AD — From Windows

Quick Reference Technique Tool Privilege Needed Domain / forest info Native AD cmdlets, PowerView Domain user User / group / computer enumeration Get-ADUser, Get-DomainUser Domain user SPN discovery (Kerberoast candidates) Get-ADUser, PowerView Domain user AdminSDHolder / privileged objects Get-ADObject Domain user ACL enumeration PowerView Domain user Local admin discovery Find-LocalAdminAccess Domain user Share discovery Find-DomainShare, Snaffler Domain user Full graph collection SharpHound Domain user Host recon Seatbelt Local user (some checks need admin) Session enumeration SharpHound, NetSessionEnum Local admin (remote hosts) GPO enumeration PowerView Domain user Trust mapping Get-DomainTrust, nltest Domain user Native AD Cmdlets No extra tooling required. Requires the ActiveDirectory PowerShell module, which is present on domain-joined systems with RSAT installed, or can be imported from a DC. ...

Quick Reference Attack Tool Prerequisite Output Kerberoasting Rubeus, PowerView Domain user, SPN exists RC4/AES hash → offline crack AS-REP Roasting Rubeus Domain user, pre-auth disabled on target AS-REP hash → offline crack Pass-the-Ticket Rubeus, Mimikatz Valid .kirbi or base64 ticket Ticket injected into session Overpass-the-Hash Mimikatz, Rubeus NTLM or AES hash TGT obtained, ticket injected Pass-the-Key Mimikatz AES256 hash TGT obtained via AES pre-auth Ticket Extraction Rubeus, Mimikatz Local admin (for other users’ tickets) .kirbi files / base64 tickets TGT Delegation Rubeus tgtdeleg Domain user, no local admin needed Usable TGT Ticket Harvesting Rubeus harvest/monitor Local admin Ongoing TGT collection Unconstrained Delegation Abuse Rubeus monitor + coerce Local admin on delegation host Victim TGT captured Hashcat Cracking Modes Reference Mode Hash Type Attack Context 13100 Kerberoast — RC4 (TGS-REP) Kerberoasting with /rc4opsec 19600 Kerberoast — AES128 (TGS-REP) Kerberoasting with /aes 19700 Kerberoast — AES256 (TGS-REP) Kerberoasting with /aes 18200 AS-REP — RC4 (krb5asrep) AS-REP Roasting 17200 DPAPI masterkey Seatbelt / Mimikatz DPAPI 1000 NTLM Pass-the-Hash, secretsdump output 5600 NTLMv2 (Net-NTLMv2) Responder / NTLM relay capture 7500 Kerberos 5 AS-REQ (etype 23) Pre-auth brute force 3000 LM Legacy — rarely seen Kerberoasting Kerberoasting requests Kerberos service tickets (TGS-REP) for accounts with a Service Principal Name (SPN) set. The ticket is encrypted with the service account’s password hash, enabling offline cracking. ...

Quick Reference Attack Tool Privilege Required LSASS dump (live) Mimikatz LocalAdmin + SeDebugPrivilege LSASS dump (ProcDump) ProcDump / comsvcs.dll LocalAdmin DCSync Mimikatz lsadump::dcsync Domain Admin (or replication rights) Local SAM reg save + secretsdump LocalAdmin LSA Secrets Mimikatz lsadump::lsa SYSTEM Cached domain creds Mimikatz lsadump::cache SYSTEM GPP passwords PowerSploit Get-GPPPassword Domain User (SYSVOL read) DPAPI triage SharpDPAPI LocalAdmin (backup key needs DA) WDigest cleartext Mimikatz sekurlsa::wdigest LocalAdmin + WDigest enabled Skeleton key Mimikatz misc::skeleton Domain Admin (DC access) SSP injection Mimikatz misc::memssp SYSTEM on DC Password spray DomainPasswordSpray / Rubeus Domain User PPL bypass mimidrv.sys kernel driver SYSTEM + vulnerable driver Mimikatz — Core Commands Mimikatz is the primary credential extraction tool for Windows. Most operations require SeDebugPrivilege at minimum, and many require SYSTEM. ...

Delegation Attacks — From Windows Kerberos delegation allows services to impersonate users when accessing downstream resources on their behalf. Misconfigured delegation is one of the most reliable paths to domain compromise from a low-privilege Windows foothold. This guide covers all four major delegation attack classes — Unconstrained, Constrained (KCD), Resource-Based Constrained Delegation (RBCD), and Shadow Credentials — with full PowerShell and command-line tradecraft. Quick Reference Table Attack Primary Tool Required Privilege Unconstrained Delegation Rubeus monitor + coercion Local Admin on delegating host Constrained Delegation Rubeus s4u Service account creds or hash RBCD PowerMad + PowerView + Rubeus GenericWrite or WriteDACL on target computer object Shadow Credentials Whisker + Rubeus WriteProperty on msDS-KeyCredentialLink 1. Delegation Concepts 1.1 Why Delegation Exists Kerberos delegation was introduced to solve the “double-hop” problem: when a front-end web service needs to authenticate to a back-end SQL server using the identity of the connecting user, it needs the ability to forward or impersonate that user’s credentials downstream. Three delegation mechanisms exist in Active Directory, each with different security boundaries and abuse surfaces. ...

