Active Directory Exploitation Cheat Sheet – A Comprehensive Guide To Enumeration And Attack Methods

This cheat sheet contains common enumeration and attack methods for Windows Active Directory.

This cheat sheet is inspired by the PayloadAllTheThings repo.

Summary

• Active Directory Exploitation Cheat Sheet
  • Summary
  • Tools
  • Domain Enumeration
    • Using PowerView
    • Using AD Module
    • Using BloodHound
      • Remote BloodHound
      • On Site BloodHound
    • Using Adalanche
      • Remote adalanche
    • Useful Enumeration Tools
  • Local Privilege Escalation
    • Useful Local Priv Esc Tools
  • Lateral Movement
    • Powershell Remoting
    • Remote Code Execution with PS Credentials
    • Import a PowerShell Module and Execute its Functions Remotely
    • Executing Remote Stateful commands
    • Mimikatz
    • Remote Desktop Protocol
    • URL File Attacks
    • Useful Tools
  • Domain Privilege Escalation
    • Kerberoast
    • ASREPRoast
    • Password Spray Attack
    • Force Set SPN
    • Abusing Shadow Copies
    • List and Decrypt Stored Credentials using Mimikatz
    • Unconstrained Delegation
    • Constrained Delegation
    • Resource Based Constrained Delegation
    • DNSAdmins Abuse
    • Abusing Active Directory-Integraded DNS
    • Abusing Backup Operators Group
    • Abusing Exchange
    • Weaponizing Printer Bug
    • Abusing ACLs
    • Abusing IPv6 with mitm6
    • SID History Abuse
    • Exploiting SharePoint
    • Zerologon
    • PrintNightmare
    • Active Directory Certificate Services
    • No PAC
  • Domain Persistence
    • Golden Ticket Attack
    • DCsync Attack
    • Silver Ticket Attack
    • Skeleton Key Attack
    • DSRM Abuse
    • Custom SSP
  • Cross Forest Attacks
    • Trust Tickets
    • Abuse MSSQL Servers
    • Breaking Forest Trusts

Tools

• Powersploit
• PowerUpSQL
• Powermad
• Impacket
• Mimikatz
• Rubeus -> Compiled Version
• BloodHound
• AD Module
• ASREPRoast
• Adalanche

Domain Enumeration

Using PowerView

Powerview v.3.0
Powerview Wiki

• Get Current Domain: Get-Domain
• Enumerate Other Domains: Get-Domain -Domain <DomainName>
• Get Domain SID: Get-DomainSID
• Get Domain Policy:

Get-DomainPolicy

#Will show us the policy configurations of the Domain about system access or kerberos
Get-DomainPolicy | Select-Object -ExpandProperty SystemAccess
Get-DomainPolicy | Select-Object -ExpandProperty KerberosPolicy

• Get Domain Controllers:

Get-DomainController
Get-DomainController -Domain <DomainName>

• Enumerate Domain Users:

#Save all Domain Users to a file
Get-DomainUser | Out-File -FilePath .\DomainUsers.txt

#Will return specific properties of a specific user
Get-DomainUser -Identity [username] -Properties DisplayName, MemberOf | Format-List

#Enumerate user logged on a machine
Get-NetLoggedon -ComputerName <ComputerName>

#Enumerate Session Information for a machine
Get-NetSession -ComputerName <ComputerName>

#Enumerate domain machines of the current/specified domain where specific users are logged into
Find-DomainUserLocation -Domain <DomainName> | Select-Object UserName, SessionFromName

• Enum Domain Computers:

Get-DomainComputer -Properties OperatingSystem, Name, DnsHostName | Sort-Object -Property DnsHostName

#Enumerate Live machines
Get-DomainComputer -Ping -Properties OperatingSystem, Name, DnsHostName | Sort-Object -Property DnsHostName