Active Directory Penetration Testing

Reference Poster — Full Attack Chain

① Reconnaissance
External: LinkedIn/Hunter.io, Dehashed, theHarvester, dnsrecon/dnsenum, amass/subfinder, Shodan/Censys
Internal Unauth: nmap/fping, netdiscover, Ports 88/389/636, Responder -A, LDAP anon bind, enum4linux-ng, rpcclient -U ""
Domain Info: FQDN, Forest trusts, Functional level, Naming context
② Initial Access
Poisoning / Coercion: Responder LLMNR/NBT-NS, mitm6 IPv6/WPAD, ntlmrelayx SMB relay, LDAP/LDAPS relay, PetitPotam, PrinterBug, DFSCoerce, ADCS ESC8 HTTP→LDAP
Pre-auth Kerberos: Kerbrute userenum, AS-REP Roasting, DONT_REQ_PREAUTH
Password Attacks: Kerbrute spray, NetExec spray, Check policy first, Season+Year, Company+123
CVEs / Anon Access: Zerologon CVE-2020-1472, PrintNightmare, noPac CVE-2021-42278, EternalBlue, ProxyShell/Logon, SMB null shares, Snaffler/MANSPIDER
③ Auth. Enumeration
BloodHound: SharpHound CE, bloodhound-python, RustHound/SOAPHound, Shortest path to DA, Kerberoastable users, Unconstrained delegation
Users / Groups: PowerView, ADSearch, ldapsearch, windapsearch, Descriptions → passwords, adminCount=1
Shares / Files: SMBMap, smbclient, Snaffler, SYSVOL Groups.xml cpassword, Manspider
ACL / ADCS / GPO: GenericAll, GenericWrite, WriteOwner, WriteDACL, ReadLAPSPassword, ReadGMSAPassword, Certipy find ESC1–ESC15, Get-DomainGPO
④ Credential Theft
Offline Roasting: Kerberoasting (Rubeus, GetUserSPNs.py), AS-REP Roasting (GetNPUsers.py), Hashcat 13100/18200, SPN via GenericWrite
On-host Dumping: Mimikatz sekurlsa, nanodump, pypykatz, comsvcs.dll MiniDump, SAM/SYSTEM hives, DPAPI master keys, SharpChromium/DPAPI, WDigest cleartext
Domain-wide: DCSync lsadump::dcsync, NTDS.dit + SYSTEM, secretsdump.py
Special Sources: LAPS ms-Mcs-AdmPwd, gMSA password, GPP Groups.xml gpp-decrypt, KeePass/Bitwarden, PuTTY/WinSCP sessions
⑤ Privilege Escalation
Local Windows: winPEAS, PowerUp, Seatbelt, Unquoted svc paths, DLL hijack, AlwaysInstallElevated, JuicyPotato, RoguePotato, PrintSpoofer, GodPotato, UAC fodhelper/sdclt
ACL Abuse: GenericAll → reset pw, GenericAll group → AddMember, GenericWrite → SPN, WriteDACL → DCSync rights, WriteOwner → WriteDACL
Kerberos Delegation: Unconstrained → capture TGTs, Constrained S4U2Self/Proxy, RBCD msDS-AllowedToActOnBehalf, MachineAccountQuota=10
ADCS Certipy: ESC1 SAN+clientAuth, ESC2 any-purpose EKU, ESC3 enrollment agent, ESC4 template ACL, ESC6 EDITF_ATTR, ESC8 HTTP NTLM relay, ESC9–ESC15
⑥ Lateral Movement
Pass-the-*: PtH: NetExec -H, Mimikatz sekurlsa::pth; PtT: Rubeus ptt, ccache KRB5CCNAME; Overpass-the-Hash; Pass-the-Certificate PKINIT; Shadow Creds Whisker
Remote Execution: PsExec, SMBExec, WMIExec, Evil-WinRM 5985/5986, DCOM MMC20, schtasks, sc.exe services, xfreerdp RDP+PtH
Pivoting: Chisel, Ligolo-ng, SOCKS, SSH, proxychains, CS SMB/TCP beacons
⑦ Domain Dominance
DCSync: DS-Replication-Get-Changes-All, lsadump::dcsync, krbtgt hash, secretsdump -just-dc
DCShadow: Register rogue DC, Push changes, Deregister
Krbtgt / Trusts: Golden Ticket krbtgt NT/AES, Reset krbtgt ×2, Inter-realm TGT, SID History ExtraSids, Trust key extraction
⑧ Persistence
Kerberos Tickets: Golden Ticket, Silver Ticket, Diamond Ticket, Sapphire Ticket
DC-resident: Skeleton Key misc::skeleton, DSRM RID 500 logon, Custom SSP memssp, LSA password filter DLL
ACL Backdoors: AdminSDHolder ACE, DCSync low-priv user, Shadow Creds msDS-KeyCredLink
Service / Object: Scheduled tasks, WMI event subscriptions, GPO modification, ADCS long-lived cert
⑨ Defense Evasion
AMSI / ETW: amsiInitFailed patch, HW breakpoint AMSI, EtwEventWrite patch, ETW provider GUID disable
Logging: ScriptBlock bypass, PS v2 downgrade, Sysmon rule gaps
EDR / Defender: SysWhispers, Hell's Gate, Unhook ntdll, Early bird injection, BYOVD vuln driver, Defender exclusion abuse
LOLBAS / Obfusc.: rundll32/regsvr32/mshta, certutil decode/download, Invoke-Obfuscation, ConfuserEx .NET, AES payload encryption
⑩ Hybrid / Cloud
Entra Connect: MSOL account DCSync, ADSync svc abuse, Pass-through Auth agent
Federation: Golden SAML ADFS cert, ADFS DKM master key
Token Theft: ROADtools, AADInternals, TokenTactics, PRT theft
OAuth / Device Code: Device code phishing, Illicit consent grant
Recon & Enum Tools: BloodHound CE, SharpHound, bloodhound-python, PowerView, PowerSploit, ADRecon, PingCastle, enum4linux-ng, ldapsearch, windapsearch, NetExec, CrackMapExec
Creds & Kerberos Tools: Mimikatz, pypykatz, lsassy, Rubeus, secretsdump.py, GetUserSPNs.py, ntlmrelayx.py, Kerbrute, hashcat, john
ADCS & Coercion Tools: certipy-ad, Certify, ForgeCert, PSPKIAudit, PetitPotam.py, Coercer.py, DFSCoerce, PrinterBug
C2 & Post-Ex Tools: Cobalt Strike, Sliver, Mythic, Havoc, Brute Ratel, NightHawk, winPEAS, Seatbelt, GodPotato, SweetPotato, SharpDPAPI, SharpChromium, LAPSToolkit, gMSADumper
Workflow: 1 Recon → 2 Foothold → 3 Enumerate → 4 Loot Creds → 5 Escalate → 6 Move Laterally (↻ repeat 3–6 as needed) → 7 Domain Dominance → 8 Persist with approval → Document + Cleanup

This post first appeared at The CyberSec Guru.