Active Directory Penetration Testing Mindmap: Full AD Attack Chain

The CyberSec Guru


Active Directory Penetration Testing

Reference Poster — Full Attack Chain

① Reconnaissance
  External: LinkedIn/Hunter.io, Dehashed, theHarvester, dnsrecon/dnsenum, amass/subfinder, Shodan/Censys
  Internal Unauth: nmap/fping, netdiscover, ports 88/389/636, Responder -A, LDAP anon bind, enum4linux-ng, rpcclient -U ""
  Domain Info: FQDN, forest trusts, functional level, naming context
② Initial Access
  Poisoning / Coercion: Responder LLMNR/NBT-NS, mitm6 IPv6/WPAD, ntlmrelayx SMB relay, LDAP/LDAPS relay, PetitPotam, PrinterBug, DFSCoerce, ADCS ESC8 HTTP→LDAP
  Pre-auth Kerberos: Kerbrute userenum, AS-REP Roasting (DONT_REQ_PREAUTH)
  Password Attacks: Kerbrute spray, NetExec spray, check lockout policy first, Season+Year, Company+123
  CVEs / Anon Access: Zerologon CVE-2020-1472, PrintNightmare, noPac CVE-2021-42278, EternalBlue, ProxyShell/ProxyLogon, SMB null shares, Snaffler/MANSPIDER
③ Authenticated Enumeration
  BloodHound: SharpHound CE, bloodhound-python, RustHound/SOAPHound, shortest path to DA, Kerberoastable users, unconstrained delegation
  Users / Groups: PowerView, ADSearch, ldapsearch, windapsearch, descriptions → passwords, adminCount=1
  Shares / Files: SMBMap, smbclient, Snaffler, SYSVOL Groups.xml cpassword, MANSPIDER
  ACL / ADCS / GPO: GenericAll, GenericWrite, WriteOwner, WriteDACL, ReadLAPSPassword, ReadGMSAPassword, Certipy find ESC1–ESC15, Get-DomainGPO
④ Credential Theft
  Offline Roasting: Kerberoasting (Rubeus, GetUserSPNs.py), AS-REP Roasting (GetNPUsers.py), Hashcat modes 13100/18200, SPN via GenericWrite
  On-host Dumping: Mimikatz sekurlsa, nanodump, pypykatz, comsvcs.dll MiniDump, SAM/SYSTEM hives, DPAPI master keys, SharpChromium/DPAPI, WDigest cleartext
  Domain-wide: DCSync lsadump::dcsync, NTDS.dit + SYSTEM, secretsdump.py
  Special Sources: LAPS ms-Mcs-AdmPwd, gMSA password, GPP Groups.xml gpp-decrypt, KeePass/Bitwarden, PuTTY/WinSCP sessions
⑤ Privilege Escalation
  Local Windows: winPEAS, PowerUp, Seatbelt, unquoted service paths, DLL hijack, AlwaysInstallElevated, JuicyPotato, RoguePotato, PrintSpoofer, GodPotato, UAC fodhelper/sdclt
  ACL Abuse: GenericAll → reset password; GenericAll on group → AddMember; GenericWrite → SPN; WriteDACL → DCSync rights; WriteOwner → WriteDACL
  Kerberos Delegation: Unconstrained → capture TGTs; Constrained S4U2Self/S4U2Proxy; RBCD msDS-AllowedToActOnBehalf; MachineAccountQuota=10
  ADCS (Certipy): ESC1 SAN+clientAuth; ESC2 any-purpose EKU; ESC3 enrollment agent; ESC4 template ACL; ESC6 EDITF_ATTR; ESC8 HTTP NTLM relay; ESC9–ESC15
⑥ Lateral Movement
  Pass-the-*: PtH: NetExec -H, Mimikatz sekurlsa::pth; PtT: Rubeus ptt, ccache KRB5CCNAME; Overpass-the-Hash; Pass-the-Certificate PKINIT; Shadow Creds Whisker
  Remote Execution: PsExec, SMBExec, WMIExec, Evil-WinRM 5985/5986, DCOM MMC20, schtasks, sc.exe services, xfreerdp RDP+PtH
  Pivoting: Chisel, Ligolo-ng, SOCKS, SSH proxychains, CS SMB/TCP beacons
⑦ Domain Dominance
  DCSync: DS-Replication-Get-Changes-All, lsadump::dcsync, krbtgt hash, secretsdump -just-dc
  DCShadow: register rogue DC → push changes → deregister
  Krbtgt / Trusts: Golden Ticket krbtgt NT/AES, reset krbtgt ×2, inter-realm TGT, SID History ExtraSids, trust key extraction
⑧ Persistence
  Kerberos Tickets: Golden Ticket, Silver Ticket, Diamond Ticket, Sapphire Ticket
  DC-resident: Skeleton Key misc::skeleton, DSRM RID 500 logon, custom SSP memssp, LSA password filter DLL
  ACL Backdoors: AdminSDHolder ACE, DCSync rights on low-priv user, Shadow Creds msDS-KeyCredLink
  Service / Object: scheduled tasks, WMI event subscriptions, GPO modification, ADCS long-lived cert
⑨ Defense Evasion
  AMSI / ETW: amsiInitFailed patch, HW breakpoint AMSI, EtwEventWrite patch, ETW provider GUID disable
  Logging: ScriptBlock bypass, PS v2 downgrade, Sysmon rule gaps
  EDR / Defender: SysWhispers, Hell's Gate, unhook ntdll, early bird injection, BYOVD vulnerable driver, Defender exclusion abuse
  LOLBAS / Obfuscation: rundll32/regsvr32/mshta, certutil decode/download, Invoke-Obfuscation, ConfuserEx .NET, AES payload encryption
⑩ Hybrid / Cloud
  Entra Connect: MSOL account DCSync, ADSync service abuse, Pass-through Auth agent
  Federation: Golden SAML, ADFS cert, ADFS DKM master key
  Token Theft: ROADtools, AADInternals, TokenTactics, PRT theft
  OAuth / Device Code: device code phishing, illicit consent grant
Recon & Enum Tools: BloodHound CE, SharpHound, bloodhound-python, PowerView, PowerSploit, ADRecon, PingCastle, enum4linux-ng, ldapsearch, windapsearch, NetExec, CrackMapExec
Creds & Kerberos Tools: Mimikatz, pypykatz, lsassy, Rubeus, secretsdump.py, GetUserSPNs.py, ntlmrelayx.py, Kerbrute, hashcat, john
ADCS & Coercion Tools: certipy-ad, Certify, ForgeCert, PSPKIAudit, PetitPotam.py, Coercer.py, DFSCoerce, PrinterBug
C2 & Post-Ex Tools: Cobalt Strike, Sliver, Mythic, Havoc, Brute Ratel, NightHawk, winPEAS, Seatbelt, GodPotato, SweetPotato, SharpDPAPI, SharpChromium, LAPSToolkit, gMSADumper
Engagement Flow: 1 Recon → 2 Foothold → 3 Enumerate → 4 Loot Creds → 5 Escalate → 6 Move Laterally (↻ repeat 3–6) → 7 Domain Dominance → 8 Persist with approval → Document + Cleanup
