Active Directory takeover.
Point AutoAttack at a Windows forest with Domain Admin as the goal, and it returns the proven path — which misconfigurations chained, which credentials it pulled, and the captured evidence behind every step. Below is the run on GOAD: all three domains, from a black-box start.
proven on GOAD
hardened · 0:51: On the hardened GOAD spec — Windows Defender on, LLMNR off, patched through March 2026 — AutoAttack reached Domain Admin across all three domains in a 0:51 median over ten independent runs.
black-box · 3 of 3: Given no credentials on the same lab, it reached all three domains with the first Domain Admin at 0:41, while an exposure-inventory tool on identical ground reached zero.
124 credentials: The same black-box run recovered 124 credentials and logged 85 confirmed findings across 327 actions on six hosts.
every step proved: Each finding is an action it carried out, with the captured output behind it.
the path it walks
crack a way in: Where an account allows it, AutoAttack requests a Kerberos ticket and cracks it offline — no password needed to start. Weak and reused credentials fall the same way.
read the directory: With one credential it enumerates the domain, surfacing passwords left in account descriptions, login scripts, and shares — the misconfigurations every directory accumulates over time.
reuse across domains: A service-account password pulled from one host unlocks another. Across a trust, the same account is often Domain Admin in the next domain.
replicate everything: It replicates the credential database the way a domain controller would, and a forged ticket carrying the trust key crosses domain boundaries — until the forest-root account hands over the rest.
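Two detection checks for the path above, as an added example that is not AutoAttack's code: they flag the RC4 service-ticket requests behind "crack a way in" (Security event 4769) and replication rights requested by a non-DC account behind "replicate everything" (event 4662). Field names follow the Windows Security log; the sample records, domain and account names are constructed.

```python
# Control-access right GUIDs that grant directory replication; any of them in a
# 4662 Properties field means the actor asked for DC-style replication reads.
REPLICATION_RIGHTS = {
    "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Get-Changes",
    "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Get-Changes-All",
    "89e95b76-444d-4c62-991a-0facbeda640c": "DS-Replication-Get-Changes-In-Filtered-Set",
}

# Constructed sample records (not real telemetry): only the fields from
# Security events 4769 and 4662 that the two checks below need.
SAMPLE_EVENTS = [
    {"EventID": 4769, "TargetUserName": "alice@LAB.EXAMPLE", "ServiceName": "sql_svc",
     "TicketEncryptionType": "0x17", "IpAddress": "10.0.0.50"},
    {"EventID": 4769, "TargetUserName": "alice@LAB.EXAMPLE", "ServiceName": "krbtgt",
     "TicketEncryptionType": "0x12", "IpAddress": "10.0.0.50"},
    {"EventID": 4769, "TargetUserName": "alice@LAB.EXAMPLE", "ServiceName": "FS01$",
     "TicketEncryptionType": "0x12", "IpAddress": "10.0.0.50"},
    {"EventID": 4662, "SubjectUserName": "DC02$", "AccessMask": "0x100",
     "Properties": "{1131f6aa-9c07-11d1-f79f-00c04fc2dcd2} {1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}"},
    {"EventID": 4662, "SubjectUserName": "bob", "AccessMask": "0x100",
     "Properties": "{1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}"},
]

def is_kerberoast_candidate(ev):
    """4769 for a user-style SPN account with RC4 (0x17): the service ticket is
    encrypted under the account's password-derived key and is crackable offline."""
    if ev.get("EventID") != 4769:
        return False
    svc = ev.get("ServiceName", "")
    rc4 = ev.get("TicketEncryptionType", "").lower() == "0x17"
    # Machine accounts (trailing $) and krbtgt have long random keys; skip them.
    return rc4 and not svc.endswith("$") and svc.lower() != "krbtgt"

def is_dcsync_candidate(ev, domain_controllers):
    """4662 carrying a replication right from an actor that is not a known DC."""
    if ev.get("EventID") != 4662:
        return False
    props = ev.get("Properties", "").lower()
    rights = [name for guid, name in REPLICATION_RIGHTS.items() if guid in props]
    return bool(rights) and ev.get("SubjectUserName", "").upper() not in domain_controllers

def triage(events, domain_controllers):
    """Return the service accounts roasted and the non-DC actors replicating."""
    dcs = {d.upper() for d in domain_controllers}
    return {
        "kerberoast": [e["ServiceName"] for e in events if is_kerberoast_candidate(e)],
        "dcsync": [e["SubjectUserName"] for e in events if is_dcsync_candidate(e, dcs)],
    }
```

Feed `triage` the 4769/4662 stream from your SIEM with the set of domain-controller machine accounts, and review every hit: a burst of 0x17 tickets from one source, or replication rights granted to an ordinary user, is the signal this path leaves.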