> ## Documentation Index
> Fetch the complete documentation index at: https://notes.chaelsoo.me/llms.txt
> Use this file to discover all available pages before exploring further.

# Active Directory

Active Directory attack chains typically follow: enumerate → credential access → lateral movement → privilege escalation → domain dominance. Each concept below is a node in that chain.

<CardGroup cols={2}>
  <Card title="Enumeration" icon="magnifying-glass" href="./enumeration">
    Unauthenticated and authenticated AD recon: BloodHound, PowerView, bloodyAD, ACL sweeps
  </Card>

  <Card title="Kerberoasting" icon="key" href="./kerberoasting">
    Request TGS for SPN-registered accounts and crack the service account hash offline
  </Card>

  <Card title="AS-REP Roasting" icon="lock" href="./asrep-roasting">
    Extract AS-REP for accounts with pre-auth disabled, no credentials required
  </Card>

  <Card title="Credential Dumping" icon="database" href="./credential-dumping">
    SAM, LSASS, NTDS.dit: extracting hashes from memory, registry, and the AD database
  </Card>

  <Card title="Pass Attacks" icon="repeat" href="./pass-attacks">
    PTH, PTT, Overpass-the-Hash, Pass-the-Certificate: authenticate without cracking
  </Card>

  <Card title="ACL Abuse" icon="triangle-exclamation" href="./acl-abuse">
    Exploit misconfigured ACEs: GenericAll, WriteDACL, WriteOwner, ForceChangePassword, shadow creds
  </Card>

  <Card title="Delegation" icon="users" href="./delegation">
    Unconstrained, constrained, and RBCD: abuse Kerberos delegation to impersonate privileged users
  </Card>

  <Card title="ADCS" icon="award" href="./adcs">
    Certificate template misconfigs (ESC1–ESC11): forge certs to authenticate as any domain user
  </Card>

  <Card title="Trusts" icon="code-branch" href="./trusts">
    Cross-domain and cross-forest trusts: ExtraSids attack to escalate from child to parent domain
  </Card>
</CardGroup>

## Quick Attack Flow

```wrap theme={"theme":{"light":"night-owl","dark":"night-owl"}}
Foothold (low-priv user)
  → Enumerate with BloodHound + PowerView
  → AS-REP Roast / Kerberoast → crack hashes
  → PTH / PTT with obtained hashes
  → ACL abuse / delegation → higher-priv account
  → DCSync or NTDS.dit dump → full domain compromise
```
