Enumeration
Unauthenticated and authenticated AD recon: BloodHound, PowerView, bloodyAD, ACL sweeps
Kerberoasting
Request TGS for SPN-registered accounts and crack the service account hash offline
AS-REP Roasting
Extract AS-REP for accounts with pre-auth disabled, no credentials required
Credential Dumping
SAM, LSASS, NTDS.dit: extracting hashes from memory, registry, and the AD database
Pass Attacks
PTH, PTT, Overpass-the-Hash, Pass-the-Certificate: authenticate without cracking
ACL Abuse
Exploit misconfigured ACEs: GenericAll, WriteDACL, WriteOwner, ForceChangePassword, shadow creds
Delegation
Unconstrained, constrained, and RBCD: abuse Kerberos delegation to impersonate privileged users
ADCS
Certificate template misconfigs (ESC1–ESC11): forge certs to authenticate as any domain user
Trusts
Cross-domain and cross-forest trusts: ExtraSids attack to escalate from child to parent domain