I don’t disagree that a good RT op should wear many hats and work on a number of levels - but should be akin to a real threat actor at least during the exercise. Afterwards is another matter. Certainly shouldn’t be a case of “You got pwned”. More how can we help you / org get 💪
Following a comment from __int128 I explored this a little more and it seems 'Web Client' does start with the mere presence of these files prior to clicking 🕸️📁
Made a few useful updates to this post. Mainly quick ways to make this more useful, by switching to the advanced editor when building these and some areas of 'Further research'