Testing AI-Orchestrated Cyber Attacks in Practice

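A researcher tested the concept of AI-orchestrated cyber attacks in a lab environment, using an AI agent in a "lazy" way, and reached Domain Admin privileges and full control of the entire network within 44 minutes.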

Fraktal

Positive stories about cyber security

Testing AI-Orchestrated Attacks in Practice

After reading Anthropic’s report on disrupting an AI-driven espionage operation, I decided to test the concept in a lab using the dumbest approach possible.

In November 2025, Anthropic published a report documenting what they called “the first reported AI-orchestrated cyber espionage campaign”. The attackers had used Claude Code as an autonomous hacking agent, compromising targets with minimal human intervention. According to Anthropic, the AI performed 80–90% of the campaign work, making thousands of requests while humans only intervened at 4–6 critical decision points.

I wanted to see how this would play out in practice. Not with sophisticated tooling or months of preparation, oh no. Just the obvious, lazy approach: have the AI build everything, then tell it to go. Nation-state espionage operation level this isn’t.

The result? 39 minutes of completely autonomous hacking from a standard user shell to Domain Admin. 5 more minutes to own the entire forest.

Disclaimer: This was done purely for research purposes. We conduct purple and red teaming engagements with the highest quality standards, and are not planning to let this thing loose in our client environments :)

The Lab: GOAD

GOAD (Game of Active Directory) is a purposefully vulnerable Active Directory lab designed for practicing attack techniques. It simulates a realistic multi-domain forest environment with:

For this test, I used the default GOAD configuration with the NORTH domain and forest trusts in place.

The Tooling: A Vibe Coded Metasploit MCP Server

The Anthropic report mentioned attackers used the Model Context Protocol (MCP) to give Claude access to security tools. I took the laziest possible approach. I simply prompted Claude Code to: “create mcp server for metasploit”

Ten minutes later, I had a working MCP server. Claude Code wrote it, told me how to install it, and explained how to use it. I didn’t write a single line of code. The full code and results are available at github.com/fraktalcyber/msftool.

The server does two things:

That second part turned out to be crucial. By storing command history and results, Claude could reference what it had already tried, avoid repeating failed approaches, and build on successful enumeration. It essentially gave the AI memory across the engagement.

The Attack Plan

Here’s where it gets interesting. I didn’t write the attack plan either. Instead, I had Claude Code write it. I prompted Claude Code to generate an ad-attack-methodology.md based on:

What came back was a comprehensive methodology covering:

You can read the full AI-generated attack plan here: ad-attack-methodology.md

The System Prompt

I also had Claude Code generate the system prompt. It framed Claude as a penetration tester conducting an authorized assessment:

No jailbreaking required: this is legitimate security testing in a lab environment. The full system prompt is available here: CLAUDE.md

What I Actually Did

To recap, my total contribution:

That’s it. The AI wrote its own tooling. The AI wrote its own playbook. The AI wrote its own instructions. Then the AI executed the attack.

Phase 1: User to Domain Admin

I started Claude with an initial Meterpreter session as jon.snow on SRV02 in the NORTH domain. A regular domain user, no special privileges. Then I let it run. After 39 minutes, Claude reported that the objective had been achieved.

What happened in those 39 minutes? Claude:

The path wasn’t linear. Claude hit dead ends, adapted based on what it found, and eventually chained together discovered misconfigurations into a working privilege escalation path. I watched the logs scroll by but didn’t intervene. Claude made decisions, failed, backtracked, and kept pushing until domain admin.

By The Numbers

During phase 1, Claude executed 321 commands: 279 (87%) succeeded and 42 (13%) failed. The 13% failure rate isn’t a bug; it’s the adaptive approach in action: try a technique, observe the failure, pivot based on the results.

The complete engagement log with all 321 commands is available here: GOAD-Full-Engagement-Log.md

Phase 2: Forest Dominance

At this point I realized that the scope I gave the agent was too narrow. Even though Claude figured out the forest structure early on, it was tasked only with getting domain admin, and it stopped hacking once it succeeded.

So I gave Claude a new objective: “You now have Domain Admin in NORTH. Compromise the forest root domain.” After another 5 minutes of work, Claude reported this objective achieved. This phase was a textbook Golden Ticket with ExtraSIDs attack:

Claude executed this without hesitation. The attack plan included this technique, and once it had the krbtgt hash from NORTH, the path was clear.

What This Means

Let’s be clear about what this is and isn’t. This was a simple proof of concept. A vulnerable lab, noisy techniques, no evasion. In a real environment with competent defenders, this would light up every SIEM and EDR like a Christmas tree. DCSync from a workstation? Constrained delegation abuse? Golden Tickets? These generate alerts. The 39-minute timeline assumes nobody’s watching. But that’s not the point.
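The "DCSync from a workstation" alert mentioned above can be sketched as follows. This is an added example, not code from the original article or the msftool repository. It assumes Directory Service Access auditing is enabled so that event 4662 is logged, and that events arrive as dictionaries keyed by the Windows event field names; the accounts, addresses and the `find_dcsync` helper are constructed for illustration.

```python
# Replication control-access rights that a DCSync request exercises.
REPL_RIGHTS = {
    "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Get-Changes",
    "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Get-Changes-All",
    "89e95b76-444d-4c62-991a-0facbeda640c": "DS-Replication-Get-Changes-In-Filtered-Set",
}

def find_dcsync(events, dc_accounts, dc_ips):
    """Return alerts for replication requests not made by a DC from a DC address."""
    # 4624 logon events give the source address of each logon session.
    logon_src = {e["TargetLogonId"]: e["IpAddress"]
                 for e in events if e["EventID"] == 4624}
    alerts = []
    for e in events:
        if e["EventID"] != 4662:
            continue
        props = e.get("Properties", "").lower()
        rights = sorted(n for g, n in REPL_RIGHTS.items() if g in props)
        if not rights:
            continue  # directory access that is not replication
        user = e["SubjectUserName"]
        src = logon_src.get(e["SubjectLogonId"], "unknown")
        if user.lower() in dc_accounts and src in dc_ips:
            continue  # normal DC-to-DC replication
        alerts.append({"user": user, "source": src, "rights": rights})
    return alerts

# Constructed sample events (field names follow Windows Security events
# 4624 and 4662; accounts and addresses are made up for this example).
DC_ACCOUNTS = {"dc01$"}
DC_IPS = {"192.0.2.10"}
GET_CHANGES = "{1131f6aa-9c07-11d1-f79f-00c04fc2dcd2}"
GET_CHANGES_ALL = "{1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}"
SAMPLE_EVENTS = [
    {"EventID": 4624, "TargetLogonId": "0x1a2b", "IpAddress": "192.0.2.10"},
    {"EventID": 4624, "TargetLogonId": "0x3c4d", "IpAddress": "192.0.2.55"},
    {"EventID": 4662, "SubjectUserName": "DC01$", "SubjectLogonId": "0x1a2b",
     "Properties": GET_CHANGES + " " + GET_CHANGES_ALL},
    {"EventID": 4662, "SubjectUserName": "svc.sync", "SubjectLogonId": "0x3c4d",
     "Properties": GET_CHANGES + " " + GET_CHANGES_ALL},
    # Same session touching a property that is not a replication right.
    {"EventID": 4662, "SubjectUserName": "helpdesk1", "SubjectLogonId": "0x3c4d",
     "Properties": "{bf967aba-0de6-11d0-a285-00aa003049e2}"},
]

if __name__ == "__main__":
    for alert in find_dcsync(SAMPLE_EVENTS, DC_ACCOUNTS, DC_IPS):
        print(alert)
```
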

What matters is that AI agents can dramatically boost offensive effectiveness. I spent my morning on this. I didn’t write code. I didn’t study the GOAD documentation. I prompted an AI to build tooling, generate methodology, and execute an attack, and it worked.

Imagine what happens with actual R&D effort:

This PoC was the “dumbest approach possible.” It still achieved domain admin in 39 minutes autonomously. With investment, AI-driven attacks will get quieter, faster, and harder to attribute.

For organizations: The threat isn’t today’s noisy PoC. It’s next year’s refined version that your SOC won’t see coming. The barrier to developing sophisticated attack capabilities just dropped significantly. Assume your adversaries are exploring this.

“But GOAD Is In The Training Data”

A reasonable objection: Claude probably has loads of GOAD writeups in its training data. Is it just remembering solutions rather than actually reasoning through the attack? I watched Claude’s chain-of-thought during execution. Here’s what I observed:

Password in Description Field: Runtime Discovery

Claude was enumerating users and happened to find a password in the description field. This wasn’t “I know from GOAD docs that samwell.tarly has his password in the comment field.” This was methodical enumeration that discovered a common misconfiguration.

Target Selection Through Failure and Adaptation

Claude didn’t “know” to use eddard.stark. It enumerated Domain Admins, tried administrator first, failed, then selected the other DA from its earlier enumeration. That’s adaptive reasoning, not memorized solutions.

Constrained Delegation — LDAP Discovery

Claude discovered jon.snow’s delegation rights through an LDAP query for accounts with constrained delegation configured. It didn’t know this in advance. Instead, it queried for a common misconfiguration and found one.
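Both misconfigurations described above, a password left in a description field and an account with constrained delegation configured, can be found by defenders before an attacker enumerates them. The following audit is an added example, not code from the original article; it assumes the directory has been exported offline to a list of attribute dictionaries, and the sample accounts, hostnames and the `audit` helper are constructed for illustration.

```python
import re

# userAccountControl flag: TRUSTED_TO_AUTH_FOR_DELEGATION (protocol transition).
UAC_TRUSTED_TO_AUTH_FOR_DELEGATION = 0x1000000

# "password: xyz" style notes; the separator is required to limit false positives.
KEYWORD_RE = re.compile(r"(?i)\b(pass(word|wd)?|pwd)\b\s*[:=]\s*\S+")
CHAR_CLASSES = [r"[a-z]", r"[A-Z]", r"\d", r"[^A-Za-z0-9]"]

def looks_like_secret(token):
    """Heuristic (an assumption to tune): >= 8 chars mixing 3+ character classes."""
    token = token.strip("()[]{},.;:\"'")
    return len(token) >= 8 and sum(bool(re.search(c, token)) for c in CHAR_CLASSES) >= 3

def audit_account(entry):
    findings = []
    desc = entry.get("description", "")
    if KEYWORD_RE.search(desc) or any(looks_like_secret(t) for t in desc.split()):
        findings.append("possible-password-in-description")
    targets = entry.get("msDS-AllowedToDelegateTo", [])
    if targets:
        uac = int(entry.get("userAccountControl", 0))
        kind = ("with-protocol-transition"
                if uac & UAC_TRUSTED_TO_AUTH_FOR_DELEGATION else "kerberos-only")
        findings.append(f"constrained-delegation-{kind}:{','.join(targets)}")
    return findings

def audit(entries):
    """Map sAMAccountName -> findings, omitting accounts with none."""
    report = {}
    for entry in entries:
        findings = audit_account(entry)
        if findings:
            report[entry["sAMAccountName"]] = findings
    return report

# Constructed sample export; no value here comes from GOAD or a real directory.
SAMPLE = [
    {"sAMAccountName": "svc.backup", "userAccountControl": 512,
     "description": "Backup service (Password : Wint3r!sComing)"},
    {"sAMAccountName": "t.user", "userAccountControl": 512,
     "description": "temp Summer2025!x until onboarding"},
    {"sAMAccountName": "app.web", "userAccountControl": 512 | 0x1000000,
     "description": "Web front end",
     "msDS-AllowedToDelegateTo": ["CIFS/dc01.example.test"]},
    {"sAMAccountName": "j.doe", "userAccountControl": 512,
     "description": "Finance, 3rd floor"},
]

if __name__ == "__main__":
    for account, findings in audit(SAMPLE).items():
        print(account, findings)
```
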

The Pattern

In each case, Claude was:

This is exactly how a human pentester operates: apply methodology, enumerate, adapt. The techniques are universal; the specific path through the environment is discovered, not remembered.

The real point: Even if we grant some familiarity with GOAD, the capability transfers. Claude can take generic AD methodology, apply it through autonomous enumeration, handle failures, and chain techniques together. That works on any AD environment with similar misconfigurations, not just labs it might have seen in training.

For Defenders

If you’re responsible for defending enterprise infrastructure:

Resources

Published in Fraktal

Written by Tuomo Makkonen

Cyber security specialist at Fraktal Ltd. Based in Helsinki, Finland.
