Active Directory Kill Chain Attack 101

Attack active directory using modern post exploitation adversary trade craft activity


SPN Scanning

Data Mining

User Hunting




Active Directory Federation Services

Privilege Escalation

Passwords in SYSVOL & Group Policy Preferences

MS14-068 Kerberos Vulnerability


Kerberos Delegation

Unconstrained Delegation

Constrained Delegation

Resource-Based Constrained Delegation

Insecure Group Policy Object Permission Rights

Insecure ACLs Permission Rights

Domain Trusts



Microsoft SQL Server

Red Forest



Lateral Movement

Microsoft SQL Server Database links

Pass The Hash

System Center Configuration Manager (SCCM)


Password Spraying

Automated Lateral Movement

Defense Evasion

In-Memory Evasion

Endpoint Detection and Response (EDR) Evasion


Microsoft ATA & ATP Evasion

PowerShell ScriptBlock Logging Bypass

PowerShell Anti-Malware Scan Interface (AMSI) Bypass

Loading .NET Assemblies Anti-Malware Scan Interface (AMSI) Bypass

AppLocker & Device Guard Bypass

Sysmon Evasion

HoneyTokens Evasion

Disabling Security Tools

Credential Dumping

NTDS.DIT Password Extraction

SAM (Security Accounts Manager)


Kerberos AP-REP Roasting

Windows Credential Manager/Vault


LLMNR/NBT-NS Poisoning



Golden Ticket

SID History

Silver Ticket



Group Policy Object

Skeleton Keys


Security Support Provider

Directory Services Restore Mode

ACLs & Security Descriptors

Tools & Scripts

  • PowerView – Situational Awareness PowerShell framework
  • BloodHound – Six Degrees of Domain Admin
  • Impacket – Impacket is a collection of Python classes for working with network protocols
  • – Active Directory ACL exploitation with BloodHound
  • CrackMapExec – A swiss army knife for pentesting networks
  • ADACLScanner – A tool with GUI or command linte used to create reports of access control lists (DACLs) and system access control lists (SACLs) in Active Directory
  • zBang – zBang is a risk assessment tool that detects potential privileged account threats
  • SafetyKatz – SafetyKatz is a combination of slightly modified version of @gentilkiwi’s Mimikatz project and @subTee’s .NET PE Loader.
  • SharpDump – SharpDump is a C# port of PowerSploit’s Out-Minidump.ps1 functionality.
  • PowerUpSQL – A PowerShell Toolkit for Attacking SQL Server
  • Rubeus – Rubeus is a C# toolset for raw Kerberos interaction and abuses
  • ADRecon – A tool which gathers information about the Active Directory and generates a report which can provide a holistic picture of the current state of the target AD environment
  • Mimikatz – Utility to extract plaintexts passwords, hash, PIN code and kerberos tickets from memory but also perform pass-the-hash, pass-the-ticket or build Golden tickets
  • Grouper – A PowerShell script for helping to find vulnerable settings in AD Group Policy.
  • Powermad – PowerShell MachineAccountQuota and DNS exploit tools
  • RACE – RACE is a PowerShell module for executing ACL attacks against Windows targets.
  • DomainPasswordSpray – DomainPasswordSpray is a tool written in PowerShell to perform a password spray attack against users of a domain.
  • MailSniper – MailSniper is a penetration testing tool for searching through email in a Microsoft Exchange environment for specific terms (passwords, insider intel, network architecture information, etc.)
  • LAPSToolkit – Tool to audit and attack LAPS environments.
  • CredDefense – Credential and Red Teaming Defense for Windows Environments


Cheat Sheets

Other Resources


Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s