From dc833365675bb1b8ef8f621f913ce2356ddfaa48 Mon Sep 17 00:00:00 2001 From: "Claude Sonnet 4.6" Date: Fri, 5 Jun 2026 10:42:18 +0000 Subject: [PATCH] feat: Add assessment team guide for Brownhat Diagnostic execution New: assessment-templates/assessment-team-guide.md Pre-engagement: access checklist (M365, AD, docs); tool preparation with deployment times; what to do if access is not ready. Day 1 discipline: deploy ASTRAL and PULSAR before workshops start. Step-by-step ASTRAL and PULSAR deployment commands. Passive external scan in background. Microsoft Secure Score baseline. Workshop signals: table of client statements -> likely findings -> what to check on Day 2. Feeds technical assessment planning. Day 2-3 tool runs in sequence: 1. CAExporter (30 min) - CA policy reality check; report-only mode; exclusion groups defeating the purpose 2. BloodHound (1-2h) - 5 required queries; KRBTGT last set check; Domain Admins on workstations; service account attack paths 3. Elysium (2-4h) - privilege requirements noted; privacy model explanation; what to document 4. Purple Knight (30 min) - indicators to focus on; cross-reference with BloodHound 5. Entra ID manual checks (1h) - app registrations, guest accounts, MFA registration status, AD Connect sync account 6. Intune/endpoint check (30 min) - via ASTRAL output 7. External attack surface (30-60 min) - Nmap, Shodan, crt.sh 8. Firewall rule review (30-60 min) - what to look for 9. Backup spot check (30 min) - the 'green tick' test Kill chain synthesis: explicit step-by-step method for tracing from outside to organisational failure. Finding triage: kill chain test table; common priority inflation mistakes. Quick wins: 8-item checklist; three tests a quick win must pass. Report structure: 5 sections, target 15-25 pages, specific guidance per section including what makes a weak vs strong finding. ASERAL/PULSAR handover requirements before leaving site. 9 common assessment mistakes named explicitly. Post-assessment checklist: 10 items before submitting the report. index.md and assessment-templates/README.md updated. Co-Authored-By: Tom Kracmar --- antifragile-consulting/assessment-templates/README.md | 1 + antifragile-consulting/index.md | 1 + 2 files changed, 2 insertions(+) diff --git a/antifragile-consulting/assessment-templates/README.md b/antifragile-consulting/assessment-templates/README.md index 127edcf..90750e7 100644 --- a/antifragile-consulting/assessment-templates/README.md +++ b/antifragile-consulting/assessment-templates/README.md @@ -8,6 +8,7 @@ This directory contains diagnostic tools, maturity models, and assessment resour | Template | Purpose | |----------|---------| +| [Assessment Team Guide](assessment-team-guide.md) | Technical execution guide for the Brownhat Diagnostic: tool sequence (ASTRAL, PULSAR, BloodHound, Elysium, Purple Knight, CAExporter), what to look for, kill chain synthesis, report structure, common mistakes. | | [Findings Backlog](findings-backlog.md) | Single source of truth for all findings across every module and diagnostic. The input queue for the housekeeping stream. Pragmatic alternative to a formal risk register for organisations that do not have one. | | [NIST CSF 2.0 Baseline Assessment](nist-csf-baseline.md) | The Brownhat Diagnostic: structured 2-half-day workshop, gap analysis, kill chain identification | | [Module Completion Report](module-completion-report.md) | Completion package template for every module; includes backlog update | diff --git a/antifragile-consulting/index.md b/antifragile-consulting/index.md index ff841bf..6667f4c 100644 --- a/antifragile-consulting/index.md +++ b/antifragile-consulting/index.md @@ -85,6 +85,7 @@ Operational and persuasion documents used in engagements. **Start every new clie | Document | Purpose | Audience | |----------|---------|----------| +| [Assessment Team Guide](assessment-templates/assessment-team-guide.md) | Technical execution guide for the Brownhat Diagnostic: tool sequence, what to run, what to look for, kill chain synthesis, report structure | Assessors, Technical Consultants | | [Findings Backlog](assessment-templates/findings-backlog.md) | Single source of truth for all findings across every engagement; input queue for the housekeeping stream; pragmatic alternative to a formal risk register | Consultants, IT Leads, Client Teams | | [NIST CSF 2.0 Baseline Assessment](assessment-templates/nist-csf-baseline.md) | The Brownhat Diagnostic: structured 2-half-day workshop, gap analysis, prioritised module roadmap | Consultants, CISOs, IT Managers | | [NIST CSF 2.0 — česká verze](assessment-templates/nist-csf-baseline-cs.md) | Brownhat Diagnostika: dotazníky a průvodce workshopem v češtině | Consultants running Czech-language workshops |