It was great meeting you at RSAC! Learn more about Pentest Copilot Enterprise.

Pentest Copilot took the entire Game of Active Directory to domain admin.

One click. One campaign. Five hosts, three domains, three domain controllers, discovered, validated, and chained across the lab. No hand-written routes for each weakness.

Run it on your AD Read the full breakdown

5/5 hosts3/3 domains3/3 DCs12 technique families

NORTHnorth.sevenkingdoms.local

winterfell192.168.56.11owned · DA
castelblack192.168.56.22RCE

SEVENKINGDOMSsevenkingdoms.local

kingslanding192.168.56.10owned · DA

ESSOSessos.local

meereen192.168.56.12owned · DA
braavos192.168.56.23RCE

owned, domain admincross-domain trust hop3 domains · 5 hosts · 3 DCs · 12 technique families

01 / The campaign

One run across the whole lab

PCE discovered the subnet, mapped every domain, and chained compromise across them, including the cross-domain hops that turn five hosts into one campaign.

One-click campaign192.168.56.0/24

NORTHnorth.sevenkingdoms.localNTDS extracted · Domain Admin

DCwinterfell192.168.56.11owned

Membercastelblack192.168.56.22owned

SEVENKINGDOMSsevenkingdoms.localParent-domain Administrator

DCkingslanding192.168.56.10owned

ESSOSessos.localDomain Admin via ADCS ESC1

DCmeereen192.168.56.12owned

Memberbraavos192.168.56.23owned

Cross-domain chaining

NORTHParent-child trust abuseNORTH NTDS → sevenkingdoms\AdministratorSEVENKINGDOMS

NORTHMSSQL linked servercastelblack → braavos · xp_cmdshellESSOS

02 / Compromise paths

Five chains to domain admin

Each path is a verified chain: a credential, a permission, a certificate or a trust, followed to its conclusion. Every node is a real host, principal, and technique; the violet step is where compromise becomes total.

winterfell192.168.56.11Domain controller

Responder to NORTH domain controller

north.sevenkingdoms.local

A poisoned response became a cracked password, which carried Domain Admins reach, which became the NORTH directory itself.

Network capture
winterfellresponder lane
LLMNR / NBT-NS poisoning
Hash captured
north\robb.starkNetNTLMv2
Offline cracking
Credential cracked
robb.starksexywolfy
Validate SMB · WMI · WinRM · RDP
Privileged on DC
winterfellDomain Admins owner
NTDS.dit extraction
Directory dumped
north\AdministratorNTLM recovered
Domain Admin

Impact

Network capture → domain-controller privileged access → full NORTH credential extraction.

castelblack192.168.56.22Member server

AD metadata, SQL execution & admin-backed RCE

north.sevenkingdoms.local

A password sitting in an AD description, a SQL service that trusted the wrong account, and the NORTH directory hash. Three independent ways in.

SMB user search
winterfell--users enum
Password in AD description
Credential leaked
samwell.tarlyHeartsbane
Validate RDP · MSSQL
MSSQL access
castelblackimpersonate → sa
xp_cmdshell enabled
Command execution
north\sql_svcOS command exec
Code execution
Parallel: NORTH Administrator NTLM
Admin-backed RCE
castelblackWMI / WinRM PowerShell

Impact

Three paths of consequence: RDP access, SQL service-account execution, and administrator-backed RCE.

kingslanding192.168.56.10Parent domain controller

Child compromise to parent-domain trust abuse

sevenkingdoms.local

The NORTH dump carried more than NORTH. With the trust path mapped, the child domain minted parent-domain administrator.

From NORTH NTDS
eddard.starkNTLM material
Domain trust enumeration
Trust discovered
north → sevenkingdomsparent-child trust
Trust-key / SID abuse
Trust abused
sevenkingdoms\AdministratorNTLM material
Validate SMB · WMI · LDAP
Parent DC owned
kingslandingWinRM PowerShell
Parent-domain admin

Impact

Compromise of the child domain became administrator-backed command execution on the parent domain controller.

meereen192.168.56.12Domain controller

AS-REP roast to ADCS ESC1 to ESSOS admin

essos.local

A user that didn't need pre-auth, plus a certificate template that let you name yourself. The classic ESC1 to domain admin.

AS-REP roastable
missandeiAS-REP hash
Offline cracking
Credential cracked
missandeifr3edom
Authenticate to ADCS
ESC1 template
essos ADCSenrollee-supplied SAN
Request cert for administrator@essos
Certificate issued
administrator@essosPKINIT auth
UnPAC-the-hash
ESSOS admin
essos\AdministratorNTLM recovered
Domain Admin

Impact

A roastable user plus a vulnerable template produced full ESSOS domain administrator material.

braavos192.168.56.23Member server

ESSOS admin & linked-SQL execution

essos.local

Reachable two ways: the ESSOS administrator material from ADCS, and, independently, a SQL linked-server hop all the way from NORTH.

