analyzing-active-directory-acl-abuse

Warn

Audited by Socket on Apr 6, 2026

2 alerts found:

Anomaly | Security | LOW
SKILL.md

SUSPICIOUS: The skill is internally consistent for AD ACL auditing and uses a normal PyPI dependency with direct LDAP/LDAPS data flows, so there is no strong sign of credential harvesting or malicious install behavior. However, it meaningfully equips an AI agent with offensive identity-security enumeration procedures for privilege-escalation path discovery, which makes it a high-risk dual-use cybersecurity skill.

Confidence: 89% | Severity: 64%

Security | MEDIUM
scripts/agent.py

This module is a dual-use Active Directory ACL abuse/reconnaissance tool. It binds to a specified domain controller over LDAP/LDAPS with a user-supplied username and plaintext password (NTLM authentication), enumerates objects’ nTSecurityDescriptor attributes, parses the DACL’s ACEs, and produces actionable JSON findings mapping dangerous AD permissions (e.g., GenericAll/WriteDACL/WriteOwner/GenericWrite) to known privilege-escalation attack paths. The shown code contains no direct malicious behavior such as exploitation, persistence, or external exfiltration, but its functionality meaningfully supports offensive AD intrusion workflows, making it security-sensitive. The code also introduces operational credential-handling risk by taking the password as a CLI argument, which leaves it in shell history and visible in process listings to other users on the host.
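To make the description above concrete, the following is an added, self-contained example written for this page; it is not code from the audited skill or from its scripts/agent.py. It parses a self-relative nTSecurityDescriptor blob (the binary form LDAP returns), walks the DACL, and maps each allowed ACE's access mask and object-type GUID to the abuse primitive it grants on a user, computer, group or domain object. The helper names (parse_dacl, classify, find_dangerous, build_sd, build_ace, build_sid) and the sample descriptor are constructed for illustration; the access-mask bits and the three extended-right GUIDs are the documented AD values, and the primitive-to-class mapping is this editor's summary of the commonly cited escalation paths, not the skill's own output format.

```python
import struct
import uuid

# Access-mask bits relevant to AD ACL abuse (MS-DTYP / MS-ADTS values)
GENERIC_ALL = 0x10000000
GENERIC_WRITE = 0x40000000
WRITE_DAC = 0x00040000
WRITE_OWNER = 0x00080000
DS_WRITE_PROP = 0x00000020
DS_CONTROL_ACCESS = 0x00000100  # extended right; scoped by the ACE's object GUID
SE_DACL_PRESENT = 0x0004

# Well-known extended-right GUIDs from the AD schema
FORCE_CHANGE_PASSWORD = uuid.UUID("00299570-246d-11d0-a768-00aa006e0529")
GET_CHANGES = uuid.UUID("1131f6aa-9c07-11d1-f79f-00c04fc2dcd2")
GET_CHANGES_ALL = uuid.UUID("1131f6ad-9c07-11d1-f79f-00c04fc2dcd2")


def parse_sid(buf, off):
    """Decode a binary SID at buf[off:] into its S-1-... string form."""
    rev, count = buf[off], buf[off + 1]
    authority = int.from_bytes(buf[off + 2:off + 8], "big")
    subs = struct.unpack_from("<%dI" % count, buf, off + 8)
    return "-".join(str(p) for p in ("S", rev, authority, *subs))


def parse_dacl(sd):
    """Walk the DACL of a self-relative security descriptor.
    Returns (ace_type, access_mask, object_type_guid_or_None, trustee_sid) per ACE."""
    rev, _, control, _, _, _, off = struct.unpack_from("<BBHIIII", sd, 0)
    if rev != 1 or not control & SE_DACL_PRESENT or off == 0:
        return []  # NULL DACL: everyone has full control, report that separately
    _, _, _, ace_count, _ = struct.unpack_from("<BBHHH", sd, off)
    off += 8
    aces = []
    for _ in range(ace_count):
        ace_type, _, ace_size = struct.unpack_from("<BBH", sd, off)
        mask, = struct.unpack_from("<I", sd, off + 4)
        pos, obj_type = off + 8, None
        if ace_type in (0x05, 0x06):  # object ACE: optional ObjectType / InheritedObjectType
            obj_flags, = struct.unpack_from("<I", sd, pos)
            pos += 4
            if obj_flags & 0x1:
                obj_type = uuid.UUID(bytes_le=sd[pos:pos + 16])
                pos += 16
            if obj_flags & 0x2:
                pos += 16
        aces.append((ace_type, mask, obj_type, parse_sid(sd, pos)))
        off += ace_size
    return aces


def classify(ace_type, mask, obj_type, target_class):
    """Map one ACE to the abuse primitives it grants on an object of target_class."""
    if ace_type not in (0x00, 0x05):
        return []  # deny ACEs grant nothing
    if mask & GENERIC_ALL:
        return ["GenericAll: full control of the object"]
    out = []
    if mask & WRITE_DAC:
        out.append("WriteDacl: can grant itself any right (e.g. GenericAll)")
    if mask & WRITE_OWNER:
        out.append("WriteOwner: can take ownership, then WriteDacl")
    # GenericWrite, or WriteProperty with no object GUID (= every attribute)
    if mask & GENERIC_WRITE or (mask & DS_WRITE_PROP and obj_type is None):
        out.append({
            "user": "GenericWrite: targeted Kerberoast (servicePrincipalName) or shadow credentials (msDS-KeyCredentialLink)",
            "computer": "GenericWrite: RBCD (msDS-AllowedToActOnBehalfOfOtherIdentity) or shadow credentials",
            "group": "GenericWrite: add members",
        }.get(target_class, "GenericWrite: write any attribute"))
    if mask & DS_CONTROL_ACCESS:
        if obj_type is None:
            out.append("AllExtendedRights")
        elif obj_type == FORCE_CHANGE_PASSWORD and target_class == "user":
            out.append("ForceChangePassword")
        elif obj_type in (GET_CHANGES, GET_CHANGES_ALL) and target_class == "domain":
            out.append("DCSync (needs both Get-Changes and Get-Changes-All)")
    return out


def find_dangerous(sd, target_class, ignore=()):
    """Return {trustee_sid: [primitives]} for every ACE not held by an ignored (expected) SID."""
    results = {}
    for ace_type, mask, obj_type, sid in parse_dacl(sd):
        if sid in ignore:
            continue
        prims = classify(ace_type, mask, obj_type, target_class)
        if prims:
            results.setdefault(sid, []).extend(prims)
    return results


# --- constructed sample data (hypothetical domain S-1-5-21-1-2-3, not real) ---
def build_sid(rid):
    subs = [21, 1, 2, 3, rid]
    return bytes([1, len(subs)]) + (5).to_bytes(6, "big") + struct.pack("<%dI" % len(subs), *subs)

def build_ace(mask, sid, obj_type=None, deny=False):
    if obj_type is None:
        ace_type, body = (0x01 if deny else 0x00), struct.pack("<I", mask) + sid
    else:
        ace_type, body = (0x06 if deny else 0x05), struct.pack("<II", mask, 0x1) + obj_type.bytes_le + sid
    return struct.pack("<BBH", ace_type, 0, 4 + len(body)) + body

def build_sd(aces):
    body = b"".join(aces)
    acl = struct.pack("<BBHHH", 4, 0, 8 + len(body), len(aces), 0) + body
    return struct.pack("<BBHIIII", 1, 0, 0x8000 | SE_DACL_PRESENT, 0, 0, 0, 20) + acl  # DACL right after the 20-byte header

DOMAIN_ADMINS = "S-1-5-21-1-2-3-512"
SAMPLE_USER_SD = build_sd([
    build_ace(GENERIC_ALL, build_sid(512)),                               # Domain Admins: expected
    build_ace(GENERIC_WRITE, build_sid(1105)),                            # ordinary user: dangerous
    build_ace(DS_CONTROL_ACCESS, build_sid(1106), FORCE_CHANGE_PASSWORD),  # scoped extended right
    build_ace(WRITE_DAC, build_sid(1107)),
    build_ace(GENERIC_ALL, build_sid(1108), deny=True),                   # deny ACE: grants nothing
])
```

In practice the ignore set is the domain's expected high-privilege trustees (Domain Admins, Enterprise Admins, SYSTEM and the like), so that only unexpected holders are reported; a NULL or absent DACL should be flagged on its own rather than silently returning no findings. For the credential concern the audit raises, reading the bind password with getpass or from an environment variable avoids leaving it in shell history and process listings.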

Confidence: 70% | Severity: 70%
Audit Metadata
Analyzed At
Apr 6, 2026, 06:47 PM
Package URL
pkg:socket/skills-sh/mukul975%2FAnthropic-Cybersecurity-Skills%2Fanalyzing-active-directory-acl-abuse%2F@884c1c05979a40cc213f1cb5bfc3595d1463625b