offensive-active-directory

HIGH W007: Insecure credential handling detected in skill instructions.

• Insecure credential handling detected (high risk: 0.90). The prompt contains many commands and examples that require inserting plaintext credentials, NT hashes, tokens, and PFX/password values verbatim (placeholders like -p pass, , -hashes : and even an explicit 'Winter2025!'), so an agent following it would need to accept and embed secrets directly, creating high exfiltration risk.

CRITICAL E006: Malicious code pattern detected in skill scripts.

• Malicious code pattern detected (high risk: 1.00). This content is an explicit offensive Active Directory attack playbook that provides step-by-step commands and tooling for credential theft, privilege escalation, lateral movement, persistence (Golden/Silver/Diamond tickets, DCSync, DCShadow), ADCS abuse, and other techniques that enable backdoors, remote compromise, and data exfiltration.

MEDIUM W013: Attempt to modify system services in skill instructions.

• Attempt to modify system services in skill instructions detected (high risk: 1.00). The prompt explicitly instructs the agent to perform intrusive, state-changing actions (add domain admin accounts via GPO, modify AD ACLs/AdminSDHolder, perform DCSync/DCShadow, dump LSASS, register rogue DCs, etc.) that alter system/domain state and require elevated/privileged operations, so it should be flagged.