Tool Reference
TOOOOOOOOOOLS :)
Active Directory cheatsheet
Enumerate Active Directory from a Linux attack box with no shell on a domain host. Covers NetExec, Impacket, enum4linux-ng, rpcclient, SMB/RPC queries, and null session checks.
Domain reconnaissance from a compromised Windows host. PowerView, AD module, SharpView, net.exe, WMI, nltest, systeminfo, and domain trust mapping.
Password spraying, brute forcing, AS-REP roasting, Kerberoasting, and credential stuffing against Active Directory. Covers tooling from both Linux and Windows.
Extract credentials from memory, disk, and AD itself. Covers Mimikatz, pypykatz, LSASS dumps, SAM/SYSTEM extraction, DPAPI, LSA secrets, cached domain creds, and DCSync.
Move between hosts in an AD environment. PsExec, WMI, WinRM, DCOM, smbexec, atexec, RDP, Pass-the-Hash, Pass-the-Ticket, and Overpass-the-Hash from both Linux and Windows.
Golden ticket, silver ticket, diamond ticket, sapphire ticket, delegation abuse, S4U, ticket forging, and Kerberos relay. Covers exploitation from both Linux and Windows.
Maintain access to an AD environment after initial compromise. Golden/silver/diamond tickets, skeleton key, AdminSDHolder, DCShadow, SID history injection, GPO abuse, machine account persistence, and certificate-based persistence.
Enumerate and exploit abusable ACEs in Active Directory. GenericAll, WriteDACL, WriteOwner, GenericWrite, ForceChangePassword, targeted Kerberoasting, Shadow Credentials, and RBCD via ACL misconfigurations.
Trust enumeration, cross-domain attacks, SID history abuse, trust key extraction, inter-forest Kerberoasting, PAM trust abuse, and foreign group membership exploitation.
Enumerate Group Policy Objects, identify writable GPOs, and deploy payloads through GPO manipulation. Covers SharpGPOAbuse, pyGPOAbuse, manual GPO editing, and cleanup.
Force authentication from machines and relay captured credentials. PetitPotam, PrinterBug, DFSCoerce, ShadowCoerce, coercion to NTLM relay chains targeting LDAP, SMB, HTTP, and ADCS. Responder, ntlmrelayx, mitm6, and WPAD poisoning.
Enumerate Active Directory Certificate Services, find CAs, list templates, identify misconfigurations, and understand ESC vulnerability classes. Covers Certipy, Certify, and manual LDAP enumeration.
Discover SQL servers via SPN enumeration, authenticate with Windows and SQL auth, abuse linked servers, xp_cmdshell, impersonation, and lateral movement through MSSQL in Active Directory environments.
Exchange enumeration, PrivExchange, mailbox access, Exchange group abuse, ProxyLogon/ProxyShell references, and ADFS token signing certificate extraction.
Bypass AMSI, ETW, PowerShell Constrained Language Mode, AppLocker, and Defender. Understand OPSEC considerations for Kerberos vs NTLM, ticket forging noise, and LDAP query footprints.