Active Directory Attacks

HIGH W007: Insecure credential handling detected in skill instructions.

• Insecure credential handling detected (high risk: 1.00). The prompt contains many example commands and workflows that embed plaintext credentials, hashes, and tokens directly (e.g., user:password, -p 'Password123', -hashes :NTHASH, KRBTGT_HASH, HEXPASSWORD), which require the LLM to output secret values verbatim and thus creates exfiltration risk.

CRITICAL E006: Malicious code pattern detected in skill scripts.

• Malicious code pattern detected (high risk: 1.00). The document contains comprehensive, step‑by‑step offensive Active Directory techniques—including credential theft (Mimikatz, DCSync, secretsdump), Kerberos ticket forging (Golden/Silver), remote code execution (psexec, PrintNightmare), NTLM relays, AD CS abuses, and automated deployment of backdoors via SCCM/WSUS—enabling unauthorized credential exfiltration, privilege escalation, lateral movement, persistent backdoors, and full domain compromise, so it is high risk.

MEDIUM W013: Attempt to modify system services in skill instructions.

• Attempt to modify system services in skill instructions detected (high risk: 1.00). The skill explicitly instructs running privileged commands that change host state (e.g., "sudo date -s", faketime, network-sniffing/responders requiring root) and guides persistent/privilege‑escalation actions, so it pushes the agent to modify the machine's state.