Enumeration & Discovery — From Windows

Quick Reference

| Technique | Tool | Privilege Needed |
|---|---|---|
| Domain / forest info | Native AD cmdlets, PowerView | Domain user |
| User / group / computer enumeration | Get-ADUser, Get-DomainUser | Domain user |
| SPN discovery (Kerberoast candidates) | Get-ADUser, PowerView | Domain user |
| AdminSDHolder / privileged objects | Get-ADObject | Domain user |
| ACL enumeration | PowerView | Domain user |
| Local admin discovery | Find-LocalAdminAccess | Domain user |
| Share discovery | Find-DomainShare, Snaffler | Domain user |
| Full graph collection | SharpHound | Domain user |
| Host recon | Seatbelt | Local user (some checks need admin) |
| Session enumeration | SharpHound, NetSessionEnum | Local admin (remote hosts) |
| GPO enumeration | PowerView | Domain user |
| Trust mapping | Get-DomainTrust, nltest | Domain user |

Native AD Cmdlets

No extra tooling required. Requires the ActiveDirectory PowerShell module, which is present on domain-joined systems with RSAT installed, or can be imported from a DC. ...

11 min · MrAzoth

Kerberos Attacks — From Kali

Quick Reference

| Attack | Tool | Hashcat Mode | Requirement |
|---|---|---|---|
| AS-REP Roasting | GetNPUsers.py / kerbrute | -m 18200 | DONT_REQ_PREAUTH flag set |
| Kerberoasting | GetUserSPNs.py | -m 13100 (RC4) / -m 19700 (AES) | Valid domain user + SPN exists |
| Pass-the-Ticket | getTGT.py + impacket | N/A | Valid credentials or hash |
| Overpass-the-Hash | getTGT.py -aesKey | N/A | AES256 key for user |
| Kerbrute userenum | kerbrute | N/A | Network access to DC on port 88 |
| Ticket conversion | ticket_converter.py | N/A | Existing .kirbi or .ccache |

AS-REP Roasting

AS-REP Roasting targets accounts that have Kerberos pre-authentication disabled (DONT_REQ_PREAUTH flag set in userAccountControl). The KDC returns an AS-REP containing a portion encrypted with the user's hash — no prior authentication required, making it requestable by anyone. ...

11 min · MrAzoth

Kerberos Attacks — From Windows

Quick Reference

| Attack | Tool | Prerequisite | Output |
|---|---|---|---|
| Kerberoasting | Rubeus, PowerView | Domain user, SPN exists | RC4/AES hash → offline crack |
| AS-REP Roasting | Rubeus | Domain user, pre-auth disabled on target | AS-REP hash → offline crack |
| Pass-the-Ticket | Rubeus, Mimikatz | Valid .kirbi or base64 ticket | Ticket injected into session |
| Overpass-the-Hash | Mimikatz, Rubeus | NTLM or AES hash | TGT obtained, ticket injected |
| Pass-the-Key | Mimikatz | AES256 hash | TGT obtained via AES pre-auth |
| Ticket Extraction | Rubeus, Mimikatz | Local admin (for other users' tickets) | .kirbi files / base64 tickets |
| TGT Delegation | Rubeus tgtdeleg | Domain user, no local admin needed | Usable TGT |
| Ticket Harvesting | Rubeus harvest/monitor | Local admin | Ongoing TGT collection |
| Unconstrained Delegation Abuse | Rubeus monitor + coerce | Local admin on delegation host | Victim TGT captured |

Hashcat Cracking Modes Reference

| Mode | Hash Type | Attack Context |
|---|---|---|
| 13100 | Kerberoast — RC4 (TGS-REP) | Kerberoasting with /rc4opsec |
| 19600 | Kerberoast — AES128 (TGS-REP) | Kerberoasting with /aes |
| 19700 | Kerberoast — AES256 (TGS-REP) | Kerberoasting with /aes |
| 18200 | AS-REP — RC4 (krb5asrep) | AS-REP Roasting |
| 17200 | DPAPI masterkey | Seatbelt / Mimikatz DPAPI |
| 1000 | NTLM | Pass-the-Hash, secretsdump output |
| 5600 | NTLMv2 (Net-NTLMv2) | Responder / NTLM relay capture |
| 7500 | Kerberos 5 AS-REQ (etype 23) | Pre-auth brute force |
| 3000 | LM | Legacy — rarely seen |

Kerberoasting

Kerberoasting requests Kerberos service tickets (TGS-REP) for accounts with a Service Principal Name (SPN) set. The ticket is encrypted with the service account's password hash, enabling offline cracking. ...

