AI-Powered Active Directory Attack Agent
59 tools · 139 techniques · Autonomous kill-chain execution · Ollama + Claude · MCP server
Authorized use only. Do not run this tool against systems without explicit written permission. This tool automates offensive AD techniques that can cause account lockouts, service disruption, or domain compromise.
AdAgent is a standalone autonomous agent that chains Active Directory offensive techniques automatically using an AI backend (Ollama or Claude). It drives the full kill chain — from initial enumeration through domain compromise — without manual intervention, while tracking evidence, adapting to dead paths, and producing structured pentest reports.
It runs in three modes:
| Mode | Brain | Cost | How |
|---|---|---|---|
| Ollama | local model | free, offline | ./run.sh → backend [1] |
| Claude | Anthropic API | your API key | ./run.sh → backend [2] |
| MCP server ⭐ | your Claude Code / Cursor / Claude Desktop | no API key, no local model | register mcp_server.py |
No
ANTHROPIC_API_KEY. No Ollama. No local model. AdAgent exposes all 53 tools (the 52 attack tools +set_engagement) over the Model Context Protocol. A host that already has an LLM — Claude Code, Cursor, Claude Desktop — becomes the brain and funds the reasoning from its own subscription. The host decides which tool to call; AdAgent is the toolbox.
The repo ships a ready .mcp.json, so from the project folder it's one approval:
cd AdAgent
claude # launches Claude Code; approve the "adagent" server on first run
# …or register globally from anywhere:
claude mcp add adagent -- /path/to/AdAgent/venv/bin/python3 /path/to/AdAgent/mcp_server.pyThen set the engagement once and let the host drive the kill chain:
set_engagement: dc_ip 10.0.0.1, domain corp.local, username alice, password …"run nmap, enumerate LDAP, collect BloodHound, and find the shortest path to Domain Admin."
AdAgent injects the target + credentials into every later call, so the model never repeats the password and can't target the wrong host. Credentials and reasoning never leave your host.
📖 Full setup (Claude Code · Cursor · Claude Desktop), tool map, and usage: docs/mcp.md
The main menu shows a live dashboard with target, auth mode, attacker IP, findings severity breakdown, and session stats — all updated in real time. Green dots indicate ready state; menu items show READY or SESSION REQUIRED based on current configuration.
git clone https://github.com/capture0x/AdAgent.git
cd AdAgent
chmod +x install.sh run.sh
./install.sh
cp .env.example .env
nano .env # set DC_IP, DOMAIN, USERNAME, PASSWORD
./run.sh
Ollama (local, free — recommended):
ollama pull qwen2.5-coder:7b
ollama serveClaude API:
# Add to .env:
ANTHROPIC_API_KEY=sk-ant-..../run.sh # interactive menu
./run.sh --agent # launch agent directly (skip menu)
./run.sh --session path/to/session.json
./run.sh --no-bannerSkip the interactive menus entirely — pass all settings as flags and the agent starts immediately.
chmod +x adcli.sh run.sh./run.sh --dc 10.10.10.10 --domain corp.local --user john --pass Password123 \
--attacker 10.10.14.5 --opsec normal./run.sh --dc 10.10.10.10 --domain corp.local --user administrator \
--hash aad3b435b51404eeaad3b435b51404ee:abc123def456... \
--backend claude --model sonnet --opsec loud./run.sh --dc 10.10.10.10 --domain corp.local --user john \
--ccache /tmp/john.ccache --opsec stealth./run.sh --dc 10.10.10.10 --domain corp.local --opsec normal./run.sh --dc 10.10.10.10 --domain corp.local --user john \
--pass Password123 --mode plan| Flag | Description | Default |
|---|---|---|
--dc |
Domain Controller IP | required |
--domain |
AD domain (e.g. corp.local) |
required |
--user |
Username (omit for NULL session) | — |
--pass |
Plaintext password | — |
--hash |
NT hash (LM:NT or just NT) |
— |
--ccache |
Kerberos ccache file path | — |
--attacker |
Your listener / attacker IP | — |
--engagement |
Engagement name for reports | — |
--backend |
ollama or claude |
ollama |
--model |
Model name or alias (opus/sonnet/haiku for Claude) |
auto |
--api-key |
Anthropic API key (or set ANTHROPIC_API_KEY env var) |
— |
--opsec |
loud · normal · stealth |
normal |
--mode |
auto = full run · plan = text plan only |
auto |
--rounds |
Override max agent rounds | built-in limit |
--yes |
Skip 5-second confirmation countdown | — |
--no-banner |
Suppress ASCII banner | — |
Routing:
./run.shauto-detects CLI mode when--dcor--domainis present and routes tocli/adcli.py. Without those flags it opens the interactive menu as usual.
