active-directory-acl-abuse
Fail
Audited by Snyk on Apr 9, 2026
Risk Level: CRITICAL
Full Analysis
HIGH W007: Insecure credential handling detected in skill instructions.
- Insecure credential handling detected (high risk: 1.00). The playbook includes many commands and examples that embed or return plaintext credentials (e.g., -p password, DOMAIN/user:password@DC01, secretsdump, LAPS readouts, net user 'NewP@ss123!'), and discusses retrieving and reusing those secrets, which would require the LLM to handle and potentially output secret values verbatim.
CRITICAL E006: Malicious code pattern detected in skill scripts.
- Malicious code pattern detected (high risk: 1.00). This document is an explicit, actionable offensive playbook for abusing Active Directory ACLs—providing step‑by‑step commands to steal credentials (DCSync/secretsdump, Kerberoast), escalate privileges (GenericAll/WriteDACL/AddMember), establish persistence/backdoors (shadow credentials, RBCD, writable GPOs, malicious logon scripts), and execute remote code—constituting deliberate malicious behavior.
MEDIUM W013: Attempt to modify system services in skill instructions.
- Attempt to modify system services in skill instructions detected (high risk: 1.00). The prompt is an explicit offensive playbook with commands to modify Active Directory objects, change passwords, add users/groups, write ACLs, abuse GPOs and perform DCSync/shadow credential actions—i.e., it instructs state-changing, privilege-escalation operations that would compromise the host/domain.
Issues (3)
W007
HIGH: Insecure credential handling detected in skill instructions.
E006
CRITICAL: Malicious code pattern detected in skill scripts.
W013
MEDIUM: Attempt to modify system services in skill instructions.
Audit Metadata