Active Directory
Where can we go, once we are in?

AD Guides and Reference

Active Directory Basics and Collections

Active Directory Domain Services Overview (Microsoft Docs)

Domain Controllers

Domain Groups

Active Directory Security Groups - Windows security (Microsoft Docs)

Group Policy

Group Policy Overview (Microsoft Docs)

Kerberos

Kerberos Authentication Overview (Microsoft Docs)

AD Tips

CheatSheets

Attacking AD

Queries and Commands for Active Directory

AD Tools

Bloodhound

The Active Directory mapping tool. Used by red and blue teams to map out an Active Directory environment and find the shortest path to compromising Domain Admin.

Bloodhound Basics

  • Uses graph theory to reveal hidden and unintended relationships in an AD environment.
  • Easily identifies highly complex attack paths; defenders can use it to find and cut the same paths.
  • Bloodhound works by running an ingestor that queries AD for users, groups and hosts. It then connects to each system to enumerate logged-on user sessions and local group membership. ***WARNING: VERY LOUD*** (every host gets touched). There is a stealth option, but it is limited.
  • Two versions
  • Multiple collection methods you might need to specify
    • Group - group membership info
    • LocalGroup - local admin info (local group membership on each host)
    • Session - session info
    • SessionLoop - continuously collects session info until killed
    • Trust - enumerates domain trust data
    • ACL - collects ACL data
    • ComputerOnly - local admin and session data only
    • GPOLocalGroup - collects local admin info via Group Policy Objects (no connection to each host)
    • LoggedOn - collects session info using privileged methods (needs admin on the target)
    • ObjectProps - collects node property info for users and computers
    • Default - collects group membership, local admin, sessions, and domain trusts
  • Commands
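To show what "graph theory" and "shortest path to Domain Admin" mean in practice, here is an added example that is not Bloodhound's own code: collected AD relationships are stored as edges of a directed graph, and the attack path is a breadth-first search from a starting principal to the Domain Admins group. The CORP.LOCAL domain, all principal names and every edge are constructed for the example; the relationship names (MemberOf, AdminTo, HasSession, GenericAll) are the ones Bloodhound uses, and the comments say which collection method would produce each.

```python
"""Toy Bloodhound: AD relationships as a directed graph, attack paths via BFS.

Added example. Node names, edges and the domain are constructed, not collected
from a real environment.
"""
from collections import defaultdict, deque

DOMAIN_ADMINS = "DOMAIN ADMINS@CORP.LOCAL"

# Constructed sample edges: (source, relationship, target).
# Each edge means "control of source gives you target":
#   MemberOf   - group membership              (collection method: Group)
#   AdminTo    - local Administrators on host   (LocalGroup / GPOLocalGroup)
#   HasSession - user logged on to that host    (Session / LoggedOn)
#   GenericAll - full control of the object ACL (ACL)
# HasSession points from the computer to the user: once you are admin on the
# host you can harvest that user's credentials from it.
EDGES = [
    ("JSMITH@CORP.LOCAL",     "MemberOf",   "DOMAIN USERS@CORP.LOCAL"),
    ("JSMITH@CORP.LOCAL",     "MemberOf",   "HELPDESK@CORP.LOCAL"),
    ("HELPDESK@CORP.LOCAL",   "AdminTo",    "WS01.CORP.LOCAL"),
    ("WS01.CORP.LOCAL",       "HasSession", "SVC_BACKUP@CORP.LOCAL"),
    ("SVC_BACKUP@CORP.LOCAL", "GenericAll", "IT-ADMINS@CORP.LOCAL"),
    ("IT-ADMINS@CORP.LOCAL",  "MemberOf",   DOMAIN_ADMINS),
    ("BJONES@CORP.LOCAL",     "MemberOf",   "DOMAIN USERS@CORP.LOCAL"),
    ("BJONES@CORP.LOCAL",     "AdminTo",    "FS01.CORP.LOCAL"),
    ("FS01.CORP.LOCAL",       "HasSession", "BJONES@CORP.LOCAL"),   # cycle, no gain
    ("DA_ALICE@CORP.LOCAL",   "MemberOf",   DOMAIN_ADMINS),
]


def build_graph(edges):
    """Adjacency list: node -> [(relationship, next_node), ...]."""
    graph = defaultdict(list)
    for src, rel, dst in edges:
        graph[src].append((rel, dst))
    return graph


def shortest_path(graph, start, target):
    """BFS from start; returns the hops as [(src, rel, dst), ...], [] if
    start is already the target, or None if the target is unreachable."""
    if start == target:
        return []
    parent = {start: None}          # node -> (previous node, relationship)
    queue = deque([start])
    while queue:
        node = queue.popleft()
        for rel, nxt in graph.get(node, []):
            if nxt in parent:       # already visited (also breaks cycles)
                continue
            parent[nxt] = (node, rel)
            if nxt == target:
                path, cur = [], nxt
                while parent[cur] is not None:
                    prev, r = parent[cur]
                    path.append((prev, r, cur))
                    cur = prev
                return list(reversed(path))
            queue.append(nxt)
    return None


def format_path(path):
    """Render a path the way Bloodhound's GUI reads: A --Rel--> B --Rel--> C."""
    if not path:
        return ""
    out = path[0][0]
    for _src, rel, dst in path:
        out += f" --{rel}--> {dst}"
    return out


def reachability_report(graph, starts, target=DOMAIN_ADMINS):
    """Defender view: hop count to the target for each start principal
    (None = no path). Short counts are the accounts to fix first."""
    report = {}
    for s in starts:
        p = shortest_path(graph, s, target)
        report[s] = None if p is None else len(p)
    return report


if __name__ == "__main__":
    g = build_graph(EDGES)
    for user in ("JSMITH@CORP.LOCAL", "BJONES@CORP.LOCAL", "DA_ALICE@CORP.LOCAL"):
        p = shortest_path(g, user, DOMAIN_ADMINS)
        print(user, "->", "no path" if p is None else format_path(p))
```

The JSMITH path is the classic five-hop chain: a helpdesk group is local admin on a workstation, a service account has a session there, and that account holds GenericAll over a group nested in Domain Admins. None of those relationships is visible from JSMITH's own group membership, which is the "hidden and unintended" part; the same query run as a report over every user gives the defender the list of accounts to cut off from the path.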

Offensive Tools

  • AD reconnaissance and enumeration
    • ADExplorer by Sysinternals - An advanced Active Directory (AD) viewer and editor. You can use AD Explorer to easily navigate an AD database, define favorite locations, view object properties and attributes without having to open dialog boxes, edit permissions, view an object's schema, and execute sophisticated searches that you can save and re-execute.
    • ADRecon - A tool which extracts and combines various artifacts out of an AD environment.
    • ACLight - A tool for advanced discovery of privileged accounts, including Shadow Admins.
    • TruffleSnout - Iterative AD discovery toolkit for offensive operators. Situational awareness and targeted low-noise enumeration.
    • Snaffler - Gets a list of Windows computers from Active Directory, then spreads out its snaffly appendages to them all to figure out which ones have file shares, and whether you can read them.
  • CrackMapExec - CrackMapExec (a.k.a. CME) is a post-exploitation tool that helps automate assessing the security of large Active Directory networks. Built with stealth in mind, CME follows the concept of "Living off the Land": abusing built-in Active Directory features/protocols to achieve its functionality and allowing it to evade most endpoint protection/IDS/IPS solutions.
  • LAPSToolkit - Tool to audit and attack LAPS environments.
  • Powermad - PowerShell MachineAccountQuota and DNS exploit tools.

Defensive/Hardening Tools

  • PingCastle - A tool designed to quickly assess the Active Directory security level with a methodology based on risk assessment and a maturity framework.
  • Aorato Skeleton Key Malware Remote DC Scanner - Remotely scans domain controllers for the presence of the Skeleton Key malware.
  • RiskySPN - A collection of PowerShell scripts focused on detecting and abusing accounts associated with SPNs (Service Principal Names).
  • Deploy-Deception - A PowerShell module to deploy Active Directory decoy objects.
  • SpoolerScanner - Checks whether MS-RPRN (the Print Spooler RPC interface) is remotely available, in PowerShell/C#.
  • dcept - A tool for deploying and detecting use of Active Directory honeytokens.
  • DCSYNCMonitor - Monitors for DCSync and DCShadow attacks and creates custom Windows Events for them.
  • jackdaw - Jackdaw collects all information in your domain, stores it in a SQL database and shows you graphs of how your domain objects interact with each other and how a potential attacker may exploit these interactions. It also comes with a handy feature to help in a password-cracking project by storing/looking up/reporting hashes/passwords/users.

AD Certificate Services

Implement and manage Active Directory Certificate Services - Learn (Microsoft Docs)

AD Enumeration

AD Credential Harvesting

AD Privilege Escalation

AD Persistence

Special AD Targets

Microsoft SQL Server

Red Forest

Exchange