Active Directory Methodology

Active Directory Pentest Methodology

Welcome to my Active Directory penetration testing notes.

These notes are organized as a methodology‑first playbook, not a lab walkthrough. I use this notes to document how I approach Active Directory environments,

• what I enumerate first
• how trust and permissions usually break
• and how small misconfigurations can be chained into full domain compromise.

Each section links to focused notes covering enumeration patterns, common abuse techniques, and attack decision points that I tend to see over and over again

---

Overview

1. Pre-Authentication Attacks
2. Authenticated Enumeration
3. BloodHound & Graph-Based Analysis
4. Credential Access
5. Privilege Escalation
6. Lateral Movement
7. Kerberos & Ticket Abuse
8. Domain & Forest Dominance
9. Persistence
10. OPSEC
11. Evasion & Detection Awareness

---

1. Pre-Authentication Attacks (No Credentials)

Attacks possible with only network connectivity.

• Name Resolution Poisoning (LLMNR / NBT-NS / MDNS)
• IPv6 Abuse (mitm6 / DHCPv6 / DNS Takeover)
• Kerberos User Enumeration
• Password Spraying (Kerberos / NTLM)
• AS-REP Roasting (No-Preauth Accounts)
• NTLM Relay Overview
  • SMB Relay
  • LDAP / LDAPS Relay
  • AD CS Relay

---

2. Authenticated Enumeration

Performed once any valid domain account is obtained.

• Domain Object Enumeration
  • Users
  • Groups
  • Computers
  • OUs
  • Trusts
• RID Brute Force & SID Enumeration
• LDAP Enumeration & Custom Queries
• Share Enumeration & SYSVOL Analysis
• GPO Enumeration & Policy Weaknesses
• Password Policy & Kerberos Settings
• Service Discovery (MSSQL, IIS, CA, SCCM)

---

3. BloodHound & Graph-Based Analysis

Mapping effective control paths, not just permissions.

• BloodHound Collection Techniques
• SharpHound vs Python Collectors
• Attack Path Analysis
• Common Escalation Graphs
• Custom Cypher Queries

---

4. Credential Access

Obtaining reusable authentication material.

• Kerberoasting
• Targeted Kerberoasting (SPN Abuse)
• NTDS & SecretsDump Techniques
• LSASS Memory Attacks
• DPAPI Master Keys
• LAPS Abuse
• GMSA Abuse
• Credential Hunting (Configs, Scripts, Shares)

---

5. Privilege Escalation

Abusing delegated trust and misconfiguration.

• Group-Based Abuse
• ACL Abuse
  • GenericAll
  • GenericWrite
  • WriteDACL
  • WriteOwner
  • ForceChangePassword
• Backup Operators Abuse
• Delegation Abuse
  • Unconstrained Delegation
  • Constrained Delegation (S4U2Self / S4U2Proxy)
  • Resource-Based Constrained Delegation (RBCD)
• AD CS Abuse (ESC1–ESC13)
• Shadow Credentials (Key Trust)

---

6. Lateral Movement

Using credentials, tickets, or delegated rights to move.

• Pass-the-Hash
• Pass-the-Ticket
• Overpass-the-Hash
• SMB / WMI / DCOM / WinRM Execution
• RDP Abuse & Session Hijacking
• SQL Server Lateral Movement

---

7. Kerberos Ticket Abuse (Deep Dive)

Forging, modifying, and abusing Kerberos tickets.

• Golden Tickets
• Silver Tickets
• Diamond Tickets
• Sapphire Tickets
• Bronze Tickets
• Platinum Tickets
• Ticket Lifetime & PAC Manipulation
• Delegation Ticket Abuse
• Cross-Realm & Trust Tickets

---

8. Domain & Forest Dominance

Actions requiring replication or forest-level trust.

• DCSync
• DCShadow
• NTDS.dit Extraction
• Trust Abuse & Forest Escalation
• Domain Backup Key Extraction

---

9. Persistence Techniques

Maintaining long-term or stealth access.

• Golden Ticket Persistence
• Silver Ticket Persistence
• AdminSDHolder Abuse
• SID History Injection
• DSRM Abuse
• Machine Account Abuse
• Shadow Credentials Persistence

---

10. OPSEC

Managing risk, noise, and exposure during Active Directory operations.

• Authentication Hygiene & Logon Choices
• Kerberos vs NTLM OPSEC Considerations
• Ticket Usage & Lifetime Awareness
• Avoiding Credential Burn
• Service Account & Machine Account OPSEC
• BloodHound & Enumeration OPSEC
• DCSync / Replication OPSEC
• Persistence OPSEC & Cleanup

---

11. Evasion & Detection Awareness

Operational security considerations.

• AMSI Bypass Techniques
• ETW Patching & Blinding
• Token Manipulation
• Kerberos Logging & Detection Points
• Replication & DCSync Detection

---

Usage Notes

• This index is intentionally exhaustive.
• Each linked page should focus on why an attack works, not just commands.
• Tool usage is secondary to understanding trust relationships and control paths.
• Treat this as a living playbook, not static documentation.