AD Attack Paths

Active Directory Attack Lessons

Learn Windows Active Directory attacks through structured lessons. Each attack is explained from first principles.


All Attack Paths

Kerberos

AS-REP Roasting (Coming Soon): Request an AS-REP for accounts that do not require Kerberos pre-authentication and crack it offline
Kerberoasting (Available): Request TGS tickets for accounts with SPNs and crack the service account passwords offline
Targeted Kerberoasting (Coming Soon): Set an SPN on a user you control, then Kerberoast that account
Pass-the-Ticket (Coming Soon): Import a Kerberos ticket into the current session for authentication
Overpass-the-Hash (Coming Soon): Use an NTLM hash to request a Kerberos TGT
Silver Ticket (Coming Soon): Forge a service ticket using the service account's NTLM hash
Golden Ticket (Coming Soon): Forge a TGT using the krbtgt NTLM hash for unrestricted domain access
Trust Abuse (Coming Soon): Exploit forest and domain trusts for cross-boundary access

Credential Theft

Zerologon (Coming Soon): CVE-2020-1472: exploit the Netlogon AES-CFB8 cryptographic flaw to reset the DC machine account password
GPP cPassword (Coming Soon): Extract AES-encrypted passwords from Group Policy Preferences XML
DCSync (Coming Soon): Replicate credentials from a DC using the MS-DRSR GetNCChanges call
DPAPI Backup Key (Coming Soon): Extract the domain DPAPI backup key to decrypt any user's DPAPI-protected secrets

NTLM Relay

NTLM Relay to SMB (Coming Soon): Relay captured NTLM authentication to an SMB service for remote code execution
NTLM Relay to LDAP (Coming Soon): Relay NTLM authentication to LDAP to modify AD objects (RBCD, Shadow Credentials)
NTLM Relay to AD CS (Coming Soon): Relay NTLM authentication to the AD CS HTTP enrollment endpoint to obtain a user or machine certificate

ACL Abuse

Shadow Credentials (Coming Soon): Add Key Credentials to msDS-KeyCredentialLink to authenticate via PKINIT
SPN-Jacking (Coming Soon): Hijack a service by pointing its SPN at a machine you control
DNSAdmins Abuse (Coming Soon): Load an arbitrary DLL into dns.exe via ServerLevelPluginDll

Delegation

Resource-Based Constrained Delegation (Coming Soon): Configure RBCD on a target to impersonate any user to that service
Unconstrained Delegation (Coming Soon): Extract TGTs from the memory of a machine trusted for delegation
Constrained Delegation (Coming Soon): Chain S4U2Self and S4U2Proxy to impersonate users to the allowed services

AD CS

ESC1 (Coming Soon): Enroll in a misconfigured template that allows an arbitrary SAN
ESC4 (Coming Soon): Modify a vulnerable certificate template to enable ESC1
ESC8 (Coming Soon): Relay NTLM authentication to the AD CS HTTP enrollment endpoint

Persistence

DCShadow (Coming Soon): Register a rogue DC to push malicious changes via replication
Skeleton Key (Coming Soon): Patch LSASS to accept a master password for any account
AdminSDHolder (Coming Soon): Modify the AdminSDHolder ACL to persist admin access
SID History Injection (Coming Soon): Inject a privileged SID into a user's SID history attribute

Coercion

PetitPotam (Coming Soon): Coerce DC authentication via EfsRpcOpenFileRaw
PrinterBug (Coming Soon): Coerce machine authentication via the MS-RPRN print spooler service
DFSCoerce (Coming Soon): Coerce machine authentication via MS-DFSNM