Quick Reference Technique Tool Requirement Pass-the-Hash (PtH) Mimikatz, Invoke-TheHash, PsExec Local Admin / NTLM hash Pass-the-Ticket (PtT) Rubeus, Mimikatz Valid Kerberos ticket (.kirbi / base64) Overpass-the-Hash Mimikatz, Rubeus NTLM or AES256 hash WMI Exec PowerShell WMI, wmic, SharpWMI Local Admin on target DCOM Exec PowerShell COM objects Local Admin / DCOM permissions PowerShell Remoting Enter-PSSession, Invoke-Command WinRM enabled, appropriate rights PsExec Sysinternals PsExec Local Admin, ADMIN$ writable Remote Service sc.exe Local Admin on target Scheduled Task schtasks.exe Local Admin / valid credentials Token Impersonation Incognito, Invoke-TokenManipulation SeImpersonatePrivilege RDP mstsc, tscon RDP enabled, valid credentials or SYSTEM Pass-the-Hash (PtH) Pass-the-Hash abuses the NTLM authentication protocol by presenting a captured password hash directly instead of the cleartext password. The target authenticates the hash without needing the plaintext credential. ...

Quick Reference Attack Requirement Tool Cross-domain Kerberoast Valid domain user in child Rubeus Parent-Child escalation krbtgt hash of child Mimikatz / Rubeus Diamond Ticket cross-domain krbtgt AES256 + DA creds Rubeus One-way inbound abuse DCSync TDO object Mimikatz One-way outbound abuse DCSync TDO GUID Mimikatz Cross-forest Kerberoast Trust configured Rubeus Trust Concepts Trust Types Type Value Description DOWNLEVEL 1 Windows NT 4.0-style trust UPLEVEL 2 Active Directory (Kerberos-based) trust MIT 3 Non-Windows Kerberos realm DCE 4 Theoretical, not used in practice Parent-Child Trust — A two-way, transitive trust automatically created when a new domain is added to an existing tree. The child domain and parent domain mutually authenticate via Kerberos. ...

Quick Reference Table Technique Tool Requirement Stealth Level Golden Ticket Mimikatz / Rubeus krbtgt hash + DOMAIN_SID Medium Silver Ticket Mimikatz / Rubeus Service account hash High Diamond Ticket Rubeus krbtgt AES256 + DA creds High DCSync rights backdoor PowerView Domain Admin Low AdminSDHolder abuse PowerView Domain Admin Low DPAPI Backup Key SharpDPAPI Domain Admin High Skeleton Key Mimikatz Domain Admin (LSASS access) Low WMI Event Subscription PowerShell Local Admin Medium SID History Mimikatz Domain Admin Medium DCSync What it is: Abuse of the Directory Replication Service (DRS) protocol to impersonate a domain controller and request password data for any account directly from a legitimate DC. No file on disk needs to be touched — the DC simply hands over the hashes on request, because that is exactly what the DRS protocol is designed to do between DCs. ...

Quick Reference ESC Vulnerability Tool Requirement ESC1 SAN in template Certify + Rubeus Enroll on template ESC2 Any Purpose EKU Certify + Rubeus Enroll on template ESC3 Enrollment Agent Certify x2 + Rubeus Agent cert + 2nd enroll ESC4 Template write access PowerView + Certify GenericWrite on template ESC6 EDITF_ATTRIBUTESUBJECTALTNAME2 Certify + Rubeus Any enroll ESC7 CA Officer / Manage Certify ca ManageCA or ManageCertificates ESC8 NTLM relay to certsrv ntlmrelayx (from Kali) Coercion + web enrollment AD CS Fundamentals Active Directory Certificate Services (AD CS) is Microsoft’s PKI implementation, used to issue digital certificates for authentication, encryption, and code signing within a Windows domain. It is high-value from an attacker’s perspective because: ...

Quick Reference Technique Tool Requirement Impact KrbRelayUp (RBCD) KrbRelayUp + Rubeus Domain-joined, no LDAP signing Low-priv → SYSTEM gMSA password read GMSAPasswordReader Authorized principal Lateral movement LAPS password read Get-AdmPwdPassword / PowerView Read perm on ms-Mcs-AdmPwd Local admin on target PPL bypass (mimidrv) Mimikatz + mimidrv.sys Local admin LSASS dump despite PPL PPL bypass (PPLdump) PPLdump Local admin LSASS dump despite PPL LSASS dump (comsvcs) LOLBAS / rundll32 Local admin Credential extraction WebDAV coercion trigger PowerShell Shell on target Force HTTP auth for relay Shadow credentials Whisker GenericWrite on account PKINIT auth, NT hash KrbRelayUp — Local Privilege Escalation to SYSTEM What KrbRelayUp Is KrbRelayUp abuses Resource-Based Constrained Delegation (RBCD) to escalate from a low-privilege domain user with a local shell to NT AUTHORITY\SYSTEM on the same machine. The attack creates a new machine account, configures RBCD on the target machine to trust that new account, then uses S4U2Self + S4U2Proxy to get a Kerberos service ticket impersonating Administrator (or any domain user) for the current machine — then uses that ticket to spawn a SYSTEM process. ...

Quick Reference Technique Tool Requirement Effect Immediate Scheduled Task SharpGPOAbuse Write on GPO Code exec as SYSTEM on all linked machines Restricted Groups SharpGPOAbuse Write on GPO Add attacker to local Admins User Rights Assignment SharpGPOAbuse Write on GPO Grant SeDebugPrivilege / SeImpersonatePrivilege Manual XML task PowerShell / SYSVOL write Write on GPO or SYSVOL Arbitrary command as SYSTEM New GPO + Link PowerView / RSAT CreateGPO right + link permission Full control over target OU GPO Delegation read PowerView / BloodHound Any domain user Map attack surface GPO Fundamentals Group Policy Objects (GPOs) are containers of policy settings applied to users and computers. They are linked to Organizational Units (OUs), Sites, or the Domain. When a machine or user logs in, the domain controller delivers applicable GPOs via SYSVOL (a shared folder replicated to all DCs). The machine then applies them every 90 minutes by default (± 30-minute random offset), or immediately on gpupdate /force. ...