Assess Active Directory security posture using PingCastle, BloodHound, and Purple Knight to identify misconfigurations, privilege escalation paths, and attack vectors.
Works with
AI-first code editor with Composer
Before installing skills in Cursor, ensure your development environment meets these requirements:
node --versionperforming-active-directory-vulnerability-assessmentExecute the skills CLI command in your project's root directory to begin installation:
Fetches performing-active-directory-vulnerability-assessment from mukul975/Anthropic-Cybersecurity-Skills and configures it for Cursor.
The CLI shows a list of agents. Use arrow keys and space to select Cursor:
Confirm successful installation by checking the skill directory location:
Restart Cursor to activate performing-active-directory-vulnerability-assessment. Access via /performing-active-directory-vulnerability-assessment in your agent's command palette.
We perform automated surface-level scans (Gen AI Scanner, Socket, Snyk) during installation. These checks detect common vulnerabilities but do not guarantee complete security. Always review skill source code and verify the publisher's reputation before production use.
Skills execute code in your environment. Always review source, verify the publisher, and test in isolation before production.
Submit your Claude Code skill and start earning
Automate repetitive workflows and reduce manual effort
Example
Generate reports, summarize documents, draft communications
Save 3-5 hours per week on routine tasks
Learn new skills, understand complex topics, get expert guidance
Example
Explain concepts, provide examples, suggest learning resources
Accelerate learning and skill development by 2x
Enhance output quality through reviews, suggestions, and refinements
Example
Review drafts, suggest improvements, catch errors
Improve work quality by 30-40% with less effort
0
total installs
0
this week
8.6K
GitHub stars
0
upvotes
Run in your terminal
0
installs
0
this week
8.6K
stars
| name | performing-active-directory-vulnerability-assessment |
| description | Assess Active Directory security posture using PingCastle, BloodHound, and Purple Knight to identify misconfigurations, privilege escalation paths, and attack vectors. |
| domain | cybersecurity |
| subdomain | vulnerability-management |
| tags | - active-directory - pingcastle - bloodhound - purple-knight - ad-security - privilege-escalation - ldap - kerberos |
| version | '1.0' |
| author | mahipal |
| license | Apache-2.0 |
| d3fend_techniques | - Restore Object - Network Traffic Policy Mapping - Restore Configuration - Access Modeling - Operational Activity Mapping |
| nist_csf | - ID.RA-01 - ID.RA-02 - ID.IM-02 - ID.RA-06 |
Active Directory (AD) is the primary identity and access management system in most enterprise environments, making it a critical attack target. This skill covers comprehensive AD security assessment using PingCastle for health checks, BloodHound for attack path analysis, and Purple Knight for security posture scoring. These tools identify misconfigurations, excessive privileges, Kerberos weaknesses, and lateral movement opportunities.
# Download PingCastle
Invoke-WebRequest -Uri "https://github.com/netwrix/pingcastle/releases/latest/download/PingCastle.zip" `
-OutFile "PingCastle.zip"
Expand-Archive PingCastle.zip -DestinationPath C:\Tools\PingCastle
# Run health check against current domain
cd C:\Tools\PingCastle
.\PingCastle.exe --healthcheck
# Run health check against specific domain
.\PingCastle.exe --healthcheck --server dc01.corp.local --user CORP\scanner_account --password P@ssw0rd
# Run in scanner mode for multiple domains
.\PingCastle.exe --scanner --scannerlp
# Generate consolidated report
.\PingCastle.exe --healthcheck --level Full
| Category | Description | Risk Areas |
|---|---|---|
| Stale Objects | Inactive accounts, old passwords, obsolete OS | Ghost accounts, expired credentials |
| Privileged Accounts | Excessive admin rights, nested groups | Domain Admin sprawl, SID history |
| Trusts | Forest and domain trust configurations | Transitive trust abuse, SID filtering |
| Anomalies | Security setting deviations | GPO misconfigurations, schema issues |
# Critical items to review in PingCastle report:
- Accounts with "Password Never Expires" flag
- Accounts with Kerberos pre-authentication disabled (AS-REP roastable)
- Accounts with Kerberos delegation (unconstrained/constrained)
- Domain Controllers running unsupported OS versions
- AdminSDHolder permission modifications
- Accounts in privileged groups (Domain Admins, Enterprise Admins, Schema Admins)
- Trust relationships with SID filtering disabled
- GPO vulnerabilities allowing privilege escalation
# Download SharpHound collector
# https://github.com/SpecterOps/BloodHound/tree/main/packages/csharp/SharpHound
# Run SharpHound collection (all methods)
.\SharpHound.exe --collectionmethods All --domain corp.local --zipfilename bloodhound_data.zip
# Stealthy collection (minimal noise)
.\SharpHound.exe --collectionmethods Session,LoggedOn --domain corp.local --stealth
# Collection with specific domain controller
.\SharpHound.exe --collectionmethods All --domain corp.local --domaincontroller dc01.corp.local
# Run via PowerShell
Import-Module .\SharpHound.ps1
Invoke-BloodHound -CollectionMethod All -Domain corp.local -OutputDirectory C:\BH_Data
# Deploy BloodHound Community Edition with Docker
curl -L https://ghst.ly/getbhce -o docker-compose.yml
docker compose up -d
