# Internal Assessment Destructive Actions

Internal Assessment can simulate real adversary activity inside Active Directory and connected hosts. Some exploit categories only validate exposure or collect evidence. Others can change account state, directory permissions, certificate services, delegation settings, host configuration, or credential material.

Pentest Copilot highlights these selections in the final configuration review. The product warning is intentionally short so operators can make a fast decision before launching the assessment. This page explains the impact behind those warnings in plain language.

## Before enabling high-impact exploit categories

Before running an internal assessment with destructive or hard-to-revert categories enabled:

* Confirm the engagement allows active exploitation, not only enumeration.
* Confirm who owns rollback for Active Directory, certificate services, GPOs, delegation settings, and endpoint cleanup.
* Snapshot lab or staging domains where possible.
* Keep domain controller recovery procedures ready before enabling domain controller authentication-bypass testing.
* Plan credential rotation for any password, hash, Kerberos ticket, trust key, KRBTGT material, or LAPS password recovered during the run.
* Disable any exploit category that is outside the approved engagement scope.

## Critical Active Directory and certificate-service changes

These categories can directly change Active Directory, Active Directory Certificate Services, or domain controller state.

### ACL Privilege Escalation

This category abuses dangerous permissions that a user or group has over another Active Directory object. Examples include rights to reset a password, add a member to a group, write to an object, change object ownership, or modify object permissions.

**What Pentest Copilot may do**

* Reset an AD user's password to prove the account can be taken over.
* Add a user or computer to an AD group when group-control permissions allow it.
* Grant additional control over an AD object by changing its permissions.
* Change the owner of an AD object and then use that ownership to gain more control.
* Add certificate or key-based logon material to an account to recover credential material.
* Abuse GPO control to create a local administrator account on affected machines.
* Read LAPS-managed local administrator passwords if the discovered permissions allow it.

**What can remain changed**

* User passwords.
* Group membership.
* Object permissions and owners.
* GPO-controlled local administrator changes.
* Certificate or key-based account login material.
* Recovered local administrator credentials.

**Cleanup expectations**

* Restore changed passwords.
* Remove added group members.
* Revert object owner and permission changes.
* Remove GPO artifacts and any local administrator accounts created through GPO abuse.
* Review affected accounts for unexpected certificate or key-based login material.
* Rotate any recovered credentials or LAPS passwords.

### Resource-Based Constrained Delegation

This category abuses delegation settings that allow one computer account to impersonate users to another computer. In practice, this can let an attacker act as an administrator to a target host.

**What Pentest Copilot may do**

* Create a controlled computer account in Active Directory.
* Change the target computer's delegation configuration so the controlled account can impersonate users to that target.
* Request Kerberos tickets through the new delegation path.
* Use those tickets for follow-on access to the target system.

**What can remain changed**

* A newly created computer account.
* Delegation settings on the target computer object.
* Kerberos tickets or credential material generated through the delegation path.

**Cleanup expectations**

* Delete the controlled computer account created during the assessment.
* Clear the target computer's resource-based delegation setting.
* Review ticket use from the delegated identity.

### Domain Controller Authentication Bypass

This category validates high-impact domain controller authentication-bypass conditions, such as ZeroLogon-style abuse. A successful exploit can take over a domain controller and expose domain credential material.

**What Pentest Copilot may do**

* Attempt the authentication bypass against a domain controller.
* Reset the domain controller machine-account password as part of the takeover path.
* Collect password hashes or other credential material from the domain controller after takeover.

**What can remain changed**

* The domain controller machine-account password.
* Domain credential material exposed during collection.
* Domain controller health if the machine-account password is not restored correctly.

**Cleanup expectations**

* Restore the domain controller machine-account password immediately.
* Verify domain controller health, trust, replication, and authentication behavior.
* Treat any recovered domain credential material as compromised.

### ADCS Certificate Abuse

This category abuses unsafe Active Directory Certificate Services configuration. Certificate abuse can allow privileged impersonation even when the original password is unknown.

**What Pentest Copilot may do**

* Request certificates that allow impersonation of privileged users.
* Forge or use certificates to recover credential material.
* Temporarily change a certificate template when the attack path requires it.
* Modify certificate authority permissions or enable a dangerous template when the attack path requires it.
* Change account attributes or certificate login material for certificate-based impersonation.
* Relay authentication to certificate enrollment services.
* Access certificate authority material when administrative access to the certificate authority is available.

**What can remain changed**

* Certificate template permissions or settings.
* Certificate authority officer or enrollment settings.
* Issued or failed certificate requests.
* Account attributes used for certificate mapping.
* Certificate or private-key artifacts created during exploitation.
* Credential material recovered through certificate authentication.

**Cleanup expectations**

* Review and revert certificate authority permission changes.
* Review enabled templates and template permissions.
* Review issued and failed certificate requests.
* Remove unintended account attribute or certificate-mapping changes.
* Revoke certificates where appropriate.
* Rotate credentials recovered through certificate authentication.

## High-impact host, credential, and ticket actions

These categories may not always write directly to Active Directory, but they can deploy implants, extract reusable credentials, forge tickets, or move laterally.

### Remote Code Execution

This category uses valid access or a confirmed vulnerability to run commands on a reachable host.

**What Pentest Copilot may do**

* Run commands over Windows or Linux administration protocols.
* Run commands through a database server when database-level command execution is available.
* Deploy and start a callback agent or implant.
* Mark the host as compromised and run follow-on post-compromise checks.
* Enable operating-system command execution through a database feature when that is part of the path.

**What can remain changed**

* Dropped payloads, callback agents, services, scheduled tasks, or temporary files.
* Host configuration changed to enable command execution.
* Logs and security telemetry generated by command execution.

**Cleanup expectations**

* Remove deployed agents, services, scheduled tasks, and temporary payloads.
* Disable database command-execution features if they were enabled.
* Review host logs and endpoint state.

### Local Privilege Escalation

This category attempts to turn an already reached account into a more privileged account on the same host.

**What Pentest Copilot may do**

* Run local privilege-escalation techniques on a reached host.
* Start an elevated callback agent if exploitation succeeds.
* Continue post-compromise collection from the elevated context.

**What can remain changed**

* Elevated callback artifacts.
* Temporary exploit files or process artifacts.
* Host logs and security telemetry.

**Cleanup expectations**

* Remove elevated callback artifacts.
* Validate the host state after exploitation.
* Patch or mitigate the local escalation condition.

### Credential Exposure and Reuse

This category uses discovered passwords, hashes, or tickets to prove what access they provide.

**What Pentest Copilot may do**

* Authenticate with discovered passwords, hashes, or Kerberos tickets.
* Crack exposed Kerberos material when roasting paths produce hashes.
* Use credentialed access for remote execution when the target allows it.
* Continue post-compromise collection on newly reached hosts.

**What can remain changed**

* Reusable credential material in assessment artifacts.
* Callback artifacts created by follow-on remote execution.
* Authentication logs across affected services and hosts.

**Cleanup expectations**

* Rotate exposed passwords and hashes.
* Invalidate or expire exposed Kerberos tickets where possible.
* Remove callback artifacts created through follow-on remote execution.

### Domain Trust Abuse

This category abuses trust relationships between Active Directory domains. A successful path can enable cross-domain access.

**What Pentest Copilot may do**

* Extract trust material from a domain.
* Create tickets that cross a domain trust boundary.
* Use trusted-domain access for follow-on actions.

**What can remain changed**

* Trust keys or other trust material exposed in assessment artifacts.
* Reusable Kerberos tickets.
* Cross-domain authentication traces.

**Cleanup expectations**

* Treat extracted trust material as compromised.
* Rotate trust material according to domain recovery procedures.
* Review cross-domain ticket use.

### Golden Ticket Forging

This category uses domain Kerberos signing material to create a forged domain ticket.

**What Pentest Copilot may do**

* Use KRBTGT hash material and the domain SID to forge an administrator ticket.
* Store the forged ticket for pass-the-ticket follow-on actions.

**What can remain changed**

* Reusable forged ticket material.
* Domain-wide Kerberos exposure until the underlying KRBTGT material is rotated.

**Cleanup expectations**

* Rotate KRBTGT according to the organization's domain recovery procedure.
* Review Kerberos logs for forged ticket use.

### Constrained Delegation Abuse

This category abuses constrained delegation configuration to impersonate users to specific services.

**What Pentest Copilot may do**

* Request or extract service tickets for impersonation.
* Use delegated access to act as a privileged user to a target service.
* Store ticket material for follow-on actions.

**What can remain changed**

* Reusable service ticket material in assessment artifacts.
* Authentication traces from impersonated access.

**Cleanup expectations**

* Invalidate exposed tickets where possible.
* Review delegated service account usage.
* Tighten constrained delegation configuration if it is overly broad.

### Unconstrained Delegation Ticket Theft

This category targets hosts configured with unconstrained delegation. Such hosts can hold delegated Kerberos tickets in memory.

**What Pentest Copilot may do**

* Trigger authentication to a delegated host.
* Dump Kerberos tickets from memory on that host.
* Store captured tickets for pass-the-ticket follow-on actions.

**What can remain changed**

* Captured Kerberos ticket material.
* Temporary ticket dump files or archives.
* Authentication traces from coercion and ticket use.

**Cleanup expectations**

* Invalidate exposed tickets where possible.
* Remove temporary ticket dump artifacts from the host.
* Review and reduce unconstrained delegation assignments.
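The following PowerShell is an added example, not part of the Pentest Copilot documentation, covering two of the cleanup items above: the resource-based constrained delegation cleanup (clear the target's delegation setting, delete the controlled computer account) and the unconstrained delegation review. It assumes the RSAT ActiveDirectory module is installed and that the operator supplies the target and controlled account names recorded during the run; the sample names in the comments are constructed.

```powershell
# Added example, not from the Pentest Copilot documentation. Assumes the RSAT
# ActiveDirectory module and an account allowed to read and clear delegation
# attributes. $TargetComputer / $ControlledAccount are operator-supplied names.
Import-Module ActiveDirectory

function Test-RbcdCleanup {
    param(
        [Parameter(Mandatory)] [string] $TargetComputer,    # constructed sample: 'FILESRV01'
        [Parameter(Mandatory)] [string] $ControlledAccount, # constructed sample: 'PC-TMP01$'
        [switch] $Fix                                       # clear/remove instead of only reporting
    )
    $target = Get-ADComputer -Identity $TargetComputer -Properties `
        'msDS-AllowedToActOnBehalfOfOtherIdentity', 'PrincipalsAllowedToDelegateToAccount'

    # msDS-AllowedToActOnBehalfOfOtherIdentity is a security descriptor; after
    # cleanup it must be empty, otherwise the delegation path still exists.
    $trusted = $target.PrincipalsAllowedToDelegateToAccount
    if ($target.'msDS-AllowedToActOnBehalfOfOtherIdentity') {
        Write-Warning "$TargetComputer still allows delegation from: $($trusted -join ', ')"
        if ($Fix) {
            Set-ADComputer -Identity $TargetComputer -Clear 'msDS-AllowedToActOnBehalfOfOtherIdentity'
        }
    }

    # The controlled computer account created during the assessment must be gone.
    $leftover = Get-ADComputer -LDAPFilter "(sAMAccountName=$ControlledAccount)"
    if ($leftover) {
        Write-Warning "Controlled computer account $ControlledAccount still exists."
        if ($Fix) { Remove-ADComputer -Identity $leftover -Confirm:$false }
    }
}

function Get-UnconstrainedDelegationHosts {
    # Domain controllers are trusted for delegation by design; every other
    # host on this list can hold delegated tickets in memory and should be reviewed.
    $dcDns = (Get-ADDomainController -Filter *).ComputerObjectDN
    Get-ADComputer -Filter { TrustedForDelegation -eq $true } |
        Where-Object { $dcDns -notcontains $_.DistinguishedName } |
        Select-Object Name, DistinguishedName
}

# Usage (names are constructed samples):
# Test-RbcdCleanup -TargetComputer 'FILESRV01' -ControlledAccount 'PC-TMP01$' -Fix
# Get-UnconstrainedDelegationHosts
```

Run without `-Fix` first to see what the assessment left behind, then rerun with `-Fix` once the rollback owner from the checklist above has approved the change.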

### Lateral Movement

This category uses confirmed access to move from one internal system to another.

**What Pentest Copilot may do**

* Authenticate to additional reachable hosts.
* Run remote execution or database command-execution paths on services with supported execution methods.
* Expand post-compromise collection to newly reached systems.

**What can remain changed**

* Callback agents, temporary payloads, or service changes on reached hosts.
* Authentication and execution logs across multiple systems.
* Reusable credentials or tickets created during the movement path.

**Cleanup expectations**

* Review all reached hosts for callback artifacts.
* Rotate credentials used for movement.
* Validate host compromise state and service changes.

## Sensitive collection paths

These categories are less likely to modify Active Directory objects, but they can collect sensitive data that requires careful handling after the assessment.

### Credential Disclosure

This category collects or cracks credential material that was exposed by another finding.

**What Pentest Copilot may do**

* Crack or parse exposed credential material.
* Store recovered secrets in assessment artifacts.
* Use recovered credentials for follow-on checks if those categories are enabled.

**Cleanup expectations**

* Rotate any recovered credentials.
* Handle exported credential artifacts as sensitive data.

### LAPS Password Access

This category reads local administrator passwords managed through Windows LAPS when directory permissions expose them.

**What Pentest Copilot may do**

* Query directory attributes that expose LAPS-managed local administrator passwords.
* Store recovered local administrator credentials for follow-on checks.

**Cleanup expectations**

* Rotate exposed local administrator passwords.
* Review which users or groups can read LAPS password attributes.

### SMB Share Data Collection

This category reviews accessible Windows file shares for sensitive files.

**What Pentest Copilot may do**

* List files on accessible SMB shares.
* Download selected files to assessment storage.
* Analyze copied files for secrets or sensitive content.

**Cleanup expectations**

* Treat copied files and extracted secrets as sensitive assessment artifacts.
* Remove or archive artifacts according to the engagement data-handling policy.

### FTP and Information Disclosure Collection

This category reviews accessible FTP or similar exposed file services for sensitive files.

**What Pentest Copilot may do**

* Enumerate exposed files or records from reachable services.
* Copy selected content into assessment artifacts for review.

**Cleanup expectations**

* Treat copied data as sensitive assessment output.
* Rotate credentials if collected content exposes secrets.

## How to reduce risk from the UI

In the final configuration review, disable any exploit category that is outside the engagement's approved scope.

For a lower-risk internal run:

* Disable ACL privilege escalation, resource-based constrained delegation, domain controller authentication bypass, and ADCS certificate abuse unless AD or certificate-service writes are approved.
* Disable remote code execution, local privilege escalation, and lateral movement unless host compromise and callback deployment are approved.
* Disable credential, ticket, delegation, and trust-abuse categories unless credential collection, cracking, and reuse are approved.
* Keep discovery and enumeration enabled when you only need network and graph visibility.

