performing-active-directory-vulnerability-assessment
Assess Active Directory security posture using PingCastle, BloodHound, and Purple Knight to identify misconfigurations, privilege escalation paths, and attack vectors.
Best use case
performing-active-directory-vulnerability-assessment is best used when you need a repeatable AI agent workflow instead of a one-off prompt.
Assess Active Directory security posture using PingCastle, BloodHound, and Purple Knight to identify misconfigurations, privilege escalation paths, and attack vectors.
Teams using performing-active-directory-vulnerability-assessment should expect a more consistent output, faster repeated execution, less prompt rewriting.
When to use this skill
- You want a reusable workflow that can be run more than once with consistent structure.
When not to use this skill
- You only need a quick one-off answer and do not need a reusable workflow.
- You cannot install or maintain the underlying files, dependencies, or repository context.
Installation
Claude Code / Cursor / Codex
Manual Installation
- Download SKILL.md from GitHub
- Place it in
.claude/skills/performing-active-directory-vulnerability-assessment/SKILL.mdinside your project - Restart your AI agent — it will auto-discover the skill
How performing-active-directory-vulnerability-assessment Compares
| Feature / Agent | performing-active-directory-vulnerability-assessment | Standard Approach |
|---|---|---|
| Platform Support | Not specified | Limited / Varies |
| Context Awareness | High | Baseline |
| Installation Complexity | Unknown | N/A |
Frequently Asked Questions
What does this skill do?
Assess Active Directory security posture using PingCastle, BloodHound, and Purple Knight to identify misconfigurations, privilege escalation paths, and attack vectors.
Where can I find the source code?
You can find the source code on GitHub using the link provided at the top of the page.
SKILL.md Source
# Performing Active Directory Vulnerability Assessment
## Overview
Active Directory (AD) is the primary identity and access management system in most enterprise environments, making it a critical attack target. This skill covers comprehensive AD security assessment using PingCastle for health checks, BloodHound for attack path analysis, and Purple Knight for security posture scoring. These tools identify misconfigurations, excessive privileges, Kerberos weaknesses, and lateral movement opportunities.
## When to Use
- When conducting security assessments that involve performing active directory vulnerability assessment
- When following incident response procedures for related security events
- When performing scheduled security testing or auditing activities
- When validating security controls through hands-on testing
## Prerequisites
- Domain-joined workstation or domain admin access for scanning
- PingCastle (https://github.com/netwrix/pingcastle)
- BloodHound Community Edition with SharpHound collector
- Purple Knight from Semperis (free community tool)
- Python 3.9+ for analysis scripts
- .NET Framework 4.7+ for PingCastle on Windows
## Tool 1: PingCastle Health Check
### Installation and Execution
```powershell
# Download PingCastle
Invoke-WebRequest -Uri "https://github.com/netwrix/pingcastle/releases/latest/download/PingCastle.zip" `
-OutFile "PingCastle.zip"
Expand-Archive PingCastle.zip -DestinationPath C:\Tools\PingCastle
# Run health check against current domain
cd C:\Tools\PingCastle
.\PingCastle.exe --healthcheck
# Run health check against specific domain
.\PingCastle.exe --healthcheck --server dc01.corp.local --user CORP\scanner_account --password P@ssw0rd
# Run in scanner mode for multiple domains
.\PingCastle.exe --scanner --scannerlp
# Generate consolidated report
.\PingCastle.exe --healthcheck --level Full
```
### PingCastle Scoring Categories
| Category | Description | Risk Areas |
|----------|------------|------------|
| **Stale Objects** | Inactive accounts, old passwords, obsolete OS | Ghost accounts, expired credentials |
| **Privileged Accounts** | Excessive admin rights, nested groups | Domain Admin sprawl, SID history |
| **Trusts** | Forest and domain trust configurations | Transitive trust abuse, SID filtering |
| **Anomalies** | Security setting deviations | GPO misconfigurations, schema issues |
### Key PingCastle Checks
```
# Critical items to review in PingCastle report:
- Accounts with "Password Never Expires" flag
- Accounts with Kerberos pre-authentication disabled (AS-REP roastable)
- Accounts with Kerberos delegation (unconstrained/constrained)
