jinpwn.dev

Active Directory

Active Directory cheatsheet for red teamers and pentesters. Organized by attack phase, built around modern tooling.

Unauthenticated Enumeration

Everything you can pull from an AD environment without a single credential. Network discovery, null sessions, guest access, and protocol-level enumeration.

Authenticated Enumeration

You have creds (password, hash, or ticket). Time to map the entire domain. Pull users, groups, ACLs, delegations, trusts, certificates, and everything BloodHound needs.

Credential Attack

You've enumerated the domain. Now it's time to harvest, crack, relay, and dump credentials to expand your access.

Lateral Movement

You have credentials, hashes, or tickets. Time to move through the network, hop between hosts, and reach high-value targets.

Privilege Escalation

You have a foothold. Now escalate from a low-privilege domain user to Domain Admin (or equivalent). ACL abuse, delegation attacks, AD CS, Shadow Credentials, and coercion chains.

Persistence

You have Domain Admin (or equivalent). Now maintain access, extract everything of value, and establish persistence that survives password resets and remediation attempts.

© 2026 JinPwn