executing-red-team-exercise

CRITICAL E006: Malicious code pattern detected in skill scripts.

• Malicious code pattern detected (high risk: 1.00). This content explicitly instructs and operationalizes covert C2 setup (domain fronting, redirectors), implant/payload development (AMSI/ETW bypass, signed proxy execution), credential theft (Kerberoasting, LSASS dumping), persistence and privilege escalation techniques, and data exfiltration workflows — all deliberate offensive behaviors that can be directly abused for malicious compromise and backdoors.

MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).

• Potentially malicious external URL detected (high risk: 0.90). The agent downloads the MITRE ATT&CK STIX bundle at runtime from https://raw.githubusercontent.com/mitre/cti/master/enterprise-attack/enterprise-attack.json (via MITRE_ATTACK_URL) which is used to populate and drive the operation plan—i.e., external data fetched at runtime that directly controls the agent's output and is a required dependency.

MEDIUM W013: Attempt to modify system services in skill instructions.

• Attempt to modify system services in skill instructions detected (high risk: 1.00). The prompt explicitly instructs building and deploying C2 infrastructure and implants, performing AMSI/ETW bypasses, persistence mechanisms, privilege escalation, and other actions that modify system state and bypass security controls, so it encourages compromising the host and network.