AdAgent/
├── adcli.sh ← standalone CLI launcher (alternative to run.sh)
└── cli/
├── adcli.py ← entry point
├── args.py ← argument parser
├── display.py ← banner, profile table, countdown
└── runner.py ← session injection + agent launch
Session Manager displays the current target, auth mode, and engagement name. Provides five options: Configure, Show, Save, Load, and Clear credentials.
Clean setup flow: choose AI backend (Ollama recommended / Claude API), enter target credentials (auto-filled from session), pick a tool-calling model, select run mode (Full Auto or Plan Only), and configure OPSEC level (Loud / Normal / Stealth). A launch summary bar confirms all settings before the agent starts.
The agent executes tools round by round, displaying inputs, commands, and results in real time. Color-coded output: green for success/findings, violet for errors, yellow for warnings. Each round is logged to a live Markdown report.
After enumeration, the chain_planner tool ranks discovered attack vectors by confidence and generates ready-to-run command sequences for each path — Kerberoast, ACL abuse, gMSA takeover, ADCS ESC, and more.
At mission end the agent displays a structured summary: rounds completed, findings by severity, owned users and hosts, captured hashes, and paths to all generated reports (HTML, Markdown, JSON, ATT&CK Navigator).
The professional HTML report opens with an executive summary: stat cards for each severity level, total findings, owned users/hosts, and commands run. Below is an auto-generated narrative paragraph. The MITRE ATT&CK® Coverage section maps every finding to the enterprise framework, highlighting which tactics were observed.
Each finding card shows severity badge, CVSS v3.1 score and vector, MITRE ATT&CK technique IDs (clickable links to attack.mitre.org), description, recommendation, and timestamp. The report also includes compromised assets, attack timeline, and an ATT&CK Navigator layer JSON.
| 59 Agent Tools | Full kill chain: recon → enum → creds → privesc → lateral → DA |
| 139 SAST Techniques | 22 YAML categories injected into AI system prompt |
| AI Backends | Ollama (local/free) · Anthropic Claude (API) |
| Auth Modes | Password · NT Hash (PTH) · Kerberos ccache |
| OPSEC Modes | loud · normal · stealth |
| Dead-Path Tracking | Per-principal loop prevention |
| Auto-Reporting | Live Markdown + HTML + JSON + ATT&CK Navigator |
| MITRE ATT&CK | CVSS v3.1 scoring, technique enrichment, tactic coverage map |
Reconnaissance & Discovery
| Tool | Description |
|---|---|
nmap_scan |
Port scan, OS, domain, clock skew |
kerbrute_enum |
Username enumeration over Kerberos |
no_cred_surface_recon |
LDAP rootDSE, SMB null/guest, HTTP/ADCS/WSUS surface |
rediscover_target |
Re-run LDAP/NXC/nmap discovery mid-engagement |
Enumeration
| Tool | Description |
|---|---|
enumerate_ldap |
Users, groups, GPOs, trusts, SPNs, LAPS, delegation |
enumerate_shares |
SMB shares, SYSVOL, GPP password files |
collect_bloodhound |
BloodHound data collection with fallbacks |
query_bloodhound_paths |
Neo4j shortest path queries |
user_hunt |
Session hunting, PSRemoting checks |
Credential Attacks
| Tool | Description |
|---|---|
asrep_roast |
AS-REP roastable account hashes |
kerberoast |
SPN account roasting |
targeted_kerberoast |
Targeted SPN abuse via writable account |
password_spray |
Credential spraying with jitter |
timeroast |
MS-SNTP NTP hash extraction (no creds) |
pre2k_attack |
Pre-Windows 2000 default password abuse |
Privilege Escalation
| Tool | Description |
|---|---|
adcs_scan |
ADCS ESC1–ESC13 enumeration and exploitation |
shadow_credentials_attack |
msDS-KeyCredentialLink injection |
acl_abuse_scan |
GenericWrite/WriteDACL/ForceChangePassword edges |
force_change_password_pivot |
Reset user via ForceChangePassword ACE |
rbcd_attack |
RBCD full chain |
unconstrained_delegation |
TGT capture via coercion |
local_privesc_chain |
Potato, AlwaysInstallElevated, unquoted paths |
jea_enum |
JEA endpoints, PSReadLine history |
windows_privesc_recon |
Post-shell local escalation recon |
Lateral Movement & Shell
| Tool | Description |
|---|---|
evil_winrm |
WinRM shell (password / hash / Kerberos) |