- Domain Controllers running unsupported OS versions
- AdminSDHolder permission modifications
- Accounts in privileged groups (Domain Admins, Enterprise Admins, Schema Admins)
- Trust relationships with SID filtering disabled
- GPO vulnerabilities allowing privilege escalation
```
## Tool 2: BloodHound Attack Path Analysis
### SharpHound Data Collection
```powershell
# Download SharpHound collector
# https://github.com/SpecterOps/BloodHound/tree/main/packages/csharp/SharpHound
# Run SharpHound collection (all methods)
.\SharpHound.exe --collectionmethods All --domain corp.local --zipfilename bloodhound_data.zip
# Stealthy collection (minimal noise)
.\SharpHound.exe --collectionmethods Session,LoggedOn --domain corp.local --stealth
# Collection with specific domain controller
.\SharpHound.exe --collectionmethods All --domain corp.local --domaincontroller dc01.corp.local
# Run via PowerShell
Import-Module .\SharpHound.ps1
Invoke-BloodHound -CollectionMethod All -Domain corp.local -OutputDirectory C:\BH_Data
```
### BloodHound CE Setup
```bash
# Deploy BloodHound Community Edition with Docker
curl -L https://ghst.ly/getbhce -o docker-compose.yml
docker compose up -d
# Access BloodHound CE at http://localhost:8080
# Default credentials shown in docker compose logs
# Upload SharpHound data through web UI or API
curl -X POST "http://localhost:8080/api/v2/file-upload/start" \
-H "Authorization: Bearer $BH_TOKEN" \
-H "Content-Type: application/json" \
-d '{"fileName": "bloodhound_data.zip"}'
```
### Critical BloodHound Queries
```cypher
# Find shortest path to Domain Admin
MATCH p=shortestPath((u:User)-[*1..]->(g:Group {name:"DOMAIN ADMINS@CORP.LOCAL"}))
WHERE u.name <> "ADMINISTRATOR@CORP.LOCAL"
RETURN p
# Find Kerberoastable accounts with admin privileges
MATCH (u:User {hasspn:true})-[:MemberOf*1..]->(g:Group)
WHERE g.name CONTAINS "ADMIN"
RETURN u.name, u.serviceprincipalnames
# Find computers where Domain Admins are logged in
MATCH (c:Computer)-[:HasSession]->(u:User)-[:MemberOf*1..]->(g:Group {name:"DOMAIN ADMINS@CORP.LOCAL"})
RETURN c.name, u.name
# Find AS-REP roastable accounts
MATCH (u:User {dontreqpreauth:true})
RETURN u.name, u.description
# Find unconstrained delegation hosts
MATCH (c:Computer {unconstraineddelegation:true})
WHERE NOT c.name CONTAINS "DC"
RETURN c.name
# Find GPO abuse paths
MATCH p=(u:User)-[:GenericAll|GenericWrite|WriteOwner|WriteDacl]->(g:GPO)
RETURN p
```
## Tool 3: Purple Knight Assessment
```powershell
# Download Purple Knight from https://www.purple-knight.com/
# Run as domain admin or with appropriate read permissions
.\PurpleKnight.exe
# Purple Knight checks 130+ security indicators across:
# - Account Security (password policies, privileged accounts)
# - AD Infrastructure (replication, DNS, LDAP signing)
# - Group Policy (GPO permissions, security settings)
# - Kerberos Security (delegation, encryption types, SPN)
# - AD Delegation (AdminSDHolder, OU permissions)
```
### Purple Knight Score Categories
| Score Range | Rating | Action Required |
|------------|--------|----------------|
| 90-100 | Excellent | Maintain current posture |
| 75-89 | Good | Address high-risk findings |
| 60-74 | Fair | Prioritize remediation plan |
| 40-59 | Poor | Immediate remediation required |
| 0-39 | Critical | Emergency response needed |
## Common AD Vulnerabilities
### 1. Kerberoasting Exposure
```powershell
# Find SPNs assigned to user accounts (Kerberoasting targets)
Get-ADUser -Filter {ServicePrincipalName -ne "$null"} -Properties ServicePrincipalName |
Select-Object Name, ServicePrincipalName, PasswordLastSet, Enabled
```
### 2. AS-REP Roasting Exposure
```powershell
# Find accounts with pre-auth disabled
Get-ADUser -Filter {DoesNotRequirePreAuth -eq $true} -Properties DoesNotRequirePreAuth |
Select-Object Name, DoesNotRequirePreAuth, Enabled
```
### 3. LLMNR/NBT-NS Poisoning Risk
```powershell
# Check if LLMNR is disabled via GPO
Get-ItemProperty "HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\DNSClient" -Name EnableMulticast -ErrorAction SilentlyContinue
```
### 4. Excessive Privileged Group Membership
```powershell
# Count members in critical groups
$groups = @("Domain Admins", "Enterprise Admins", "Schema Admins", "Account Operators", "Backup Operators")
foreach ($group in $groups) {
$count = (Get-ADGroupMember -Identity $group -Recursive).Count
Write-Output "$group : $count members"
}
```
## Remediation Priorities
| Finding | Risk | Remediation |
|---------|------|-------------|
| Kerberoastable admin accounts | Critical | Remove SPNs or use MSA/gMSA |