AS-REP + Kerberoast
brandon.stark · jon.snowiseedeadpeople · iknownothing
NORTH SQL access
Linked server
castelblack MSSQL→ braavos
xp_cmdshell on target
Command execution
essos\sql_svcOS command exec
Code execution
Plus: ESSOS Administrator (ADCS)
Host owned
braavostwo independent routes

Impact

Reachable through ESSOS administrator material, with SQL linked-server command execution proven separately.

03 / Recovered material

What came out of the run

sexywolfy

north\robb.starkResponder → crack

Heartsbane

samwell.tarlyAD description

fr3edom

essos\missandeiAS-REP roast

iseedeadpeople

brandon.starkAS-REP roast

iknownothing

jon.snowKerberoast

<NTLM>

north\AdministratorNTDS.dit

<NTLM>

sevenkingdoms\AdministratorTrust abuse

<NTLM>

essos\AdministratorADCS ESC1

04 / Coverage

The whole GOAD attack-path family

The headline chains are only part of it. PCE exercised the major identity attack-path categories GOAD is built to teach, each tied to campaign evidence, not lab expectations.

Anonymous access

SMB shares & anonymous SMB

Readable/writable shares on BRAAVOS & CASTELBLACK, where the next credential hides.

north → sevenkingdoms

Domain trust abuse

Child-domain material minted parent-domain administrator.

krbtgt / trust keys

Golden-ticket class risk

Trust-ticket exposure: identity infrastructure that can forge authentication.

ESC1 · ESC13

ADCS

ESC1 to ESSOS administrator; broader certificate-service risk identified.

GenericAll · WriteDACL

ACL abuse

Privilege escalation through the directory's own authorization model.

RBCD configured

Delegation & RBCD

Constrained, unconstrained, and resource-based delegation exposure.

DC credential extraction

NTDS / DCSync-class

NORTH directory extracted: host compromise becomes domain compromise.

impersonation · linked servers

MSSQL lateral movement

One database login turned into cross-host command execution.

SYSTEM shell on MEEREEN

PrintNightmare

SYSTEM-level execution on 192.168.56.12; exposure across NORTH hosts.

Your AD is more interesting than a lab.

GOAD is the benchmark. Your environment is the real test. Point Pentest Copilot at it and watch the same campaign run end-to-end.

Request a demo Read the full breakdown

Instagram Twitter LinkedIn Youtube Mail

It was great meeting you at RSAC! Learn more about Pentest Copilot Enterprise.

Pentest Copilot took the entire Game of Active Directory to domain admin.

One click. One campaign. Five hosts, three domains, three domain controllers, discovered, validated, and chained across the lab. No hand-written routes for each weakness.

Run it on your AD Read the full breakdown

5/5 hosts3/3 domains3/3 DCs12 technique families

NORTHnorth.sevenkingdoms.local

winterfell192.168.56.11owned · DA
castelblack192.168.56.22RCE

SEVENKINGDOMSsevenkingdoms.local

kingslanding192.168.56.10owned · DA

ESSOSessos.local

meereen192.168.56.12owned · DA
braavos192.168.56.23RCE

owned, domain admincross-domain trust hop3 domains · 5 hosts · 3 DCs · 12 technique families

01 / The campaign

One run across the whole lab

PCE discovered the subnet, mapped every domain, and chained compromise across them, including the cross-domain hops that turn five hosts into one campaign.

One-click campaign192.168.56.0/24

NORTHnorth.sevenkingdoms.localNTDS extracted · Domain Admin

DCwinterfell192.168.56.11owned

Membercastelblack192.168.56.22owned

SEVENKINGDOMSsevenkingdoms.localParent-domain Administrator

DCkingslanding192.168.56.10owned

ESSOSessos.localDomain Admin via ADCS ESC1

DCmeereen192.168.56.12owned

Memberbraavos192.168.56.23owned

Cross-domain chaining

NORTHParent-child trust abuseNORTH NTDS → sevenkingdoms\AdministratorSEVENKINGDOMS

NORTHMSSQL linked servercastelblack → braavos · xp_cmdshellESSOS

02 / Compromise paths

Five chains to domain admin

winterfell192.168.56.11Domain controller

Responder to NORTH domain controller

north.sevenkingdoms.local

A poisoned response became a cracked password, which carried Domain Admins reach, which became the NORTH directory itself.

Network capture
winterfellresponder lane
LLMNR / NBT-NS poisoning
Hash captured
north\robb.starkNetNTLMv2
Offline cracking
Credential cracked
robb.starksexywolfy
Validate SMB · WMI · WinRM · RDP
Privileged on DC
winterfellDomain Admins owner
NTDS.dit extraction
Directory dumped
north\AdministratorNTLM recovered
Domain Admin

Impact

Network capture → domain-controller privileged access → full NORTH credential extraction.

castelblack192.168.56.22Member server

AD metadata, SQL execution & admin-backed RCE

north.sevenkingdoms.local

A password sitting in an AD description, a SQL service that trusted the wrong account, and the NORTH directory hash. Three independent ways in.

