detecting-ntlm-relay-with-event-correlation

Warn

Audited by Snyk on Apr 20, 2026

Risk Level: MEDIUM
Full Analysis

MEDIUM W013: Attempt to modify system services in skill instructions.

  • Attempt to modify system services in skill instructions detected (high risk: 0.80). The skill includes PowerShell and registry/GPO commands (Set-ItemProperty, domain-wide SMB/LDAP signing changes, revoking certs, blocking IPs, remote Invoke-Command/New-CimSession) that instruct changing system configuration and performing domain-wide actions requiring elevated privileges, so the skill encourages modifying machine state.

Issues (1)

W013 (MEDIUM): Attempt to modify system services in skill instructions.

Audit Metadata

Risk Level: MEDIUM
Analyzed: Apr 20, 2026, 05:19 PM
Issues: 1