ad-overview
Active Directory attack lane — BloodHound ingestion, Kerberoasting, ADCS ESC scanning, DCSync, LAPS extraction.
Categorized by SOC job role
| Field | Value |
|---|---|
| name | ad-overview |
| description | Active Directory attack lane — BloodHound ingestion, Kerberoasting, ADCS ESC scanning, DCSync, LAPS extraction. |
| metadata | {"subdomain":"active-directory","when_to_use":"active directory ad attack lane overview routing bloodhound kerberoast adcs dcsync laps domain compromise","mitre_attack":["T1078.002","T1558.003","T1558.004","T1003.006","T1649","T1555"]} |
| Skill | Use for |
|---|---|
| /skills/standard/ad/bloodhound-query/SKILL.md | Ingest + common Cypher queries |
| /skills/standard/ad/kerberoasting/SKILL.md | Roast SPN users, crack with hashcat |
| /skills/standard/ad/asrep-roasting/SKILL.md | dontreqpreauth users |
| /skills/standard/ad/adcs-esc1/SKILL.md | ESC1 template abuse → domain admin |
| /skills/standard/ad/dcsync/SKILL.md | Replication rights → krbtgt dump |
| /skills/standard/ad/laps/SKILL.md | LAPS local admin password extraction |
| /skills/standard/ad/netexec/SKILL.md | NetExec (formerly CrackMapExec) cheatsheet — SMB/WinRM/LDAP/MSSQL modules |
1. `bash("bloodhound-python -u user -p pass -d DOMAIN -c all --zip")`
2. `bh_ingest_zip("/workspace/bh.zip")`
3. `dcsync_check` — if any principal, that's instant domain compromise
4. `kg_query(kind="user")` and filter for `hasspn=true` → Kerberoast queue
5. `kg_query(kind="user")` and filter for `dontreqpreauth=true` → AS-REP roast
6. `bash("certipy find -u user -p pass -dc-ip X -json")` then `adcs_audit`
7. `plan_attack_chains` to see graph-computed domain compromise paths
8. Register the crown jewels in the knowledge graph:

```
kg_add_node(kind="crown_jewel", label="Domain Admins group")
kg_add_node(kind="crown_jewel", label="krbtgt account")
kg_add_node(kind="crown_jewel", label="DC: DC01.corp.local")
```
Drive Decepticon — an autonomous multi-agent red-team framework — over MCP to run authorized penetration tests and bug-bounty engagements end to end, then watch and steer them live from chat. Launch an engagement against a target, poll its transcript to narrate progress, send messages to refocus it, and pull findings as SARIF. Use when the user asks to run a pentest/red-team engagement, hunt a bug bounty, do recon, exploit/scan a host, web app, API, network, cloud, Active Directory, mobile app, or smart contract WITH Decepticon — or to check/resume a running engagement or report what Decepticon found. Triggers: run a decepticon engagement, pentest this with decepticon, bug bounty, recon this target, red team this, scan this host, resume the engagement, what did decepticon find, decepticon status. Do NOT use for ad-hoc local tool runs (running nmap/sqlmap/ffuf directly) when no Decepticon server is involved — this drives the Decepticon orchestrator, not raw tools.
IoT device security reconnaissance — firmware extraction, embedded analysis, protocol identification, default credential checking, vulnerability scanning, device fingerprinting.
Mobile application security reconnaissance — APK/IPA analysis, permission enumeration, certificate validation, hardcoded secret detection, insecure storage identification, network security analysis.
Wireless network security reconnaissance — WiFi analysis, Bluetooth assessment, RFID/NFC evaluation, signal capture, protocol analysis, encryption testing, rogue device detection.
Operational-tier finding template — minimal fields for sub-agent decision support. Heavyweight deliverable promotion lives in skills/decepticon/final-report.
Red team engagement lifecycle management — initiation, phase transitions, go/no-go gates, deconfliction, emergency procedures, completion.