SMB user search
winterfell--users enum
Password in AD description
Credential leaked
samwell.tarlyHeartsbane
Validate RDP · MSSQL
MSSQL access
castelblackimpersonate → sa
xp_cmdshell enabled
Command execution
north\sql_svcOS command exec
Code execution
Parallel: NORTH Administrator NTLM
Admin-backed RCE
castelblackWMI / WinRM PowerShell

Impact

Three paths of consequence: RDP access, SQL service-account execution, and administrator-backed RCE.

kingslanding192.168.56.10Parent domain controller

Child compromise to parent-domain trust abuse

sevenkingdoms.local

The NORTH dump carried more than NORTH. With the trust path mapped, the child domain minted parent-domain administrator.

From NORTH NTDS
eddard.starkNTLM material
Domain trust enumeration
Trust discovered
north → sevenkingdomsparent-child trust
Trust-key / SID abuse
Trust abused
sevenkingdoms\AdministratorNTLM material
Validate SMB · WMI · LDAP
Parent DC owned
kingslandingWinRM PowerShell
Parent-domain admin

Impact

Compromise of the child domain became administrator-backed command execution on the parent domain controller.

meereen192.168.56.12Domain controller

AS-REP roast to ADCS ESC1 to ESSOS admin

essos.local

A user that didn't need pre-auth, plus a certificate template that let you name yourself. The classic ESC1 to domain admin.

AS-REP roastable
missandeiAS-REP hash
Offline cracking
Credential cracked
missandeifr3edom
Authenticate to ADCS
ESC1 template
essos ADCSenrollee-supplied SAN
Request cert for administrator@essos
Certificate issued
administrator@essosPKINIT auth
UnPAC-the-hash
ESSOS admin
essos\AdministratorNTLM recovered
Domain Admin

Impact

A roastable user plus a vulnerable template produced full ESSOS domain administrator material.

braavos192.168.56.23Member server

ESSOS admin & linked-SQL execution

essos.local

Reachable two ways: the ESSOS administrator material from ADCS, and, independently, a SQL linked-server hop all the way from NORTH.

AS-REP + Kerberoast
brandon.stark · jon.snowiseedeadpeople · iknownothing
NORTH SQL access
Linked server
castelblack MSSQL→ braavos
xp_cmdshell on target
Command execution
essos\sql_svcOS command exec
Code execution
Plus: ESSOS Administrator (ADCS)
Host owned
braavostwo independent routes

Impact

Reachable through ESSOS administrator material, with SQL linked-server command execution proven separately.

03 / Recovered material

What came out of the run

sexywolfy

north\robb.starkResponder → crack

Heartsbane

samwell.tarlyAD description

fr3edom

essos\missandeiAS-REP roast

iseedeadpeople

brandon.starkAS-REP roast

iknownothing

jon.snowKerberoast

<NTLM>

north\AdministratorNTDS.dit

<NTLM>

sevenkingdoms\AdministratorTrust abuse

<NTLM>

essos\AdministratorADCS ESC1

04 / Coverage

The whole GOAD attack-path family

The headline chains are only part of it. PCE exercised the major identity attack-path categories GOAD is built to teach, each tied to campaign evidence, not lab expectations.

Anonymous access

SMB shares & anonymous SMB

Readable/writable shares on BRAAVOS & CASTELBLACK, where the next credential hides.

north → sevenkingdoms

Domain trust abuse

Child-domain material minted parent-domain administrator.

krbtgt / trust keys

Golden-ticket class risk

Trust-ticket exposure: identity infrastructure that can forge authentication.

ESC1 · ESC13

ADCS

ESC1 to ESSOS administrator; broader certificate-service risk identified.

GenericAll · WriteDACL

ACL abuse

Privilege escalation through the directory's own authorization model.

RBCD configured

Delegation & RBCD

Constrained, unconstrained, and resource-based delegation exposure.

DC credential extraction

NTDS / DCSync-class

NORTH directory extracted: host compromise becomes domain compromise.

impersonation · linked servers

MSSQL lateral movement

One database login turned into cross-host command execution.

SYSTEM shell on MEEREEN

PrintNightmare

SYSTEM-level execution on 192.168.56.12; exposure across NORTH hosts.

Your AD is more interesting than a lab.

GOAD is the benchmark. Your environment is the real test. Point Pentest Copilot at it and watch the same campaign run end-to-end.

Request a demo Read the full breakdown

Instagram Twitter LinkedIn Youtube Mail

Pentest Copilot solves 100% of GOAD | Autonomous AD compromise