux_PrivEsc_Methodology
- AD attack paths — Stuck_In_AD · NetExec_BloodHound
- Lateral movement / pivoting — Need_To_Pivot · Pass_the_Hash
- Domain dominance — Local_Admin_To_DA · AD_DCSync
- Evidence & report — Reporting_SysReptor
🗂️ Target / Host Tracker
Fill in as you go — the “Next move” column keeps you honest when you context-switch back to a host. The first row is a filled-in example (access level = none / user / admin / SYSTEM); replace it. Copy into your working notes (Obsidian / SysReptor):
| Host / IP | Role | Access level | Creds that work here | Flags / objectives | Next move |
|-----------|------|--------------|----------------------|--------------------|-----------|
| 10.10.10.10 | DC (dc01) | user | j.doe : Autumn2025! | user.txt | BloodHound from owned → ACL paths |
| | | | | | |
🔑 Credential Ledger
Every credential, where it came from, and everywhere it’s been validated — reuse is one of the most missed wins, and this table is where you spot it. The first row is an example (secret type = password / NT hash / ticket / key); replace it. Copy into your working notes (Obsidian / SysReptor):
| Identity | Secret type | Source | Validated on (svc/host) | Access granted |
|----------|-------------|--------|-------------------------|----------------|
| svc_sql | NT hash | secretsdump @ web01 | smb ✓ admin @ db01 · winrm ✗ | local admin on db01 |
| | | | | |
📸 Evidence & Reporting (always-on)
Reporting is not a phase at the end — it runs the whole time. Full workflow in Reporting_SysReptor.
- One folder per host, command output logged, screenshots named consistently — see Reporting_SysReptor for the convention.
- The moment something works, capture: the command, its output, and a screenshot. Tie it to a finding ID in the tracker.
- Each manual page’s 📝 Reporting Trigger block is a ready-made finding — drop it straight into your report.
- Reusable finding templates live in Finding_Library; the host tracker above fills their “Affected Components.”
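One way to make the capture rule above mechanical, as an added example that is not part of this vault or of SysReptor: a small POSIX shell wrapper that runs a command and files its command line, output, exit code and a SHA-256 fingerprint under a per-host folder, tagged with the finding ID from the tracker. The `evidence/<host>/` layout, the file naming and the `ev_run`/`ev_verify` names are assumptions here; the vault's real convention lives in Reporting_SysReptor.

```shell
#!/bin/sh
# Added example (not the vault's own tooling): evidence-capture wrapper.
# Layout evidence/<host>/<UTC stamp>_<finding>.log is an assumption.

EVIDENCE_ROOT="${EVIDENCE_ROOT:-./evidence}"
EV_LAST_LOG=""

# SHA-256 of a file via coreutils sha256sum, or shasum where that is absent (macOS).
_ev_sha() {
  if command -v sha256sum >/dev/null 2>&1; then sha256sum "$1"; else shasum -a 256 "$1"; fi | cut -d' ' -f1
}

# ev_run HOST FINDING_ID COMMAND [ARGS...]
# Writes a log holding a header (host, finding, operator, command line, start
# time), the command's stdout+stderr, its exit code and end time, plus a
# .sha256 sidecar. Sets EV_LAST_LOG to the log path and returns the command's
# own exit code so callers can chain on success or failure.
ev_run() {
  host="$1"; finding="$2"; shift 2
  dir="$EVIDENCE_ROOT/$host"
  stamp="$(date -u +%Y%m%dT%H%M%SZ)"
  log="$dir/${stamp}_${finding}.log"
  mkdir -p "$dir" || return 1
  {
    printf '# host: %s\n# finding: %s\n# operator: %s\n' "$host" "$finding" "${USER:-unknown}"
    printf '# started: %s\n# command:' "$stamp"
    for arg; do printf ' %s' "$arg"; done   # %q is not POSIX, so args are space-joined
    printf '\n\n'
  } >>"$log"                                # append: a same-second rerun adds a second record
  "$@" >>"$log" 2>&1                        # keep stderr too; many tools report errors there
  rc=$?
  printf '\n# exit code: %s\n# finished: %s\n' "$rc" "$(date -u +%Y%m%dT%H%M%SZ)" >>"$log"
  _ev_sha "$log" >"$log.sha256"             # fingerprint so the copy in the report can be shown unaltered
  EV_LAST_LOG="$log"
  printf '[evidence] %s (exit %s)\n' "$log" "$rc" >&2
  return "$rc"
}

# ev_verify LOGFILE: exit 0 if the log still matches its .sha256 sidecar.
ev_verify() {
  [ "$(_ev_sha "$1")" = "$(cat "$1.sha256")" ]
}

# Usage (constructed): ev_run 10.10.10.10 F-001 nmap -sV -p- 10.10.10.10
```

Source the file into your shell and prefix any command you would otherwise paste into the report; the `.sha256` sidecar lets you show the log was not edited between capture and write-up.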
🔗 Related Nodes
- Decision_Trees — the routing hub for “where next” (by access state)
- Symptom_Index — route by what you’re seeing (error / behaviour)
- Attack_Patterns — reusable pattern cards distilled from the write-ups
- Reporting_SysReptor — evidence discipline and report workflow
- Finding_Library — reusable SysReptor finding templates
- Master_Index — quick-jump to every command cheatsheet
- Enumeration_Methodology — the enumeration framework underneath it all