attacking-active-directory

Fail

Audited by Snyk on Mar 21, 2026

Risk Level: CRITICAL
Full Analysis

HIGH W007: Insecure credential handling detected in skill instructions.

  • Insecure credential handling detected (high risk: 1.00). The prompt contains numerous command examples that explicitly embed plaintext credentials, NTLM hashes, and tickets (e.g., domain.local/user:password, -w 'password', -hashes :ntlmhash, krbtgt:hash), which instruct an agent to insert secret values verbatim into commands or requests.

CRITICAL E006: Malicious code pattern detected in skill scripts.

  • Malicious code pattern detected (high risk: 1.00). This skill explicitly documents offensive Active Directory attack techniques — credential theft (Kerberoast, ASREPRoast, Mimikatz, DCSync), lateral movement (PtH/PtT, psexec, wmiexec), and persistence (Golden/Silver tickets, backdoor account creation) — which are deliberate malicious behaviors useful for compromising and maintaining unauthorized access to Windows domains.

MEDIUM W013: Attempt to modify system services in skill instructions.

  • Attempt to modify system services in skill instructions detected (high risk: 1.00). This skill explicitly instructs the agent to perform credential dumping (LSASS/SAM), run tools like Mimikatz/Rubeus to create/import tickets and persistence, and even "create backdoor accounts" and DCSync against domain controllers — actions that modify system state, create accounts, and bypass security on the machine/domain the agent runs on.

Issues (3)

W007 (HIGH): Insecure credential handling detected in skill instructions.

E006 (CRITICAL): Malicious code pattern detected in skill scripts.

W013 (MEDIUM): Attempt to modify system services in skill instructions.

Audit Metadata

Risk Level: CRITICAL
Analyzed: Mar 21, 2026, 01:18 AM
Issues: 3