Active Directory Attacks

Fail

Audited by Snyk on Feb 21, 2026

Risk Level: CRITICAL
Full Analysis

HIGH W007: Insecure credential handling detected in skill instructions.

  • Insecure credential handling detected (high risk: 1.00). The skill explicitly requires "Domain user credentials" as inputs and produces "extracted credentials and hashes" and attack steps (pass-the-hash, DCSync, Kerberoasting, etc.) that typically require embedding plaintext passwords, hashes, or tokens verbatim in commands or outputs, so the LLM would need to handle and likely output secret values.

CRITICAL E006: Malicious code pattern detected in skill scripts.

  • Malicious code pattern detected (high risk: 1.00). This skill is a comprehensive, actionable offensive playbook for compromising Active Directory—covering credential theft (Mimikatz, DCSync, LAPS/GMSA extraction), Kerberos ticket forging (Golden/Silver/Overpass), NTLM relay, exploitation of CVEs, GPO/SCCM/WSUS-based persistence and backdoor deployment—indicating deliberate malicious intent and high risk for unauthorized compromise and persistence.

MEDIUM W013: Attempt to modify system services in skill instructions.

  • Attempt to modify system services in skill instructions detected (high risk: 1.00). This skill explicitly instructs active exploitation techniques (credential dumping, DCSync, Kerberos ticket attacks, and establishing persistent access/domain admin compromise), which involve creating accounts, installing persistence, or altering system state on targeted hosts and could likewise be used to modify the agent's host—so it pushes toward compromising machine state.

Audit Metadata

Risk Level: CRITICAL
Analyzed: Feb 21, 2026, 10:28 AM