detecting-golden-ticket-forgery

Pass

Audited by Gen Agent Trust Hub on Apr 12, 2026

Risk Level: SAFE
Full Analysis
  • [SAFE]: The skill is a security monitoring tool that analyzes user-supplied log files for indicators of Kerberos Golden Ticket attacks. It operates entirely locally, with no network connections and no external data exfiltration.
  • [DATA_EXPOSURE_AND_EXFILTRATION]: The script reads user-provided Windows Security event logs in XML format and writes a local JSON report. No network operations (e.g., requests, sockets) and no access to sensitive file paths (e.g., .ssh, .aws) were found.
  • [REMOTE_CODE_EXECUTION]: No remote code execution patterns or dynamic code execution (e.g., eval, exec) were detected. The script uses standard Python libraries for XML parsing and data processing.
  • [COMMAND_EXECUTION]: The script does not use subprocesses or shell execution. It generates Splunk Search Processing Language (SPL) queries for the user to run in their own SIEM platform, which is common practice for threat detection skills.
  • [PROMPT_INJECTION]: The documentation and instructions focus strictly on the technical task of threat detection and contain no instructions intended to bypass AI safety filters or override agent behavior.
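The audited skill's own code is not reproduced on this page. The following is an added illustration, not the skill's code, of what the kind of offline analysis described above looks like in practice: it parses Windows Security events in the standard event XML schema, applies three widely used Golden Ticket heuristics (a TGS request with no preceding AS exchange for the account, an RC4-HMAC service ticket in an AES-capable domain, and a Kerberos logon whose account domain appears as an FQDN instead of the NetBIOS name), and emits a JSON report alongside SPL pivots. The sample events are constructed; the 10-hour TGT lifetime and the Splunk field names are assumptions.

```python
"""Local analysis of exported Windows Security events (XML) for Kerberos
Golden Ticket indicators, with a JSON report and SPL pivots. Added example,
not the audited skill's code; the sample events below are constructed."""
import json
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}
RC4_HMAC = "0x17"                       # etype 23; default for tickets forged from the krbtgt NT hash
TGT_MAX_LIFETIME = timedelta(hours=10)  # default domain MaxTicketAge (assumption: policy not tuned)

# Constructed sample: a legitimate AS/TGS pair for alice, then a TGS-REQ and a
# network logon for bob with no preceding AS-REQ (a forged TGT never passes
# through the AS exchange), RC4 encryption and an FQDN-form account domain.
SAMPLE_XML = """<Events>
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><EventID>4768</EventID><TimeCreated SystemTime="2026-04-12T09:00:00.0000000Z"/><Computer>DC01.corp.example</Computer></System><EventData><Data Name="TargetUserName">alice</Data><Data Name="TargetDomainName">CORP.EXAMPLE</Data><Data Name="IpAddress">::ffff:10.0.0.21</Data><Data Name="TicketEncryptionType">0x12</Data></EventData></Event>
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><EventID>4769</EventID><TimeCreated SystemTime="2026-04-12T09:00:05.0000000Z"/><Computer>DC01.corp.example</Computer></System><EventData><Data Name="TargetUserName">alice@CORP.EXAMPLE</Data><Data Name="TargetDomainName">CORP.EXAMPLE</Data><Data Name="ServiceName">CIFS/FS01</Data><Data Name="IpAddress">::ffff:10.0.0.21</Data><Data Name="TicketEncryptionType">0x12</Data></EventData></Event>
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><EventID>4769</EventID><TimeCreated SystemTime="2026-04-12T10:15:03.0000000Z"/><Computer>DC01.corp.example</Computer></System><EventData><Data Name="TargetUserName">bob@CORP.EXAMPLE</Data><Data Name="TargetDomainName">CORP.EXAMPLE</Data><Data Name="ServiceName">CIFS/DC01</Data><Data Name="IpAddress">::ffff:10.0.0.99</Data><Data Name="TicketEncryptionType">0x17</Data></EventData></Event>
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><EventID>4624</EventID><TimeCreated SystemTime="2026-04-12T10:15:04.0000000Z"/><Computer>DC01.corp.example</Computer></System><EventData><Data Name="TargetUserName">bob</Data><Data Name="TargetDomainName">corp.example</Data><Data Name="LogonType">3</Data><Data Name="AuthenticationPackageName">Kerberos</Data><Data Name="IpAddress">10.0.0.99</Data></EventData></Event>
</Events>"""


def parse_time(stamp):
    """Parse SystemTime; Windows writes 7 fractional digits, strptime accepts 6."""
    base, _, frac = stamp.rstrip("Z").partition(".")
    return datetime.strptime(f"{base}.{(frac or '0')[:6]}", "%Y-%m-%dT%H:%M:%S.%f")


def parse_events(xml_text):
    """Flatten each <Event> into {id, time, computer, data{Name: value}}, oldest first."""
    out = []
    for ev in ET.fromstring(xml_text).findall("e:Event", NS):
        sysel = ev.find("e:System", NS)
        out.append({
            "id": sysel.find("e:EventID", NS).text,
            "time": parse_time(sysel.find("e:TimeCreated", NS).get("SystemTime")),
            "computer": sysel.find("e:Computer", NS).text,
            "data": {d.get("Name"): (d.text or "") for d in ev.findall("e:EventData/e:Data", NS)},
        })
    return sorted(out, key=lambda e: e["time"])


def _finding(kind, ev, user):
    return {"indicator": kind, "event_id": ev["id"], "time": ev["time"].isoformat() + "Z",
            "computer": ev["computer"], "user": user,
            "client": ev["data"].get("IpAddress", ""), "service": ev["data"].get("ServiceName", "")}


def analyze(events):
    """Return a list of findings; every check is a heuristic, not proof of forgery."""
    findings = []
    # Index AS-REQ (4768) times per account so each TGS-REQ can be matched to one.
    tgt_issued = {}
    for ev in events:
        if ev["id"] == "4768":
            tgt_issued.setdefault(ev["data"].get("TargetUserName", "").lower(), []).append(ev["time"])
    for ev in events:
        d = ev["data"]
        user = d.get("TargetUserName", "").split("@")[0].lower()  # 4769 carries user@REALM
        if ev["id"] == "4769":
            # 1. TGS-REQ with no AS-REQ for that account within a TGT lifetime on this
            #    DC. A forged TGT skips the AS exchange, but a TGT issued by another DC
            #    or before the export window looks the same, so treat this as a pivot.
            if not any(timedelta(0) <= ev["time"] - t <= TGT_MAX_LIFETIME
                       for t in tgt_issued.get(user, [])):
                findings.append(_finding("tgs_without_as_exchange", ev, user))
            # 2. RC4-HMAC service ticket in a domain where AES is expected.
            if d.get("TicketEncryptionType", "").lower() == RC4_HMAC:
                findings.append(_finding("rc4_service_ticket", ev, user))
        elif ev["id"] == "4624" and d.get("AuthenticationPackageName") == "Kerberos":
            # 3. Kerberos logon whose account domain is an FQDN rather than the
            #    NetBIOS name, a well-known artefact of tickets forged with default tooling.
            if "." in d.get("TargetDomainName", ""):
                findings.append(_finding("fqdn_account_domain_logon", ev, user))
    return findings


def spl_queries():
    """SPL pivots for the SIEM. Field names assume the Splunk Add-on for Windows (assumption)."""
    return {
        "rc4_service_ticket": 'index=wineventlog EventCode=4769 Ticket_Encryption_Type=0x17 '
                              '| stats count by Account_Name, Service_Name, Client_Address',
        "fqdn_account_domain_logon": 'index=wineventlog EventCode=4624 Authentication_Package=Kerberos '
                                     'Account_Domain="*.*" | stats count by Account_Name, Account_Domain, '
                                     'Source_Network_Address',
    }


def build_report(xml_text):
    """Parse, analyze and package results as the JSON-serialisable report."""
    events = parse_events(xml_text)
    return {"events_analyzed": len(events), "findings": analyze(events), "spl": spl_queries()}


if __name__ == "__main__":
    print(json.dumps(build_report(SAMPLE_XML), indent=2))
```

Run against the constructed sample, the report flags only bob: a TGS request with no AS exchange, an RC4 service ticket and an FQDN-form logon domain, while alice's AES ticket pair passes. The first check only sees the DC whose log was exported, so in production correlate 4768 events from every domain controller before trusting a "missing AS-REQ" hit, and expect RC4 tickets from legacy hosts; the point of emitting SPL alongside the JSON is to pivot on these hits in the SIEM rather than alert on them blindly.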
Audit Metadata
Risk Level: SAFE
Analyzed: Apr 12, 2026, 06:01 PM