performing-purple-team-exercise
Fail
Audited by Snyk on Mar 16, 2026
Risk Level: CRITICAL
Full Analysis
CRITICAL E006: Malicious code pattern detected in skill scripts.
- Malicious code pattern detected (high risk: 1.00). The content explicitly contains step‑by‑step, actionable instructions and commands to perform credential theft (Mimikatz/LSASS access), remote command execution and C2 (Cobalt Strike, PsExec, wmic), data exfiltration (rclone), destructive/persistence actions (shadow copy deletion, registry Run keys, scheduled tasks, log clearing), and executes remote PowerShell code via IEX (IWR) — all high‑risk, dual‑use techniques that can be directly abused as backdoors or for system compromise.
MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).
- Third-party content exposure detected (high risk: 0.90). The SKILL.md workflow explicitly instructs fetching and executing an open GitHub raw script (IEX (IWR 'https://raw.githubusercontent.com/.../install-atomicredteam.ps1') in Step 3) and references public tools/APIs (Atomic Red Team, MITRE Caldera) which are untrusted third‑party content the exercise expects to run/interpret as part of the workflow.
MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).
- Potentially malicious external URL detected (high risk: 1.00). The skill explicitly runs a PowerShell one-liner that downloads and executes remote code at runtime via Invoke-Expression from https://raw.githubusercontent.com/redcanaryco/invoke-atomicredteam/master/install-atomicredteam.ps1 (used to install/run Atomic Red Team), so the fetched content is executed and required for the skill's tests.
MEDIUM W013: Attempt to modify system services in skill instructions.
- Attempt to modify system services in skill instructions detected (high risk: 1.00). The prompt explicitly directs running adversary-emulation actions (e.g., installing/running Atomic Red Team, Mimikatz LSASS dumps, creating scheduled tasks/services, registry persistence, shadow-copy deletion, PsExec) which perform privileged, state-changing operations on target hosts and thus would compromise the machine the agent runs on.
Issues (4)
- CRITICAL E006: Malicious code pattern detected in skill scripts.
- MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).
- MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).
- MEDIUM W013: Attempt to modify system services in skill instructions.