Agent skill

performing-active-directory-vulnerability-assessment

Assess Active Directory security posture using PingCastle, BloodHound, and Purple Knight to identify misconfigurations, privilege escalation paths, and attack vectors.

View SKILL.md on GitHub Repository
Stars 4,300
Forks 470

Install this agent skill to your Project

npx add-skill https://github.com/mukul975/Anthropic-Cybersecurity-Skills/tree/main/skills/performing-active-directory-vulnerability-assessment

SKILL.md

Performing Active Directory Vulnerability Assessment

Overview

Active Directory (AD) is the primary identity and access management system in most enterprise environments, making it a critical attack target. This skill covers comprehensive AD security assessment using PingCastle for health checks, BloodHound for attack path analysis, and Purple Knight for security posture scoring. These tools identify misconfigurations, excessive privileges, Kerberos weaknesses, and lateral movement opportunities.

When to Use

  • When conducting security assessments that involve performing active directory vulnerability assessment
  • When following incident response procedures for related security events
  • When performing scheduled security testing or auditing activities
  • When validating security controls through hands-on testing

Prerequisites

  • Domain-joined workstation or domain admin access for scanning
  • PingCastle (https://github.com/netwrix/pingcastle)
  • BloodHound Community Edition with SharpHound collector
  • Purple Knight from Semperis (free community tool)
  • Python 3.9+ for analysis scripts
  • .NET Framework 4.7+ for PingCastle on Windows

Tool 1: PingCastle Health Check

Installation and Execution

powershell
# Download PingCastle
Invoke-WebRequest -Uri "https://github.com/netwrix/pingcastle/releases/latest/download/PingCastle.zip" `
  -OutFile "PingCastle.zip"
Expand-Archive PingCastle.zip -DestinationPath C:\Tools\PingCastle

# Run health check against current domain
cd C:\Tools\PingCastle
.\PingCastle.exe --healthcheck

# Run health check against specific domain
.\PingCastle.exe --healthcheck --server dc01.corp.local --user CORP\scanner_account --password P@ssw0rd

# Run in scanner mode for multiple domains
.\PingCastle.exe --scanner --scannerlp

# Generate consolidated report
.\PingCastle.exe --healthcheck --level Full

PingCastle Scoring Categories

Category Description Risk Areas
Stale Objects Inactive accounts, old passwords, obsolete OS Ghost accounts, expired credentials
Privileged Accounts Excessive admin rights, nested groups Domain Admin sprawl, SID history
Trusts Forest and domain trust configurations Transitive trust abuse, SID filtering
Anomalies Security setting deviations GPO misconfigurations, schema issues

Key PingCastle Checks

# Critical items to review in PingCastle report:
- Accounts with "Password Never Expires" flag
- Accounts with Kerberos pre-authentication disabled (AS-REP roastable)
- Accounts with Kerberos delegation (unconstrained/constrained)
- Domain Controllers running unsupported OS versions
- AdminSDHolder permission modifications
- Accounts in privileged groups (Domain Admins, Enterprise Admins, Schema Admins)
- Trust relationships with SID filtering disabled
- GPO vulnerabilities allowing privilege escalation

Tool 2: BloodHound Attack Path Analysis

SharpHound Data Collection

powershell
# Download SharpHound collector
# https://github.com/SpecterOps/BloodHound/tree/main/packages/csharp/SharpHound

# Run SharpHound collection (all methods)
.\SharpHound.exe --collectionmethods All --domain corp.local --zipfilename bloodhound_data.zip

# Stealthy collection (minimal noise)
.\SharpHound.exe --collectionmethods Session,LoggedOn --domain corp.local --stealth

# Collection with specific domain controller
.\SharpHound.exe --collectionmethods All --domain corp.local --domaincontroller dc01.corp.local

# Run via PowerShell
Import-Module .\SharpHound.ps1
Invoke-BloodHound -CollectionMethod All -Domain corp.local -OutputDirectory C:\BH_Data

BloodHound CE Setup

bash
# Deploy BloodHound Community Edition with Docker
curl -L https://ghst.ly/getbhce -o docker-compose.yml
docker compose up -d

# Access BloodHound CE at http://localhost:8080
# Default credentials shown in docker compose logs

# Upload SharpHound data through web UI or API
curl -X POST "http://localhost:8080/api/v2/file-upload/start" \
  -H "Authorization: Bearer $BH_TOKEN" \
  -H "Content-Type: application/json" \
  -d '{"fileName": "bloodhound_data.zip"}'

Critical BloodHound Queries

cypher
# Find shortest path to Domain Admin
MATCH p=shortestPath((u:User)-[*1..]->(g:Group {name:"DOMAIN ADMINS@CORP.LOCAL"}))
WHERE u.name <> "ADMINISTRATOR@CORP.LOCAL"
RETURN p

# Find Kerberoastable accounts with admin privileges
MATCH (u:User {hasspn:true})-[:MemberOf*1..]->(g:Group)
WHERE g.name CONTAINS "ADMIN"
RETURN u.name, u.serviceprincipalnames

# Find computers where Domain Admins are logged in
MATCH (c:Computer)-[:HasSession]->(u:User)-[:MemberOf*1..]->(g:Group {name:"DOMAIN ADMINS@CORP.LOCAL"})
RETURN c.name, u.name