discover_winrm_access |
Find WinRM-accessible hosts |
lateral_movement |
WMI / WinRM / PSExec-style execution |
mssql_abuse |
xp_cmdshell, linked server RCE |
logon_script_abuse |
Writable scriptPath abuse |
Credential Access
| Tool | Description |
|---|---|
dcsync_attack |
Full domain hash dump |
credential_dump |
Remote LSASS / SAM / NTDS |
credential_loot |
Post-exploitation credential hunting |
laps_read |
LAPS local admin password |
shadow_copies_dump |
VSS-based NTDS.dit and SAM extraction |
auto_loot_chain |
Shares → parse creds → test → pivot |
gMSA · Certificates · Kerberos
| Tool | Description |
|---|---|
gmsa_read |
Read gMSA managed password |
gmsa_takeover |
Modify msDS-GroupMSAMembership → dump hash |
bloodyad |
Generic LDAP object operations |
pass_the_cert |
PKINIT → NT hash |
golden_ticket |
Forge TGT using krbtgt hash |
silver_ticket |
Forge TGS using service account hash |
request_tgt |
Obtain Kerberos TGT |
Cloud / Hybrid / ADFS / SCCM / WSUS
| Tool | Description |
|---|---|
adfs_attack |
DKM cert, Golden SAML, MSOL DCSync |
sccm_abuse |
NAA credentials, client push relay |
wsus_attack |
HTTP vuln check, pywsus injection |
trust_attack |
Trust key, SID history, cross-domain |
trust_chain_planner |
ExtraSID plan, cross-forest Kerberoast |
gpo_abuse |
GPO create / link / exec / hijack |
adidns_abuse |
DNS wildcard, WPAD, record injection |
rodc_attack |
RODC PRP, Key List, RODC Golden Ticket |
coercion_attack |
PrinterBug / PetitPotam / Coercer |
OPSEC & Utility
| Tool | Description |
|---|---|
opsec_check |
EDR/AV/Sysmon/MDI/LAPS detection |
c2_stage |
Sliver / Havoc / MSF payload + delivery |
test_credential |
Test creds across SMB/LDAP/WinRM |
update_session |
Persist discovered intel |
chain_planner |
Rank attack chains from evidence |
generate_report |
HTML · Markdown · JSON · ATT&CK Navigator |
agent_complete |
End mission with summary |
DC_IP=10.10.10.10
DOMAIN=corp.local
USERNAME=john.doe
PASSWORD=Password123
# NT_HASH=aad3b435b51404ee... (alternative to PASSWORD)
ATTACKER_IP=10.10.14.5
ENGAGEMENT_NAME=Corp-Pentest-2026
ANTHROPIC_API_KEY= # leave blank for Ollama
ADSTRIKE_OPSEC=normal # loud | normal | stealthoutput/
├── session.json ← persistent session state
├── agent_logs/
│ ├── agent_<ts>.md ← live Markdown round-by-round report
│ └── agent_<ts>.json ← JSON conversation log
└── reports/
├── adagent_report_<ts>.html ← full HTML pentest report
├── adagent_report_<ts>.md ← Markdown report
├── adagent_report_<ts>.json ← JSON findings export
└── adagent_report_<ts>_navigator.json ← ATT&CK Navigator layer
# System tools
sudo apt install -y impacket-scripts nxc evil-winrm bloodhound-python \
certipy-ad ldap-utils krb5-user nmap responder coercer seclists
# Python packages
pip install -r requirements.txt
# Optional
pip install bloodyad lsassy dploot roadtx roadrecon sccmhunter pywsus- Operator guide:
docs/ADAGENT_GUIDE.md— session model, all 59 tools, SAST knowledge base, decision engine priority ladder, gMSA/ADCS/BloodHound/ADFS/WSUS/Trust workflows, loop guards, troubleshooting, development guidelines, and operator checklist. - MCP server:
docs/mcp.md— run AdAgent as a tool server inside Claude Code / Cursor / Claude Desktop with no API key and no local model (register, set the engagement, the 53-tool map, usage).
AdAgent is the agent-only extraction of AdStrike — the full 56-module interactive AD attack framework.
| AdAgent | AdStrike | |
|---|---|---|
| AI Agent | ✅ Full (59 tools) | ✅ Full |
| MCP server (Claude Code / Cursor) | ✅ 53 tools, no API key | ✅ |
| Interactive Modules | ❌ | ✅ 56 modules |
| Best for | Autonomous runs | Manual + AI hybrid |
AdAgent is intended exclusively for authorised security testing, red team engagements, and educational lab use. The authors accept no responsibility for misuse. Always obtain written permission before testing any system you do not own.
Password spraying can lock accounts. DCSync, DCShadow, ADCS exploitation, and coercion attacks are high-impact — use only with explicit scope approval.
Creator: tmrswrr ·
GitHub: capture0x ·
Contact: tmrswrr -at- gmail.com
Framework: AdStrike v5.0 «AdStrike» ·
License: MIT