Attack active directory using modern post exploitation adversary trade craft activity
Discovery
SPN Scanning
- SPN Scanning – Service Discovery without Network Port Scanning
- Active Directory: PowerShell script to list all SPNs used
- Discovering Service Accounts Without Using Privileges
Data Mining
- A Data Hunting Overview
- Push it, Push it Real Good
- Finding Sensitive Data on Domain SQL Servers using PowerUpSQL
- Sensitive Data Discovery in Email with MailSniper
- Remotely Searching for Sensitive Files
- I Hunt Sysadmins – harmj0y
User Hunting
- Hidden Administrative Accounts: BloodHound to the Rescue
- Active Directory Recon Without Admin Rights
- Gathering AD Data with the Active Directory PowerShell Module
- Using ActiveDirectory module for Domain Enumeration from PowerShell Constrained Language Mode
- PowerUpSQL Active Directory Recon Functions
- Derivative Local Admin
- Dumping Active Directory Domain Info – with PowerUpSQL!
- Local Group Enumeration
- Attack Mapping With Bloodhound
- Situational Awareness
- Commands for Domain Network Compromise
- A Pentester’s Guide to Group Scoping
LAPS
- Microsoft LAPS Security & Active Directory LAPS Configuration Recon
- Running LAPS with PowerView
- RastaMouse LAPS Part 1 & 2
AppLocker
Azure
- I’m in your cloud… reading everyone’s email. Hacking Azure AD via Active Directory
- Utilizing Azure Services for Red Team Engagements
- Blue Cloud of Death: Red Teaming Azure
- Azure AD Connect for Red Teamers
- Red Teaming Microsoft: Part 1 – Active Directory Leaks via Azure
- Attacking & Defending the Microsoft Cloud
Active Directory Federation Services
- 118 Attacking ADFS Endpoints with PowerShell Karl Fosaaen
- Using PowerShell to Identify Federated Domains
- LyncSniper: A tool for penetration testing Skype for Business and Lync deployments
- Troopers 19 – I am AD FS and So Can You
Privilege Escalation
Passwords in SYSVOL & Group Policy Preferences
- Finding Passwords in SYSVOL & Exploiting Group Policy Preferences
- Pentesting in the Real World: Group Policy Pwnage
MS14-068 Kerberos Vulnerability
- MS14-068: Vulnerability in (Active Directory) Kerberos Could Allow Elevation of Privilege
- Digging into MS14-068, Exploitation and Defence
- From MS14-068 to Full Compromise – Step by Step
DNSAdmins
- Abusing DNSAdmins privilege for escalation in Active Directory
- From DNSAdmins to Domain Admin, When DNSAdmins is More than Just DNS Administration
Kerberos Delegation
Unconstrained Delegation
- Active Directory Security Risk #101: Kerberos Unconstrained Delegation (or How Compromise of a Single Server Can Compromise the Domain)
- Domain Controller Print Server + Unconstrained Kerberos Delegation = Pwned Active Directory Forest
- Active Directory Security Risk #101: Kerberos Unconstrained Delegation (or How Compromise of a Single Server Can Compromise the Domain)
- Unconstrained Delegation Permissions
- Trust? Years to earn, seconds to break
- Hunting in Active Directory: Unconstrained Delegation & Forests Trusts
- Exploiting Unconstrained Delegation
Constrained Delegation
Resource-Based Constrained Delegation
- Wagging the Dog: Abusing Resource-Based Constrained Delegation to Attack Active Directory
- Kerberos Resource-based Constrained Delegation: Computer Object Take Over
- Resource Based Constrained Delegation
- A Case Study in Wagging the Dog: Computer Takeover
- BloodHound 2.1’s New Computer Takeover Attack
Insecure Group Policy Object Permission Rights
- Abusing GPO Permissions
- A Red Teamer’s Guide to GPOs and OUs
- File templates for GPO Abuse
- GPO Abuse – Part 1
- SharpGPOAbuse
Insecure ACLs Permission Rights
- Exploiting Weak Active Directory Permissions With Powersploit
- Escalating privileges with ACLs in Active Directory
- Abusing Active Directory Permissions with PowerView
- BloodHound 1.3 – The ACL Attack Path Update
- Scanning for Active Directory Privileges & Privileged Accounts
- Active Directory Access Control List – Attacks and Defense
- aclpwn – Active Directory ACL exploitation with BloodHound
Domain Trusts
- A Guide to Attacking Domain Trusts
- It’s All About Trust – Forging Kerberos Trust Tickets to Spoof Access across Active Directory Trusts
- Active Directory forest trusts part 1 – How does SID filtering work?
