hunting-for-ntlm-relay-attacks

Warn

Audited by Gen Agent Trust Hub on Apr 12, 2026

Risk Level: MEDIUM
Finding category: COMMAND_EXECUTION
Full Analysis
  • [COMMAND_EXECUTION]: The script scripts/agent.py uses subprocess.run to execute system-level utilities such as wevtutil and powershell to retrieve Windows Security event logs and perform system audits.
  • [COMMAND_EXECUTION]: A command injection vulnerability exists in the check_smb_signing function of scripts/agent.py. Hostnames provided via the --hosts argument or retrieved from Active Directory are directly interpolated into PowerShell command strings (e.g., -CimSession '{host}'). A maliciously crafted hostname containing characters like single quotes or semicolons could allow for arbitrary PowerShell command execution.
  • [COMMAND_EXECUTION]: The skill requires the agent to operate with elevated administrative privileges to query the Security event log and perform remote CIM sessions. This high-privilege requirement, combined with the command construction vulnerability, increases the security risk of deploying the skill.
Audit Metadata
Risk Level: MEDIUM
Analyzed: Apr 12, 2026, 06:02 PM
Security Audit — agent-trust-hub — hunting-for-ntlm-relay-attacks