
Active Directory Attacks — agentic threat model

AIVSS 9.9 · Critical

This agent possesses highly offensive capabilities (DCSync, ticket forging, and AD enumeration) which, if compromised or hijacked via prompt injection, pose an existential threat to the host network's Active Directory domain.

OWASP AIVSS score rationale

AIVSS = (CVSS_Base + AARS) × Mitigation_Factor, where AARS = (10 − CVSS_Base) × (Factor_Sum / 10) × ThM

CVSS base: 9.8
AARS uplift: 0.14
Factor sum: 6.3/10
Threat multiplier (ThM): ×1.1
Mitigation factor: ×1.0

Agentic risk factors:
Autonomy of Action: 0.80
Goal-Driven Planning: 0.90
Self-Modification: 0.10
Dynamic Tool Use: 1.00
Persistent Memory: 0.30
Contextual Awareness: 0.80
Dynamic Identity: 0.90
Multi-Agent Interactions: 0.20
Non-Determinism: 0.60
Opacity & Reflexivity: 0.70

Scored with the canonical OWASP AIVSS formula (AIVSS calculator reference); agentic risk factors estimated from the agent’s described capabilities.
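A worked computation of the score above, added here as an example and not part of the listing or of the OWASP calculator: it applies the formula exactly as written on this page to this agent's ten factor values, and assumes the 10.0 ceiling and the one- and two-decimal rounding the listing displays.

```python
# Added example (not the listing's or OWASP's own calculator code): the AIVSS
# formula as stated on this page, applied to this agent's factor values.
# Assumptions: each factor is in [0, 1]; scores are clamped at 10.0 like CVSS;
# results are rounded to the precision the listing shows.

# The ten agentic risk factors and values from the listing.
AD_ATTACKS_AGENT_FACTORS = {
    "Autonomy of Action": 0.80,
    "Goal-Driven Planning": 0.90,
    "Self-Modification": 0.10,
    "Dynamic Tool Use": 1.00,
    "Persistent Memory": 0.30,
    "Contextual Awareness": 0.80,
    "Dynamic Identity": 0.90,
    "Multi-Agent Interactions": 0.20,
    "Non-Determinism": 0.60,
    "Opacity & Reflexivity": 0.70,
}


def factor_sum(factors):
    """Factor_Sum: sum of the ten factors, after checking each is within [0, 1]."""
    if len(factors) != 10:
        raise ValueError("AIVSS expects exactly ten agentic risk factors")
    for name, score in factors.items():
        if not 0.0 <= score <= 1.0:
            raise ValueError(f"factor {name!r} out of range: {score}")
    return sum(factors.values())


def aars(cvss_base, factors, thm):
    """AARS = (10 - CVSS_Base) * (Factor_Sum / 10) * ThM, as the page states it."""
    return (10.0 - cvss_base) * (factor_sum(factors) / 10.0) * thm


def aivss(cvss_base, factors, thm=1.0, mitigation=1.0):
    """AIVSS = (CVSS_Base + AARS) * Mitigation_Factor, clamped at 10.0 (assumed)."""
    score = (cvss_base + aars(cvss_base, factors, thm)) * mitigation
    return round(min(score, 10.0), 1)


def score_breakdown(cvss_base, factors, thm, mitigation):
    """The same numbers the listing displays, at the listing's precision."""
    return {
        "cvss_base": cvss_base,
        "factor_sum": round(factor_sum(factors), 1),
        "aars": round(aars(cvss_base, factors, thm), 2),
        "aivss": aivss(cvss_base, factors, thm, mitigation),
    }


if __name__ == "__main__":
    print(score_breakdown(9.8, AD_ATTACKS_AGENT_FACTORS, thm=1.1, mitigation=1.0))
```

Re-running `aivss` with a mitigation factor below 1.0 shows how much the ×1.0 used here (no mitigation credit) contributes to the Critical rating.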

MAESTRO 7-layer threat model

Per-layer threats for this agent. Layers tagged “not certain from listing” are general, caveated commentary where the public description didn’t pin that layer.

L1 · Foundation Models (⚠ not certain from listing)

Not certain from the listing — The underlying LLM is not specified. Threats include adversarial prompt injection to bypass safety guardrails, allowing unauthorized users to trigger destructive Active Directory attacks.

L2 · Data Operations (⚠ not certain from listing)

Not certain from the listing — No specific RAG or vector database is mentioned, though the agent must process highly sensitive AD enumeration data (e.g., BloodHound JSONs, hashes). Threats include data exfiltration of harvested credentials and ticket poisoning.

L3 · Agent Frameworks (✓ mapped)

The agent framework orchestrates highly sensitive tools (Kerberoasting, DCSync, BloodHound). Threats include tool misuse, where a prompt injection could hijack the agent to execute DCSync or ticket forging against unauthorized targets.

L4 · Deployment & Infrastructure (⚠ not certain from listing)

Not certain from the listing — The hosting environment (sandboxing, network isolation) is not specified. Since the agent executes AD attacks, a lack of strict sandboxing could allow host compromise, lateral movement, or unauthorized domain controller access.

L5 · Evaluation & Observability (⚠ not certain from listing)

Not certain from the listing — There is no mention of logging, guardrails, or monitoring of the executed AD commands. Lack of observability could allow malicious actions to go undetected.

L6 · Security & Compliance (cross-cutting) (⚠ not certain from listing)

Not certain from the listing — No built-in authentication, authorization, or policy enforcement controls are described. Without strict identity controls, unauthorized users could trigger devastating AD attacks (e.g., Golden Ticket generation).

L7 · Agent Ecosystem (⚠ not certain from listing)

Not certain from the listing — It is described as an 'Agent Skill' (likely integrated into a larger agent or multi-agent system). Threats include other compromised agents invoking these AD attack tools to escalate privileges horizontally or vertically.

MAESTRO — the 7-layer agentic threat-modeling framework (Cloud Security Alliance / Ken Huang).