Ad on MrAzoth

Enumeration & Discovery — From Windows

Mon, 01 Jan 0001 00:00:00 +0000

Quick Reference

Technique	Tool	Privilege Needed
Domain / forest info	Native AD cmdlets, PowerView	Domain user
User / group / computer enumeration	Get-ADUser, Get-DomainUser	Domain user
SPN discovery (Kerberoast candidates)	Get-ADUser, PowerView	Domain user
AdminSDHolder / privileged objects	Get-ADObject	Domain user
ACL enumeration	PowerView	Domain user
Local admin discovery	Find-LocalAdminAccess	Domain user
Share discovery	Find-DomainShare, Snaffler	Domain user
Full graph collection	SharpHound	Domain user
Host recon	Seatbelt	Local user (some checks need admin)
Session enumeration	SharpHound, NetSessionEnum	Local admin (remote hosts)
GPO enumeration	PowerView	Domain user
Trust mapping	Get-DomainTrust, nltest	Domain user

Native AD Cmdlets

No extra tooling required. Requires the ActiveDirectory PowerShell module, which is present on domain-joined systems with RSAT installed, or can be imported from a DC.

Kerberos Attacks — From Kali

Mon, 01 Jan 0001 00:00:00 +0000

Quick Reference

Attack	Tool	Hashcat Mode	Requirement
AS-REP Roasting	GetNPUsers.py / kerbrute	-m 18200	DONT_REQ_PREAUTH flag set
Kerberoasting	GetUserSPNs.py	-m 13100 (RC4) / -m 19700 (AES)	Valid domain user + SPN exists
Pass-the-Ticket	getTGT.py + impacket	N/A	Valid credentials or hash
Overpass-the-Hash	getTGT.py -aesKey	N/A	AES256 key for user
Kerbrute userenum	kerbrute	N/A	Network access to DC on port 88
Ticket conversion	ticket_converter.py	N/A	Existing .kirbi or .ccache

AS-REP Roasting

AS-REP Roasting targets accounts that have Kerberos pre-authentication disabled (DONT_REQ_PREAUTH flag set in userAccountControl). The KDC returns an AS-REP containing a portion encrypted with the user’s hash — no prior authentication required, making it requestable by anyone.

Kerberos Attacks — From Windows

Mon, 01 Jan 0001 00:00:00 +0000

Quick Reference

Attack	Tool	Prerequisite	Output
Kerberoasting	Rubeus, PowerView	Domain user, SPN exists	RC4/AES hash → offline crack
AS-REP Roasting	Rubeus	Domain user, pre-auth disabled on target	AS-REP hash → offline crack
Pass-the-Ticket	Rubeus, Mimikatz	Valid .kirbi or base64 ticket	Ticket injected into session
Overpass-the-Hash	Mimikatz, Rubeus	NTLM or AES hash	TGT obtained, ticket injected
Pass-the-Key	Mimikatz	AES256 hash	TGT obtained via AES pre-auth
Ticket Extraction	Rubeus, Mimikatz	Local admin (for other users’ tickets)	.kirbi files / base64 tickets
TGT Delegation	Rubeus tgtdeleg	Domain user, no local admin needed	Usable TGT
Ticket Harvesting	Rubeus harvest/monitor	Local admin	Ongoing TGT collection
Unconstrained Delegation Abuse	Rubeus monitor + coerce	Local admin on delegation host	Victim TGT captured

Hashcat Cracking Modes Reference

Mode	Hash Type	Attack Context
13100	Kerberoast — RC4 (TGS-REP)	Kerberoasting with /rc4opsec
19600	Kerberoast — AES128 (TGS-REP)	Kerberoasting with /aes
19700	Kerberoast — AES256 (TGS-REP)	Kerberoasting with /aes
18200	AS-REP — RC4 (krb5asrep)	AS-REP Roasting
17200	DPAPI masterkey	Seatbelt / Mimikatz DPAPI
1000	NTLM	Pass-the-Hash, secretsdump output
5600	NTLMv2 (Net-NTLMv2)	Responder / NTLM relay capture
7500	Kerberos 5 AS-REQ (etype 23)	Pre-auth brute force
3000	LM	Legacy — rarely seen

Kerberoasting

Kerberoasting requests Kerberos service tickets (TGS-REP) for accounts with a Service Principal Name (SPN) set. The ticket is encrypted with the service account’s password hash, enabling offline cracking.

