exchange-attack

Fail

Audited by Gen Agent Trust Hub on Apr 22, 2026

Risk Level: HIGH
Findings: REMOTE_CODE_EXECUTION, COMMAND_EXECUTION, DATA_EXFILTRATION, CREDENTIALS_UNSAFE
Full Analysis
  • [REMOTE_CODE_EXECUTION]: The skill directs the agent to utilize external exploit scripts such as proxylogon.py and proxyshell_rce.py to exploit CVE-2021-26855 and CVE-2021-34473. These instructions detail achieving SYSTEM-level access and writing aspx webshells to the target server.
  • [COMMAND_EXECUTION]: Provides instructions for executing high-risk network and authentication tools, including curl for server probing, nmap for vulnerability detection scripts, and spray, MailSniper, and nxc for automated password spraying against OWA and ECP interfaces.
  • [DATA_EXFILTRATION]: Details specific methods for harvesting sensitive data, such as extracting the Global Address Book (GAL) to obtain user lists, searching mailboxes for sensitive keywords like "password" or "VPN", and exporting entire mailbox contents to PST files using New-MailboxExportRequest.
  • [CREDENTIALS_UNSAFE]: Includes hardcoded password patterns and instructions for performing password spraying attacks using dictionaries, which can lead to unauthorized access to domain accounts.
  • [REMOTE_CODE_EXECUTION]: Describes privilege escalation techniques using privexchange.py to relay NTLM authentication to LDAP, effectively elevating privileges from a standard user to a Domain Administrator via DCSync rights.
Recommendations
  • AI detected serious security threats
Audit Metadata
Risk Level: HIGH
Analyzed: Apr 22, 2026, 10:07 AM