- Kerberos Clock Synchronization
- Active Directory Recon
- Using BloodHound
- Using PowerView
- Using AD Module
- From CVE to SYSTEM shell on DC
- MS14-068 Checksum Validation
- ZeroLogon
- PrintNightmare
- samAccountName spoofing
- Open Shares
- SCF and URL file attack against writeable share
- SCF Files
- URL Files
- Windows Library Files
- Windows Search Connectors Files
- Passwords in SYSVOL & Group Policy Preferences
- Exploit Group Policy Objects GPO
- Find vulnerable GPO
- Abuse GPO with SharpGPOAbuse
- Abuse GPO with PowerGPOAbuse
- Abuse GPO with pyGPOAbuse
- Abuse GPO with PowerView
- Abuse GPO with StandIn
- Dumping AD Domain Credentials
- DCSync Attack
- Volume Shadow Copy
- Extract hashes from ntds.dit
- Using Mimikatz sekurlsa
- Crack NTLM hashes with hashcat
- NTDS Reversible Encryption
- User Hunting
- Password spraying
- Kerberos pre-auth bruteforcing
- Spray a pre-generated password list
- Spray passwords against the RDP service
- BadPwdCount attribute
- Password in AD User comment
- Password of Pre-Created Computer Account
- Reading LAPS Password
- Reading GMSA Password
- Forging Golden GMSA
- Kerberos Tickets
- Dump Kerberos Tickets
- Replay Kerberos Tickets
- Convert Kerberos Tickets
- Pass-the-Ticket Golden Tickets
- Using Mimikatz
- Using Meterpreter
- Using a ticket on Linux
- Pass-the-Ticket Silver Tickets
- Pass-the-Ticket Diamond Tickets
- Pass-the-Ticket Sapphire Tickets
- Kerberoasting
- KRB_AS_REP Roasting
- CVE-2022-33679
- Timeroasting
- Pass-the-Hash
- OverPass-the-Hash (pass the key)
- Using impacket
- Using Rubeus
- Capturing and cracking Net-NTLMv1/NTLMv1 hashes
- Capturing and cracking Net-NTLMv2/NTLMv2 hashes
- Man-in-the-Middle attacks & relaying
- MS08-068 NTLM reflection
- LDAP signing not required and LDAP channel binding disabled
- SMB Signing Disabled and IPv4
- SMB Signing Disabled and IPv6
- Drop the MIC
- Ghost Potato – CVE-2019-1384
- RemotePotato0 DCOM DCE RPC relay
- DNS Poisoning – Relay delegation with mitm6
- Relaying with WebDav Trick
- Active Directory Certificate Services
- ESC1 – Misconfigured Certificate Templates
- ESC2 – Misconfigured Certificate Templates
- ESC3 – Misconfigured Enrollment Agent Templates
- ESC4 – Access Control Vulnerabilities
- ESC6 – EDITF_ATTRIBUTESUBJECTALTNAME2
- ESC7 – Vulnerable Certificate Authority Access Control
- ESC8 – AD CS Relay Attack
- ESC9 – No Security Extension
- ESC11 – Relaying NTLM to ICPR
- Certifried CVE-2022-26923
- Pass-The-Certificate
- UnPAC The Hash
- Shadow Credentials
- Active Directory Groups
- Dangerous Built-in Groups Usage
- Abusing DNS Admins Group
- Abusing Schema Admins Group
- Abusing Backup Operators Group
- Active Directory Federation Services
- ADFS – Golden SAML
- Active Directory Integrated DNS
- Abusing Active Directory ACLs/ACEs
- GenericAll
- GenericWrite
- GenericWrite and Remote Connection Manager
- WriteDACL
- WriteOwner
- ReadLAPSPassword
- ReadGMSAPassword
- ForceChangePassword
- DCOM Exploitation
- DCOM via MMC Application Class
- DCOM via Excel
- DCOM via ShellExecute
- Trust relationship between domains
- Child Domain to Forest Compromise – SID Hijacking
- Forest to Forest Compromise – Trust Ticket
- Privileged Access Management (PAM) Trust
- Kerberos Unconstrained Delegation
- SpoolService Abuse with Unconstrained Delegation
- MS-EFSRPC Abuse with Unconstrained Delegation
- Kerberos Constrained Delegation
- Kerberos Resource Based Constrained Delegation
- Kerberos Service for User Extension
- S4U2self – Privilege Escalation
- Kerberos Bronze Bit Attack – CVE-2020-17049
- PrivExchange attack
- SCCM Deployment
- SCCM Network Access Accounts
- SCCM Shares
- WSUS Deployment
- RODC – Read Only Domain Controller
- RODC Golden Ticket
- RODC Key List Attack
- RODC Computer Object
- PXE Boot image attack
- DSRM Credentials
- DNS Reconnaissance
- Linux Active Directory
- CCACHE ticket reuse from /tmp
- CCACHE ticket reuse from keyring
- CCACHE ticket reuse from SSSD KCM
- CCACHE ticket reuse from keytab
- Extract accounts from /etc/krb5.keytab
- Extract accounts from /etc/sssd/sssd.conf