Add 10 new cybersecurity skills with full folder anatomy

Skills added:
- implementing-privileged-access-workstation (IAM, PAW hardening)
- detecting-suspicious-oauth-application-consent (cloud security, Graph API)
- performing-hardware-security-module-integration (cryptography, PKCS#11)
- analyzing-android-malware-with-apktool (malware analysis, androguard)
- hunting-for-unusual-service-installations (threat hunting, T1543.003)
- detecting-shadow-it-cloud-usage (cloud security, proxy/DNS log analysis)
- performing-active-directory-forest-trust-attack (red team, impacket)
- implementing-deception-based-detection-with-canarytoken (deception, Canary API)
- analyzing-office365-audit-logs-for-compromise (cloud security, BEC detection)
- hunting-for-startup-folder-persistence (threat hunting, T1547.001)

Each skill includes SKILL.md, LICENSE, scripts/agent.py, references/api-reference.md
This commit is contained in:
mukul975
2026-03-11 00:46:49 +01:00
parent d2341d4c96
commit 915ea611e5
40 changed files with 3578 additions and 0 deletions
@@ -0,0 +1,63 @@
# API Reference — Performing Active Directory Forest Trust Attack
## Libraries Used
- **impacket**: SMB/RPC transport for LSA SID lookups via `lsat.hLsarLookupSids2()`
- **ldap3**: LDAP queries against `trustedDomain` objects and `foreignSecurityPrincipal` containers
- **json**: JSON serialization for audit reports
## CLI Interface
```
python agent.py --dc 10.0.0.1 --domain corp.local --username admin --password Pass123 trusts
python agent.py --dc 10.0.0.1 --domain corp.local --username admin --password Pass123 foreign
python agent.py --dc 10.0.0.1 --domain corp.local --username admin --password Pass123 lookup-sid --sid S-1-5-21-...
python agent.py --dc 10.0.0.1 --domain corp.local --username admin --password Pass123 full
```
## Core Functions
### `enumerate_trusts_ldap(dc_host, domain, username, password)` — Trust enumeration
LDAP search: `(objectClass=trustedDomain)` under `CN=System,DC=...`.
Attributes: trustPartner, trustDirection, trustType, trustAttributes, flatName.
Decodes trust attribute bitmask for SID filtering, forest transitivity, RC4 encryption.
### `enumerate_foreign_principals(dc_host, domain, username, password)` — Cross-forest members
LDAP search: `(objectClass=foreignSecurityPrincipal)` under `CN=ForeignSecurityPrincipals`.
Filters well-known SIDs (S-1-5-x with 3 dashes). Returns group memberships.
### `lookup_sid_cross_forest(dc_host, domain, username, password, target_sid)` — LSA SID resolution
Opens SMB transport to `\lsarpc`, binds MSRPC_UUID_LSAT, calls `hLsarLookupSids2()`.
Resolves SIDs across trust boundaries.
### `assess_trust_risk(trusts, foreign_principals)` — Risk scoring
Scoring: +40 SID filtering disabled, +20 RC4 encryption, +15 bidirectional trust,
+10 forest transitive.
### `full_audit(dc_host, domain, username, password)` — Comprehensive audit
## Trust Direction Values
| Value | Direction |
|-------|-----------|
| 0 | Disabled |
| 1 | Inbound |
| 2 | Outbound |
| 3 | Bidirectional |
## Trust Attribute Flags
| Flag | Hex | Description |
|------|-----|-------------|
| NON_TRANSITIVE | 0x01 | Trust does not extend transitively |
| QUARANTINED_DOMAIN | 0x04 | SID filtering enabled |
| FOREST_TRANSITIVE | 0x08 | Forest-wide transitive trust |
| USES_RC4_ENCRYPTION | 0x80 | RC4 trust key (weaker than AES) |
## Impacket RPC Calls
| Call | Module | Purpose |
|------|--------|---------|
| `hLsarOpenPolicy2` | lsad | Open LSA policy handle |
| `hLsarLookupSids2` | lsat | Resolve SIDs to names across trust |
| SMBTransport(`\lsarpc`) | transport | RPC transport over SMB |
## Dependencies
- `impacket` >= 0.11.0
- `ldap3` >= 2.9.0
- Network access to DC ports 389 (LDAP), 445 (SMB), 88 (Kerberos)