Enumeration & Discovery — From Windows

Mon, 01 Jan 0001 00:00:00 +0000

Quick Reference

Technique	Tool	Privilege Needed
Domain / forest info	Native AD cmdlets, PowerView	Domain user
User / group / computer enumeration	Get-ADUser, Get-DomainUser	Domain user
SPN discovery (Kerberoast candidates)	Get-ADUser, PowerView	Domain user
AdminSDHolder / privileged objects	Get-ADObject	Domain user
ACL enumeration	PowerView	Domain user
Local admin discovery	Find-LocalAdminAccess	Domain user
Share discovery	Find-DomainShare, Snaffler	Domain user
Full graph collection	SharpHound	Domain user
Host recon	Seatbelt	Local user (some checks need admin)
Session enumeration	SharpHound, NetSessionEnum	Local admin (remote hosts)
GPO enumeration	PowerView	Domain user
Trust mapping	Get-DomainTrust, nltest	Domain user

Native AD Cmdlets

No extra tooling required. Requires the ActiveDirectory PowerShell module, which is present on domain-joined systems with RSAT installed, or can be imported from a DC.

Delegation Attacks — From Windows

Mon, 01 Jan 0001 00:00:00 +0000

Abusing Kerberos delegation (Unconstrained, Constrained, RBCD, Shadow Credentials) from a Windows foothold using Rubeus, PowerView, and PowerMad.

Domain & Forest Trusts — From Windows

Mon, 01 Jan 0001 00:00:00 +0000

Enumerating and exploiting Active Directory domain and forest trusts from a Windows foothold: SID history injection, golden ticket cross-domain, inter-realm key abuse.

Powerview on MrAzoth

Enumeration & Discovery — From Windows

Quick Reference

Native AD Cmdlets

Delegation Attacks — From Windows

Domain & Forest Trusts — From Windows