Credential Attacks — From Windows

Mon, 01 Jan 0001 00:00:00 +0000

Quick Reference

Attack	Tool	Privilege Required
LSASS dump (live)	Mimikatz	LocalAdmin + SeDebugPrivilege
LSASS dump (ProcDump)	ProcDump / comsvcs.dll	LocalAdmin
DCSync	Mimikatz lsadump::dcsync	Domain Admin (or replication rights)
Local SAM	reg save + secretsdump	LocalAdmin
LSA Secrets	Mimikatz lsadump::lsa	SYSTEM
Cached domain creds	Mimikatz lsadump::cache	SYSTEM
GPP passwords	PowerSploit Get-GPPPassword	Domain User (SYSVOL read)
DPAPI triage	SharpDPAPI	LocalAdmin (backup key needs DA)
WDigest cleartext	Mimikatz sekurlsa::wdigest	LocalAdmin + WDigest enabled
Skeleton key	Mimikatz misc::skeleton	Domain Admin (DC access)
SSP injection	Mimikatz misc::memssp	SYSTEM on DC
Password spray	DomainPasswordSpray / Rubeus	Domain User
PPL bypass	mimidrv.sys kernel driver	SYSTEM + vulnerable driver

Mimikatz — Core Commands

Mimikatz is the primary credential extraction tool for Windows. Most operations require SeDebugPrivilege at minimum, and many require SYSTEM.

Credential Attacks & Relay — From Kali

Mon, 01 Jan 0001 00:00:00 +0000

Quick Reference

Technique	Tool	Prerequisite	Output
LLMNR/NBT-NS Poisoning	Responder	Network access, no SMB signing required	NTLMv1/v2 hashes
SMB Relay	ntlmrelayx.py	SMB signing disabled on target	SAM dump / shell
LDAP Relay	ntlmrelayx.py	LDAP on DC accessible	Computer accounts / RBCD
IPv6 Poisoning	mitm6 + ntlmrelayx	IPv6 not disabled on network	LDAP relay → DA
Coercion + Relay	PetitPotam / printerbug	Auth path to coerced machine	NTLM relay or TGT
DCSync	secretsdump.py	Domain Admin or replication rights	All NTLM hashes + AES keys
LSASS Dump	lsassy	Local admin on target	Plaintext / hashes
GPP Passwords	nxc -M gpp_password	Domain user	Cleartext credential
Password Spraying	nxc smb/ldap	Valid username list	Valid credentials

LLMNR/NBT-NS Poisoning with Responder

LLMNR (Link-Local Multicast Name Resolution) and NBT-NS (NetBIOS Name Service) are fallback name resolution protocols used by Windows when DNS fails. When a host cannot resolve a name, it broadcasts an LLMNR/NBT-NS query to the local subnet. Responder answers these queries with the attacker’s IP, forcing the victim to authenticate — capturing NTLMv1 or NTLMv2 hashes.

Delegation Attacks — From Kali

Mon, 01 Jan 0001 00:00:00 +0000

Quick Reference

Attack	Tool	Required Privileges
Unconstrained Delegation Abuse	impacket, Responder, coercion tools	Compromise of delegated host
Constrained Delegation (KCD)	getST.py	Control of account with KCD configured
RBCD Setup + Abuse	addcomputer.py, rbcd.py, getST.py	GenericWrite or WriteDACL on target computer
Shadow Credentials	pywhisker.py, getnthash.py	WriteProperty on msDS-KeyCredentialLink
Coerce Authentication (PetitPotam)	PetitPotam.py	Valid domain credentials
Coerce Authentication (PrinterBug)	printerbug.py	Valid domain credentials

Delegation Overview

Kerberos delegation allows a service to impersonate users when accessing other services on their behalf. There are three types, each with different risk profiles and abuse paths.

Lateral Movement — From Kali

Mon, 01 Jan 0001 00:00:00 +0000

Quick Reference

Technique	Tool	Auth Type	Notes
Pass-the-Hash	psexec.py, wmiexec.py, nxc	NTLM hash	No plaintext needed
Pass-the-Ticket	psexec.py -k, wmiexec.py -k	Kerberos ccache	Set KRB5CCNAME first
Evil-WinRM	evil-winrm	Password / Hash / Ticket	WinRM port 5985/5986
WMI Execution	wmiexec.py	Password / Hash	Output shown, less noisy
DCOM Execution	dcomexec.py	Password / Hash	Multiple COM objects
RDP PtH	xfreerdp /pth	NTLM hash	Requires Restricted Admin mode
SMB Exec	psexec.py, smbexec.py	Password / Hash	Different noise levels
Proxychains	proxychains + any tool	Any	Internal network pivoting

Pass-the-Hash (PtH) from Linux

Concept

NTLM authentication does not require knowledge of the plaintext password — it only requires the NT hash. The NT hash is the MD4 hash of the Unicode password, and it is used directly in the NTLM challenge-response exchange. A valid NT hash is sufficient to authenticate against any service using NTLM.

