Cyber security

Active Directory Exploitation Cheat Sheet – A Comprehensive Guide To Enumeration And Attack Methods

This cheat sheet contains common enumeration and attack methods for Windows Active Directory.

This cheat sheet is inspired by the PayloadAllTheThings repo.

Summary

  • Active Directory Exploitation Cheat Sheet
    • Summary
    • Tools
    • Domain Enumeration
      • Using PowerView
      • Using AD Module
      • Using BloodHound
        • Remote BloodHound
        • On Site BloodHound
      • Using Adalanche
        • Remote adalanche
      • Useful Enumeration Tools
    • Local Privilege Escalation
      • Useful Local Priv Esc Tools
    • Lateral Movement
      • Powershell Remoting
      • Remote Code Execution with PS Credentials
      • Import a PowerShell Module and Execute its Functions Remotely
      • Executing Remote Stateful commands
      • Mimikatz
      • Remote Desktop Protocol
      • URL File Attacks
      • Useful Tools
    • Domain Privilege Escalation
      • Kerberoast
      • ASREPRoast
      • Password Spray Attack
      • Force Set SPN
      • Abusing Shadow Copies
      • List and Decrypt Stored Credentials using Mimikatz
      • Unconstrained Delegation
      • Constrained Delegation
      • Resource Based Constrained Delegation
      • DNSAdmins Abuse
      • Abusing Active Directory-Integraded DNS
      • Abusing Backup Operators Group
      • Abusing Exchange
      • Weaponizing Printer Bug
      • Abusing ACLs
      • Abusing IPv6 with mitm6
      • SID History Abuse
      • Exploiting SharePoint
      • Zerologon
      • PrintNightmare
      • Active Directory Certificate Services
      • No PAC
    • Domain Persistence
      • Golden Ticket Attack
      • DCsync Attack
      • Silver Ticket Attack
      • Skeleton Key Attack
      • DSRM Abuse
      • Custom SSP
    • Cross Forest Attacks
      • Trust Tickets
      • Abuse MSSQL Servers
      • Breaking Forest Trusts

Tools

Domain Enumeration

Using PowerView

Powerview v.3.0
Powerview Wiki

  • Get Current Domain: Get-Domain
  • Enumerate Other Domains: Get-Domain -Domain <DomainName>
  • Get Domain SID: Get-DomainSID
  • Get Domain Policy:
Get-DomainPolicy

#Will show us the policy configurations of the Domain about system access or kerberos
Get-DomainPolicy | Select-Object -ExpandProperty SystemAccess
Get-DomainPolicy | Select-Object -ExpandProperty KerberosPolicy
  • Get Domain Controllers:
Get-DomainController
Get-DomainController -Domain <DomainName>
  • Enumerate Domain Users:
#Save all Domain Users to a file
Get-DomainUser | Out-File -FilePath .\DomainUsers.txt

#Will return specific properties of a specific user
Get-DomainUser -Identity [username] -Properties DisplayName, MemberOf | Format-List

#Enumerate user logged on a machine
Get-NetLoggedon -ComputerName <ComputerName>

#Enumerate Session Information for a machine
Get-NetSession -ComputerName <ComputerName>

#Enumerate domain machines of the current/specified domain where specific users are logged into
Find-DomainUserLocation -Domain <DomainName> | Select-Object UserName, SessionFromName
  • Enum Domain Computers:
Get-DomainComputer -Properties OperatingSystem, Name, DnsHostName | Sort-Object -Property DnsHostName

#Enumerate Live machines
Get-DomainComputer -Ping -Properties OperatingSystem, Name, DnsHostName | Sort-Object -Property DnsHostName
Varshini

Varshini is a Cyber Security expert in Threat Analysis, Vulnerability Assessment, and Research. Passionate about staying ahead of emerging Threats and Technologies.

Recent Posts

How Do I Do Reverse Image Search

Have you ever come across a picture on the internet and wondered where it came…

5 days ago

WhatsMyName App – Find Anyone Across 640+ Platforms

Overview WhatsMyName is a free, community-driven OSINT tool designed to identify where a username exists…

2 weeks ago

Analyzing Directory Size Linux Tools Explained

Managing disk usage is a crucial task for Linux users and administrators alike. Understanding which…

2 weeks ago

Understanding Disk Usage with du Command

Efficient disk space management is vital in Linux, especially for system administrators who manage servers…

2 weeks ago

How to Check Directory Size in Linux

Knowing how to check directory sizes in Linux is essential for managing disk space and…

2 weeks ago

Essential Commands for Linux User Listing

Managing user accounts is a core responsibility for any Linux administrator. Whether you’re securing a…

2 weeks ago