Enumeration & Discovery — From Windows

Quick Reference

| Technique | Tool | Privilege Needed |
|---|---|---|
| Domain / forest info | Native AD cmdlets, PowerView | Domain user |
| User / group / computer enumeration | Get-ADUser, Get-DomainUser | Domain user |
| SPN discovery (Kerberoast candidates) | Get-ADUser, PowerView | Domain user |
| AdminSDHolder / privileged objects | Get-ADObject | Domain user |
| ACL enumeration | PowerView | Domain user |
| Local admin discovery | Find-LocalAdminAccess | Domain user |
| Share discovery | Find-DomainShare, Snaffler | Domain user |
| Full graph collection | SharpHound | Domain user |
| Host recon | Seatbelt | Local user (some checks need admin) |
| Session enumeration | SharpHound, NetSessionEnum | Local admin (remote hosts) |
| GPO enumeration | PowerView | Domain user |
| Trust mapping | Get-DomainTrust, nltest | Domain user |

Native AD Cmdlets

No extra tooling required. Requires the ActiveDirectory PowerShell module, which is present on domain-joined systems with RSAT installed, or can be imported from a DC. ...

11 min · MrAzoth

Delegation Attacks — From Windows

Delegation Attacks — From Windows

Kerberos delegation allows services to impersonate users when accessing downstream resources on their behalf. Misconfigured delegation is one of the most reliable paths to domain compromise from a low-privilege Windows foothold. This guide covers all four major delegation attack classes — Unconstrained, Constrained (KCD), Resource-Based Constrained Delegation (RBCD), and Shadow Credentials — with full PowerShell and command-line tradecraft.

Quick Reference Table

| Attack | Primary Tool | Required Privilege |
|---|---|---|
| Unconstrained Delegation | Rubeus monitor + coercion | Local Admin on delegating host |
| Constrained Delegation | Rubeus s4u | Service account creds or hash |
| RBCD | PowerMad + PowerView + Rubeus | GenericWrite or WriteDACL on target computer object |
| Shadow Credentials | Whisker + Rubeus | WriteProperty on msDS-KeyCredentialLink |

1. Delegation Concepts

1.1 Why Delegation Exists

Kerberos delegation was introduced to solve the “double-hop” problem: when a front-end web service needs to authenticate to a back-end SQL server using the identity of the connecting user, it needs the ability to forward or impersonate that user’s credentials downstream. Three delegation mechanisms exist in Active Directory, each with different security boundaries and abuse surfaces. ...

21 min · MrAzoth

Domain & Forest Trusts — From Windows

Quick Reference

| Attack | Requirement | Tool |
|---|---|---|
| Cross-domain Kerberoast | Valid domain user in child | Rubeus |
| Parent-Child escalation | krbtgt hash of child | Mimikatz / Rubeus |
| Diamond Ticket cross-domain | krbtgt AES256 + DA creds | Rubeus |
| One-way inbound abuse | DCSync TDO object | Mimikatz |
| One-way outbound abuse | DCSync TDO GUID | Mimikatz |
| Cross-forest Kerberoast | Trust configured | Rubeus |

Trust Concepts

Trust Types

| Type | Value | Description |
|---|---|---|
| DOWNLEVEL | 1 | Windows NT 4.0-style trust |
| UPLEVEL | 2 | Active Directory (Kerberos-based) trust |
| MIT | 3 | Non-Windows Kerberos realm |
| DCE | 4 | Theoretical, not used in practice |

Parent-Child Trust — A two-way, transitive trust automatically created when a new domain is added to an existing tree. The child domain and parent domain mutually authenticate via Kerberos. ...

16 min · MrAzoth