# Find AS-REP roastable accounts
MATCH (u:User {dontreqpreauth:true})
RETURN u.name, u.description

# Find unconstrained delegation hosts
MATCH (c:Computer {unconstraineddelegation:true})
WHERE NOT c.name CONTAINS "DC"
RETURN c.name

# Find GPO abuse paths
MATCH p=(u:User)-[:GenericAll|GenericWrite|WriteOwner|WriteDacl]->(g:GPO)
RETURN p

Tool 3: Purple Knight Assessment

powershell
# Download Purple Knight from https://www.purple-knight.com/
# Run as domain admin or with appropriate read permissions

.\PurpleKnight.exe

# Purple Knight checks 130+ security indicators across:
# - Account Security (password policies, privileged accounts)
# - AD Infrastructure (replication, DNS, LDAP signing)
# - Group Policy (GPO permissions, security settings)
# - Kerberos Security (delegation, encryption types, SPN)
# - AD Delegation (AdminSDHolder, OU permissions)

Purple Knight Score Categories

Score Range Rating Action Required
90-100 Excellent Maintain current posture
75-89 Good Address high-risk findings
60-74 Fair Prioritize remediation plan
40-59 Poor Immediate remediation required
0-39 Critical Emergency response needed

Common AD Vulnerabilities

1. Kerberoasting Exposure

powershell
# Find SPNs assigned to user accounts (Kerberoasting targets)
Get-ADUser -Filter {ServicePrincipalName -ne "$null"} -Properties ServicePrincipalName |
  Select-Object Name, ServicePrincipalName, PasswordLastSet, Enabled

2. AS-REP Roasting Exposure

powershell
# Find accounts with pre-auth disabled
Get-ADUser -Filter {DoesNotRequirePreAuth -eq $true} -Properties DoesNotRequirePreAuth |
  Select-Object Name, DoesNotRequirePreAuth, Enabled

3. LLMNR/NBT-NS Poisoning Risk

powershell
# Check if LLMNR is disabled via GPO
Get-ItemProperty "HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\DNSClient" -Name EnableMulticast -ErrorAction SilentlyContinue

4. Excessive Privileged Group Membership

powershell
# Count members in critical groups
$groups = @("Domain Admins", "Enterprise Admins", "Schema Admins", "Account Operators", "Backup Operators")
foreach ($group in $groups) {
    $count = (Get-ADGroupMember -Identity $group -Recursive).Count
    Write-Output "$group : $count members"
}

Remediation Priorities

Finding Risk Remediation
Kerberoastable admin accounts Critical Remove SPNs or use MSA/gMSA
Unconstrained delegation on non-DCs Critical Switch to constrained/RBCD
Password Never Expires on admins High Enable password rotation policy
AS-REP roastable accounts High Enable Kerberos pre-authentication
AdminSDHolder modification High Audit and restore default ACLs
Stale computer accounts (90+ days) Medium Disable and move to quarantine OU
LDAP signing not enforced Medium Enable via GPO on all DCs

References

Recommended Agent Skills

Expand your agent's capabilities with these related and highly-rated skills.

mukul975/Anthropic-Cybersecurity-Skills

mapping-mitre-attack-techniques

Maps observed adversary behaviors, security alerts, and detection rules to MITRE ATT&CK techniques and sub-techniques to quantify detection coverage and guide control prioritization. Use when building an ATT&CK-based coverage heatmap, tagging SIEM alerts with technique IDs, aligning security controls to adversary playbooks, or reporting threat exposure to executives. Activates for requests involving ATT&CK Navigator, Sigma rules, MITRE D3FEND, or coverage gap analysis.

4,300 470
Explore
mukul975/Anthropic-Cybersecurity-Skills

hunting-for-spearphishing-indicators

Hunt for spearphishing campaign indicators across email logs, endpoint telemetry, and network data to detect targeted email attacks.

4,300 470
Explore
mukul975/Anthropic-Cybersecurity-Skills

analyzing-malicious-url-with-urlscan

URLScan.io is a free service for scanning and analyzing suspicious URLs. It captures screenshots, DOM content, HTTP transactions, JavaScript behavior, and network connections of web pages in an isolat

4,300 470
Explore
mukul975/Anthropic-Cybersecurity-Skills

implementing-zero-standing-privilege-with-cyberark

Deploy CyberArk Secure Cloud Access to eliminate standing privileges in hybrid and multi-cloud environments using just-in-time access with time, entitlement, and approval controls.

4,300 470
Explore
mukul975/Anthropic-Cybersecurity-Skills

implementing-pam-for-database-access

Deploy privileged access management for database systems including Oracle, SQL Server, PostgreSQL, and MySQL. Covers session proxy configuration, credential vaulting, query auditing, dynamic credentia

4,300 470
Explore
mukul975/Anthropic-Cybersecurity-Skills

detecting-t1003-credential-dumping-with-edr

Detect OS credential dumping techniques targeting LSASS memory, SAM database, NTDS.dit, and cached credentials using EDR telemetry, Sysmon process access monitoring, and Windows security event correlation.

4,300 470
Explore

Didn't find tool you were looking for?

Be as detailed as possible for better results