ad-persistence
Audited by Socket on May 9, 2026
4 alerts found:
Malware (x4)
The provided fragment is not a normal software library implementation; it is a detailed Active Directory attack/persistence playbook aimed at forging Kerberos tickets, dumping secrets, injecting into LSASS, enabling DSRM network logon, abusing AdminSDHolder for persistence, stealing tokens, hijacking RDP sessions, and forcing SMB authentication/relay. This strongly indicates malicious content with high security risk. No code execution paths can be verified because there is no actual programming logic in the snippet.
MALICIOUS. The actual purpose of this skill is to help an AI agent establish and maintain unauthorized persistence in a compromised Windows/AD environment while evading detection and clearing traces. Its capabilities, the credentials it requires, and the effects it produces all fall under high-risk offensive post-exploitation behavior, and it is not suitable as an ordinary agent skill.
This fragment is a clearly adversarial attack playbook for Windows Active Directory compromise and advanced persistence/privilege escalation. It provides concrete mechanisms to (1) modify AD state using replication/delegation/ACL manipulation, (2) derive credentials from directory secrets for Pass-the-Hash, and (3) acquire and inject Kerberos tickets via S4U/asktgs/ptt against high-value targets (including krbtgt). Even though no executable dependency code is included in the snippet, the content is directly usable for offensive operations and would constitute a critical security concern if present in a software package or dependency artifact.
This code fragment strongly indicates malware/persistence tooling for Windows: it creates multiple persistence mechanisms (scheduled tasks, services, Run keys, Winlogon, IFEO, COM hijacking, WMI permanent event subscriptions, and startup-folder LNKs) and executes hidden PowerShell that fetches and runs attacker-controlled remote code via IEX. Given the explicit system-level persistence and remote payload execution, the likelihood of malicious behavior is very high. If this appeared as part of an npm package, it represents a severe supply-chain compromise risk rather than a legitimate dependency.