ad-overview - SKILL.md Agent Skill

name: ad-overview description: Active Directory attack lane — BloodHound ingestion, Kerberoasting, ADCS ESC scanning, DCSync, LAPS extraction. metadata: subdomain: active-directory when_to_use: "active directory ad attack lane overview routing bloodhound kerberoast adcs dcsync laps domain compromise" mitre_attack: - T1078.002 - T1558.003 - T1558.004 - T1003.006 - T1649 - T1555

AD Operator Skill Catalog

Playbooks

Skill	Use for
`/skills/standard/ad/bloodhound-query/SKILL.md`	Ingest + common Cypher queries
`/skills/standard/ad/kerberoasting/SKILL.md`	Roast SPN users, crack with hashcat
`/skills/standard/ad/asrep-roasting/SKILL.md`	dontreqpreauth users
`/skills/standard/ad/adcs-esc1/SKILL.md`	ESC1 template abuse → domain admin
`/skills/standard/ad/dcsync/SKILL.md`	Replication rights → krbtgt dump
`/skills/standard/ad/laps/SKILL.md`	LAPS local admin password extraction
`/skills/standard/ad/netexec/SKILL.md`	NetExec (formerly CrackMapExec) cheatsheet — SMB/WinRM/LDAP/MSSQL modules

Workflow

Collect: bash("bloodhound-python -u user -p pass -d DOMAIN -c all --zip")
bh_ingest_zip("/workspace/bh.zip")
dcsync_check — if any principal, that's instant domain compromise
kg_query(kind="user") and filter for hasspn=true → Kerberoast queue
kg_query(kind="user") and filter for dontreqpreauth=true → AS-REP roast
ADCS: bash("certipy find -u user -p pass -dc-ip X -json") then adcs_audit
plan_attack_chains to see graph-computed domain compromise paths

Crown jewels to add

kg_add_node(kind="crown_jewel", label="Domain Admins group")
kg_add_node(kind="crown_jewel", label="krbtgt account")
kg_add_node(kind="crown_jewel", label="DC: DC01.corp.local")