Pentest Copilot Enterprise ran against Mayfly's GOAD Active Directory lab from a single internal subnet and chained the environment the way an operator would: discover hosts, map services, capture or discover credentials, validate where they work, use the validated access to reach higher-value systems, then continue into identity-layer compromise. This is the point of PCE's internal assessment workflow: one click to stand up the campaign, cover the full lab, and show how individual weaknesses become compromise paths. The result was 100% host and domain coverage across the GOAD Windows environment, with all five Windows hosts, all three domains, all three domain controllers, both member servers, and the major GOAD attack-path families represented in the final story.
PCE started from the internal subnet 192.168.56.0/24. From that scope it identified the GOAD Windows hosts, mapped the exposed services, and built verified attack chains across three domains:
| Domain | Key systems | Primary impact shown |
|---|---|---|
| north.sevenkingdoms.local | winterfell, castelblack | Responder capture, cracked credentials, RDP and MSSQL access, NTDS extraction |
| sevenkingdoms.local | kingslanding | Parent-domain trust abuse and administrator access |
| essos.local | meereen, braavos | AS-REP roast, ADCS ESC1, ESSOS Administrator material, SQL linked-server execution |
The main compromise paths covered below show how PCE moved from one-click setup to domain-level impact:
- winterfell: Responder captured robb.stark, cracking produced sexywolfy, validation showed privileged access, and PCE dumped NORTH domain NTDS.
- castelblack: SMB user enumeration on winterfell exposed samwell.tarly:Heartsbane, and that recovered credential was then accepted on castelblack for RDP and MSSQL xp_cmdshell execution through impersonation. A separate NTDS-derived NORTH Administrator hash path also led to WMI and WinRM PowerShell execution on the same host.
- kingslanding: NORTH domain compromise exposed eddard.stark material, which enabled parent-child trust abuse into sevenkingdoms.local and administrator-backed WinRM command execution on the parent domain controller.
- meereen: AS-REP roasting exposed missandei, cracking produced fr3edom, and ADCS ESC1 produced ESSOS Administrator material.
- braavos: PCE reached the host through ESSOS administrator material and independently proved SQL linked-server command execution as essos\sql_svc.

The second half covers additional vulnerability categories PCE identified: SMB shares, domain trusts, trust-ticket and golden-ticket class risk, ADCS, ACLs, delegation, RBCD, NTDS and DCSync-class credential exposure, MSSQL lateral movement, and PrintNightmare exposure.
In customer terms, this was not five manual demos. It was a single campaign that moved across the whole lab and connected the attack paths customers expect an automated internal pentest to cover.
The strongest customer-facing claim is specific: PCE delivered 100% coverage of the GOAD Windows host and domain scope, then exercised the major GOAD attack-path families from the same campaign.
| Coverage area | Result |
|---|---|
| Windows hosts in GOAD scope | 5 of 5 discovered and modeled |
| Domains in GOAD scope | 3 of 3 represented in attack paths |
| Domain controllers | 3 of 3 reached in the campaign story |
| Member servers | 2 of 2 used in compromise paths |
| Major path families | Credentials, roasting, cracking, protocol validation, SMB, MSSQL, ADCS, trusts, ACLs, delegation, RBCD, NTDS |
The important distinction is that PCE did not require a hand-written route for each weakness. The same campaign discovered, validated, and chained the paths.
Game of Active Directory is a deliberately vulnerable Active Directory lab maintained by Orange Cyberdefense. It is designed to exercise realistic identity attack paths rather than single-host vulnerability checks.
The GOAD lab has five important Windows hosts:
| Host | IP | Domain | Role |
|---|---|---|---|
| kingslanding | 192.168.56.10 | sevenkingdoms.local | Domain controller |
| winterfell | 192.168.56.11 | north.sevenkingdoms.local | Domain controller |
| meereen | 192.168.56.12 | essos.local | Domain controller |
| castelblack | 192.168.56.22 | north.sevenkingdoms.local | Member server |
| braavos | 192.168.56.23 | essos.local | Member server |
GOAD matters because the attack paths are familiar to real enterprise defenders: SMB, LDAP, Kerberos, WinRM, WMI, RDP, MSSQL, ADCS, delegation, ACLs, and domain trusts. It is a useful benchmark because the question is not whether a tool can find one weak password. The question is whether it can cover the full range and keep chaining.
Active Directory compromise is usually a chain, not one isolated finding.
A Responder capture becomes a cracked password. A cracked password becomes privileged SMB, WMI, WinRM, or RDP access. Privileged access to a domain controller becomes NTDS extraction. NTDS material becomes trust abuse and administrator-backed command execution. ADCS turns a low-privileged user into a domain admin. SQL Server links become command execution on another host.
That is what PCE demonstrated in this benchmark. It did not stop at saying a weakness existed. It kept asking the next question: what does this credential, permission, ticket, certificate, service, or trust relationship unlock?
That is also where the 100% coverage message matters. PCE discovered every GOAD Windows host in scope, mapped every domain in the lab, reached every domain controller in the campaign story, and exercised the major attack-path families GOAD is built to teach: credential exposure, roasting, cracking, protocol validation, SQL abuse, ADCS, trust abuse, ACLs, delegation, SMB exposure, and DC credential extraction.
PCE first identified the live hosts in 192.168.56.0/24, then mapped the services that mattered for identity attack paths.
| Host | Discovery result | Services that mattered |
|---|---|---|
| kingslanding | Parent-domain controller found at 192.168.56.10 | LDAP, SMB, RDP, WinRM, WMI |
| winterfell | NORTH domain controller found at 192.168.56.11 | LDAP, SMB, RDP, WinRM, WMI |
| meereen | ESSOS domain controller found at 192.168.56.12 | LDAP, SMB, RDP, WinRM, WMI, ADCS context |
| castelblack | NORTH member server found at 192.168.56.22 | SMB, MSSQL, RDP, WinRM, print spooler |
| braavos | ESSOS member server found at 192.168.56.23 | SMB, MSSQL, RDP, WinRM |
winterfell was the domain controller for north.sevenkingdoms.local.
PCE captured a NetNTLMv2 hash for north\robb.stark through its Responder capture lane. The hash was cracked to the plaintext password sexywolfy. PCE then validated the credential across the exposed remote services. On winterfell, the credential had privileged access over SMB, WMI, WinRM, and RDP.
That access was not treated as magic. The AD data showed why robb.stark mattered: the account was a member of the NORTH built-in Administrators group, had a session on winterfell, owned the NORTH Domain Admins group, and had additional write-control edges around tier-zero groups. In practical terms, the credential was not just valid. It carried domain-controller administrative reach.
PCE then used robb.stark:sexywolfy to dump NTDS from winterfell. This is a DC credential-extraction path, not a generic claim that every valid user had DCSync. The chain confirmed robb.stark authenticated to winterfell over SMB, NTDS extraction ran, and the output included the NORTH Administrator hash.
PCE validated that NORTH Administrator hash over SMB, WMI, and WinRM on NORTH systems, then used it for PowerShell execution through WMI on winterfell and through WMI and WinRM on castelblack.
The important source relationship is straightforward:
| Secret or credential | Where it came from | What it unlocked |
|---|---|---|
| north\robb.stark NetNTLMv2 | Responder and NTLM capture | Offline cracking |
| robb.stark:sexywolfy | Secret cracking of the captured hash | Privileged access to winterfell |
| robb.stark privilege context | NORTH Administrators membership, Domain Admins ownership, and tier-zero write-control edges | Why the credential could be used for domain-controller credential extraction |
| NORTH NTDS material | NTDS extraction from winterfell using robb.stark:sexywolfy | More NORTH credential material, including high-value domain identities |
| north.sevenkingdoms.local\Administrator NTLM material | NORTH NTDS extraction from winterfell | SMB, WMI, WinRM validation and admin-backed command execution on NORTH hosts |
Impact: PCE moved from a network authentication capture to privileged access on the NORTH domain controller, then to domain credential extraction.
castelblack was a member server in north.sevenkingdoms.local.
PCE discovered the credential samwell.tarly:Heartsbane during SMB user enumeration against winterfell, the NORTH domain controller. The `netexec smb 192.168.56.11 --users` output listed samwell.tarly and exposed `Password : Heartsbane` in the description field. PCE then validated the recovered credential against castelblack, where it provided RDP access and MSSQL access.
On MSSQL, PCE found that samwell.tarly could impersonate sa. That allowed xp_cmdshell to be enabled, and PCE proved operating system command execution as north\sql_svc.
Separately, PCE chained the winterfell NTDS result into CASTELBLACK. The flow was: Responder produced robb.stark, cracking produced sexywolfy, Robb's NORTH privilege context allowed NTDS extraction from winterfell, and that NTDS output included the NORTH Administrator hash. PCE then validated the Administrator hash against castelblack over SMB, WMI, and WinRM, and used WMI and WinRM to execute PowerShell.
| Secret or credential | Where it came from | What it unlocked |
|---|---|---|
| samwell.tarly:Heartsbane | SMB user enumeration on winterfell exposed the password in the description field | RDP and MSSQL access to castelblack |
| sa execution context | MSSQL impersonation path | xp_cmdshell enablement |
| north\sql_svc command execution | MSSQL xp_cmdshell | OS command execution on castelblack |
| north.sevenkingdoms.local\Administrator NTLM material | robb.stark NTDS extraction from winterfell | WMI and WinRM PowerShell execution on castelblack |
Impact: CASTELBLACK had three separate paths of consequence: RDP access from exposed AD metadata, SQL service-account execution through MSSQL impersonation, and administrator-backed WMI/WinRM command execution from the NORTH NTDS chain.
kingslanding was the domain controller for the parent domain sevenkingdoms.local.
The clean chain into kingslanding started with the winterfell compromise. After PCE dumped NORTH domain credential material, the NTDS output included eddard.stark NTLM material. PCE also identified the parent-child trust from north.sevenkingdoms.local to sevenkingdoms.local.
Using the recovered NORTH material and the discovered trust relationship, PCE performed parent-child trust abuse and obtained sevenkingdoms.local Administrator NTLM material. That administrator material was then validated against kingslanding over privileged services.
PCE then used the sevenkingdoms.local\Administrator NTLM material over WinRM on kingslanding and executed PowerShell.
| Secret or credential | Where it came from | What it unlocked |
|---|---|---|
| eddard.stark NTLM material | NORTH NTDS extraction from winterfell | Trust abuse precondition |
| NORTH to SEVENKINGDOMS trust | Domain trust discovery | Parent-domain escalation route |
| sevenkingdoms.local\Administrator NTLM material | Parent-child trust abuse | Privileged access to kingslanding |
| WinRM PowerShell execution on kingslanding | sevenkingdoms.local\Administrator NTLM material | Administrator-backed command execution on the parent domain controller |
Impact: Compromise of the child domain became administrator-backed command execution in the parent domain.
meereen was the domain controller for essos.local.
PCE identified missandei as AS-REP roastable. It captured AS-REP material, cracked the password to fr3edom, and used the credential to interact with ESSOS certificate services.
The ADCS path was ESC1. The vulnerable certificate template allowed a requester to supply an alternate identity suitable for client authentication. PCE used missandei:fr3edom to request a certificate for administrator@essos, authenticated with the resulting certificate, and recovered the ESSOS Administrator NTLM hash.
| Secret or credential | Where it came from | What it unlocked |
|---|---|---|
| missandei AS-REP hash | AS-REP roasting against ESSOS LDAP/Kerberos | Offline cracking |
| missandei:fr3edom | Secret cracking of AS-REP material | ADCS enrollment path |
| administrator@essos certificate and NTLM material | ESC1 abuse against ESSOS ADCS | ESSOS domain administrator control |
Impact: A roastable user plus a vulnerable certificate template produced ESSOS domain administrator material.
braavos was a member server in essos.local.
PCE reached BRAAVOS through two important routes.
First, the ESSOS Administrator material recovered through ADCS represented privileged control over ESSOS domain systems, including BRAAVOS. PCE validated that the same ESSOS administrator material had privileged access to ESSOS systems during the campaign.
Second, PCE proved an independent SQL path into BRAAVOS. The chain started in NORTH. PCE found brandon.stark through AS-REP roasting and cracked it to iseedeadpeople. PCE also found jon.snow through Kerberoasting and cracked it to iknownothing. Those NORTH identities were useful in SQL paths involving castelblack. From there, PCE found a linked-server route into BRAAVOS and enabled xp_cmdshell, proving command execution as essos\sql_svc.
| Secret or credential | Where it came from | What it unlocked |
|---|---|---|
| brandon.stark:iseedeadpeople | AS-REP roasting and cracking | NORTH access useful in SQL paths |
| jon.snow:iknownothing | Kerberoasting and cracking | SQL impersonation and linked-server paths |
| administrator@essos NTLM material | ADCS ESC1 abuse using missandei | Privileged ESSOS access |
| essos\sql_svc execution | MSSQL linked server and xp_cmdshell | OS command execution in the BRAAVOS SQL context |
Impact: BRAAVOS was reachable through ESSOS administrator material, and PCE separately proved SQL linked-server command execution on the BRAAVOS side.
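Three of the credential sources in this write-up (the password left in samwell.tarly's description field, missandei's AS-REP roastable configuration, and the Kerberoastable jon.snow service account) are visible in plain user-object attributes long before any capture happens. The following is an added example, not PCE's or GOAD's code: an offline hygiene audit over exported user records that flags those conditions plus the delegation settings covered later in the page. The `UserRecord` shape, the sample records, and the SPN values are constructed for the example; the `userAccountControl` bit values are Microsoft's documented ones.

```python
"""Offline hygiene audit of Active Directory user objects.

Added example (not PCE's or GOAD's code). It assumes user records have
already been exported from LDAP into the UserRecord shape below; the
sample records are constructed to mirror the findings in this write-up.
"""
import re
from dataclasses import dataclass, field

# userAccountControl bits, as documented by Microsoft.
UF_DONT_REQUIRE_PREAUTH = 0x400000              # Kerberos pre-auth not required: AS-REP roastable
UF_TRUSTED_FOR_DELEGATION = 0x80000             # unconstrained delegation
UF_TRUSTED_TO_AUTH_FOR_DELEGATION = 0x1000000   # constrained delegation with protocol transition
UF_NORMAL_ACCOUNT = 0x200

# Crude "someone wrote a password here" detector for description/info fields.
PASSWORD_HINT = re.compile(r"\b(pass(word|wd)?|pwd)\b\s*[:=]\s*\S+", re.IGNORECASE)


@dataclass
class UserRecord:
    sam: str
    uac: int                                                    # userAccountControl
    description: str = ""
    spns: list = field(default_factory=list)                    # servicePrincipalName
    allowed_to_delegate_to: list = field(default_factory=list)  # msDS-AllowedToDelegateTo


def audit_user(user: UserRecord) -> list:
    """Return the list of hygiene problems found on one user object."""
    findings = []
    if user.uac & UF_DONT_REQUIRE_PREAUTH:
        findings.append("as-rep-roastable")
    # krbtgt always carries an SPN and is handled by key rotation, not by this check.
    if user.spns and user.sam.lower() != "krbtgt":
        findings.append("kerberoastable")
    if PASSWORD_HINT.search(user.description):
        findings.append("password-in-description")
    if user.uac & UF_TRUSTED_FOR_DELEGATION:
        findings.append("unconstrained-delegation")
    if user.allowed_to_delegate_to:
        if user.uac & UF_TRUSTED_TO_AUTH_FOR_DELEGATION:
            findings.append("constrained-delegation-protocol-transition")
        else:
            findings.append("constrained-delegation")
    return findings


def audit(users) -> dict:
    """Map sAMAccountName -> findings, for users that have any."""
    result = {}
    for user in users:
        findings = audit_user(user)
        if findings:
            result[user.sam] = findings
    return result


# Constructed sample records; only the attributes relevant to the audit are filled in.
SAMPLE_USERS = [
    UserRecord("samwell.tarly", UF_NORMAL_ACCOUNT, description="Password : Heartsbane"),
    UserRecord("missandei", UF_NORMAL_ACCOUNT | UF_DONT_REQUIRE_PREAUTH),
    UserRecord("jon.snow", UF_NORMAL_ACCOUNT, spns=["HTTP/thewall.north.sevenkingdoms.local"]),
    UserRecord("sql_svc", UF_NORMAL_ACCOUNT | UF_TRUSTED_TO_AUTH_FOR_DELEGATION,
               spns=["MSSQLSvc/castelblack.north.sevenkingdoms.local:1433"],
               allowed_to_delegate_to=["CIFS/winterfell.north.sevenkingdoms.local"]),
    UserRecord("arya.stark", UF_NORMAL_ACCOUNT, description="Faceless"),
]

if __name__ == "__main__":
    for sam, findings in audit(SAMPLE_USERS).items():
        print(f"{sam}: {', '.join(findings)}")
```

Run it periodically against a fresh LDAP export rather than once: the AS-REP and delegation flags are single attribute writes, so a clean result today says nothing about next week, and every hit is a credential path PCE would chain automatically.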
PCE identified SMB share exposure and anonymous SMB access. These findings matter because shares often contain scripts, deployment files, certificates, configuration data, or operational documents that turn a low-level foothold into better credentials.
The campaign identified anonymous SMB access on BRAAVOS and CASTELBLACK. It also identified readable or writable shares, including administrative, logon, public, and certificate-related shares, depending on the credential used.
Defender takeaway: share findings should not be treated as file-system noise. They are often where attackers find the next credential, script, certificate, or deployment secret.
PCE identified the trust path from north.sevenkingdoms.local to sevenkingdoms.local and proved that recovered child-domain material could be used to obtain parent-domain administrator material.
Defender takeaway: a child domain is not a safe blast-radius boundary when trust relationships and credential material allow escalation into the parent.
PCE identified trust-ticket and Kerberos escalation risk tied to recovered trust and domain material. The strongest verified chain in the benchmark was parent-child trust abuse that produced parent-domain administrator material. PCE also identified trust-ticket style exposure in the environment.
This is a golden-ticket class risk because once krbtgt or inter-domain trust material is exposed, defenders are no longer dealing with one compromised host. They are dealing with identity infrastructure that can mint or accept forged authentication material.
Defender takeaway: ordinary password resets are not enough after krbtgt or trust material exposure. Kerberos keys and trust secrets need a deliberate rotation plan.
The clearest ADCS path was ESC1 in ESSOS, the missandei to ESSOS Administrator chain described in the meereen section above.
PCE also identified broader certificate-service risk classes in the environment, including multiple ESC categories. The proven customer-facing chain is ESC1 to ESSOS Administrator through missandei.
Defender takeaway: ADCS is tier-zero infrastructure. Template permissions, enrollee-supplied subject settings, EKUs, enrollment rights, and CA exposure should be reviewed like domain controller security controls.
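ESC1 is not a single setting but a conjunction: enrollment rights for low-privileged principals, no manager approval, no authorized signatures, an authentication-capable EKU, and the enrollee-supplies-subject flag all have to hold at once, which is exactly why reviewing one of them breaks the path. The following is an added example, not PCE's or GOAD's code: an offline check over exported certificate-template objects that evaluates each precondition separately so the report says which one to fix. The template names and values are constructed, not the real GOAD template; the flag bits and EKU OIDs are Microsoft's documented values.

```python
"""Offline ESC1 check for AD CS certificate templates.

Added example (not PCE's or GOAD's code). It assumes template objects have
been exported from the Configuration partition into the dicts below; the
sample templates are constructed, not the real GOAD template definitions.
"""

# msPKI-Certificate-Name-Flag / msPKI-Enrollment-Flag bits (documented Microsoft values)
CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT = 0x1      # requester picks the subject / SAN
CT_FLAG_PEND_ALL_REQUESTS = 0x2              # manager approval required
CT_FLAG_SUBJECT_ALT_REQUIRE_DNS = 0x08000000  # SAN built from the AD object, not the request

# EKUs that make an issued certificate usable for Kerberos/Schannel authentication
AUTH_EKUS = {
    "1.3.6.1.5.5.7.3.2",        # Client Authentication
    "1.3.6.1.5.2.3.4",          # PKINIT Client Authentication
    "1.3.6.1.4.1.311.20.2.2",   # Smart Card Logon
    "2.5.29.37.0",              # Any Purpose
}

# Principals whose enrollment rights count as "low-privileged" for this check
LOW_PRIV_PRINCIPALS = {"Domain Users", "Authenticated Users", "Domain Computers", "Everyone"}


def esc1_conditions(template: dict) -> dict:
    """Evaluate each ESC1 precondition separately so the report says which to fix."""
    ekus = set(template.get("pKIExtendedKeyUsage", []))
    return {
        "low_priv_can_enroll": bool(set(template.get("enroll_principals", [])) & LOW_PRIV_PRINCIPALS),
        "no_manager_approval": not (template.get("msPKI-Enrollment-Flag", 0) & CT_FLAG_PEND_ALL_REQUESTS),
        "no_authorized_signatures": template.get("msPKI-RA-Signature", 0) == 0,
        # An empty EKU list means "any purpose", so it also counts as authentication-capable.
        "auth_eku": not ekus or bool(ekus & AUTH_EKUS),
        "enrollee_supplies_subject": bool(
            template.get("msPKI-Certificate-Name-Flag", 0) & CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT
        ),
    }


def is_esc1(template: dict) -> bool:
    """ESC1 requires every precondition at once; any single fix breaks the path."""
    return all(esc1_conditions(template).values())


def audit_templates(templates) -> dict:
    """Map template name -> satisfied conditions, for templates that are ESC1."""
    return {t["name"]: esc1_conditions(t) for t in templates if is_esc1(t)}


def remediate(template: dict) -> dict:
    """Return a copy with the enrollee-supplies-subject flag cleared, the usual ESC1 fix."""
    fixed = dict(template)
    fixed["msPKI-Certificate-Name-Flag"] &= ~CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT
    return fixed


# Constructed sample templates (names and values are illustrative, not GOAD's)
SAMPLE_TEMPLATES = [
    {   # every ESC1 precondition holds
        "name": "ExampleUserTemplate",
        "enroll_principals": ["Domain Users"],
        "msPKI-Enrollment-Flag": 0,
        "msPKI-RA-Signature": 0,
        "pKIExtendedKeyUsage": ["1.3.6.1.5.5.7.3.2"],
        "msPKI-Certificate-Name-Flag": CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT,
    },
    {   # subject comes from AD, so the requester cannot pick an identity
        "name": "ExampleMachineTemplate",
        "enroll_principals": ["Domain Computers"],
        "msPKI-Enrollment-Flag": 0,
        "msPKI-RA-Signature": 0,
        "pKIExtendedKeyUsage": ["1.3.6.1.5.5.7.3.2", "1.3.6.1.5.5.7.3.1"],
        "msPKI-Certificate-Name-Flag": CT_FLAG_SUBJECT_ALT_REQUIRE_DNS,
    },
    {   # same as the first, but manager approval gates issuance
        "name": "ExampleApprovedTemplate",
        "enroll_principals": ["Domain Users"],
        "msPKI-Enrollment-Flag": CT_FLAG_PEND_ALL_REQUESTS,
        "msPKI-RA-Signature": 0,
        "pKIExtendedKeyUsage": ["1.3.6.1.5.5.7.3.2"],
        "msPKI-Certificate-Name-Flag": CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT,
    },
]

if __name__ == "__main__":
    for name, conditions in audit_templates(SAMPLE_TEMPLATES).items():
        print(name, {k: v for k, v in conditions.items() if v})
```

The per-condition output is the useful part: clearing the enrollee-supplies-subject flag is the standard fix, but where a template genuinely needs requester-supplied subjects, requiring manager approval or an authorized signature breaks the same chain without changing the template's purpose.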
PCE identified dangerous Active Directory permissions such as GenericAll, GenericWrite, WriteDACL, WriteOwner, AddMember, ForceChangePassword, and ReadLAPSPassword.
These are high-value findings because they often represent privilege escalation without an exploit binary. The attacker abuses the directory's own authorization model.
Defender takeaway: AD object permissions are attack surface. Privileged groups, computer objects, service accounts, and certificate-service objects need regular ACL review.
PCE identified constrained delegation, unconstrained delegation, and resource-based constrained delegation exposure across the lab.
Delegation findings matter because they let attackers impersonate users to services, capture delegated Kerberos material, or configure machine-account based access.
Defender takeaway: delegation should be rare, documented, and scoped. Computer objects with delegation rights deserve the same scrutiny as privileged users.
The strongest NTDS path in this write-up is the NORTH domain controller path described above: robb.stark's privileged access to winterfell led to NTDS extraction, and the output included the NORTH Administrator hash.
Defender takeaway: once NTDS is extracted, the incident changes from host compromise to domain compromise. Response must include credential rotation, privileged account review, Kerberos key rotation where needed, and trust review.
For defenders, this belongs in the same risk family as DCSync: a domain-level path has crossed into directory credential material. The exact mechanism matters for remediation, but the business impact is domain credential exposure.
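Whatever mechanism pulled NTDS from winterfell, the replication-based variant of this risk family (DCSync) leaves a specific trace: a Windows security event 4662 on the domain controller whose Properties field contains the directory replication control-access GUIDs, raised by a principal that is not a domain controller. The following is an added example, not PCE's or GOAD's code: detection logic run over constructed 4662 lines modelled as key=value text. The DC account names come from the hosts in this write-up; the event lines, the robb.stark replication event, and the allowlist parameter are constructed for the example. The GUIDs are the documented rightsGuid values for the three replication rights.

```python
"""Detect replication-based credential extraction (DCSync) from 4662 audit events.

Added example (not PCE's or GOAD's code). Event fields are modelled as
key=value text lines; the sample lines are constructed, not benchmark output.
"""
import re

# rightsGuid values of the replication control-access rights, as written into event 4662 Properties
DS_REPLICATION_GET_CHANGES = "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2"
DS_REPLICATION_GET_CHANGES_ALL = "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2"
DS_REPLICATION_GET_CHANGES_FILTERED = "89e95b76-444d-4c62-991a-0facbeda640c"
REPLICATION_GUIDS = {
    DS_REPLICATION_GET_CHANGES,
    DS_REPLICATION_GET_CHANGES_ALL,
    DS_REPLICATION_GET_CHANGES_FILTERED,
}

# Machine accounts of the domain controllers named in this write-up; they replicate legitimately.
DC_ACCOUNTS = {"KINGSLANDING$", "WINTERFELL$", "MEEREEN$"}

FIELD = re.compile(r"(\w+)=(\S*)")


def parse_event(line: str) -> dict:
    """Turn one 'Key=value Key=value' line into a dict (values contain no spaces)."""
    return dict(FIELD.findall(line))


def detect_dcsync(lines, dc_accounts=DC_ACCOUNTS, allowlist=()):
    """Return alerts for 4662 events where a non-DC principal exercised replication rights.

    allowlist is for known non-DC replicators (for example a directory sync
    service account); anything else pulling Get-Changes-All is treated as high.
    """
    alerts = []
    for line in lines:
        ev = parse_event(line)
        if ev.get("EventID") != "4662":
            continue
        account = ev.get("SubjectUserName", "")
        if account in dc_accounts or account in allowlist:
            continue
        guids = set(ev.get("Properties", "").lower().split(",")) & REPLICATION_GUIDS
        if not guids:
            continue
        # Get-Changes-All is what actually returns secrets, so it is the strongest signal.
        severity = "high" if DS_REPLICATION_GET_CHANGES_ALL in guids else "medium"
        alerts.append({
            "account": f"{ev.get('SubjectDomainName', '')}\\{account}",
            "object": ev.get("ObjectType", ""),
            "rights": sorted(guids),
            "severity": severity,
        })
    return alerts


# Constructed sample events: a legitimate DC replication, a user-driven replication,
# an unrelated 4662 on a user object, and a non-4662 logon event.
SAMPLE_LOG = """\
EventID=4662 SubjectUserName=WINTERFELL$ SubjectDomainName=NORTH ObjectType=domainDNS AccessMask=0x100 Properties=1131f6aa-9c07-11d1-f79f-00c04fc2dcd2,1131f6ad-9c07-11d1-f79f-00c04fc2dcd2
EventID=4662 SubjectUserName=robb.stark SubjectDomainName=NORTH ObjectType=domainDNS AccessMask=0x100 Properties=1131f6aa-9c07-11d1-f79f-00c04fc2dcd2,1131f6ad-9c07-11d1-f79f-00c04fc2dcd2
EventID=4662 SubjectUserName=arya.stark SubjectDomainName=NORTH ObjectType=user AccessMask=0x20 Properties=bf967aba-0de6-11d0-a285-00aa003049e2
EventID=4624 SubjectUserName=robb.stark SubjectDomainName=NORTH LogonType=3
"""

if __name__ == "__main__":
    for alert in detect_dcsync(SAMPLE_LOG.splitlines()):
        print(alert)
```

The rule only fires if the domain controller audits directory service access with a SACL on the domain object for the replication rights, so confirming that audit policy is in place is part of deploying it. The allowlist should stay short and reviewed: every entry is an account whose compromise gives the same NTDS-class outcome this section describes.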
PCE identified MSSQL paths that went beyond login success. It followed impersonation, linked servers, and xp_cmdshell to prove command execution.
Defender takeaway: SQL Server belongs in Active Directory attack modeling. Linked servers and impersonation can turn one database login into cross-host execution.
PCE identified PrintNightmare-style exposure on multiple Windows systems. In an environment where valid credentials already exist, exposed print spooler attack surface increases the number of available privilege and lateral movement routes.
The clearest RCE proof for this category was meereen: PCE recorded SYSTEM-level execution through PrintNightmare on 192.168.56.12. PCE also identified PrintNightmare exposure on NORTH systems such as castelblack, where the same campaign already had administrator-class credential paths.
Defender takeaway: print spooler exposure on servers and domain controllers should be minimized. Where the service is not needed, disable it.
The headline chains are only part of the coverage. The table below intentionally lists findings we tied to PCE campaign evidence, not raw GOAD expected-lab entries.
| Host or scope | Vulnerability title | Category |
|---|---|---|
| NORTH domain | NetNTLMv2 hash exposed for robb.stark@north | Responder and credential exposure |
| winterfell | Privileged SMB/WMI/WinRM/RDP access with robb.stark:sexywolfy | Credential validation |
| winterfell | NORTH NTDS extraction after robb.stark privilege validation | DC credential extraction |
| winterfell | WMI PowerShell execution with NORTH Administrator NTLM from NTDS | Admin-backed RCE |
| winterfell | SMB user search exposed samwell.tarly:Heartsbane in the description field | Credential exposure |
| castelblack | RDP access accepted for samwell.tarly:Heartsbane | Remote access |
| castelblack | MSSQL login accepted for samwell.tarly:Heartsbane | MSSQL |
| castelblack | MSSQL impersonation from samwell.tarly to sa | MSSQL privilege escalation |
| castelblack | MSSQL xp_cmdshell enabled via sa on CASTELBLACK\SQLEXPRESS | MSSQL command execution |
| castelblack | WMI and WinRM PowerShell execution with NORTH Administrator NTLM from NTDS | Admin-backed RCE |
| NORTH domain | AS-REP roastable user brandon.stark cracked to iseedeadpeople | Kerberos |
| NORTH domain | Kerberoastable jon.snow cracked to iknownothing | Kerberos |
| braavos | MSSQL linked server path from castelblack to BRAAVOS | MSSQL lateral movement |
| braavos | MSSQL xp_cmdshell execution as essos\sql_svc | MSSQL command execution |
| ESSOS domain | AS-REP roastable user missandei cracked to fr3edom | Kerberos |
| ESSOS ADCS | ESC1 template abuse produced administrator@essos material | ADCS |
| ESSOS ADCS | ESC13 issuance policy linked certificate enrollment to privileged access | ADCS |
| ESSOS ADCS | ESC13 certificate-policy path exposed privileged certificate enrollment risk | ADCS |
| NORTH to SEVENKINGDOMS | Parent-child trust abuse produced parent-domain administrator material | Domain trust |
| kingslanding | WinRM PowerShell execution with sevenkingdoms.local\Administrator NTLM material | Admin-backed RCE |
| SEVENKINGDOMS parent domain | Trust-ticket style exposure identified for parent-domain access | Trust ticket |
| braavos | RBCD attack path configured to braavos | RBCD |
| meereen | RBCD attack path configured to meereen | RBCD |
| braavos | LAPS password read path to BRAAVOS$ identified | ACL and LAPS |
| castelblack | Anonymous SMB access accepted | SMB exposure |
| braavos | Anonymous SMB access accepted | SMB exposure |
| meereen | PrintNightmare produced a SYSTEM shell with host agent context active | PrintNightmare RCE |
| castelblack | PrintNightmare exposure identified on the print spooler path | PrintNightmare |