Lateral Movement — From Windows

Mon, 01 Jan 0001 00:00:00 +0000

Quick Reference

Technique	Tool	Requirement
Pass-the-Hash (PtH)	Mimikatz, Invoke-TheHash, PsExec	Local Admin / NTLM hash
Pass-the-Ticket (PtT)	Rubeus, Mimikatz	Valid Kerberos ticket (.kirbi / base64)
Overpass-the-Hash	Mimikatz, Rubeus	NTLM or AES256 hash
WMI Exec	PowerShell WMI, wmic, SharpWMI	Local Admin on target
DCOM Exec	PowerShell COM objects	Local Admin / DCOM permissions
PowerShell Remoting	Enter-PSSession, Invoke-Command	WinRM enabled, appropriate rights
PsExec	Sysinternals PsExec	Local Admin, ADMIN$ writable
Remote Service	sc.exe	Local Admin on target
Scheduled Task	schtasks.exe	Local Admin / valid credentials
Token Impersonation	Incognito, Invoke-TokenManipulation	SeImpersonatePrivilege
RDP	mstsc, tscon	RDP enabled, valid credentials or SYSTEM

Pass-the-Hash (PtH)

Pass-the-Hash abuses the NTLM authentication protocol by presenting a captured password hash directly instead of the cleartext password. The target authenticates the hash without needing the plaintext credential.

Domain & Forest Trusts — From Kali

Mon, 01 Jan 0001 00:00:00 +0000

Quick Reference

Attack	Requirement	Tool
Cross-domain Kerberoasting	Valid low-priv creds in child domain	GetUserSPNs.py
Cross-domain AS-REP Roasting	Valid low-priv creds in child domain	GetNPUsers.py
SID History Injection (parent-child)	Domain Admin in child domain, child krbtgt hash	ticketer.py
Cross-domain DCSync	Replication rights or DA in target domain	secretsdump.py
One-way inbound trust abuse	DA in trusted domain, inter-realm key	ticketer.py (silver), getST.py
One-way outbound trust abuse	DA in trusting domain, TDO GUID	secretsdump.py, getTGT.py
Cross-forest Kerberoasting	Bidirectional forest trust, valid creds	GetUserSPNs.py
Golden ticket cross-domain	Child krbtgt hash + parent domain SID	ticketer.py
BloodHound trust mapping	Valid creds, network access to DC	bloodhound-python

Trust Concepts

Trust Types

A Trust is a relationship between two domains that allows security principals in one domain to authenticate to resources in another. Trust information is stored in Active Directory as Trusted Domain Objects (TDOs) under CN=System.

Persistence — From Kali

Mon, 01 Jan 0001 00:00:00 +0000

Quick Reference

Technique	Requirement	Detection Risk
DCSync	Domain Admin or explicit replication rights	High — replication request from non-DC
Golden Ticket	krbtgt NTLM + AES256 hash, domain SID	Medium — no TGT event (4768) on DC
Silver Ticket	Service account NTLM hash, domain SID, SPN	Low — no DC contact at all
Diamond Ticket	krbtgt AES256, valid user credentials	Low — based on a real TGT
NTDS.dit VSS	Shell on DC, local admin	High — shadow copy creation event
DPAPI Backup Key	Domain Admin, DC access	Medium — LDAP/RPC request to DC
ACL-based (DCSync rights)	WriteDACL or GenericAll on domain root	Low — ACL change may not alert
Machine Account creation	Any user with MachineAccountQuota > 0	Low
Pass-the-Hash persistence	Local admin hash, no domain rights needed	Low — appears as normal auth

DCSync

What It Is

DCSync abuses the Directory Replication Service (DRS) protocol. Domain controllers use DRS to replicate directory data between themselves. The GetNCChanges function is the core RPC call used. Any account with the following rights on the domain root object can invoke this:

