Summary
This document is intended as a useful, informational asset for those looking to understand the specific tactics, techniques, and procedures (TTPs) attackers are leveraging to compromise Active Directory, together with guidance on mitigation, detection, and prevention. It also covers the Active Directory kill chain and modern post-exploitation adversary tradecraft.
Table of Contents
- Discovery
- Privilege Escalation
- Defense Evasion
- Credential Dumping
- Lateral Movement
- Persistence
- Defense & Detection
Discovery
SPN Scanning
- SPN Scanning – Service Discovery without Network Port Scanning
- Active Directory: PowerShell script to list all SPNs used
- Discovering Service Accounts Without Using Privileges
Data Mining
- A Data Hunting Overview
- Push it, Push it Real Good
- Finding Sensitive Data on Domain SQL Servers using PowerUpSQL
- Sensitive Data Discovery in Email with MailSniper
- Remotely Searching for Sensitive Files
- I Hunt Sysadmins - harmj0y
User Hunting
- Hidden Administrative Accounts: BloodHound to the Rescue
- Active Directory Recon Without Admin Rights
- Gathering AD Data with the Active Directory PowerShell Module
- Using ActiveDirectory module for Domain Enumeration from PowerShell Constrained Language Mode
- PowerUpSQL Active Directory Recon Functions
- Derivative Local Admin
- Automated Derivative Administrator Search
- Dumping Active Directory Domain Info – with PowerUpSQL!
- Local Group Enumeration
- Attack Mapping With Bloodhound
- Situational Awareness
- Commands for Domain Network Compromise
- A Pentester’s Guide to Group Scoping
LAPS
- Microsoft LAPS Security & Active Directory LAPS Configuration Recon
- Running LAPS with PowerView
- RastaMouse LAPS Part 1 & 2
AppLocker
Active Directory Federation Services
- 118 Attacking ADFS Endpoints with PowerShell Karl Fosaaen
- Using PowerShell to Identify Federated Domains
- LyncSniper: A tool for penetration testing Skype for Business and Lync deployments
- Troopers 19 - I am AD FS and So Can You
Privilege Escalation
sAMAccountName Spoofing
Abusing Active Directory Certificate Services
PetitPotam
Zerologon
- Cobalt Strike ZeroLogon-BOF
- CVE-2020-1472 POC
- Zerologon: instantly become domain admin by subverting Netlogon cryptography (CVE-2020-1472)
Passwords in SYSVOL & Group Policy Preferences
- Finding Passwords in SYSVOL & Exploiting Group Policy Preferences
- Pentesting in the Real World: Group Policy Pwnage
MS14-068 Kerberos Vulnerability
- MS14-068: Vulnerability in (Active Directory) Kerberos Could Allow Elevation of Privilege
- Digging into MS14-068, Exploitation and Defence
- From MS14-068 to Full Compromise – Step by Step
DNSAdmins
- Abusing DNSAdmins privilege for escalation in Active Directory
- From DNSAdmins to Domain Admin, When DNSAdmins is More than Just DNS Administration
Kerberos Delegation
- Constructing Kerberos Attacks with Delegation Primitives
- No Shells Required - a Walkthrough on Using Impacket and Kerberos to Delegate Your Way to DA
- CVE-2020-17049: Kerberos Bronze Bit Attack – Overview
Unconstrained Delegation
- Domain Controller Print Server + Unconstrained Kerberos Delegation = Pwned Active Directory Forest
- Active Directory Security Risk #101: Kerberos Unconstrained Delegation (or How Compromise of a Single Server Can Compromise the Domain)
- Unconstrained Delegation Permissions
- Trust? Years to earn, seconds to break
- Hunting in Active Directory: Unconstrained Delegation & Forests Trusts
- Exploiting Unconstrained Delegation
Constrained Delegation
Resource-Based Constrained Delegation
- Wagging the Dog: Abusing Resource-Based Constrained Delegation to Attack Active Directory
- Kerberos Resource-based Constrained Delegation: Computer Object Take Over
- Resource Based Constrained Delegation
- A Case Study in Wagging the Dog: Computer Takeover
- BloodHound 2.1's New Computer Takeover Attack
Insecure Group Policy Object Permission Rights
- Abusing GPO Permissions
- A Red Teamer’s Guide to GPOs and OUs
- File templates for GPO Abuse
- GPO Abuse - Part 1
- GPO Abuse - Part 2
- SharpGPOAbuse
Insecure ACLs Permission Rights
- Exploiting Weak Active Directory Permissions With Powersploit
- Escalating privileges with ACLs in Active Directory
- Abusing Active Directory Permissions with PowerView
- BloodHound 1.3 – The ACL Attack Path Update
- Scanning for Active Directory Privileges & Privileged Accounts
- Active Directory Access Control List – Attacks and Defense
- aclpwn - Active Directory ACL exploitation with BloodHound
Domain Trusts
- A Guide to Attacking Domain Trusts
- It's All About Trust – Forging Kerberos Trust Tickets to Spoof Access across Active Directory Trusts
- Active Directory forest trusts part 1 - How does SID filtering work?