- The Forest Is Under Control. Taking over the entire Active Directory forest
- Not A Security Boundary: Breaking Forest Trusts
- The Trustpocalypse
- Pentesting Active Directory Forests
DCShadow
- Privilege Escalation With DCShadow
- DCShadow
- DCShadow explained: A technical deep dive into the latest AD attack technique
- DCShadow – Silently turn off Active Directory Auditing
- DCShadow – Minimal permissions, Active Directory Deception, Shadowception and more
RID
Microsoft SQL Server
- How to get SQL Server Sysadmin Privileges as a Local Admin with PowerUpSQL
- Compromise With Powerupsql – Sql Attacks
Red Forest
Exchange
LLMNR/NBNS
- Pwning with Responder – A Pentester’s Guide
- Practical guide to NTLM Relaying in 2017 (A.K.A getting a foothold in under 5 minutes)
- Relaying credentials everywhere with ntlmrelayx
- Beyond LLMNR/NBNS Spoofing – Exploiting Active Directory-Integrated DNS
Lateral Movement
Microsoft SQL Server Database links
- SQL Server – Link… Link… Link… and Shell: How to Hack Database Links in SQL Server!
- SQL Server Link Crawling with PowerUpSQL
Pass The Hash
- Performing Pass-the-hash Attacks With Mimikatz
- How to Pass-the-Hash with Mimikatz
- Pass-the-Hash Is Dead: Long Live LocalAccountTokenFilterPolicy
System Center Configuration Manager (SCCM)
- Targeted Workstation Compromise With Sccm
- PowerSCCM – PowerShell module to interact with SCCM deployments
WSUS
Password Spraying
- Password Spraying Windows Active Directory Accounts – Tradecraft Security Weekly #5
- Attacking Exchange with MailSniper
- A Password Spraying tool for Active Directory Credentials by Jacob Wilkin
- SprayingToolkit
Automated Lateral Movement
- GoFetch is a tool to automatically exercise an attack plan generated by the BloodHound application
- DeathStar – Automate getting Domain Admin using Empire
- ANGRYPUPPY – Bloodhound Attack Path Automation in CobaltStrike
Defense Evasion
In-Memory Evasion
- Bypassing Memory Scanners with Cobalt Strike and Gargoyle
- In-Memory Evasions Course
- Bring Your Own Land (BYOL) – A Novel Red Teaming Technique
Endpoint Detection and Response (EDR) Evasion
- Red Teaming in the EDR age
- Sharp-Suite – Process Argument Spoofing
- Red Team Tactics: Combining Direct System Calls and sRDI to bypass AV/EDR
- Dechaining Macros and Evading EDR
- Bypass EDR’s memory protection, introduction to hooking
- Bypassing Cylance and other AVs/EDRs by Unhooking Windows APIs
- Silencing Cylance: A Case Study in Modern EDRs
OPSEC
- Modern Defenses and YOU!
- OPSEC Considerations for Beacon Commands
- Red Team Tradecraft and TTP Guidance
- Fighting the Toolset
Microsoft ATA & ATP Evasion
- Red Team Techniques for Evading, Bypassing, and Disabling MS Advanced Threat Protection and Advanced Threat Analytics
- Red Team Revenge – Attacking Microsoft ATA
- Evading Microsoft ATA for Active Directory Domination
PowerShell ScriptBlock Logging Bypass
PowerShell Anti-Malware Scan Interface (AMSI) Bypass
- How to bypass AMSI and execute ANY malicious Powershell code
- AMSI: How Windows 10 Plans to Stop Script-Based Attacks
- AMSI Bypass: Patching Technique
- Invisi-Shell – Hide your Powershell script in plain sight. Bypass all Powershell security features
- Dynamic Microsoft Office 365 AMSI In Memory Bypass Using VBA
- AmsiScanBuffer Bypass – Part 1
- AMSI Bypass
Loading .NET Assemblies Anti-Malware Scan Interface (AMSI) Bypass
AppLocker & Device Guard Bypass
Sysmon Evasion
- Subverting Sysmon: Application of a Formalized Security Product Evasion Methodology
- sysmon-config-bypass-finder
- Shhmon — Silencing Sysmon via Driver Unload
HoneyTokens Evasion
Disabling Security Tools
Credential Dumping
NTDS.DIT Password Extraction
- How Attackers Pull the Active Directory Database (NTDS.dit) from a Domain Controller
- Extracting Password Hashes From The Ntds.dit File
SAM (Security Accounts Manager)
Kerberoasting
- Kerberoasting Without Mimikatz
- Cracking Kerberos TGS Tickets Using Kerberoast – Exploiting Kerberos to Compromise the Active Directory Domain
- Extracting Service Account Passwords With Kerberoasting
- Cracking Service Account Passwords with Kerberoasting
- Kerberoast PW list for cracking passwords with complexity requirements
- DerbyCon 2019 – Kerberoasting Revisited
Kerberos AP-REP Roasting
Windows Credential Manager/Vault
