Internal

---

Recon

Unauthenticated

• [ ] Null Session
• [ ] Network Scanning
• [ ] SMB Signing Authenticated
• [ ] DNS Dump
• [ ] Domain Wide Enumeration
• [ ]

Foothold

• [ ] Pre-Windows 2000 Computers

• [ ] Pre-Boot Execution Environment PXE

• [ ] LLMNR Poisoning
• [ ] IPv6 Attacks
• [ ] Relay Attacks
• [ ] ASREPRoast
• [ ] ZeroLogon
• [ ] Open Network Shares

Privilege Escalation & Lateral Movement

• [ ] Kerberoasting
• [ ] NoPac (SamAccountName Spoofing)
• [ ] Enumerate ADCS
• [ ] Enumerate SCCM
• [ ] GPP Password
• [ ] Bloodhound Enumerated Attacks
  • [ ] Domain ACLs
  • [ ] Alternate Service Name
  • [ ] Constrained Delegation
  • [ ] Resource-Based Constrained Delegation
  • [ ] Group Policy Abuse

General

• [ ] MachineAccountQuota
• [ ] Default Credentials
• [ ] IPMI Hash Disclosure
• [ ] Network Shares with Sensitive Data
• [ ] IIS Tilde Enumeration
• [ ] Cisco Smart Install
• [ ]