- The Forest Is Under Control. Taking over the entire Active Directory forest
- Not A Security Boundary: Breaking Forest Trusts
- The Trustpocalypse
- Pentesting Active Directory Forests
- Security Considerations for Active Directory (AD) Trusts
- Kerberos Golden Tickets are Now More Golden
DCShadow
- Privilege Escalation With DCShadow
- DCShadow
- DCShadow explained: A technical deep dive into the latest AD attack technique
- DCShadow - Silently turn off Active Directory Auditing
- DCShadow - Minimal permissions, Active Directory Deception, Shadowception and more
RID
Microsoft SQL Server
- How to get SQL Server Sysadmin Privileges as a Local Admin with PowerUpSQL
- Compromise With Powerupsql – Sql Attacks
Red Forest
Exchange
NTLM Relay & LLMNR/NBNS
- Pwning with Responder – A Pentester’s Guide
- Practical guide to NTLM Relaying in 2017 (A.K.A getting a foothold in under 5 minutes)
- Relaying credentials everywhere with ntlmrelayx
- Beyond LLMNR/NBNS Spoofing – Exploiting Active Directory-Integrated DNS
- Combining NTLM Relaying and Kerberos delegation
- mitm6 – compromising IPv4 networks via IPv6
- The worst of both worlds: Combining NTLM Relaying and Kerberos delegation
Lateral Movement
Microsoft SQL Server Database links
- SQL Server – Link… Link… Link… and Shell: How to Hack Database Links in SQL Server!
- SQL Server Link Crawling with PowerUpSQL
Pass The Hash
- Performing Pass-the-hash Attacks With Mimikatz
- How to Pass-the-Hash with Mimikatz
- Pass-the-Hash Is Dead: Long Live LocalAccountTokenFilterPolicy
System Center Configuration Manager (SCCM)
- Targeted Workstation Compromise With Sccm
- PowerSCCM - PowerShell module to interact with SCCM deployments
WSUS
Password Spraying
- Password Spraying Windows Active Directory Accounts - Tradecraft Security Weekly #5
- Attacking Exchange with MailSniper
- A Password Spraying tool for Active Directory Credentials by Jacob Wilkin
- SprayingToolkit
Automated Lateral Movement
- GoFetch is a tool to automatically exercise an attack plan generated by the BloodHound application
- DeathStar - Automate getting Domain Admin using Empire
- ANGRYPUPPY - Bloodhound Attack Path Automation in CobaltStrike
Defense Evasion
In-Memory Evasion
- Bypassing Memory Scanners with Cobalt Strike and Gargoyle
- In-Memory Evasions Course
- Bring Your Own Land (BYOL) – A Novel Red Teaming Technique
Endpoint Detection and Response (EDR) Evasion
- Red Teaming in the EDR age
- Sharp-Suite - Process Argument Spoofing
- Red Team Tactics: Combining Direct System Calls and sRDI to bypass AV/EDR
- Dechaining Macros and Evading EDR
- Bypass EDR’s memory protection, introduction to hooking
- Bypassing Cylance and other AVs/EDRs by Unhooking Windows APIs
- Silencing Cylance: A Case Study in Modern EDRs
OPSEC
- Modern Defenses and YOU!
