Releases: Yenn503/AdPack

v0.6.0

01 Jun 19:44

v0.6.0 — Full Pipeline Automation, Cross-Domain Trust Pivot

What's new since v0.5.0

Pipeline automation (Phases 1-10):

  • Impact phase: NTDS.dit extraction, LSASS dump, SYSVOL access, file share enumeration
  • Hybrid Bridge phase: AAD Connect credential extraction, SeamlessSSO silver ticket
  • Cross-domain trust pivot: Kerberos-based LDAP discovery from parent to child domains
  • Automatic phase ordering via state-grounded dependency DAG

Cloud/Entra ID phases (12-16):

  • Teams phishing, device code auth, OAuth consent phishing for initial access
  • Tenant enumeration (users, groups, apps, CAPs)
  • O365 password spraying
  • Cloud privilege escalation analysis
  • Data pillage from mail, SharePoint, and Teams

Cross-domain trust pivot (fixes):

  • impacket-getTGT now passes -dc-ip from state (bypasses WSL2 DNS issues)
  • nxc ldap uses DC IP instead of hostname when Python DNS can't resolve .local domains
  • Python ldap3 uses sasl_credentials for SPN matching while connecting via IP
  • Setup PATH fix so verification steps work immediately after install

Documentation & tooling:

  • AGENTS.md rewritten as proper AI agent instruction file with quick start, config example, troubleshooting
  • README restructured to show 3 independent pipeline tracks (on-prem, cloud, hybrid)
  • WALKTHROUGH.md: complete step-by-step manual guide through all 16 phases
  • Cross-domain trust pivot walkthrough updated with -dc-ip and DNS fallback patterns
  • New demo GIF recorded against DREAD-GOAD light (3 VMs, 2 forests)
  • Track PPLShade.exe + LECOMAx64.sys for pplshade evasion profile

v0.5.0 — Phase ordering fix, code cleanup, demo GIF

29 May 04:49

What's new

  • Phase ordering corrected: credential_acq now does non-privileged spray only; privesc owns SYSTEM → AV kill → LSASS/SAM dump
  • Dead code removed: ~500 lines deleted — removed go-mimikatz, UnDefend, DCSync pipelines
  • Profile renamed: undefendnative (native AV kill via reg + sc + taskkill, no external binary)
  • Credential selection fixed: pickCred scoring (validated + has secret + domain match) instead of last-added
  • Persistence fixed: domain-scoped credential lookup
  • Shell scripts hardened: os.CreateTemp + 0600 perms
  • setup.sh cleaned: removed deprecated donut/gomimikatz/scarecrow installs
  • Demo GIF: adpack-demo.gif embedded in README
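An added illustration (not AdPack's own code) of the os.CreateTemp + 0600 hardening listed above: the first helper drops a script into an unpredictable, owner-only temp file, and the second performs the permission check a hardening review would run afterwards; the function names and the sample script content are assumptions.

```go
package main

import (
	"fmt"
	"log"
	"os"
)

// WritePrivateScript writes script content into a fresh temp file that only the
// owner can read or write. os.CreateTemp opens with O_EXCL and mode 0600 under
// an unpredictable name, so no other local user can pre-create, race or read
// it, which a fixed path such as /tmp/run.sh written with 0644 would allow.
func WritePrivateScript(dir, content string) (string, error) {
	f, err := os.CreateTemp(dir, "script-*.sh")
	if err != nil {
		return "", err
	}
	defer f.Close()
	if _, err := f.WriteString(content); err != nil {
		os.Remove(f.Name())
		return "", err
	}
	// Re-assert 0600 explicitly; Chmod is not subject to umask, so the mode
	// ends up exactly as intended even if the file was created more tightly.
	if err := f.Chmod(0o600); err != nil {
		os.Remove(f.Name())
		return "", err
	}
	return f.Name(), nil
}

// IsOwnerOnly reports whether no group or other permission bits are set, the
// check a hardening review or pre-commit test would run on the dropped file.
func IsOwnerOnly(path string) (bool, error) {
	info, err := os.Stat(path)
	if err != nil {
		return false, err
	}
	return info.Mode().Perm()&0o077 == 0, nil
}

func main() {
	// Constructed sample script, not a script shipped by the project.
	path, err := WritePrivateScript("", "#!/bin/sh\necho constructed sample\n")
	if err != nil {
		log.Fatal(err)
	}
	defer os.Remove(path)
	ok, err := IsOwnerOnly(path)
	fmt.Println(path, ok, err)
}
```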

v0.2.0 — Provider Layer, Identity Normalisation, GPO Fallback Fix

20 May 22:16

Architecture

  • Provider boundary (core/provider.go): Acquisition quarantined behind DirectoryProvider interface. Orchestration never touches stdout/parsing/transport.
  • Provider events + JSONL sink: Every provider call emits structured ProviderEvent (method, transport, duration, entity count, raw stdout/stderr) to a thread-safe sink. Self-contained replay artefacts.
  • Identity normalisation (core/hostref.go, core/identity.go): HostRef{Name,Domain} canonical identity key. ResolveComputerRef/ResolveSessionRef are pure stateless functions collapsing LDAP + SMB observations. Identity drift snapshots emitted per harvest run.

GPO Fallback Fix

  • Replaced broken nxc gpolocal module (removed in nxc v1.5.1) with ldapsearch fallback. Direct LDAP query against CN=Policies,CN=System. GOAD-Light now returns 2 GPOs (Default Domain Policy + Default Domain Controllers Policy) instead of a noisy error dump.

Parser Rewrites

  • Two-stage computer grammar: DOMAIN\COMPUTER$ (qualified) + bare COMPUTER$ via whitespace-delimited tokens — no more $PATH false positives.
  • DC detection: "windows server" / "domain controller" replaces too-broad "server" substring.
  • Session harvest: Regex-based parseSMBSessions with source IP extraction and dedup.
  • All parsing isolated in modules/netexec_parsers.go.
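As an added example (not AdPack's own code) of the two-stage computer grammar above and of the HostRef{Name,Domain} canonical key from the Architecture section, the block below tokenises tool output on whitespace, accepts DOMAIN\COMPUTER$ and bare COMPUTER$ only when the $ ends the whole token (so $PATH and foo$bar never match), deduplicates on the key and collapses a bare observation into its single qualified sibling. The struct fields, the regex, the collapsing rule and the sample text are all assumptions constructed for this illustration.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// HostRef is the canonical key: upper-case Name, lower-case Domain (assumed).
type HostRef struct{ Name, Domain string }

// Group 1 is the optional DOMAIN\ qualifier, group 2 the computer name. The
// anchors are what reject "$PATH" and "foo$bar": '$' must end the whole token.
var computerRe = regexp.MustCompile(`^(?:([A-Za-z0-9.-]+)\\)?([A-Za-z0-9-]+)\$$`)

// parseToken classifies one token; brackets and punctuation around it are stripped.
func parseToken(tok string) (HostRef, bool) {
	m := computerRe.FindStringSubmatch(strings.Trim(tok, "()[]{},;:'\""))
	if m == nil {
		return HostRef{}, false
	}
	return HostRef{strings.ToUpper(m[2]), strings.ToLower(m[1])}, true
}

// ParseComputers deduplicates on the canonical key, then drops a bare name when
// exactly one qualified observation has the same Name (collapsing rule assumed).
func ParseComputers(output string) []HostRef {
	seen, qualified := map[HostRef]bool{}, map[string]int{}
	var refs, out []HostRef
	for _, tok := range strings.Fields(output) {
		if ref, ok := parseToken(tok); ok && !seen[ref] {
			seen[ref] = true
			refs = append(refs, ref)
			if ref.Domain != "" {
				qualified[ref.Name]++
			}
		}
	}
	for _, r := range refs {
		if r.Domain != "" || qualified[r.Name] != 1 {
			out = append(out, r)
		}
	}
	return out
}

// Sample is constructed text, not output captured from any real host.
const Sample = "NORTH\\WINTERFELL$ from 192.168.56.1 castelblack$ (north\\CASTELBLACK$) PATH=$PATH:/opt foo$bar"

func main() { fmt.Println(ParseComputers(Sample)) }
```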

CLI

  • --provider-log flag for autorun/run commands (JSONL event logging).
  • --domain/--user/--password seed credential flags for autorun.

Documentation

  • All 5 docs files aligned with codebase: phase ordering, config examples, tool provenance table, identity/event architecture.
  • docs/CHANGELOG.md added with full release notes.
  • README example output now shows real GOAD-Light run — authentic domains (sevenkingdoms.local), users, cred hashes, ADCS info, drift snapshot.

Other

  • setup.sh: PhantomKiller/MiniPlasma from GitHub releases, BlueHammer VS 2022 instructions, SweetPotato removed.
  • Removed: engine/ package, 6 dead tool stubs, 2 stale test files.
  • 43+ tests passing across all packages, pre-commit hook green.

v0.1.0 -- Initial Release

19 May 04:56

State-aware AD attack orchestration tool. Tracks hosts, users, creds, and sessions in SQLite. Runs through 9 attack phases with smart gap detection and automated next-step suggestions.

Features

  • 9 attack phases: discovery, enumeration, credential_acq, session_harvest, graph_analysis, lateral, validation, privesc, persistence
  • 9 evasion profiles including Nightmare Eclipse techniques (BlueHammer CVE-2026-33825, UnDefend, ColdWer)
  • Persistent SQLite state with crash recovery
  • Smart phase tracking — detects missing data and suggests next steps
  • Multi-protocol credential validation (SMB, LDAP, WinRM, RDP)
  • Async event bus with append-only event store
  • Worker pool for concurrent execution
  • TUI dashboard and CLI mode
  • One-command setup script

Architecture

  • Instance-based dependency injection (no globals)
  • Event-driven orchestration with async EventBus
  • Persistent execution DAG with status tracking
  • Layered package structure: core → tools → engine → storage
  • NetExec for transport, tool wrappers for capabilities