relaying-ntlm-for-adcs-esc8
Fail
Audited by Snyk on Jun 25, 2026
Risk Level: CRITICAL
Full Analysis
HIGH W007: Insecure credential handling detected in skill instructions.
- Insecure credential handling detected (high risk: 1.00). The prompt includes examples and workflow steps that embed plaintext credentials on command lines (e.g., -p 'Password123!'), instructs capturing and echoing base64 certificates (sensitive secrets), and thus requires or encourages the LLM to handle and output secret values verbatim.
CRITICAL E005: Suspicious download URL detected in skill instructions.
- Suspicious download URL detected (high risk: 0.70). These are mostly legitimate security-research pages and GitHub repositories (Impacket, Certipy, PetitPotam, Coercer, SpecterOps/Dirk-jan blogs and PDFs, Apache license) rather than obscure/shortened executable hosting, but they host dual‑use offensive tooling and reference internal CA enrollment endpoints used in ESC8 — so while not classic malware-distribution links, they are high‑risk in that they can directly enable credential theft and domain compromise if used without authorization.
CRITICAL E006: Malicious code pattern detected in skill scripts.
- Malicious code pattern detected (high risk: 1.00). This repository and scripts intentionally orchestrate NTLM coercion and NTLM-relay to AD CS to capture a domain controller machine certificate, convert it to a Kerberos TGT/NT hash, and enable DCSync — a clear, high-risk credential theft and domain-compromise workflow usable for unauthorized takeover.
MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).
- Third-party content exposure detected (medium risk: 0.65). The required runtime workflow runs
scripts/agent.py, which executesntlmrelayx --adcsand then ingests outsider-authored free text from the relay tool’s stdout (including the “Base64 certificate …” line) into the agent’s LLM context; that stdout is produced by an external network interaction with the CA/target and is not authored by the operating user.
Issues (4)
W007
HIGHInsecure credential handling detected in skill instructions.
E005
CRITICALSuspicious download URL detected in skill instructions.
E006
CRITICALMalicious code pattern detected in skill scripts.
W011
MEDIUMThird-party content exposure detected (indirect prompt injection risk).
Audit Metadata