- OPSEC Considerations for Beacon Commands
- Red Team Tradecraft and TTP Guidance
- Fighting the Toolset
Microsoft ATA & ATP Evasion
- Red Team Techniques for Evading, Bypassing, and Disabling MS Advanced Threat Protection and Advanced Threat Analytics
- Red Team Revenge - Attacking Microsoft ATA
- Evading Microsoft ATA for Active Directory Domination
PowerShell ScriptBlock Logging Bypass
PowerShell Anti-Malware Scan Interface (AMSI) Bypass
- How to bypass AMSI and execute ANY malicious Powershell code
- AMSI: How Windows 10 Plans to Stop Script-Based Attacks
- AMSI Bypass: Patching Technique
- Invisi-Shell - Hide your Powershell script in plain sight. Bypass all Powershell security features
- Dynamic Microsoft Office 365 AMSI In Memory Bypass Using VBA
- AmsiScanBuffer Bypass - Part 1
- AMSI Bypass
Loading .NET Assemblies Anti-Malware Scan Interface (AMSI) Bypass
AppLocker & Device Guard Bypass
Sysmon Evasion
- Subverting Sysmon: Application of a Formalized Security Product Evasion Methodology
- sysmon-config-bypass-finder
- Shhmon — Silencing Sysmon via Driver Unload
HoneyTokens Evasion
Disabling Security Tools
Credential Dumping
NTDS.DIT Password Extraction
- How Attackers Pull the Active Directory Database (NTDS.dit) from a Domain Controller
- Extracting Password Hashes From The Ntds.dit File
SAM (Security Accounts Manager)
Kerberoasting
- Kerberoasting Without Mimikatz
- Cracking Kerberos TGS Tickets Using Kerberoast – Exploiting Kerberos to Compromise the Active Directory Domain
- Extracting Service Account Passwords With Kerberoasting
- Cracking Service Account Passwords with Kerberoasting
- Kerberoast PW list for cracking passwords with complexity requirements
- DerbyCon 2019 - Kerberoasting Revisited
Kerberos AP-REP Roasting
Windows Credential Manager/Vault
DCSync
- Mimikatz and DCSync and ExtraSids, Oh My
- Mimikatz DCSync Usage, Exploitation, and Detection
- Dump Clear-Text Passwords for All Admins in the Domain Using Mimikatz DCSync
LLMNR/NBT-NS Poisoning
Others
Persistence
Diamond Ticket
Golden Ticket
SID History
Silver Ticket
- How Attackers Use Kerberos Silver Tickets to Exploit Systems
- Sneaky Active Directory Persistence #16: Computer Accounts & Domain Controller Silver Tickets
DCShadow
AdminSDHolder
- Sneaky Active Directory Persistence #15: Leverage AdminSDHolder & SDProp to (Re)Gain Domain Admin Rights
- Persistence Using Adminsdholder And Sdprop
Group Policy Object
Skeleton Keys
- Unlocking All The Doors To Active Directory With The Skeleton Key Attack
- Skeleton Key
- Attackers Can Now Use Mimikatz to Implant Skeleton Key on Domain Controllers & BackDoor Your Active Directory Forest
SeEnableDelegationPrivilege
- The Most Dangerous User Right You (Probably) Have Never Heard Of
- SeEnableDelegationPrivilege Active Directory Backdoor
Security Support Provider
Directory Services Restore Mode
- Sneaky Active Directory Persistence #11: Directory Service Restore Mode (DSRM)
- Sneaky Active Directory Persistence #13: DSRM Persistence v2
ACLs & Security Descriptors
- An ACE Up the Sleeve: Designing Active Directory DACL Backdoors
- Shadow Admins – The Stealthy Accounts That You Should Fear The Most
- The Unintended Risks of Trusting Active Directory
Tools & Scripts
- AD_Miner - AD Miner is an Active Directory audit tool that leverages cypher queries to crunch data from the #Bloodhound graph database to uncover security weaknesses.
- Certify - Certify is a C# tool to enumerate and abuse misconfigurations in Active Directory Certificate Services (AD CS).
- PSPKIAudit - PowerShell toolkit for auditing Active Directory Certificate Services (AD CS).
