conducting-pass-the-ticket-attack
by mukul975
conducting-pass-the-ticket-attack is a Security Audit and red-team skill for planning and documenting Pass-the-Ticket workflows. It helps you review Kerberos tickets, map detection signals, and produce a structured validation or report flow.
This skill scores 74/100, which means it is listable and useful for directory users who want a PtT-focused workflow rather than a generic prompt. The repository gives enough operational content—frontmatter, workflows, references, and automation scripts—to help an agent recognize the task and proceed with less guesswork, but it still needs tighter install/entry-point guidance before it feels fully turnkey.
- Concrete PtT workflows are provided, including Mimikatz, Rubeus, and Impacket-based steps in references/workflows.md.
- Support files add execution leverage: scripts for detection/automation plus reference tables for event IDs and ATT&CK mapping.
- Frontmatter is valid and well-scoped to cybersecurity/red-teaming with relevant tags and a clear legal notice.
- No install command in SKILL.md, so agents may need to infer how to set up dependencies and invoke the skill.
- The repository mixes attack execution and detection/reporting content, which may make the intended use less immediately obvious to directory users.
Overview of conducting-pass-the-ticket-attack skill
What conducting-pass-the-ticket-attack does
The conducting-pass-the-ticket-attack skill helps you plan and document a Pass-the-Ticket (PtT) workflow for authorized security work. It focuses on the practical chain: identify Kerberos tickets, understand how they are reused, and turn that into a reproducible assessment or validation plan. This is not a generic Kerberos explainer; it is centered on the conducting-pass-the-ticket-attack skill for Security Audit and red-team style engagements.
Who should use it
Use this skill if you need a fast, structured way to prepare a PtT test, validate detection coverage, or write up findings after a controlled exercise. It is best for security engineers, red teamers, and incident responders who already know they are working in a permitted environment and want less guesswork than a freeform prompt.
What makes it useful
The repository is more than a summary page: it includes workflow references, standards mapping, a report template, and helper scripts. That makes the conducting-pass-the-ticket-attack guide more actionable than a plain text checklist, especially when you need to move from concept to evidence, commands, and reporting in one pass.
How to Use conducting-pass-the-ticket-attack skill
Install and open the right files
Install conducting-pass-the-ticket-attack through your skill manager, then start with SKILL.md. After that, read references/workflows.md for task flow, references/standards.md for ATT&CK and control mapping, references/api-reference.md for event IDs and tooling notes, and assets/template.md for report structure. Check scripts/process.py and scripts/agent.py if you want automation or detection logic.
Turn a rough goal into a usable prompt
The conducting-pass-the-ticket-attack skill works best when you specify scope, environment, and output type. A weak prompt is: “help me do pass-the-ticket.” A stronger prompt is: “Build a PtT assessment plan for a Windows domain lab, including ticket extraction workflow, validation steps, detection points, and a brief report outline.” Add the tool family you expect to use, the target OS, and whether you want offensive validation, detection engineering, or reporting.
What input the skill needs
Give it the minimum facts that change the workflow: domain context, whether you are testing a workstation or server, whether you need Mimikatz, Rubeus, or Impacket-oriented steps, and what success looks like. If you want the output to be useful, ask for concrete deliverables such as command sequence, verification checks, logging signals, and a short remediation summary. That is how the conducting-pass-the-ticket-attack skill produces higher-signal output than a generic prompt.
Practical workflow to follow
First ask for the plan, then ask for the exact commands or analyst checklist, then ask for a report draft. This staged approach helps because PtT work often changes based on privilege level, ticket type, and target access path. If the first result is too broad, narrow it to one workflow, one target class, and one output format.
conducting-pass-the-ticket-attack skill FAQ
Is this only for offensive testing?
No. The conducting-pass-the-ticket-attack skill is also useful for detection review, purple-team validation, and post-incident analysis. If you are only trying to understand whether Kerberos tickets are being abused, you can use the same structure without running an attack path end to end.
How is it different from a normal prompt?
A normal prompt usually returns a high-level explanation. This skill gives you repository-backed structure: workflows, standards, a report template, and scripts that reduce interpretation work. That matters when you need to use the skill consistently across multiple assessments.
Is it beginner-friendly?
It is beginner-friendly only if you already know the work is authorized and you want guided structure. It is not the right starting point for learning Kerberos from zero. Beginners should use it as a guided assessment template, not as a substitute for foundational Windows authentication knowledge.
When should I not use it?
Do not use conducting-pass-the-ticket-attack if your goal is broad Windows enumeration, generic malware analysis, or non-Kerberos lateral movement. It is also a poor fit if you cannot provide environment details or if you need a purely defensive detection rule set without workflow context.
How to Improve conducting-pass-the-ticket-attack skill
Give stronger scope and constraints
The best results come from clear boundaries: domain name, host type, whether admin rights are assumed, and whether you need lab-safe validation or production-safe observation. For example, “produce a PtT validation plan for a Windows test domain with no payload execution, only detection verification and report notes” is far better than “make it realistic.”
Ask for the output you will actually use
If you need an assessment deliverable, say so. Request a command checklist, triage notes, ATT&CK mapping, or a one-page executive summary. The assets/template.md file is especially useful when you want the skill to generate a report that matches the repository’s format instead of an ad hoc narrative.
Iterate on the first draft
Common failure modes are tool sprawl, unclear target assumptions, and missing verification steps. If the first answer is broad, refine it by asking for one workflow only, or for a version that separates extraction, injection, access validation, and evidence capture. That makes the output more accurate and easier to execute.
Use repo references to sharpen results
For better results, anchor your prompt to the repo’s references: ask for guidance tied to event IDs 4768 and 4769, ticket encryption type, and ATT&CK T1550.003. The more you specify the evidence you want to collect, the better the skill can distinguish between offensive actions, detection signals, and reporting artifacts.
