
Performing Active Directory Compromise Investigation

Overview

Active Directory (AD) compromise investigation is a critical incident response capability that focuses on identifying how attackers gained access to domain services, what persistence mechanisms they established, and the scope of credential compromise. Since 88% of breaches involve compromised credentials (Verizon 2025 DBIR), AD is the primary target for enterprise-wide attacks. Investigators must analyze NTDS.dit database integrity, Kerberos ticket-granting activity, Group Policy modifications, replication metadata, and privileged group membership changes to reconstruct the attack chain and determine full compromise scope.

When to Use

  • When conducting security assessments that involve performing an Active Directory compromise investigation
  • When following incident response procedures for related security events
  • When performing scheduled security testing or auditing activities
  • When validating security controls through hands-on testing

Prerequisites

Installs: 35
GitHub Stars: 24.2K
First Seen: Mar 15, 2026
Source: performing-active-directory-compromise-investigation — mukul975/anthropic-cybersecurity-skills