- PowerView - Situational Awareness PowerShell framework
- BloodHound - Six Degrees of Domain Admin
- Impacket - Impacket is a collection of Python classes for working with network protocols
- aclpwn.py - Active Directory ACL exploitation with BloodHound
- CrackMapExec - A swiss army knife for pentesting networks
- ADACLScanner - A tool with GUI or command line used to create reports of access control lists (DACLs) and system access control lists (SACLs) in Active Directory
- zBang - zBang is a risk assessment tool that detects potential privileged account threats
- SafetyKatz - SafetyKatz is a combination of a slightly modified version of @gentilkiwi's Mimikatz project and @subTee's .NET PE Loader.
- SharpDump - SharpDump is a C# port of PowerSploit's Out-Minidump.ps1 functionality.
- PowerUpSQL - A PowerShell Toolkit for Attacking SQL Server
- Rubeus - Rubeus is a C# toolset for raw Kerberos interaction and abuses
- ADRecon - A tool which gathers information about the Active Directory and generates a report which can provide a holistic picture of the current state of the target AD environment
- Mimikatz - Utility to extract plaintext passwords, hashes, PIN codes and Kerberos tickets from memory, and also to perform pass-the-hash and pass-the-ticket or build Golden Tickets
- Grouper - A PowerShell script for helping to find vulnerable settings in AD Group Policy.
- Powermad - PowerShell MachineAccountQuota and DNS exploit tools
- RACE - RACE is a PowerShell module for executing ACL attacks against Windows targets.
- DomainPasswordSpray - DomainPasswordSpray is a tool written in PowerShell to perform a password spray attack against users of a domain.
- MailSniper - MailSniper is a penetration testing tool for searching through email in a Microsoft Exchange environment for specific terms (passwords, insider intel, network architecture information, etc.)
- LAPSToolkit - Tool to audit and attack LAPS environments.
- CredDefense - Credential and Red Teaming Defense for Windows Environments
- ldapdomaindump - Active Directory information dumper via LDAP
- SpoolSample - PoC tool to coerce Windows hosts to authenticate to other machines via the MS-RPRN RPC interface
- adconnectdump - Azure AD Connect password extraction
- o365recon - Script to retrieve information via O365 with a valid cred
- ROADtools - ROADtools is a framework to interact with Azure AD. I
- Stormspotter - Stormspotter creates an “attack graph” of the resources in an Azure subscription.
- AADInternals - AADInternals is a PowerShell module for administering Azure AD and Office 365
- MicroBurst: A PowerShell Toolkit for Attacking Azure - MicroBurst includes functions and scripts that support Azure Services discovery, weak configuration auditing, and post exploitation actions such as credential dumping.
- sam-the-admin - Exploiting CVE-2021-42278 and CVE-2021-42287 to impersonate DA from standard domain user
- CVE-2021-42287/CVE-2021-42278 Scanner & Exploiter - Yet another low effort domain user to domain admin exploit.
- ADModule - Microsoft signed ActiveDirectory PowerShell module
- ImproHound - Identify the attack paths in BloodHound breaking your AD tiering
- ADExplorerSnapshot.py - ADExplorerSnapshot.py is an AD Explorer snapshot ingestor for BloodHound.
- orpheus - Bypassing Kerberoast Detections with Modified KDC Options and Encryption Types
- BackupOperatorToolkit
Ebooks
- The Dog Whisperer’s Handbook – A Hacker’s Guide to the BloodHound Galaxy
- Varonis eBook: Pen Testing Active Directory Environments
Cheat Sheets
- Tools Cheat Sheets - Tools (PowerView, PowerUp, Empire, and PowerSploit)
- DogWhisperer - BloodHound Cypher Cheat Sheet (v2)
- PowerView-3.0 tips and tricks
- PowerView-2.0 tips and tricks
- BloodhoundAD-Queries
- Kerberos Attacks Cheat Sheet
- Bloodhound Cypher Cheatsheet
- Kerberos cheatsheet
- Active Directory Exploitation Cheat Sheet
- Pentesting Active Directory Mindmaps
Other Resources
- Tactics, Techniques and Procedures for Attacking Active Directory BlackHat Asia 2019
- Bloodhound walkthrough. A Tool for Many Tradecrafts
- Attack Methods for Gaining Domain Admin Rights in Active Directory
- PowerShell Is Dead Epic Learnings
- Finding Our Path: How We’re Trying to Improve Active Directory Security
- SteelCon 2019: Getting Splunky With Kerberos - Ross Bingham and Tom MacDonald
- AD-security-workshop