15 min · MrAzoth

Credential Attacks — From Windows

Quick Reference

| Attack | Tool | Privilege Required |
|---|---|---|
| LSASS dump (live) | Mimikatz | LocalAdmin + SeDebugPrivilege |
| LSASS dump (ProcDump) | ProcDump / comsvcs.dll | LocalAdmin |
| DCSync | Mimikatz lsadump::dcsync | Domain Admin (or replication rights) |
| Local SAM | reg save + secretsdump | LocalAdmin |
| LSA Secrets | Mimikatz lsadump::lsa | SYSTEM |
| Cached domain creds | Mimikatz lsadump::cache | SYSTEM |
| GPP passwords | PowerSploit Get-GPPPassword | Domain User (SYSVOL read) |
| DPAPI triage | SharpDPAPI | LocalAdmin (backup key needs DA) |
| WDigest cleartext | Mimikatz sekurlsa::wdigest | LocalAdmin + WDigest enabled |
| Skeleton key | Mimikatz misc::skeleton | Domain Admin (DC access) |
| SSP injection | Mimikatz misc::memssp | SYSTEM on DC |
| Password spray | DomainPasswordSpray / Rubeus | Domain User |
| PPL bypass | mimidrv.sys kernel driver | SYSTEM + vulnerable driver |

Mimikatz — Core Commands

Mimikatz is the primary credential extraction tool for Windows. Most operations require SeDebugPrivilege at minimum, and many require SYSTEM. ...

14 min · MrAzoth

Credential Attacks & Relay — From Kali

Quick Reference

| Technique | Tool | Prerequisite | Output |
|---|---|---|---|
| LLMNR/NBT-NS Poisoning | Responder | Network access, no SMB signing required | NTLMv1/v2 hashes |
| SMB Relay | ntlmrelayx.py | SMB signing disabled on target | SAM dump / shell |
| LDAP Relay | ntlmrelayx.py | LDAP on DC accessible | Computer accounts / RBCD |
| IPv6 Poisoning | mitm6 + ntlmrelayx | IPv6 not disabled on network | LDAP relay → DA |
| Coercion + Relay | PetitPotam / printerbug | Auth path to coerced machine | NTLM relay or TGT |
| DCSync | secretsdump.py | Domain Admin or replication rights | All NTLM hashes + AES keys |
| LSASS Dump | lsassy | Local admin on target | Plaintext / hashes |
| GPP Passwords | nxc -M gpp_password | Domain user | Cleartext credential |
| Password Spraying | nxc smb/ldap | Valid username list | Valid credentials |

LLMNR/NBT-NS Poisoning with Responder

LLMNR (Link-Local Multicast Name Resolution) and NBT-NS (NetBIOS Name Service) are fallback name resolution protocols used by Windows when DNS fails. When a host cannot resolve a name, it broadcasts an LLMNR/NBT-NS query to the local subnet. Responder answers these queries with the attacker's IP, forcing the victim to authenticate — capturing NTLMv1 or NTLMv2 hashes. ...

17 min · MrAzoth

Delegation Attacks — From Kali

Quick Reference

| Attack | Tool | Required Privileges |
|---|---|---|
| Unconstrained Delegation Abuse | impacket, Responder, coercion tools | Compromise of delegated host |
| Constrained Delegation (KCD) | getST.py | Control of account with KCD configured |
| RBCD Setup + Abuse | addcomputer.py, rbcd.py, getST.py | GenericWrite or WriteDACL on target computer |
| Shadow Credentials | pywhisker.py, getnthash.py | WriteProperty on msDS-KeyCredentialLink |
| Coerce Authentication (PetitPotam) | PetitPotam.py | Valid domain credentials |
| Coerce Authentication (PrinterBug) | printerbug.py | Valid domain credentials |

Delegation Overview

Kerberos delegation allows a service to impersonate users when accessing other services on their behalf. There are three types, each with different risk profiles and abuse paths. ...

11 min · MrAzoth

Lateral Movement — From Kali

Quick Reference

| Technique | Tool | Auth Type | Notes |
|---|---|---|---|
| Pass-the-Hash | psexec.py, wmiexec.py, nxc | NTLM hash | No plaintext needed |
| Pass-the-Ticket | psexec.py -k, wmiexec.py -k | Kerberos ccache | Set KRB5CCNAME first |
| Evil-WinRM | evil-winrm | Password / Hash / Ticket | WinRM port 5985/5986 |
| WMI Execution | wmiexec.py | Password / Hash | Output shown, less noisy |
| DCOM Execution | dcomexec.py | Password / Hash | Multiple COM objects |
| RDP PtH | xfreerdp /pth | NTLM hash | Requires Restricted Admin mode |
| SMB Exec | psexec.py, smbexec.py | Password / Hash | Different noise levels |
| Proxychains | proxychains + any tool | Any | Internal network pivoting |

Pass-the-Hash (PtH) from Linux

Concept

NTLM authentication does not require knowledge of the plaintext password — it only requires the NT hash. The NT hash is the MD4 hash of the Unicode password, and it is used directly in the NTLM challenge-response exchange. A valid NT hash is sufficient to authenticate against any service using NTLM. ...

