Active Directory Attack Path
From initial foothold to domain admin. A step-by-step approach to enumerating and attacking Active Directory environments during authorized penetration tests.
Initial Enumeration
Once you have a foothold on a domain-joined machine (or credentials), start mapping the environment. Enumerate users, groups, computers, group policies, trust relationships, and ACLs. This gives you the lay of the land and reveals potential attack paths before you start making noise.
Tools for this step
Tip: BloodHound is the single most important tool here. SharpHound collects the data, BloodHound visualizes attack paths to Domain Admin. Run it first, study the output, plan your moves. CrackMapExec does quick checks across the network without BloodHound's collection overhead.
Credential Harvesting
Look for credentials everywhere. Check for Kerberoastable accounts (service accounts with SPNs), AS-REP roastable accounts (no pre-authentication required), cached credentials, credentials in Group Policy Preferences, LSASS dumps, and passwords in shares or scripts.
Tools for this step
Tip: Rubeus handles Kerberoasting, AS-REP roasting, and ticket manipulation. Mimikatz dumps credentials from memory. LaZagne recovers passwords stored by browsers, mail clients, and other software. CrackMapExec can spray passwords across the domain to find reuse.
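Both roasting techniques leave distinct traces in the domain controller's Security log, which is what the defenders will be hunting for while you work. The following is an added example, not part of the original workflow: detection logic over constructed event records (field names modelled on Windows 4769 service-ticket and 4768 TGT events, values invented for illustration) that flags one account requesting RC4 tickets for many distinct SPNs in a short window, and TGT requests issued without pre-authentication.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events modelled on Windows Security log fields
# (4769 = Kerberos service ticket request, 4768 = TGT request).
# Illustrative records only, not captured from a real domain.
SAMPLE_EVENTS = [
    {"id": 4769, "time": "2024-03-01T10:00:01", "user": "alice@CORP.LOCAL", "service": "MSSQLSvc/db01", "etype": "0x17"},
    {"id": 4769, "time": "2024-03-01T10:00:02", "user": "alice@CORP.LOCAL", "service": "HTTP/web01", "etype": "0x17"},
    {"id": 4769, "time": "2024-03-01T10:00:03", "user": "alice@CORP.LOCAL", "service": "CIFS/files01", "etype": "0x17"},
    {"id": 4769, "time": "2024-03-01T10:00:04", "user": "alice@CORP.LOCAL", "service": "MSSQLSvc/db02", "etype": "0x17"},
    {"id": 4769, "time": "2024-03-01T10:30:00", "user": "bob@CORP.LOCAL", "service": "HTTP/web01", "etype": "0x12"},
    {"id": 4768, "time": "2024-03-01T11:00:00", "user": "svc_backup", "preauth": 0, "etype": "0x17"},
    {"id": 4768, "time": "2024-03-01T11:00:05", "user": "carol", "preauth": 2, "etype": "0x12"},
]

RC4 = "0x17"  # RC4-HMAC: roasting tools request it because it cracks fastest

def detect_kerberoasting(events, threshold=3, window=timedelta(minutes=5)):
    """Flag accounts that request RC4 service tickets for at least `threshold`
    distinct SPNs inside `window`, the signature of Rubeus-style Kerberoasting."""
    per_user = defaultdict(list)
    for e in events:
        if e["id"] == 4769 and e["etype"] == RC4:
            per_user[e["user"]].append((datetime.fromisoformat(e["time"]), e["service"]))
    flagged = {}
    for user, reqs in per_user.items():
        reqs.sort()  # chronological, so each start index opens a forward window
        for i, (t0, _) in enumerate(reqs):
            in_window = {svc for t, svc in reqs[i:] if t - t0 <= window}
            if len(in_window) >= threshold:
                flagged[user] = sorted(in_window)
                break
    return flagged

def detect_asrep_roasting(events):
    """Flag TGT requests with no pre-authentication (PreAuthType 0) and an
    RC4 ticket: the pattern AS-REP roasting leaves in 4768 events."""
    return sorted({e["user"] for e in events
                   if e["id"] == 4768 and e.get("preauth") == 0 and e["etype"] == RC4})

if __name__ == "__main__":
    print(detect_kerberoasting(SAMPLE_EVENTS))   # alice: four RC4 SPN requests in 3 s
    print(detect_asrep_roasting(SAMPLE_EVENTS))  # ['svc_backup']
```

Requesting AES tickets and spacing requests out lowers the signal, so defenders usually pair this with auditing which accounts still have SPNs or DONT_REQ_PREAUTH set.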
Coercion and Relay Attacks
Force machines to authenticate to you, then relay those credentials to other services. This is one of the most powerful attack chains in AD: coerce a domain controller to authenticate to your machine, relay that authentication to AD Certificate Services, and get a certificate you can use for domain admin access.
Tools for this step
Tip: PetitPotam coerces authentication via MS-EFSRPC. Coercer tries multiple coercion methods automatically. Responder captures hashes from LLMNR/NBT-NS poisoning. Impacket's ntlmrelayx relays captured authentication to target services. The PetitPotam to AD CS relay chain is devastating when it works.
Lateral Movement
Move through the network using the credentials and access you've gathered. Use WinRM, SMB, WMI, or DCOM to execute commands on remote machines. Pivot through compromised hosts to reach network segments you couldn't access from your initial position.
Tools for this step
Tip: Evil-WinRM gives you a PowerShell session on remote machines via WinRM. CrackMapExec executes commands across multiple hosts simultaneously. Ligolo-ng and Chisel create tunnels for pivoting through compromised networks. Keep track of which credentials work on which machines.
Privilege Escalation
Escalate from your current access level to Domain Admin. BloodHound's analysis often reveals the shortest path. Common routes include abusing GenericAll/GenericWrite permissions on privileged groups, exploiting certificate templates via AD CS, shadow credentials attacks, and resource-based constrained delegation abuse.
Tools for this step
Tip: Whisker adds shadow credentials for stealthy Kerberos authentication. Certipy finds and exploits vulnerable AD CS certificate templates. PowerSploit's PowerView module helps enumerate ACL-based attack paths. Re-run SharpHound after compromising new accounts; you may see new paths.
Persistence and Domain Dominance
Once you have Domain Admin, demonstrate the full impact. Extract the NTDS.dit database, create golden/silver tickets, and document the complete attack chain. In a real engagement, this proves the business impact and helps the client understand what needs to be fixed and in what order.
Tools for this step
Tip: Impacket's secretsdump.py extracts all domain hashes remotely. Document every step of your attack chain with timestamps and evidence. The client needs to understand not just that you got Domain Admin, but how, so they can fix the path.