windows-privilege-escalation

CRITICAL E006: Malicious code pattern detected in skill scripts.

• Malicious code pattern detected (high risk: 1.00). This content is an explicit offensive Windows privilege-escalation playbook that gives step‑by‑step instructions and commands to gain SYSTEM/admin privileges, create backdoors (reverse shells, add local admin users), steal credentials (LSASS/SAM/NTDS dumps, secretsdump), persist (service binary/DLL planting, scheduled tasks, registry autoruns), bypass UAC, load malicious drivers, and otherwise perform remote code execution and data exfiltration — clearly intended for malicious abuse.

MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).

• Potentially malicious external URL detected (high risk: 1.00). The CMSTP INF example includes an explicit runtime URL "http://ATTACKER/sct_payload.sct" which CMSTP can fetch and execute as a remote .sct payload, meaning the skill depends on and instructs use of remote content that executes code.

MEDIUM W013: Attempt to modify system services in skill instructions.

• Attempt to modify system services in skill instructions detected (high risk: 1.00). This skill explicitly instructs the agent to perform Windows privilege-escalation actions that modify system state—creating users, changing service binaries/configs, editing registry autoruns, planting DLLs/MSIs, and executing payloads—thereby directly compromising the host.