active-directory-attacks

HIGH W007: Insecure credential handling detected in skill instructions.

• Insecure credential handling detected (high risk: 1.00). The prompt includes numerous examples and commands that embed plaintext credentials, hashes, and secret placeholders directly in command-line arguments (e.g., user:password, -p 'password', domain/admin:password@host, -hashes :NTHASH), which requires the agent to include secret values verbatim.

CRITICAL E006: Malicious code pattern detected in skill scripts.

• Malicious code pattern detected (high risk: 1.00). The document is an explicit offensive playbook that instructs on deliberate malicious behaviors—credential theft (Mimikatz, DCSync, Kerberoasting, AS-REP roasting), Kerberos ticket forging (Golden/Silver tickets), NTLM relays, remote code execution and lateral movement (psexec/wmiexec/WMIC/CrackMapExec), and persistence/backdoor techniques (GPO/SCCM/WSUS deployments, creating accounts, scheduled tasks, certificate abuse) and exploitation of critical CVEs—enabling intentional domain compromise and backdoor installation.

MEDIUM W013: Attempt to modify system services in skill instructions.

• Attempt to modify system services in skill instructions detected (high risk: 1.00). The skill includes explicit privileged actions (e.g., "sudo date -s"), and step-by-step use of tools like Mimikatz, psexec, ticket forging and persistence techniques that require or encourage obtaining elevated privileges and modifying the host or remote systems' state.