Skip to main content
Active Directory attack chains typically follow: enumerate → credential access → lateral movement → privilege escalation → domain dominance. Each concept below is a node in that chain.

Enumeration

Unauthenticated and authenticated AD recon: BloodHound, PowerView, bloodyAD, ACL sweeps

Kerberoasting

Request TGS for SPN-registered accounts and crack the service account hash offline

AS-REP Roasting

Extract AS-REP for accounts with pre-auth disabled, no credentials required

Credential Dumping

SAM, LSASS, NTDS.dit: extracting hashes from memory, registry, and the AD database

Pass Attacks

PTH, PTT, Overpass-the-Hash, Pass-the-Certificate: authenticate without cracking

ACL Abuse

Exploit misconfigured ACEs: GenericAll, WriteDACL, WriteOwner, ForceChangePassword, shadow creds

Delegation

Unconstrained, constrained, and RBCD: abuse Kerberos delegation to impersonate privileged users

ADCS

Certificate template misconfigs (ESC1–ESC11): forge certs to authenticate as any domain user

Trusts

Cross-domain and cross-forest trusts: ExtraSids attack to escalate from child to parent domain

Quick Attack Flow