
BloodHound Narrator

Author: KuroStrike · GitHub · v1.0.1 · MIT-0
cross-platform ✓ security scan passed
127 total downloads · 0 favorites · 0 current installs · 2 versions
Install in OpenClaw
/install bloodhound-narrator
Description
Turn BloodHound attack path exports into dual-layer security reports — CISO executive prose on top, technical remediation playbook below. Automates Active Di...
Usage instructions (SKILL.md)

BloodHound Narrator

Turn BloodHound attack paths into boardroom-ready security reports — entirely offline.

Built for pentesters, blue teams, and AD security consultants who need to translate BloodHound graph output into actionable deliverables without spending hours writing prose.

BloodHound Narrator ingests Cypher export JSON, scores each attack path on a weighted severity model, and produces a dual-layer Markdown report:

  1. CISO / Executive Layer — severity summary table, per-path business risk narrative, impact statements written in non-technical language that management and board members can act on.
  2. Technical Remediation Appendix — step-by-step hardening playbook with PowerShell commands, Event IDs to monitor, and remediation guidance per finding.

Detected attack patterns: DCSync, Kerberoasting, unconstrained delegation, GenericAll / WriteDacl / WriteOwner ACL abuse, GPO takeover, lateral movement chains (AdminTo + HasSession), Tier 0 boundary violations, stale service account passwords, and sensitive data exposure paths.

No API keys. No network calls. No data exfiltration risk. Air-gap compatible. Works in regulated, classified, and OT environments.

Setup

Install PowerShell (if not already present):

# macOS
brew install powershell/tap/powershell

# Linux (Ubuntu/Debian)
sudo apt-get install -y powershell

# Windows — already included

No environment variables or credentials required.

Usage

# Generate a full report (all severities)
bash {baseDir}/scripts/bh-narrator.sh -InputFile "path/to/bloodhound-export.json"

# Only include Critical and High findings
bash {baseDir}/scripts/bh-narrator.sh -InputFile "path/to/export.json" -MinSeverity High

# Specify output path
bash {baseDir}/scripts/bh-narrator.sh -InputFile "path/to/export.json" -OutputFile "report.md"

# Pipe classified objects for further processing
bash {baseDir}/scripts/bh-narrator.sh -InputFile "path/to/export.json" -PassThru

Run the test suite

bash {baseDir}/tests/run-tests.sh

A synthetic BloodHound export with 5 attack paths (3 Critical, 2 High) is included at {baseDir}/tests/synthetic-bloodhound.json for validation.

Severity Scoring Model

| Factor | Points | Example |
|---|---|---|
| Tier 0 target (DA, EA, DC) | +40 | Path ends at Domain Admins |
| DCSync edge | +30 | Replication rights on DC |
| GenericAll/WriteDacl/Owns on Tier 0 | +30 | GenericAll on Domain Admins group |
| Unconstrained delegation in path | +20 | TGT cached on delegation host |
| GenericAll/WriteDacl/Owns (non-Tier 0) | +15 | WriteDacl on OU |
| Sensitive data keywords in path | +15 | Target description contains "PII" or "financial" |
| Kerberoastable source | +10 | Source account has SPN set |
| Short path (1-2 hops) | +10 | Direct GenericAll to DA |
| Lateral movement chain | +10 | AdminTo + HasSession combo |
| Medium path (3 hops) | +5 | Three-hop escalation |
| Stale password (>365 days) | +5 | Service account never rotated |

Thresholds: Critical >= 50 | High >= 30 | Medium >= 15 | Low < 15
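As an added example (not the skill's own SeverityClassifier), the following PowerShell applies the weights and thresholds above to one attack path. The hashtable fields it reads (Edges, Target, TargetDescription, SourceHasSPN, PasswordAgeDays, UnconstrainedDelegation) are an assumed simplified layout, not the skill's actual export schema.

```powershell
# Added example, not the skill's own code: scores one attack path with the
# weights and thresholds from the table above. The $Path hashtable layout is a
# constructed simplification, not the skill's real BloodHound JSON schema.
$Tier0Targets      = @('DOMAIN ADMINS', 'ENTERPRISE ADMINS', 'DOMAIN CONTROLLERS')
$AclEdges          = @('GenericAll', 'WriteDacl', 'WriteOwner', 'Owns')
$SensitiveKeywords = @('PII', 'financial')

function Get-BHPathSeverity {
    param([Parameter(Mandatory)][hashtable]$Path)
    $score = 0; $reasons = @()
    $edges = @($Path.Edges)
    $tier0 = $Tier0Targets -contains "$($Path.Target)".ToUpper()

    if ($tier0)                    { $score += 40; $reasons += 'Tier 0 target (+40)' }
    if ($edges -contains 'DCSync') { $score += 30; $reasons += 'DCSync edge (+30)' }
    # ACL abuse is counted once, weighted by whether the abused object is Tier 0.
    # Assumption: the edge leading into the final target is the one that matters.
    if ($AclEdges -contains $edges[-1]) {
        if ($tier0) { $score += 30; $reasons += 'ACL abuse on Tier 0 (+30)' }
        else        { $score += 15; $reasons += 'ACL abuse on non-Tier 0 (+15)' }
    }
    if ($Path.UnconstrainedDelegation) { $score += 20; $reasons += 'Unconstrained delegation (+20)' }
    $desc = "$($Path.TargetDescription)"
    if ($SensitiveKeywords | Where-Object { $desc -match $_ }) {
        $score += 15; $reasons += 'Sensitive data keywords (+15)'
    }
    if ($Path.SourceHasSPN)     { $score += 10; $reasons += 'Kerberoastable source (+10)' }
    if ($edges.Count -le 2)     { $score += 10; $reasons += "Short path, $($edges.Count) hop(s) (+10)" }
    elseif ($edges.Count -eq 3) { $score += 5;  $reasons += 'Medium path, 3 hops (+5)' }
    if (($edges -contains 'AdminTo') -and ($edges -contains 'HasSession')) {
        $score += 10; $reasons += 'Lateral movement chain (+10)'
    }
    if ($Path.PasswordAgeDays -gt 365) { $score += 5; $reasons += 'Stale password (+5)' }

    $severity = if ($score -ge 50) { 'Critical' } elseif ($score -ge 30) { 'High' } elseif ($score -ge 15) { 'Medium' } else { 'Low' }
    [pscustomobject]@{ Source = $Path.Source; Target = $Path.Target
                       Score = $score; Severity = $severity; Reasons = $reasons }
}

# Constructed sample: a service account with an SPN and a 900-day-old password
# holding GenericAll directly on Domain Admins (the table's "Direct GenericAll to DA").
$sample = @{
    Source = 'SVC_SQL@CORP.LOCAL'; SourceHasSPN = $true; PasswordAgeDays = 900
    Target = 'DOMAIN ADMINS'; TargetDescription = ''; Edges = @('GenericAll')
    UnconstrainedDelegation = $false
}
Get-BHPathSeverity -Path $sample | Format-List
```

For the constructed sample the table yields 40 + 30 + 10 + 10 + 5 = 95, which crosses the Critical threshold; the Reasons list shows which rows contributed, which is the part a reviewer wants to see beside the final severity.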

Report Output

The generated Markdown report includes:

  • Header with domain name, collection date, BloodHound version
  • Executive summary with severity distribution table
  • Per-path findings with attack chain, business risk bullets, and impact statement
  • Technical remediation appendix with numbered steps per finding (DCSync removal, gMSA migration, delegation hardening, tier isolation, GPO lockdown, etc.)

Who Is This For

  • Pentesters delivering AD audit reports to clients — skip the manual write-up, generate the narrative from your BloodHound data
  • Blue team / SOC analysts triaging BloodHound findings after a security assessment
  • Security consultants who need client-ready deliverables fast
  • CISOs and security managers who want attack path reports they can actually read without a graph database
  • Purple teams documenting offensive findings for defensive remediation

Use Cases

  • Post-pentest AD audit reporting
  • Quarterly Active Directory security health checks
  • Incident response — rapid attack path analysis after a compromise
  • Compliance reporting (ISO 27001, NIS2, LPM, SOC2) requiring documented AD risk assessments
  • Training and awareness — show management what "3 hops to Domain Admin" actually means
Safe usage recommendations
This skill appears to do what it says: it parses a BloodHound Cypher-export JSON locally and emits a Markdown report with executive prose and remediation steps. Before installing/running: (1) ensure PowerShell (pwsh) is installed and trusted on the host, (2) run the bundled tests in an isolated environment if you want to validate behavior (tests call pwsh/Pester), (3) review the included PowerShell templates yourself (they are human-readable) if you have policy concerns, and (4) note minor metadata mismatches (declared version in files vs registry and missing 'required binary' in registry) — these are administrative inconsistencies, not functional or exfiltration issues. If you plan to run this on sensitive hosts, run it on a jump-host or admin workstation rather than directly on domain controllers, and avoid feeding it exports that include credentials or other secrets you don't want written to disk.
Functional analysis
Type: OpenClaw Skill
Name: bloodhound-narrator
Version: 1.0.1

The BloodHound Narrator skill is a reporting tool for Active Directory security audits that processes local JSON exports to generate Markdown reports. Analysis of the PowerShell logic (Invoke-BHNarrator.txt) and library files (SeverityClassifier.txt, NarrativeTemplates.txt) confirms that all processing is performed locally without network calls or data exfiltration. The use of temporary files and dynamic script block creation in the bash wrapper (bh-narrator.sh) is consistent with its stated purpose of providing a cross-platform entry point for PowerShell-based analysis, and the code lacks any indicators of malicious intent or prompt injection.
Capability assessment
Purpose & Capability
Name/description (convert BloodHound exports into dual-layer reports) match the included files and runtime behavior. The package contains PowerShell classifiers and narrative templates consistent with generating executive and technical Markdown reports from BloodHound JSON.
Instruction Scope
SKILL.md instructs purely local operations: read a JSON export, classify paths, and write a Markdown report. The included PowerShell code only reads local files, builds text output, and writes to disk; it does not make network calls or reference external endpoints or unrelated system credentials.
Install Mechanism
No install spec is provided (instruction-only with bundled scripts). The runtime wrapper copies local .txt PowerShell sources to a temp .ps1 and executes them with pwsh — a transparent, local execution pattern. No archives or remote downloads are used.
Credentials
The skill requires no secrets or config paths at runtime and does not access environment credentials. Minor metadata inconsistencies: SKILL.md declares 'bins: pwsh' and instructs installing PowerShell, but the registry 'Required binaries' field was empty; the registry version is 1.0.1 while SKILL.md header lists 1.0.0. These are bookkeeping issues, not functional red flags, but you should verify pwsh availability before running.
Persistence & Privilege
always:false and no persistent agent/system changes. The scripts create temporary files in /tmp and remove them; they do not modify other skills, system-wide agent settings, or store credentials.
How to use
  1. Make sure OpenClaw is installed (local or Docker deployment)
  2. Enter the install command in the chat box: /install bloodhound-narrator
  3. After installation, call the Skill by name directly or trigger it with /bloodhound-narrator
  4. Provide the required inputs according to the Skill's parameter description to get structured output
Version history
v1.0.1
No code changes; the documentation was significantly expanded for clarity and audience.
  • Skill functionality description is now more detailed and tailored for pentesters, blue teams, security consultants, and CISOs.
  • Added sections describing supported attack patterns, real-world use cases, and the audience who benefits.
  • Expanded report outputs and attack scenario examples.
  • Clarified air-gap/regulated environment compatibility.
  • Usage instructions, scoring model, and setup remain unchanged.
v1.0.0
Initial release. Ingests BloodHound Cypher export JSON, classifies attack paths by severity (Critical/High/Medium/Low) using a weighted scoring model, and generates a dual-layer Markdown report: CISO executive prose with business risk narratives, plus a technical remediation appendix with step-by-step hardening playbook. Pure local PowerShell — no API calls, no data leaves the network. Includes Pester test suite (34 tests) and synthetic 5-path test fixture.
Metadata
Slug bloodhound-narrator
Version 1.0.1
License MIT-0
Total installs 0
Current installs 0
Version count 2
FAQ

What is BloodHound Narrator?

Turn BloodHound attack path exports into dual-layer security reports — CISO executive prose on top, technical remediation playbook below. Automates Active Di... It is an AI Agent Skill plugin for Claude Code / OpenClaw, with 127 downloads to date.

How do I install BloodHound Narrator?

Run the command "/install bloodhound-narrator" in the OpenClaw or Claude Code chat box to install it in one step; no extra configuration is needed.

Is BloodHound Narrator free?

Yes, BloodHound Narrator is completely free, released under the MIT-0 license, and can be freely downloaded, installed, and used.

Which platforms does BloodHound Narrator support?

BloodHound Narrator runs cross-platform and can be used in any environment where OpenClaw / Claude Code is deployed.

Who developed BloodHound Narrator?

Developed and maintained by KuroStrike (@kurostrike); current version v1.0.1.
