- PowerShell script execution
- Download execute cradle
- Invoke-CradleCrafter (https://github.com/danielbohannon/Invoke-CradleCrafter)
- ADSI
- .NET Classes (System.DirectoryServices.ActiveDirectory)
- Native Executable
- WMI using PS
- AD Module
- Execution policy
- Remoting (psexec)
- Detections
- System-wide transcription
- script block logging
- AMSI
- CLM - Integrated with AppLocker and WDAC (Device Guard)
- Bypass
- Invisi-Shell -> https://github.com/OmerYa/Invisi-Shell/blob/master/InvisiShellProfier/InvisiShellProfiler.cpp
- https://docs.microsoft.com/en-us/dotnet/framework/unmanaged-api/profiling/profiling-overview
- https://github.com/t3hbb/DefenderCheck
- https://github.com/danielbohannon/Invoke-Obfuscation
- https://github.com/RythmStick/AMSITrigger
- https://github.com/samratashok/ADModule
- https://www.labofapenetrationtester.com/2018/10/domain-enumeration-from-PowerShell-CLM.html
- Enumeration
- GPO
- OU
- ACLs
- Trusts
- Forests
- User Hunting
- https://github.com/BloodHoundAD/BloodHound
- Privilege Escalation
- Local (https://github.com/antonioCoco/RemotePotato0, PowerUp, WinPEAS)
- Jenkins (http://www.labofapenetrationtester.com/2014/06/hacking-jenkins-servers.html, http://www.labofapenetrationtester.com/2014/08/script-execution-and-privilege-esc-jenkins.html)
- Kerberoast (https://files.sans.org/summit/hackfest2014/PDFs/Kicking%20the%20Guard%20Dog%20of%20Hades%20-%20Attacking%20Microsoft%20Kerberos%20%20-%20Tim%20Medin%281%29.pdf)
- AS-REP Roasting (https://github.com/HarmJ0y/ASREPRoast)
- Set SPN (http://www.harmj0y.net/blog/activedirectory/targeted-kerberoasting/, https://room362.com/post/2016/kerberoast-pt3/)
- Kerberos Delegation (https://labs.f-secure.com/archive/trust-years-to-earn-seconds-to-break/, http://www.labofapenetrationtester.com/2016/02/getting-domain-admin-with-kerberos-unconstrained-delegation.html, https://adsecurity.org/?p=1667, https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/dn466518(v=ws.11))
- Unconstrained Delegation
- Printer Bug (http://www.harmj0y.net/blog/redteaming/not-a-security-boundary-breaking-forest-trusts/)
- Constrained Delegation (https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-sfu/3bff5864-8135-400e-bdd9-33b552051d94, https://www.secureauth.com/blog/kerberos-delegation-spns-and-more)
- Resource Based Constrained Delegation (https://shenaniganslabs.io/2019/01/28/Wagging-the-Dog.html)
- ==Cross Trust==
- Child to Parent using trust tickets (https://adsecurity.org/?p=1588)
- Child to Parent using krbtgt hash (http://www.harmj0y.net/blog/redteaming/mimikatz-and-dcsync-and-extrasids-oh-my/)
- ==Cross Forest==
- Using Trust Tickets -> https://adsecurity.org/?p=1588
- AD CS Abuse (https://www.specterops.io/assets/resources/Certified_Pre-Owned.pdf)
- ESC 3
- ESC 6
- ESC 1
- Certify -> https://github.com/GhostPack/Certify
- MSSQL
- PowerUpSQL
- Lateral Movement
- Mimikatz -> Mimikatz – Active Directory Security (adsecurity.org), https://github.com/gentilkiwi/mimikatz
- Credential Extraction from LSASS
- OverPass-the-hash (https://www.alteredsecurity.com/post/fantastic-windows-logon-types-and-where-to-find-credentials-in-them)
- Rubeus -> https://github.com/GhostPack/Rubeus/
- DCSync
- Offensive .NET
- Kerberos
- Golden, Silver, Diamond Tickets (https://www.trustedsec.com/blog/a-diamond-in-the-ruff)
- http://passing-the-hash.blogspot.com/2014/09/pac-validation-20-minute-rule-and.html
- Krbtgt hash could also be dumped from NTDS.dit.
- https://adsecurity.org/?page_id=183
- Skeleton Key -> http://www.secureworks.com/cyber-threat-intelligence/threats/skeleton-key-malware-analysis/
- DSRM -> https://adsecurity.org/?p=1785, https://adsecurity.org/?p=1714
- Persistence
- Security Support Provider (SSP) (https://attack.mitre.org/wiki/Technique/T1101, https://docs.microsoft.com/en-us/windows/win32/secauthn/ssp-packages-provided-by-Microsoft)
- ACL Persistence
- AdminSDHolder (https://adsecurity.org/?p=1906, https://docs.microsoft.com/en-us/windows-server/identity/ad-ds/plan/security-best-practices/appendix-c--protected-accounts-and-groups-in-active-directory, https://docs.microsoft.com/en-us/previous-versions/technet-magazine/ee361593(v=msdn.10), https://www.ossir.org/paris/supports/2017/2017-04-11/2017-04-11_Active_directory_v2.5.pdf, http://www.harmj0y.net/blog/redteaming/abusing-active-directory-permissions-with-powerview/)
- Rights Abuse
- Security Descriptors
- WMI (https://docs.microsoft.com/en-us/archive/blogs/wmi/scripting-wmi-namespace-security-part-1-of-3)
- Remote Registry (https://posts.specterops.io/remote-hash-extraction-on-demand-via-host-security-descriptor-modification-2cf505ec5c40, https://github.com/HarmJ0y/DAMP)
- Detection
- https://docs.microsoft.com/en-us/windows-server/identity/ad-ds/manage/how-to-configure-protected-accounts#BKMK_AddtoProtectedUsers, https://docs.microsoft.com/en-us/windows-server/security/credentials-protection-and-management/protected-users-security-group, https://docs.microsoft.com/en-us/previous-versions/mt227395(v=msdn.10)
- Time Bound Administration
- JIT
- JEA
- Tier Model
- Control Restrictions
- Logon Restrictions
- Credential Guard (https://www.blackhat.com/docs/us-15/materials/us-15-Moore-Defeating%20Pass-the-Hash-Separation-Of-Powers-wp.pdf)
- Device Guard (https://docs.microsoft.com/en-us/windows/device-security/device-guard/introduction-to-device-guard-virtualization-based-security-and-code-integrity-policies)
- MDI (https://docs.microsoft.com/en-us/defender-for-identity/)
- Golden and Silver Ticket, Skeleton Key, DSRM, Malicious SSP, Kerberoast (https://docs.microsoft.com/en-us/windows-server/security/group-managed-service-accounts/group-managed-service-accounts-overview), ACL Attacks (ADACLScanner), Trust Tickets
- Deception
- https://docs.microsoft.com/en-us/windows-server/identity/ad-ds/plan/security-best-practices/best-practices-for-securing-active-directory, https://docs.microsoft.com/en-us/windows-server/identity/securing-privileged-access/securing-privileged-access