ad-overview

Active Directory attack lane — BloodHound ingestion, Kerberoasting, ADCS ESC scanning, DCSync, LAPS extraction.

PurpleAILAB 4,249 843 Updated 1mo ago

GitHub

Install

npx skillscat add purpleailab/decepticon/ad-overview

Install via the SkillsCat registry.

SKILL.md

AD Operator Skill Catalog

Playbooks

Skill	Use for
`/skills/ad/bloodhound-query/SKILL.md`	Ingest + common Cypher queries
`/skills/ad/kerberoasting/SKILL.md`	Roast SPN users, crack with hashcat
`/skills/ad/asrep-roasting/SKILL.md`	dontreqpreauth users
`/skills/ad/adcs-esc1/SKILL.md`	ESC1 template abuse → domain admin
`/skills/ad/dcsync/SKILL.md`	Replication rights → krbtgt dump
`/skills/ad/laps/SKILL.md`	LAPS local admin password extraction

Workflow

Collect: bash("bloodhound-python -u user -p pass -d DOMAIN -c all --zip")
bh_ingest_zip("/workspace/bh.zip")
dcsync_check — if any principal, that's instant domain compromise
kg_query(kind="user") and filter for hasspn=true → Kerberoast queue
kg_query(kind="user") and filter for dontreqpreauth=true → AS-REP roast
ADCS: bash("certipy find -u user -p pass -dc-ip X -json") then adcs_audit
plan_attack_chains to see graph-computed domain compromise paths

Crown jewels to add

kg_add_node(kind="crown_jewel", label="Domain Admins group")
kg_add_node(kind="crown_jewel", label="krbtgt account")
kg_add_node(kind="crown_jewel", label="DC: DC01.corp.local")

ad-overview

Install

AD Operator Skill Catalog

Playbooks

Workflow

Crown jewels to add

Categories

Install

Recommended Skills