pentest-active-directory
npx machina-cli add skill 0x-Professor/Agent-Skills-Hub/pentest-active-directory --openclaw
SKILL.md
Pentest Active Directory
Stage
- PTES: 6
- MITRE: TA0006, TA0008
Objective
Map and validate AD privilege escalation and movement paths.
Required Workflow
- Validate scope before any active action and reject out-of-scope targets.
- Run only authorized checks aligned to PTES, OWASP WSTG, NIST SP 800-115, and MITRE ATT&CK.
- Write findings in canonical finding_schema format with reproducible PoC notes.
- Honor dry-run mode and require explicit --i-have-authorization for live execution.
- Export deterministic artifacts for downstream skill consumption.
Execution
python skills/pentest-active-directory/scripts/active_directory.py --scope scope.json --target <target> --input <path> --output <path> --format json --dry-run
Outputs
- ad-findings.json
- ad-attack-paths.json
- ad-report.json
References
- references/tools.md
- skills/autonomous-pentester/shared/scope_schema.json
- skills/autonomous-pentester/shared/finding_schema.json
Legal and Ethical Notice
WARNING AUTHORIZED USE ONLY
This skill executes real security testing tools against live targets.
Use only with written authorization.
Source
git clone https://github.com/0x-Professor/Agent-Skills-Hub
Skill file: skills/pentest-active-directory/SKILL.md (https://github.com/0x-Professor/Agent-Skills-Hub/blob/main/skills/pentest-active-directory/SKILL.md)
Overview
Maps and validates Active Directory privilege escalation and movement paths in authorized engagements. It aligns with PTES, MITRE ATT&CK, NIST SP 800-115, and OWASP guidance to identify AD identity attack surfaces and produce reproducible, actionable findings.
How This Skill Works
It follows a validated workflow: confirm scope, run only authorized checks, and produce reproducible evidence in a canonical finding_schema format. The active_directory.py script executes with scope, target, input, and output parameters and can run in dry-run mode or with explicit --i-have-authorization for live tests, emitting ad-findings.json, ad-attack-paths.json, and ad-report.json.
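The scope gate and run-mode decision described above, as an added illustration that is not the project's active_directory.py: the scope.json layout, the function names and the sample scope document are assumptions, since scope_schema.json is referenced on this page but not reproduced.

```python
# Added example modelled on this skill's workflow; NOT the project's own script.
# The scope.json layout below is an assumed one (scope_schema.json is not shown here).
import ipaddress
import json

# Constructed sample scope document (assumed layout, placeholder values).
SAMPLE_SCOPE = json.dumps({
    "engagement": "EXAMPLE-ENGAGEMENT-ID",
    "in_scope": ["10.10.0.0/16", "dc01.corp.example"],
    "out_of_scope": ["10.10.99.0/24"],
})


def _matches(target: str, entry: str) -> bool:
    """True if target (IP or hostname) falls under a scope entry (CIDR, IP or hostname)."""
    try:
        ip = ipaddress.ip_address(target)
    except ValueError:
        return target.lower() == entry.lower()   # hostname target: exact name match only
    try:
        return ip in ipaddress.ip_network(entry, strict=False)
    except ValueError:
        return False                             # entry is a hostname, target is an IP


def in_scope(scope_json: str, target: str) -> bool:
    """Exclusions win over inclusions, so a carved-out subnet stays off limits."""
    scope = json.loads(scope_json)
    if any(_matches(target, e) for e in scope.get("out_of_scope", [])):
        return False
    return any(_matches(target, e) for e in scope.get("in_scope", []))


def plan_run(scope_json: str, target: str, dry_run: bool, authorized: bool) -> dict:
    """Decide the run mode the way the skill's flags describe: out-of-scope targets are
    rejected, --dry-run previews only, and live checks need --i-have-authorization."""
    if not in_scope(scope_json, target):
        mode, reason = "rejected", "target outside authorized scope"
    elif dry_run:
        mode, reason = "dry-run", "preview only, no checks executed"
    elif not authorized:
        mode, reason = "rejected", "live execution requires --i-have-authorization"
    else:
        mode, reason = "live", "scope validated and authorization flag present"
    return {"target": target, "mode": mode, "reason": reason}


def write_artifact(decision: dict) -> str:
    """Deterministic artifact: sorted keys and fixed separators so reruns are byte-identical."""
    return json.dumps(decision, sort_keys=True, separators=(",", ":"))
```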
When to Use It
- During an authorized AD identity assessment to map privilege escalation routes and lateral movement
- When validating scope and permissions before any active security testing on AD targets
- While identifying roasting, relay, and delegation abuse opportunities in an AD forest
- For producing reproducible findings (PoCs) and deterministic artifacts for reporting
- When preparing for a live engagement after completing a thorough dry-run
Quick Start
- Step 1: Validate scope and obtain written authorization for the target scope
- Step 2: Run a dry-run to preview findings: python skills/pentest-active-directory/scripts/active_directory.py --scope scope.json --target <target> --input <path> --output <path> --format json --dry-run
- Step 3: If authorized for live testing, rerun with --i-have-authorization and review ad-findings.json, ad-attack-paths.json, and ad-report.json
Best Practices
- Validate scope before any active action and ensure written authorization
- Run only checks aligned to PTES, OWASP WSTG, NIST SP 800-115, and MITRE ATT&CK
- Use dry-run first and require explicit --i-have-authorization for live tests
- Write findings in canonical finding_schema format with reproducible PoC notes
- Export deterministic artifacts (ad-findings.json, ad-attack-paths.json, ad-report.json)
Example Use Cases
- Authorized pentest against an AD domain to map privilege escalation paths and generate ad-findings.json
- Assessment of Kerberos roasting opportunities and potential misuse within an AD forest
- Evaluation of delegation abuse (e.g., misconfigured constrained delegation) to understand lateral movement risks
- Dry-run validation of scope and target boundaries before enabling live testing
- Generation of deterministic artifacts for SOC review and ticketing using ad-attack-paths.json and ad-report.json