This cheat sheet contains common enumeration and attack methods for Windows Active Directory.

This cheat sheet is inspired by the PayloadAllTheThings repo.


  • Active Directory Exploitation Cheat Sheet
    • Summary
    • Tools
    • Domain Enumeration
      • Using PowerView
      • Using AD Module
      • Using BloodHound
        • Remote BloodHound
        • On Site BloodHound
      • Using Adalanche
        • Remote adalanche
      • Useful Enumeration Tools
    • Local Privilege Escalation
      • Useful Local Priv Esc Tools
    • Lateral Movement
      • Powershell Remoting
      • Remote Code Execution with PS Credentials
      • Import a PowerShell Module and Execute its Functions Remotely
      • Executing Remote Stateful commands
      • Mimikatz
      • Remote Desktop Protocol
      • URL File Attacks
      • Useful Tools
    • Domain Privilege Escalation
      • Kerberoast
      • ASREPRoast
      • Password Spray Attack
      • Force Set SPN
      • Abusing Shadow Copies
      • List and Decrypt Stored Credentials using Mimikatz
      • Unconstrained Delegation
      • Constrained Delegation
      • Resource Based Constrained Delegation
      • DNSAdmins Abuse
      • Abusing Active Directory-Integraded DNS
      • Abusing Backup Operators Group
      • Abusing Exchange
      • Weaponizing Printer Bug
      • Abusing ACLs
      • Abusing IPv6 with mitm6
      • SID History Abuse
      • Exploiting SharePoint
      • Zerologon
      • PrintNightmare
      • Active Directory Certificate Services
      • No PAC
    • Domain Persistence
      • Golden Ticket Attack
      • DCsync Attack
      • Silver Ticket Attack
      • Skeleton Key Attack
      • DSRM Abuse
      • Custom SSP
    • Cross Forest Attacks
      • Trust Tickets
      • Abuse MSSQL Servers
      • Breaking Forest Trusts


Domain Enumeration

Using PowerView

Powerview v.3.0
Powerview Wiki

  • Get Current Domain: Get-Domain
  • Enumerate Other Domains: Get-Domain -Domain <DomainName>
  • Get Domain SID: Get-DomainSID
  • Get Domain Policy:

#Will show us the policy configurations of the Domain about system access or kerberos
Get-DomainPolicy | Select-Object -ExpandProperty SystemAccess
Get-DomainPolicy | Select-Object -ExpandProperty KerberosPolicy
  • Get Domain Controllers:
Get-DomainController -Domain <DomainName>
  • Enumerate Domain Users:
#Save all Domain Users to a file
Get-DomainUser | Out-File -FilePath .\DomainUsers.txt

#Will return specific properties of a specific user
Get-DomainUser -Identity [username] -Properties DisplayName, MemberOf | Format-List

#Enumerate user logged on a machine
Get-NetLoggedon -ComputerName <ComputerName>

#Enumerate Session Information for a machine
Get-NetSession -ComputerName <ComputerName>

#Enumerate domain machines of the current/specified domain where specific users are logged into
Find-DomainUserLocation -Domain <DomainName> | Select-Object UserName, SessionFromName
  • Enum Domain Computers:
Get-DomainComputer -Properties OperatingSystem, Name, DnsHostName | Sort-Object -Property DnsHostName

#Enumerate Live machines
Get-DomainComputer -Ping -Properties OperatingSystem, Name, DnsHostName | Sort-Object -Property DnsHostName