DCSync
- Mimikatz and DCSync and ExtraSids, Oh My
- Mimikatz DCSync Usage, Exploitation, and Detection
- Dump Clear-Text Passwords for All Admins in the Domain Using Mimikatz DCSync
LLMNR/NBT-NS Poisoning
Others
Persistence
Golden Ticket
SID History
Silver Ticket
- How Attackers Use Kerberos Silver Tickets to Exploit Systems
- Sneaky Active Directory Persistence #16: Computer Accounts & Domain Controller Silver Tickets
DCShadow
AdminSDHolder
- Sneaky Active Directory Persistence #15: Leverage AdminSDHolder & SDProp to (Re)Gain Domain Admin Rights
- Persistence Using Adminsdholder And Sdprop
Group Policy Object
Skeleton Keys
- Unlocking All The Doors To Active Directory With The Skeleton Key Attack
- Skeleton Key
- Attackers Can Now Use Mimikatz to Implant Skeleton Key on Domain Controllers & BackDoor Your Active Directory Forest
SeEnableDelegationPrivilege
- The Most Dangerous User Right You (Probably) Have Never Heard Of
- SeEnableDelegationPrivilege Active Directory Backdoor
Security Support Provider
Directory Services Restore Mode
- Sneaky Active Directory Persistence #11: Directory Service Restore Mode (DSRM)
- Sneaky Active Directory Persistence #13: DSRM Persistence v2
ACLs & Security Descriptors
- An ACE Up the Sleeve: Designing Active Directory DACL Backdoors
- Shadow Admins – The Stealthy Accounts That You Should Fear The Most
- The Unintended Risks of Trusting Active Directory
Tools & Scripts
- PowerView – Situational Awareness PowerShell framework
- BloodHound – Six Degrees of Domain Admin
- Impacket – Impacket is a collection of Python classes for working with network protocols
- aclpwn.py – Active Directory ACL exploitation with BloodHound
- CrackMapExec – A swiss army knife for pentesting networks
- ADACLScanner – A tool with GUI or command linte used to create reports of access control lists (DACLs) and system access control lists (SACLs) in Active Directory
- zBang – zBang is a risk assessment tool that detects potential privileged account threats
- SafetyKatz – SafetyKatz is a combination of slightly modified version of @gentilkiwi’s Mimikatz project and @subTee’s .NET PE Loader.
- SharpDump – SharpDump is a C# port of PowerSploit’s Out-Minidump.ps1 functionality.
- PowerUpSQL – A PowerShell Toolkit for Attacking SQL Server
- Rubeus – Rubeus is a C# toolset for raw Kerberos interaction and abuses
- ADRecon – A tool which gathers information about the Active Directory and generates a report which can provide a holistic picture of the current state of the target AD environment
- Mimikatz – Utility to extract plaintexts passwords, hash, PIN code and kerberos tickets from memory but also perform pass-the-hash, pass-the-ticket or build Golden tickets
- Grouper – A PowerShell script for helping to find vulnerable settings in AD Group Policy.
- Powermad – PowerShell MachineAccountQuota and DNS exploit tools
- RACE – RACE is a PowerShell module for executing ACL attacks against Windows targets.
- DomainPasswordSpray – DomainPasswordSpray is a tool written in PowerShell to perform a password spray attack against users of a domain.
- MailSniper – MailSniper is a penetration testing tool for searching through email in a Microsoft Exchange environment for specific terms (passwords, insider intel, network architecture information, etc.)
- LAPSToolkit – Tool to audit and attack LAPS environments.
- CredDefense – Credential and Red Teaming Defense for Windows Environments
Ebooks
- The Dog Whisperer’s Handbook – A Hacker’s Guide to the BloodHound Galaxy
- Varonis eBook: Pen Testing Active Directory Environments
Cheat Sheets
- Tools Cheat Sheets – Tools (PowerView, PowerUp, Empire, and PowerSploit)
- DogWhisperer – BloodHound Cypher Cheat Sheet (v2)
- PowerView-3.0 tips and tricks
- PowerView-2.0 tips and tricks
- BloodhoundAD-Queries
- Kerberos Attacks Cheat Sheet
- Bloodhound Cypher Cheatsheet
Other Resources
- Tactics, Techniques and Procedures for Attacking Active Directory BlackHat Asia 2019
- Bloodhound walkthrough. A Tool for Many Tradecrafts
- Attack Methods for Gaining Domain Admin Rights in Active Directory
- PowerShell Is Dead Epic Learnings
- Finding Our Path: How We’re Trying to Improve Active Directory Security
- SteelCon 2019: Getting Splunky With Kerberos – Ross Bingham and Tom MacDonald