# Access BloodHound CE at http://localhost:8080
# Default credentials shown in docker compose logs
# Upload SharpHound data through web UI or API
curl -X POST "http://localhost:8080/api/v2/file-upload/start" \
-H "Authorization: Bearer $BH_TOKEN" \
-H "Content-Type: application/json" \
-d '{"fileName": "bloodhound_data.zip"}'
# Find shortest path to Domain Admin
MATCH p=shortestPath((u:User)-[*1..]->(g:Group {name:"DOMAIN [email protected]"}))
WHERE u.name <> "[email protected]"
RETURN p
# Find Kerberoastable accounts with admin privileges
MATCH (u:User {hasspn:true})-[:MemberOf*1..]->(g:Group)
WHERE g.name CONTAINS "ADMIN"
RETURN u.name, u.serviceprincipalnames
# Find computers where Domain Admins are logged in
MATCH (c:Computer)-[:HasSession]->(u:User)-[:MemberOf*1..]->(g:Group {name:"DOMAIN [email protected]"})
RETURN c.name, u.name
# Find AS-REP roastable accounts
MATCH (u:User {dontreqpreauth:true})
RETURN u.name, u.description
# Find unconstrained delegation hosts
MATCH (c:Computer {unconstraineddelegation:true})
WHERE NOT c.name CONTAINS "DC"
RETURN c.name
# Find GPO abuse paths
MATCH p=(u:User)-[:GenericAll|GenericWrite|WriteOwner|WriteDacl]->(g:GPO)
RETURN p
# Download Purple Knight from https://www.purple-knight.com/
# Run as domain admin or with appropriate read permissions
.\PurpleKnight.exe
# Purple Knight checks 130+ security indicators across:
# - Account Security (password policies, privileged accounts)
# - AD Infrastructure (replication, DNS, LDAP signing)
# - Group Policy (GPO permissions, security settings)
# - Kerberos Security (delegation, encryption types, SPN)
# - AD Delegation (AdminSDHolder, OU permissions)
| Score Range | Rating | Action Required |
|---|---|---|
| 90-100 | Excellent | Maintain current posture |
| 75-89 | Good | Address high-risk findings |
| 60-74 | Fair | Prioritize remediation plan |
| 40-59 | Poor | Immediate remediation required |
| 0-39 | Critical | Emergency response needed |
# Find SPNs assigned to user accounts (Kerberoasting targets)
Get-ADUser -Filter {ServicePrincipalName -ne "$null"} -Properties ServicePrincipalName |
Select-Object Name, ServicePrincipalName, PasswordLastSet, Enabled
# Find accounts with pre-auth disabled
Get-ADUser -Filter {DoesNotRequirePreAuth -eq $true} -Properties DoesNotRequirePreAuth |
Select-Object Name, DoesNotRequirePreAuth, Enabled
# Check if LLMNR is disabled via GPO
Get-ItemProperty "HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\DNSClient" -Name EnableMulticast -ErrorAction SilentlyContinue
# Count members in critical groups
$groups = @("Domain Admins", "Enterprise Admins", "Schema Admins", "Account Operators", "Backup Operators")
foreach ($group in $groups) {
$count = (Get-ADGroupMember -Identity $group -Recursive).Count
Write-Output "$group : $count members"
}
| Finding | Risk | Remediation |
|---|---|---|
| Kerberoastable admin accounts | Critical | Remove SPNs or use MSA/gMSA |
| Unconstrained delegation on non-DCs | Critical | Switch to constrained/RBCD |
| Password Never Expires on admins | High | Enable password rotation policy |
| AS-REP roastable accounts | High | Enable Kerberos pre-authentication |
| AdminSDHolder modification | High | Audit and restore default ACLs |
| Stale computer accounts (90+ days) | Medium | Disable and move to quarantine OU |
| LDAP signing not enforced | Medium | Enable via GPO on all DCs |
Prerequisites
Time Estimate
15-45 minutes depending on use case complexity
Steps
Common Pitfalls
✓ Do
✗ Don't
💡 Pro Tips
✓ Use when
Use when skill capabilities match your task, clear ROI on time saved, and you can validate outputs. Best for repetitive tasks, learning, and quality improvement.
✗ Avoid when
Avoid when task requires deep expertise you can't validate, involves sensitive decisions, or when learning process is more valuable than speed of completion.
mukul975/Anthropic-Cybersecurity-Skills
mukul975/Anthropic-Cybersecurity-Skills
mukul975/Anthropic-Cybersecurity-Skills
mukul975/Anthropic-Cybersecurity-Skills
mukul975/Anthropic-Cybersecurity-Skills
mukul975/Anthropic-Cybersecurity-Skills
performing-active-directory-vulnerability-assessment is among the better-maintained entries we tried; worth keeping pinned for repeat workflows.
performing-active-directory-vulnerability-assessment reduced setup friction for our internal harness; good balance of opinion and flexibility.
performing-active-directory-vulnerability-assessment is among the better-maintained entries we tried; worth keeping pinned for repeat workflows.
Registry listing for performing-active-directory-vulnerability-assessment matched our evaluation — installs cleanly and behaves as described in the markdown.
Registry listing for performing-active-directory-vulnerability-assessment matched our evaluation — installs cleanly and behaves as described in the markdown.
Useful defaults in performing-active-directory-vulnerability-assessment — fewer surprises than typical one-off scripts, and it plays nicely with `npx skills` flows.
I recommend performing-active-directory-vulnerability-assessment for anyone iterating fast on agent tooling; clear intent and a small, reviewable surface area.
Keeps context tight: performing-active-directory-vulnerability-assessment is the kind of skill you can hand to a new teammate without a long onboarding doc.
Useful defaults in performing-active-directory-vulnerability-assessment — fewer surprises than typical one-off scripts, and it plays nicely with `npx skills` flows.
performing-active-directory-vulnerability-assessment is among the better-maintained entries we tried; worth keeping pinned for repeat workflows.
showing 1-10 of 66