Advanced Techniques — From Windows

Mon, 01 Jan 0001 00:00:00 +0000

Quick Reference

Technique	Tool	Requirement	Impact
KrbRelayUp (RBCD)	KrbRelayUp + Rubeus	Domain-joined, no LDAP signing	Low-priv → SYSTEM
gMSA password read	GMSAPasswordReader	Authorized principal	Lateral movement
LAPS password read	Get-AdmPwdPassword / PowerView	Read perm on ms-Mcs-AdmPwd	Local admin on target
PPL bypass (mimidrv)	Mimikatz + mimidrv.sys	Local admin	LSASS dump despite PPL
PPL bypass (PPLdump)	PPLdump	Local admin	LSASS dump despite PPL
LSASS dump (comsvcs)	LOLBAS / rundll32	Local admin	Credential extraction
WebDAV coercion trigger	PowerShell	Shell on target	Force HTTP auth for relay
Shadow credentials	Whisker	GenericWrite on account	PKINIT auth, NT hash

KrbRelayUp — Local Privilege Escalation to SYSTEM

What KrbRelayUp Is

KrbRelayUp abuses Resource-Based Constrained Delegation (RBCD) to escalate from a low-privilege domain user with a local shell to NT AUTHORITY\SYSTEM on the same machine. The attack creates a new machine account, configures RBCD on the target machine to trust that new account, then uses S4U2Self + S4U2Proxy to get a Kerberos service ticket impersonating Administrator (or any domain user) for the current machine — then uses that ticket to spawn a SYSTEM process.

Azure AD Hybrid Attacks — From Kali

Mon, 01 Jan 0001 00:00:00 +0000

Quick Reference

Attack	Requirement	Impact
MSOL Account DCSync	Local admin on AAD Connect server	Full domain + cloud compromise
AZUREADSSOACC$ Abuse	DCSync rights or DA	Forge Azure AD tokens
PHS Hash Extraction	MSOL DCSync rights	Cloud account takeover
PTA Abuse	On-prem DC compromise	Transparent cloud auth bypass
Golden SAML	ADFS signing cert theft	Persistent cloud access

Azure AD Connect Abuse (MSOL Account)

Azure AD Connect synchronizes on-premises Active Directory to Azure AD. During setup, it creates a service account named MSOL_xxxxxxxx in the on-premises domain. This account is granted DS-Replication-Get-Changes and DS-Replication-Get-Changes-All on the domain root — the exact permissions required for DCSync. Its password is stored encrypted in a SQL LocalDB instance on the AAD Connect server.

GPO Abuse — From Windows

Mon, 01 Jan 0001 00:00:00 +0000

Quick Reference

Technique	Tool	Requirement	Effect
Immediate Scheduled Task	SharpGPOAbuse	Write on GPO	Code exec as SYSTEM on all linked machines
Restricted Groups	SharpGPOAbuse	Write on GPO	Add attacker to local Admins
User Rights Assignment	SharpGPOAbuse	Write on GPO	Grant SeDebugPrivilege / SeImpersonatePrivilege
Manual XML task	PowerShell / SYSVOL write	Write on GPO or SYSVOL	Arbitrary command as SYSTEM
New GPO + Link	PowerView / RSAT	CreateGPO right + link permission	Full control over target OU
GPO Delegation read	PowerView / BloodHound	Any domain user	Map attack surface

GPO Fundamentals

Group Policy Objects (GPOs) are containers of policy settings applied to users and computers. They are linked to Organizational Units (OUs), Sites, or the Domain. When a machine or user logs in, the domain controller delivers applicable GPOs via SYSVOL (a shared folder replicated to all DCs). The machine then applies them every 90 minutes by default (± 30-minute random offset), or immediately on gpupdate /force.

Advanced Techniques — From Kali

Mon, 01 Jan 0001 00:00:00 +0000

Quick Reference

Technique	Tool	Requirement	Impact
WebDAV Coercion → LDAP relay	ntlmrelayx + PetitPotam	WebClient running on target	RBCD, shadow creds, DA
gMSA password read	gMSADumper / nxc	Authorized principal	Lateral movement
Zerologon	cve-2020-1472	Network access to DC (pre-patch)	Instant DA
noPac (CVE-2021-42278/42287)	noPac.py	Domain user	DA via KDC spoofing
LAPS read	nxc / ldapsearch	Read perm on ms-Mcs-AdmPwd	Local admin on target
LSASS dump (offline parse)	pypykatz	LSASS dump file	Credential extraction
KrbRelayUp pre-check	nxc ldap	Network access	Identify LDAP signing state

WebDAV Coercion — Bypass SMB Signing for NTLM Relay

Why WebDAV Coercion Works

Standard NTLM relay from SMB to LDAP is blocked when SMB signing is required (which is enforced on DCs by default). WebDAV coercion forces the target to authenticate over HTTP instead of SMB. HTTP authentication does not enforce signing, so it can be relayed to LDAP even when the target has SMB signing enabled.