hunting-for-dcsync-attacks

Pass

Audited by Gen Agent Trust Hub on Apr 7, 2026

Risk Level: SAFE
Full Analysis
  • [COMMAND_EXECUTION]: The script scripts/agent.py calls subprocess.run to execute built-in Windows utilities, including powershell and wevtutil, in order to collect domain controller information, query the Security event log, and audit Active Directory ACLs. Each command is passed as an argument list rather than a shell string, so no shell re-parses the command line and a value containing metacharacters cannot be spliced into a second command. This protects the process-spawn boundary only: a string handed to powershell is still interpreted by PowerShell, so that layer has to be reviewed on its own terms.
  • [DATA_EXFILTRATION]: The agent reads Windows Security event logs, which contain sensitive details about domain accounts and infrastructure. That access is inherent to the skill's stated purpose of threat hunting. The collected data is written to a local JSON report for the user; no outbound network communication or exfiltration attempt was observed.
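To make the two findings above concrete, here is an added example (written for this note, not the audited skill's code, which the page does not show) of the pattern the audit describes: the wevtutil query is built as an argument list with no shell, and the detection logic runs over Security events. The Event ID 4662 field names and the three replication control-access-right GUIDs are standard Windows values; the sample events, the account names and the allowlist are constructed for the example.

```python
"""Added example: no-shell wevtutil invocation plus DCSync hunting over 4662 events.
Not the audited skill's code. Sample events and account names are constructed."""
import subprocess
import xml.etree.ElementTree as ET

# Control-access rights on the domain object that allow replicating directory data.
# Any one of these in a 4662 from a non-DC principal is the classic DCSync signal.
REPLICATION_RIGHTS = {
    "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Get-Changes",
    "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Get-Changes-All",
    "89e95b76-444d-4c62-991a-0facbeda640c": "DS-Replication-Get-Changes-In-Filtered-Set",
}
NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}


def build_wevtutil_cmd(max_events=500):
    """Argument list for wevtutil. Nothing here is re-parsed by cmd.exe, so an
    XPath filter containing quotes or '&' cannot become a second command."""
    return ["wevtutil", "qe", "Security",
            "/q:*[System[(EventID=4662)]]",
            f"/c:{max_events}", "/rd:true", "/f:xml"]


def run_query(max_events=500):
    """Run the query on a domain controller (Windows only) and return the XML text."""
    res = subprocess.run(build_wevtutil_cmd(max_events),
                         capture_output=True, text=True, check=True)
    return res.stdout


def parse_events(xml_text):
    """wevtutil /f:xml emits bare <Event> elements back to back; wrap them in a
    root element so ElementTree accepts the stream, then flatten each event."""
    root = ET.fromstring("<Events>" + xml_text + "</Events>")
    for ev in root.findall("e:Event", NS):
        data = {d.get("Name"): (d.text or "") for d in ev.findall("e:EventData/e:Data", NS)}
        data["EventID"] = ev.findtext("e:System/e:EventID", default="", namespaces=NS)
        data["TimeCreated"] = ev.find("e:System/e:TimeCreated", NS).get("SystemTime")
        yield data


def find_dcsync(events, allowlist=()):
    """Flag 4662 events whose Properties field carries a replication right and whose
    subject is not an explicitly allowlisted principal (DC machine accounts, a known
    directory-sync service account). Allowlisting specific accounts rather than every
    name ending in '$' keeps a compromised member-server machine account visible."""
    allowed = {a.lower() for a in allowlist}
    findings = []
    for e in events:
        if e.get("EventID") != "4662":
            continue
        user = e.get("SubjectUserName", "")
        if user.lower() in allowed:
            continue
        props = e.get("Properties", "").lower()
        rights = [name for guid, name in REPLICATION_RIGHTS.items() if guid in props]
        if rights:
            findings.append({
                "time": e.get("TimeCreated"),
                "subject": f"{e.get('SubjectDomainName', '')}\\{user}",
                "rights": rights,
            })
    return findings


# Constructed sample: a DC replicating legitimately, a user account requesting
# Get-Changes-All (DCSync), and the same user touching an unrelated attribute.
SAMPLE_XML = """
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><EventID>4662</EventID><TimeCreated SystemTime="2026-04-07T18:40:01.000Z"/></System><EventData><Data Name="SubjectUserName">DC01$</Data><Data Name="SubjectDomainName">CORP</Data><Data Name="Properties">%%7688
	{1131f6aa-9c07-11d1-f79f-00c04fc2dcd2}
	{19195a5b-6da0-11d0-afd3-00c04fd930c9}</Data></EventData></Event>
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><EventID>4662</EventID><TimeCreated SystemTime="2026-04-07T18:41:13.000Z"/></System><EventData><Data Name="SubjectUserName">jdoe</Data><Data Name="SubjectDomainName">CORP</Data><Data Name="Properties">%%7688
	{1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}
	{1131f6aa-9c07-11d1-f79f-00c04fc2dcd2}
	{19195a5b-6da0-11d0-afd3-00c04fd930c9}</Data></EventData></Event>
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><EventID>4662</EventID><TimeCreated SystemTime="2026-04-07T18:42:30.000Z"/></System><EventData><Data Name="SubjectUserName">jdoe</Data><Data Name="SubjectDomainName">CORP</Data><Data Name="Properties">%%7688
	{bf967aba-0de6-11d0-a285-00aa003049e2}</Data></EventData></Event>
"""

if __name__ == "__main__":
    # Offline demo over the constructed sample; on a DC, swap in run_query().
    for f in find_dcsync(parse_events(SAMPLE_XML), allowlist=("DC01$",)):
        print(f)
```

The allowlist should be the real DC computer accounts of the environment (plus any legitimate directory-sync account), built from the same domain controller inventory the agent collects, rather than a blanket exemption for machine accounts.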
Audit Metadata
Risk Level: SAFE
Analyzed: Apr 7, 2026, 06:47 PM
Security Audit — agent-trust-hub — hunting-for-dcsync-attacks