| Unconstrained delegation on non-DCs | Critical | Switch to constrained/RBCD |
| Password Never Expires on admins | High | Enable password rotation policy |
| AS-REP roastable accounts | High | Enable Kerberos pre-authentication |
| AdminSDHolder modification | High | Audit and restore default ACLs |
| Stale computer accounts (90+ days) | Medium | Disable and move to quarantine OU |
| LDAP signing not enforced | Medium | Enable via GPO on all DCs |
## References
- [PingCastle GitHub](https://github.com/netwrix/pingcastle)
- [BloodHound CE](https://github.com/SpecterOps/BloodHound)
- [Purple Knight](https://www.purple-knight.com/)
- [MITRE ATT&CK - Active Directory](https://attack.mitre.org/techniques/T1484/)
- [Microsoft AD Security Best Practices](https://learn.microsoft.com/en-us/windows-server/identity/ad-ds/plan/security-best-practices/best-practices-for-securing-active-directory)Related Skills
testing-api-for-mass-assignment-vulnerability
Tests APIs for mass assignment (auto-binding) vulnerabilities where clients can modify object properties they should not have access to by including additional parameters in API requests. The tester identifies writable endpoints, adds undocumented fields to request bodies (role, isAdmin, price, balance), and checks if the server binds these to the data model without filtering. Part of OWASP API3:2023 Broken Object Property Level Authorization. Activates for requests involving mass assignment testing, parameter binding abuse, auto-binding vulnerability, or API over-posting.
substrate-vulnerability-scanner
Scans Substrate/Polkadot pallets for 7 critical vulnerabilities including arithmetic overflow, panic DoS, incorrect weights, and bad origin checks. Use when auditing Substrate runtimes or FRAME pallets. (project, gitignored)
performing-yara-rule-development-for-detection
Develop precise YARA rules for malware detection by identifying unique byte patterns, strings, and behavioral indicators in executable files while minimizing false positives.
performing-wireless-security-assessment-with-kismet
Conduct wireless network security assessments using Kismet to detect rogue access points, hidden SSIDs, weak encryption, and unauthorized clients through passive RF monitoring.
performing-wireless-network-penetration-test
Execute a wireless network penetration test to assess WiFi security by capturing handshakes, cracking WPA2/WPA3 keys, detecting rogue access points, and testing wireless segmentation using Aircrack-ng and related tools.
performing-windows-artifact-analysis-with-eric-zimmerman-tools
Perform comprehensive Windows forensic artifact analysis using Eric Zimmerman's open-source EZ Tools suite including KAPE, MFTECmd, PECmd, LECmd, JLECmd, and Timeline Explorer for parsing registry hives, prefetch files, event logs, and file system metadata.
performing-wifi-password-cracking-with-aircrack
Captures WPA/WPA2 handshakes and performs offline password cracking using aircrack-ng, hashcat, and dictionary attacks during authorized wireless security assessments to evaluate passphrase strength and wireless network security posture.
performing-web-cache-poisoning-attack
Exploiting web cache mechanisms to serve malicious content to other users by poisoning cached responses through unkeyed headers and parameters during authorized security tests.
performing-web-cache-deception-attack
Execute web cache deception attacks by exploiting path normalization discrepancies between CDN caching layers and origin servers to cache and retrieve sensitive authenticated content.
performing-web-application-vulnerability-triage
Triage web application vulnerability findings from DAST/SAST scanners using OWASP risk rating methodology to separate true positives from false positives and prioritize remediation.
performing-web-application-scanning-with-nikto
Nikto is an open-source web server and web application scanner that tests against over 7,000 potentially dangerous files/programs, checks for outdated versions of over 1,250 servers, and identifies ve
performing-web-application-penetration-test
Performs systematic security testing of web applications following the OWASP Web Security Testing Guide (WSTG) methodology to identify vulnerabilities in authentication, authorization, input validation, session management, and business logic. The tester uses Burp Suite as the primary interception proxy alongside manual testing techniques to find flaws that automated scanners miss. Activates for requests involving web app pentest, OWASP testing, application security assessment, or web vulnerability testing.