agent security skill risk: high
Active Directory Forest Trust Auditor
The prompt instructs the model to enumerate forest trust relationships via LDAP, query trust attributes and SID filtering status, perform cross-forest SID lookups, check SID histor…
- Policy sensitive
- Human review
- External action: high
SKILL 4 files · 2 folders
SKILL.md
--- name: performing-active-directory-forest-trust-attack description: "Enumerate and audit Active Directory forest trust relationships using impacket for SID filtering analysis, trust" --- # Performing Active Directory Forest Trust Attack ## Overview Active Directory forest trusts enable authentication across organizational boundaries but introduce attack surface if misconfigured. This skill uses impacket to enumerate trust relationships, analyze SID filtering configuration, detect SID history abuse vectors, perform cross-forest SID lookups via LSA/LSAT RPC calls, and assess inter-realm Kerberos ticket configurations for trust ticket forgery risks. ## When to Use - When conducting security assessments that involve performing active directory forest trust attack - When following incident response procedures for related security events - When performing scheduled security testing or auditing activities - When validating security controls through hands-on testing ## Prerequisites - Python 3.9+ with `impacket`, `ldap3` - Domain credentials with read access to AD trust objects - Network access to Domain Controllers (ports 389, 445, 88) - Authorized penetration testing engagement or lab environment > **Legal Notice:** This skill is for authorized security testing and educational purposes only. Unauthorized use against systems you do not own or have written permission to test is illegal and may violate computer fraud laws. ## Steps 1. Enumerate forest trust relationships via LDAP trusted domain objects 2. Query trust attributes and SID filtering status for each trust 3. Perform SID lookups across trust boundaries using LsarLookupNames3 4. Enumerate foreign security principals in trusted domains 5. Check for SID history on cross-forest accounts 6. Assess trust direction and transitivity for lateral movement paths 7. Generate trust security audit report with risk findings ## Expected Output - JSON report listing all trust relationships, SID filtering status, foreign principals, trust direction/transitivity, and risk assessment - Cross-forest attack path analysis with remediation recommendations
REQUIRED CONTEXT
- Domain credentials with read access to AD trust objects
- Network access to Domain Controllers
TOOLS REQUIRED
- impacket
- ldap3
EXPECTED OUTPUT
- Format
- structured_report
- Schema
- json_report · trust relationships, SID filtering status, foreign principals, trust direction/transitivity, risk assessment, Cross-forest attack path analysis, remediation recommendations
- Constraints
- JSON report with trust relationships, SID filtering, foreign principals, directions, and risks
- Include cross-forest attack path analysis and remediation recommendations
SUCCESS CRITERIA
- Enumerate forest trust relationships via LDAP
- Generate trust security audit report with risk findings
CAVEATS
- Dependencies
- Python 3.9+ with impacket, ldap3
- Domain credentials with read access to AD trust objects
- Network access to Domain Controllers (ports 389, 445, 88)
- Authorized penetration testing engagement or lab environment
- Missing context
- Target domain / DC hostname or IP
- Credential input format or variable names
- Exact command examples or script snippets for each step
- Output file path or report template
- Ambiguities
- Description sentence is truncated: "using impacket for SID filtering analysis, trust"
QUALITY
- OVERALL
- 0.60
- CLARITY
- 0.80
- SPECIFICITY
- 0.60
- REUSABILITY
- 0.35
- COMPLETENESS
- 0.65
IMPROVEMENT SUGGESTIONS
- Add explicit input placeholders (e.g., {{domain}}, {{username}}, {{dc_ip}}) in the Steps section.
- Expand each numbered step with the actual impacket or ldap3 command or function call.
- Specify the exact JSON schema for the expected report output.
USAGE
Copy the prompt above and paste it into your AI of choice — Claude, ChatGPT, Gemini, or anywhere else you're working. Replace any placeholder sections with your own context, then ask for the output.
MORE FOR AGENT
- MoltPass Client for AI Agent Identitiesagentsecurity
- Supply Chain Dependency Risk Auditoragentsecurity
- Supply Chain Dependency Risk Auditoragentsecurity
- Threat Modeling Security Expertagentsecurity
- Security Bluebook Policy Builderagentsecurity
- Security Bluebook Policy Builderagentsecurity
- Security Blue Book Policy Builderagentsecurity
- Threat Modeling Security Architecture Expertagentsecurity
- Supply Chain Dependency Risk Auditoragentsecurity
- Threat Modeling Security Expertagentsecurity
- SIEM Detection Rule Tuning Guideagentsecurity
- AI File Metadata Compliance Auditoragentsecurity
- Azure Storage Misconfiguration Audit Reporteragentsecurity
- Implementing PAM for Database Accessagentsecurity
- AFL++ Coverage-Guided Fuzzing Procedureagentsecurity
- Supply Chain Attack Simulation Detectoragentsecurity
- Security Audit Fix Verifieragentsecurity
- Active Directory ACL Abuse Analyzeragentsecurity
- Privileged Access Workstation Implementation Guideagentsecurity
- SSRF Vulnerability Testing and Reporting Guideagentsecurity
- Security Audit Fix Revieweragentsecurity
- AWS IAM Privilege Escalation Detectoragentsecurity
- SSL/TLS Security Assessment with Sslyzeagentsecurity
- GCP Penetration Testing with GCPBucketBruteagentsecurity
- AWS CloudTrail Anomaly Detection Guideagentsecurity