skills/mukul975/anthropic-cybersecurity-skills/performing-active-directory-compromise-investigation/Snyk
performing-active-directory-compromise-investigation
Warn
Audited by Snyk on Mar 15, 2026
Risk Level: MEDIUM
Full Analysis
MEDIUM W013: Attempt to modify system services in skill instructions.
- Attempt to modify system services in skill instructions detected (high risk: 1.00). The skill explicitly instructs privileged, state-changing actions on domain controllers—e.g., extracting NTDS.dit via ntdsutil/vssadmin, resetting krbtgt and account passwords, removing privileged group members, and rebuilding DCs—which alter the machine/domain state and require elevated privileges, so it can compromise the host.
Issues (1)
W013
MEDIUM: Attempt to modify system services in skill instructions.