13 min · MrAzoth

Lateral Movement — From Windows

Quick Reference

| Technique | Tool | Requirement |
|---|---|---|
| Pass-the-Hash (PtH) | Mimikatz, Invoke-TheHash, PsExec | Local Admin / NTLM hash |
| Pass-the-Ticket (PtT) | Rubeus, Mimikatz | Valid Kerberos ticket (.kirbi / base64) |
| Overpass-the-Hash | Mimikatz, Rubeus | NTLM or AES256 hash |
| WMI Exec | PowerShell WMI, wmic, SharpWMI | Local Admin on target |
| DCOM Exec | PowerShell COM objects | Local Admin / DCOM permissions |
| PowerShell Remoting | Enter-PSSession, Invoke-Command | WinRM enabled, appropriate rights |
| PsExec | Sysinternals PsExec | Local Admin, ADMIN$ writable |
| Remote Service | sc.exe | Local Admin on target |
| Scheduled Task | schtasks.exe | Local Admin / valid credentials |
| Token Impersonation | Incognito, Invoke-TokenManipulation | SeImpersonatePrivilege |
| RDP | mstsc, tscon | RDP enabled, valid credentials or SYSTEM |

Pass-the-Hash (PtH)

Pass-the-Hash abuses the NTLM authentication protocol by presenting a captured password hash directly instead of the cleartext password. The target authenticates the hash without needing the plaintext credential. ...

10 min · MrAzoth

Domain & Forest Trusts — From Kali

Quick Reference

| Attack | Requirement | Tool |
|---|---|---|
| Cross-domain Kerberoasting | Valid low-priv creds in child domain | GetUserSPNs.py |
| Cross-domain AS-REP Roasting | Valid low-priv creds in child domain | GetNPUsers.py |
| SID History Injection (parent-child) | Domain Admin in child domain, child krbtgt hash | ticketer.py |
| Cross-domain DCSync | Replication rights or DA in target domain | secretsdump.py |
| One-way inbound trust abuse | DA in trusted domain, inter-realm key | ticketer.py (silver), getST.py |
| One-way outbound trust abuse | DA in trusting domain, TDO GUID | secretsdump.py, getTGT.py |
| Cross-forest Kerberoasting | Bidirectional forest trust, valid creds | GetUserSPNs.py |
| Golden ticket cross-domain | Child krbtgt hash + parent domain SID | ticketer.py |
| BloodHound trust mapping | Valid creds, network access to DC | bloodhound-python |

Trust Concepts

Trust Types

A Trust is a relationship between two domains that allows security principals in one domain to authenticate to resources in another. Trust information is stored in Active Directory as Trusted Domain Objects (TDOs) under CN=System. ...

14 min · MrAzoth

Persistence — From Kali

Quick Reference

| Technique | Requirement | Detection Risk |
|---|---|---|
| DCSync | Domain Admin or explicit replication rights | High — replication request from non-DC |
| Golden Ticket | krbtgt NTLM + AES256 hash, domain SID | Medium — no TGT event (4768) on DC |
| Silver Ticket | Service account NTLM hash, domain SID, SPN | Low — no DC contact at all |
| Diamond Ticket | krbtgt AES256, valid user credentials | Low — based on a real TGT |
| NTDS.dit VSS | Shell on DC, local admin | High — shadow copy creation event |
| DPAPI Backup Key | Domain Admin, DC access | Medium — LDAP/RPC request to DC |
| ACL-based (DCSync rights) | WriteDACL or GenericAll on domain root | Low — ACL change may not alert |
| Machine Account creation | Any user with MachineAccountQuota > 0 | Low |
| Pass-the-Hash persistence | Local admin hash, no domain rights needed | Low — appears as normal auth |

DCSync

What It Is

DCSync abuses the Directory Replication Service (DRS) protocol. Domain controllers use DRS to replicate directory data between themselves. The GetNCChanges function is the core RPC call used. Any account with the following rights on the domain root object can invoke this: ...

