performing-active-directory-compromise-investigation

MEDIUM W013: Attempt to modify system services in skill instructions.

• Attempt to modify system services in skill instructions detected (high risk: 1.00). The skill instructs the agent to perform privileged, state-changing AD actions (NTDS.dit extraction, DCSync/Mimikatz use, rotating krbtgt, resetting passwords, removing privileged members, rebuilding DCs) that require elevated privileges and modify system/domain state and could be misused.