windows-lateral-movement

HIGH W007: Insecure credential handling detected in skill instructions.

• Insecure credential handling detected (high risk: 1.00). This playbook explicitly instructs embedding plaintext passwords, NTLM hashes, Kerberos tickets/keys, and other secrets directly into commands and tool arguments (e.g., psexec.py DOMAIN/administrator:password@TARGET_IP, -hashes :NTLM_HASH, -aesKey AES256_KEY), which requires the agent to handle and output secret values verbatim.

CRITICAL E006: Malicious code pattern detected in skill scripts.

• Malicious code pattern detected (high risk: 1.00). This document is explicitly a high-risk malicious playbook: it provides step-by-step instructions for Windows lateral movement, credential theft (LSASS, SAM, NTDS, DPAPI), pass‑the‑hash/ticket and overpass techniques, remote code execution (PsExec, WMI, DCOM, WinRM, RDP), persistence and pivoting (reverse tunnels, Chisel, Ligolo), and OPSEC/EDR evasion—i.e., deliberate attacker tactics to compromise, escalate, persist, and exfiltrate credentials and access.

MEDIUM W013: Attempt to modify system services in skill instructions.

• Attempt to modify system services in skill instructions detected (high risk: 1.00). This playbook explicitly instructs running privileged/host-changing operations on the attacker's machine (e.g., starting chisel/ligolo servers and running "sudo ip route add INTERNAL_SUBNET/24 dev ligolo"), and describes creating services/binaries and credential-dumping techniques, which push an agent to modify the local system state and use sudo.