14 min · MrAzoth

Advanced Techniques — From Windows

Quick Reference

| Technique | Tool | Requirement | Impact |
|---|---|---|---|
| KrbRelayUp (RBCD) | KrbRelayUp + Rubeus | Domain-joined, no LDAP signing | Low-priv → SYSTEM |
| gMSA password read | GMSAPasswordReader | Authorized principal | Lateral movement |
| LAPS password read | Get-AdmPwdPassword / PowerView | Read perm on ms-Mcs-AdmPwd | Local admin on target |
| PPL bypass (mimidrv) | Mimikatz + mimidrv.sys | Local admin | LSASS dump despite PPL |
| PPL bypass (PPLdump) | PPLdump | Local admin | LSASS dump despite PPL |
| LSASS dump (comsvcs) | LOLBAS / rundll32 | Local admin | Credential extraction |
| WebDAV coercion trigger | PowerShell | Shell on target | Force HTTP auth for relay |
| Shadow credentials | Whisker | GenericWrite on account | PKINIT auth, NT hash |

KrbRelayUp — Local Privilege Escalation to SYSTEM

What KrbRelayUp Is

KrbRelayUp abuses Resource-Based Constrained Delegation (RBCD) to escalate from a low-privilege domain user with a local shell to NT AUTHORITY\SYSTEM on the same machine. The attack creates a new machine account, configures RBCD on the target machine to trust that new account, then uses S4U2Self + S4U2Proxy to get a Kerberos service ticket impersonating Administrator (or any domain user) for the current machine — then uses that ticket to spawn a SYSTEM process. ...

11 min · MrAzoth

Azure AD Hybrid Attacks — From Kali

Quick Reference

| Attack | Requirement | Impact |
|---|---|---|
| MSOL Account DCSync | Local admin on AAD Connect server | Full domain + cloud compromise |
| AZUREADSSOACC$ Abuse | DCSync rights or DA | Forge Azure AD tokens |
| PHS Hash Extraction | MSOL DCSync rights | Cloud account takeover |
| PTA Abuse | On-prem DC compromise | Transparent cloud auth bypass |
| Golden SAML | ADFS signing cert theft | Persistent cloud access |

Azure AD Connect Abuse (MSOL Account)

Azure AD Connect synchronizes on-premises Active Directory to Azure AD. During setup, it creates a service account named MSOL_xxxxxxxx in the on-premises domain. This account is granted DS-Replication-Get-Changes and DS-Replication-Get-Changes-All on the domain root — the exact permissions required for DCSync. Its password is stored encrypted in a SQL LocalDB instance on the AAD Connect server. ...

7 min · MrAzoth

GPO Abuse — From Windows

Quick Reference

| Technique | Tool | Requirement | Effect |
|---|---|---|---|
| Immediate Scheduled Task | SharpGPOAbuse | Write on GPO | Code exec as SYSTEM on all linked machines |
| Restricted Groups | SharpGPOAbuse | Write on GPO | Add attacker to local Admins |
| User Rights Assignment | SharpGPOAbuse | Write on GPO | Grant SeDebugPrivilege / SeImpersonatePrivilege |
| Manual XML task | PowerShell / SYSVOL write | Write on GPO or SYSVOL | Arbitrary command as SYSTEM |
| New GPO + Link | PowerView / RSAT | CreateGPO right + link permission | Full control over target OU |
| GPO Delegation read | PowerView / BloodHound | Any domain user | Map attack surface |

GPO Fundamentals

Group Policy Objects (GPOs) are containers of policy settings applied to users and computers. They are linked to Organizational Units (OUs), Sites, or the Domain. When a machine or user logs in, the domain controller delivers applicable GPOs via SYSVOL (a shared folder replicated to all DCs). The machine then applies them every 90 minutes by default (± 30-minute random offset), or immediately on gpupdate /force. ...

8 min · MrAzoth

Advanced Techniques — From Kali

Quick Reference

| Technique | Tool | Requirement | Impact |
|---|---|---|---|
| WebDAV Coercion → LDAP relay | ntlmrelayx + PetitPotam | WebClient running on target | RBCD, shadow creds, DA |
| gMSA password read | gMSADumper / nxc | Authorized principal | Lateral movement |
| Zerologon | cve-2020-1472 | Network access to DC (pre-patch) | Instant DA |
| noPac (CVE-2021-42278/42287) | noPac.py | Domain user | DA via KDC spoofing |
| LAPS read | nxc / ldapsearch | Read perm on ms-Mcs-AdmPwd | Local admin on target |
| LSASS dump (offline parse) | pypykatz | LSASS dump file | Credential extraction |
| KrbRelayUp pre-check | nxc ldap | Network access | Identify LDAP signing state |

WebDAV Coercion — Bypass SMB Signing for NTLM Relay

Why WebDAV Coercion Works

Standard NTLM relay from SMB to LDAP is blocked when SMB signing is required (which is enforced on DCs by default). WebDAV coercion forces the target to authenticate over HTTP instead of SMB. HTTP authentication does not enforce signing, so it can be relayed to LDAP even when the target has SMB signing enabled. ...

11 min · MrAzoth