Active Directory
Initial Enumeration
| Command | Description |
|---|---|
| Used to query the domain name system and discover the IP address to domain name mapping of the target entered from a Linux-based host. |
| Used to start capturing network packets on the network interface following the |
| Used to start responding to & analyzing |
| Performs a ping sweep on the specified network segment from a Linux-based host. |
| Performs an nmap scan with OS detection, version detection, script scanning, and traceroute enabled ( |
| Uses |
| Used to list compiling options that are possible with |
| Used to compile a |
| Used to test the chosen compiled |
| Used to move the |
| Runs the Kerbrute tool to discover usernames in the domain ( |
LLMNR/NBT-NS Poisoning
| Command | Description |
|---|---|
| Used to display the usage instructions and various options available in |
| Uses |
| Using the |
| Used to output many of the options & functionality available with |
| Starts |
| Starts the |
| PowerShell script used to disable NBT-NS on a Windows host. |
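The rows above work because a Windows host that cannot resolve a name through DNS falls back to asking the local segment: LLMNR over multicast UDP/5355 and NBT-NS over broadcast UDP/137, and any host on the segment may answer. The Python below is an added example, not code from this cheat sheet or from Responder/Inveigh; it decodes both query types the way a poisoner (or a sensor watching for spoofed answers) sees them, including the NetBIOS first-level encoding that turns a 16-byte name into 32 letters A through P. The two packets, the host name FILESRV1 and the transaction IDs are constructed for the example; on a real capture the UDP destination port, which `parse_name_query` takes as an argument, tells the two protocols apart.

```python
"""Decode LLMNR and NBT-NS name queries (added example; packets are constructed)."""
import struct

LLMNR_PORT = 5355          # multicast 224.0.0.252 / FF02::1:3
NBNS_PORT = 137            # subnet broadcast
NBNS_QTYPE_NB = 0x0020
DNS_QTYPE_A = 0x0001


def encode_netbios_name(name: str, suffix: int = 0x20) -> bytes:
    """RFC 1001/1002 first-level encoding: the 15-character space-padded name
    plus a one-byte suffix (0x20 = file server service, 0x00 = workstation)
    are split into nibbles, each written as 'A' + nibble, giving 32 bytes."""
    raw = name.upper().ljust(15)[:15].encode("ascii") + bytes([suffix])
    out = bytearray()
    for b in raw:
        out.append(0x41 + (b >> 4))
        out.append(0x41 + (b & 0x0F))
    return bytes(out)


def decode_netbios_name(encoded: bytes):
    """Inverse of encode_netbios_name; returns (name, suffix)."""
    if len(encoded) != 32 or any(not 0x41 <= c <= 0x50 for c in encoded):
        raise ValueError("not a first-level encoded NetBIOS name")
    raw = bytes(((encoded[i] - 0x41) << 4) | (encoded[i + 1] - 0x41)
                for i in range(0, 32, 2))
    return raw[:15].decode("ascii").rstrip(" "), raw[15]


def _read_name(data: bytes, offset: int):
    """Read DNS-style length-prefixed labels up to the 0x00 terminator."""
    labels = []
    while True:
        length = data[offset]
        offset += 1
        if length == 0:
            return labels, offset
        if length & 0xC0:
            raise ValueError("compression pointer in a query name")
        labels.append(data[offset:offset + length])
        offset += length


def parse_name_query(packet: bytes, dst_port: int) -> dict:
    """Parse one LLMNR or NBT-NS query. Both reuse the 12-byte DNS header;
    NBT-NS carries the encoded name as a single 32-byte label."""
    txid, flags, qdcount = struct.unpack("!HHH", packet[:6])
    if flags & 0x8000:
        raise ValueError("packet is a response, not a query")
    if qdcount != 1:
        raise ValueError("expected exactly one question")
    labels, offset = _read_name(packet, 12)
    qtype, qclass = struct.unpack("!HH", packet[offset:offset + 4])
    if dst_port == NBNS_PORT:
        name, suffix = decode_netbios_name(labels[0])
        proto = "NBT-NS"
    elif dst_port == LLMNR_PORT:
        name, suffix = ".".join(l.decode("ascii") for l in labels), None
        proto = "LLMNR"
    else:
        raise ValueError("not an LLMNR or NBT-NS port")
    return {"proto": proto, "txid": txid, "name": name, "suffix": suffix,
            "qtype": qtype, "qclass": qclass}


# Constructed sample traffic: a client looking for a host called FILESRV1.
LLMNR_QUERY = (struct.pack("!HHHHHH", 0x1A2B, 0x0000, 1, 0, 0, 0)
               + b"\x08FILESRV1\x00" + struct.pack("!HH", DNS_QTYPE_A, 1))
NBNS_QUERY = (struct.pack("!HHHHHH", 0x3C4D, 0x0110, 1, 0, 0, 0)  # 0x0110: broadcast query, RD set
              + b"\x20" + encode_netbios_name("FILESRV1", 0x20) + b"\x00"
              + struct.pack("!HH", NBNS_QTYPE_NB, 1))


def decode_samples():
    """Return both constructed queries decoded, as a poisoner would see them."""
    return [parse_name_query(LLMNR_QUERY, LLMNR_PORT),
            parse_name_query(NBNS_QUERY, NBNS_PORT)]


if __name__ == "__main__":
    for q in decode_samples():
        print(f"{q['proto']:6} txid=0x{q['txid']:04x} name={q['name']!r} qtype=0x{q['qtype']:04x}")
```

A query for a name that DNS does not know is the poisoner's opening: an answer carrying the attacker's IP sends the client's next SMB or HTTP connection there, which is where the captured NetNTLMv2 hashes in the rows above come from. The per-interface NBT-NS change in the last row, together with the "Turn off multicast name resolution" DNS Client policy setting for LLMNR, removes the fallback so there is nothing to answer.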
Password Spraying & Password Policies
| Command | Description |
|---|---|
| Bash script used to generate |
| Uses |
| Uses |
| Uses |
| Uses |
| Uses |
| Uses |
| Used to enumerate the password policy in a Windows domain from a Windows-based host. |
| Uses the Import-Module cmdlet to import the |
| Used to enumerate the password policy in a target Windows domain from a Windows-based host. |
| Uses |
| Uses rpcclient to discover user accounts in a target Windows domain from a Linux-based host. |
| Uses |
| Uses |
| Uses the python tool |
| Bash one-liner used to perform a password spraying attack using |
| Uses |
| Uses |
| Uses |
| Uses |
| Used to import the PowerShell-based tool |
| Performs a password spraying attack and outputs (-OutFile) the results to a specified file ( |
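The password-policy rows above matter because a spray that ignores the domain's lockoutThreshold and lockoutObservationWindow locks the very accounts it is testing. The Python below is an added example, not the cheat sheet's bash one-liner or DomainPasswordSpray; it plans one-password-per-round batches that stay below the threshold, waits out a full observation window between batches, and replays the plan against a simulated domain so the difference from an unpaced spray is visible. The policy values, user names and passwords are constructed, and the simulator models only badPwdCount reset and lockout; fine-grained password policies (PSOs) can override the domain defaults for individual users and must be checked separately before spraying them.

```python
"""Lockout-aware password spray scheduling (added example with a simulated domain)."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class LockoutPolicy:
    """The two policy values that matter for spraying, as read from the
    domain password policy. A threshold of 0 means accounts never lock."""
    lockout_threshold: int
    observation_window_min: int


def safe_attempts_per_window(policy: LockoutPolicy, margin: int = 2) -> Optional[int]:
    """Bad passwords one account can absorb inside a single observation window,
    keeping `margin` attempts in reserve for the real user's own typos.
    None means lockout is disabled."""
    if policy.lockout_threshold == 0:
        return None
    return max(1, policy.lockout_threshold - margin)


def plan_spray(policy: LockoutPolicy, users: List[str], passwords: List[str]
               ) -> List[Tuple[int, str, List[str]]]:
    """Return (minute_offset, password, users) rounds. One password per round
    across every user; after `safe` rounds the schedule waits out a whole
    observation window (+1 minute of slack for clock drift) so the DC has
    reset badPwdCount before the next batch."""
    safe = safe_attempts_per_window(policy)
    rounds = []
    for i, password in enumerate(passwords):
        batch = 0 if safe is None else i // safe
        when = batch * (policy.observation_window_min + 1)
        rounds.append((when, password, list(users)))
    return rounds


class SimulatedDomain:
    """Minimal model of AD bad-password accounting (constructed for this
    example): badPwdCount resets once the observation window has elapsed
    since badPasswordTime or on a successful logon; reaching the threshold
    locks the account."""

    def __init__(self, policy: LockoutPolicy, real_passwords: Dict[str, str]):
        self.policy = policy
        self.real = real_passwords
        self.bad_count = {u: 0 for u in real_passwords}
        self.last_bad: Dict[str, Optional[int]] = {u: None for u in real_passwords}
        self.locked = set()

    def try_login(self, now_min: int, user: str, password: str) -> str:
        if user in self.locked:
            return "locked"
        if self.real.get(user) == password:
            self.bad_count[user] = 0
            return "success"
        if self.policy.lockout_threshold:
            last = self.last_bad[user]
            if last is not None and now_min - last >= self.policy.observation_window_min:
                self.bad_count[user] = 0
            self.bad_count[user] += 1
            self.last_bad[user] = now_min
            if self.bad_count[user] >= self.policy.lockout_threshold:
                self.locked.add(user)
                return "locked"
        return "fail"


def run_spray(domain: SimulatedDomain, rounds):
    """Execute a schedule against the simulated domain; returns (found, locked)."""
    found = []
    for when, password, users in sorted(rounds, key=lambda r: r[0]):
        for user in users:
            if domain.try_login(when, user, password) == "success":
                found.append((user, password))
    return found, set(domain.locked)


# Constructed scenario: a common policy (5 attempts / 30 minutes), three
# users, seven candidate passwords; only bob uses one of them.
POLICY = LockoutPolicy(lockout_threshold=5, observation_window_min=30)
USERS = ["alice", "bob", "carol"]
PASSWORDS = ["Welcome1", "Password1", "Spring2023!", "Summer2023!",
             "Company123", "Autumn2023!", "Winter2023!"]
REAL_PASSWORDS = {"alice": "u7$Qm!x2Zp", "bob": "Winter2023!", "carol": "9kL#vB1rT@"}


def demo_paced():
    """Windowed schedule: one hit, nobody locked."""
    return run_spray(SimulatedDomain(POLICY, REAL_PASSWORDS),
                     plan_spray(POLICY, USERS, PASSWORDS))


def demo_naive():
    """All passwords at once: every account locks, and the valid password is
    never observed because bob is already locked when it is tried."""
    return run_spray(SimulatedDomain(POLICY, REAL_PASSWORDS),
                     [(0, pw, USERS) for pw in PASSWORDS])


if __name__ == "__main__":
    print("paced:", demo_paced())
    print("naive:", demo_naive())
```

With a threshold of 5 and a 30-minute window the planner tries three passwords, pauses 31 minutes, and continues; the unpaced run locks all three accounts before the seventh password is reached, so the valid credential is missed as well as the lockouts being raised.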
Enumerating Security Controls
| Command | Description |
|---|---|
| PowerShell cmdlet used to check the status of |
| PowerShell cmdlet used to view |
| PowerShell script used to discover the |
| A |
| A |
| A |
Credentialed Enumeration
| Command | Description |
|---|---|
| Connects to a Windows target using valid credentials. Performed from a Linux-based host. |
| Authenticates with a Windows target over |
| Authenticates with a Windows target over |
| Authenticates with a Windows target over |
| Authenticates with a Windows target over |
| Authenticates with a Windows target over |
| Enumerates the target Windows domain using valid credentials and lists shares & permissions available on each within the context of the valid credentials used and the target Windows host ( |
| Enumerates the target Windows domain using valid credentials and performs a recursive listing ( |
| Enumerates a target user account in a Windows domain using its relative identifier ( |
| Discovers user accounts in a target Windows domain and their associated relative identifiers ( |
| Impacket tool used to connect to the |
| Impacket tool used to connect to the |
| Used to display the options and functionality of windapsearch.py. Performed from a Linux-based host. |
| Used to enumerate the domain admins group ( |
| Used to perform a recursive search ( |
| Executes the python implementation of BloodHound ( |
Enumeration by Living Off the Land
| Command | Description |
|---|---|
| PowerShell cmdlet used to list all available modules, their version and command options from a Windows-based host. |
| Loads the |
| PowerShell cmdlet used to gather Windows domain information from a Windows-based host. |
| PowerShell cmdlet used to enumerate user accounts on a target Windows domain and filter by |
| PowerShell cmdlet used to enumerate any trust relationships in a target Windows domain and filter by any ( |
| PowerShell cmdlet used to enumerate groups in a target Windows domain and filter by the name of the group ( |
| PowerShell cmdlet used to search for a specific group ( |
| PowerShell cmdlet used to discover the members of a specific group ( |
| PowerView script used to append results to a |
| PowerView script used to convert a |
| PowerView script used to request the kerberos ticket for a specified service principal name ( |
| PowerView script used to return the AD object for the current (or specified) domain. Performed from a Windows-based host. |
| PowerView script used to return a list of the target domain controllers for the specified target domain. Performed from a Windows-based host. |
| PowerView script used to return all users or specific user objects in AD. Performed from a Windows-based host. |
| PowerView script used to return all computers or specific computer objects in AD. Performed from a Windows-based host. |
| PowerView script used to return all groups or specific group objects in AD. Performed from a Windows-based host. |
| PowerView script used to search for all or specific OU objects in AD. Performed from a Windows-based host. |
| PowerView script used to find object |
| PowerView script used to return the members of a specific domain group. Performed from a Windows-based host. |
| PowerView script used to return a list of servers likely functioning as file servers. Performed from a Windows-based host. |
| PowerView script used to return a list of all distributed file systems for the current (or specified) domain. Performed from a Windows-based host. |
| PowerView script used to return all GPOs or specific GPO objects in AD. Performed from a Windows-based host. |
| PowerView script used to return the default domain policy or the domain controller policy for the current domain. Performed from a Windows-based host. |
| PowerView script used to enumerate local groups on a local or remote machine. Performed from a Windows-based host. |
| PowerView script used to enumerate members of a specific local group. Performed from a Windows-based host. |
| PowerView script used to return a list of open shares on a local (or a remote) machine. Performed from a Windows-based host. |
| PowerView script used to return session information for the local (or a remote) machine. Performed from a Windows-based host. |
| PowerView script used to test if the current user has administrative access to the local (or a remote) machine. Performed from a Windows-based host. |
| PowerView script used to find machines where specific users are logged into. Performed from a Windows-based host. |
| PowerView script used to find reachable shares on domain machines. Performed from a Windows-based host. |
| PowerView script that searches for files matching specific criteria on readable shares in the domain. Performed from a Windows-based host. |
| PowerView script used to find machines on the local domain where the current user has local administrator access. Performed from a Windows-based host. |
| PowerView script that returns domain trusts for the current domain or a specified domain. Performed from a Windows-based host. |
| PowerView script that returns all forest trusts for the current forest or a specified forest. Performed from a Windows-based host. |
| PowerView script that enumerates users who are in groups outside of the user's domain. Performed from a Windows-based host. |
| PowerView script that enumerates groups with users outside of the group's domain and returns each foreign member. Performed from a Windows-based host. |
| PowerView script that enumerates all trusts for current domain and any others seen. Performed from a Windows-based host. |
| PowerView script used to list all the members of a target group ( |
| PowerView script used to find users on the target Windows domain that have the |
| Runs a tool called |
Transferring Files
| Command | Description |
|---|---|
| Starts a python web server for quick hosting of files. Performed from a Linux-based host. |
| PowerShell one-liner used to download a file from a web server. Performed from a Windows-based host. |
| Starts an Impacket |
Kerberoasting
| Command | Description |
|---|---|
| Used to install Impacket from inside the directory that gets cloned to the attack host. Performed from a Linux-based host. |
| Impacket tool used to display the options and functionality of |
| Impacket tool used to get a list of |
| Impacket tool used to download/request ( |
| Impacket tool used to download/request ( |
| Impacket tool used to download/request a TGS ticket for a specific user account and write the ticket to a file ( |
| Attempts to crack the Kerberos ( |
| Used to enumerate |
| PowerShell script used to download/request the TGS ticket of a specific user from a Windows-based host. |
| Used to download/request all TGS tickets from a Windows-based host. |
| Used to prepare the base64 formatted TGS ticket for cracking from Linux-based host. |
| Used to output a file ( |
| Used to extract the |
| Used to modify the |
| Used to view the prepared hash from a Linux-based host. |
| Used to crack the prepared Kerberos ticket hash ( |
| Uses PowerView tool to extract |
| PowerView tool used to download/request the TGS ticket of a specific user and automatically format it for |
| Exports all TGS tickets to a |
| Used to view the contents of the .csv file from a Windows-based host. |
| Used to view the options and functionality possible with the tool |
| Used to check the kerberoast stats ( |
| Used to request/download TGS tickets for accounts with the |
| Used to request/download a TGS ticket for a specific user ( |
| PowerView tool used to check the |
| Used to attempt to crack the ticket hash using a wordlist ( |
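The rows above move a TGS ticket through several representations: a base64 kirbi blob dumped from memory, the kirbi2john.py output, and the $krb5tgs$23$*...*$ form that hashcat mode 13100 expects, which the sed step rewrites it into. The Python below is an added example, not code from the cheat sheet, Impacket or hashcat; it performs that same rewrite, recognises the RC4 (etype 23) and AES (etype 17/18) hash layouts that GetUserSPNs.py and Rubeus emit, maps each to its hashcat mode (13100, 19600, 19700) and orders a batch so RC4 hashes are cracked first. Every hash string in it is constructed (fake hex, the realm CORP.LOCAL and the svc_* account names); only the formats are real.

```python
"""Kerberoast hash handling: kirbi2john -> hashcat conversion and etype triage
(added example; the hash strings below are constructed, not real tickets)."""
import re
from typing import List, Tuple

# hashcat modes for a Kerberos 5 TGS-REP, keyed by the ticket's etype
HASHCAT_MODE = {23: 13100, 17: 19600, 18: 19700}

# kirbi2john.py output: $krb5tgs$<label>:<checksum>$<edata>
KIRBI2JOHN_RE = re.compile(
    r"^\$krb5tgs\$(?P<label>[^:]+):(?P<checksum>[0-9a-fA-F]+)\$(?P<edata>[0-9a-fA-F]+)$")
# hashcat 13100 (RC4-HMAC): $krb5tgs$23$*user$realm$spn*$checksum16$edata
RC4_RE = re.compile(
    r"^\$krb5tgs\$23\$\*(?P<ident>[^*]*)\*\$(?P<checksum>[0-9a-fA-F]{32})\$(?P<edata>[0-9a-fA-F]+)$")
# hashcat 19600/19700 (AES128/AES256-CTS-HMAC-SHA1-96), as written by
# Impacket's GetUserSPNs.py: $krb5tgs$18$user$realm$*spn*$checksum12$edata
# (hashcat's own example hashes omit the *spn*$ field, so it is optional here)
AES_RE = re.compile(
    r"^\$krb5tgs\$(?P<etype>1[78])\$(?P<user>[^$*]+)\$(?P<realm>[^$*]+)\$"
    r"(?:\*(?P<spn>[^*]*)\*\$)?(?P<checksum>[0-9a-fA-F]{24})\$(?P<edata>[0-9a-fA-F]+)$")


def kirbi2john_to_hashcat(line: str) -> str:
    """Same rewrite as the sed one-liner applied after kirbi2john.py: wrap the
    label in '*' and insert the etype so hashcat mode 13100 accepts it."""
    m = KIRBI2JOHN_RE.match(line.strip())
    if not m:
        raise ValueError("not kirbi2john output")
    return f"$krb5tgs$23$*{m['label']}*${m['checksum']}${m['edata']}"


def parse_krb5tgs(line: str) -> dict:
    """Identify etype, hashcat mode and the account/SPN behind a TGS-REP hash."""
    line = line.strip()
    m = RC4_RE.match(line)
    if m:
        parts = m["ident"].split("$")
        if len(parts) == 3:
            user, realm, spn = parts
        else:                       # kirbi2john-derived hashes carry only a label
            user, realm, spn = m["ident"], None, None
        etype = 23
    else:
        m = AES_RE.match(line)
        if not m:
            raise ValueError("unrecognised $krb5tgs$ hash")
        user, realm, spn, etype = m["user"], m["realm"], m["spn"], int(m["etype"])
    return {"etype": etype, "mode": HASHCAT_MODE[etype], "user": user,
            "realm": realm, "spn": spn, "edata_bytes": len(m["edata"]) // 2}


def triage(lines: List[str]) -> List[Tuple[int, str]]:
    """Order hashes for cracking: RC4 (etype 23) first, because its key is the
    plain NT hash; AES keys cost 4096 PBKDF2-HMAC-SHA1 rounds per candidate.
    Returns (hashcat mode, hash) pairs."""
    parsed = [(parse_krb5tgs(l), l) for l in lines]
    parsed.sort(key=lambda p: (p[0]["etype"] != 23, p[0]["etype"]))
    return [(p["mode"], line) for p, line in parsed]


# Constructed samples (fake hex, fictional realm and accounts).
SAMPLE_KIRBI2JOHN = "$krb5tgs$svc_sql:" + "ab" * 16 + "$" + "cd" * 48
SAMPLE_RC4 = ("$krb5tgs$23$*svc_sql$CORP.LOCAL$MSSQLSvc/sql01.corp.local:1433*$"
              + "ab" * 16 + "$" + "cd" * 48)
SAMPLE_AES256 = ("$krb5tgs$18$svc_backup$CORP.LOCAL$*backup/bk01.corp.local*$"
                 + "ef" * 12 + "$" + "01" * 48)
SAMPLE_AES128 = "$krb5tgs$17$svc_web$CORP.LOCAL$" + "12" * 12 + "$" + "34" * 48

if __name__ == "__main__":
    print(kirbi2john_to_hashcat(SAMPLE_KIRBI2JOHN))
    for mode, h in triage([SAMPLE_AES256, SAMPLE_AES128, SAMPLE_RC4]):
        info = parse_krb5tgs(h)
        print(f"-m {mode}  etype={info['etype']} user={info['user']} spn={info['spn']}")
```

The ordering is the practical point: an AES ticket is returned whenever the account's msDS-SupportedEncryptionTypes excludes RC4 (or the requester asks for AES), and cracking it costs orders of magnitude more per candidate than an RC4 ticket, so RC4 hashes go to the cracker first and AES ones wait for the surplus GPU time.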
ACL Enumeration & Tactics
| Command | Description |
|---|---|
| PowerView tool used to find object ACLs in the target Windows domain with modification rights set to non-built-in objects from a Windows-based host. |
| Used to import PowerView and retrieve the |
| Used to find all Windows domain objects that the user has rights over by mapping the user's |
| Used to perform a reverse search & map to a |
| Used to discover a domain object's ACL by performing a search based on GUID's ( |
| Used to discover a group of user accounts in a target Windows domain and add the output to a text file ( |
| A |
| Used to create a |
| Used to create a |
| PowerView tool used to change the password of a specific user ( |
| PowerView tool used to view the members of a target security group ( |
| PowerView tool used to add a specific user ( |
| PowerView tool used to view the members of a specific security group ( |
| PowerView tool used to create a fake |
| PowerView tool used to remove the fake |
| PowerView tool used to remove a specific user ( |
| PowerShell cmdlet used to convert an |
DCSync
| Command | Description |
|---|---|
| PowerView tool used to view the group membership of a specific user ( |
| Used to create a variable called SID that is set equal to the SID of a user account. Then uses PowerView tool |
| Impacket tool used to extract NTLM hashes from the NTDS.dit file hosted on a target Domain Controller ( |
| Uses |
Privileged Access
| Command | Description |
|---|---|
| PowerView-based tool used to enumerate the |
| PowerView-based tool used to enumerate the |
| Creates a variable ( |
| Creates a variable ( |
| Uses the PowerShell cmdlet |
| Used to establish a PowerShell session with a Windows target from a Linux-based host using |
| Used to import the |
| PowerUpSQL tool used to enumerate SQL server instances from a Windows-based host. |
| PowerUpSQL tool used to connect to a SQL server and query the version ( |
| Impacket tool used to display the functionality and options provided with |
| Impacket tool used to connect to an MSSQL server from a Linux-based host. |
| Used to display mssqlclient.py options once connected to an MSSQL server. |
| Used to enable |
| Used to enumerate rights on a system using |
NoPac
| Command | Description |
|---|---|
| Used to clone a |
| Runs |
| Used to exploit the |
| Used to exploit the |
PrintNightmare
| Command | Description |
|---|---|
| Used to clone a PrintNightmare exploit using git from a Linux-based host. |
| Used to ensure the exploit author's ( |
| Used to check if a Windows target has |
| Used to generate a DLL payload to be used by the exploit to gain a shell session. Performed from a Windows-based host. |
| Used to create an SMB server and host a shared folder ( |
| Executes the exploit and specifies the location of the DLL payload. Performed from a Linux-based host. |
PetitPotam
| Command | Description |
|---|---|
| Impacket tool used to create an |
| Used to clone the |
| Used to execute the PetitPotam exploit by specifying the IP address of the attack host ( |
| Uses |
| Impacket tool used to perform a DCSync attack and retrieve one or all of the |
| Used to submit TGS requests using |
| Impacket tool used to extract hashes from |
| Uses Rubeus to request a TGT and perform a |
| Performs a DCSync attack using |
Miscellaneous Misconfigurations
| Command | Description |
|---|---|
| Used to import the module |
| SecurityAssessment.ps1-based tool used to enumerate a Windows target for |
| Used to resolve all records in a DNS zone over |
| Used to resolve unknown records in a DNS zone by performing an |
| PowerView tool used to display the description field of select objects ( |
| PowerView tool used to check for the |
| Used to list the contents of a share hosted on a Windows target from the context of a currently logged on user. Performed from a Windows-based host. |
Group Policy Enumeration & Attacks
| Command | Description |
|---|---|
| Tool used to decrypt a captured |
| Locates and retrieves a |
| Locates and retrieves any credentials stored in the |
| PowerView tool used to enumerate GPO names in a target Windows domain from a Windows-based host. |
| PowerShell cmdlet used to enumerate GPO names. Performed from a Windows-based host. |
| Creates a variable called |
| PowerView tool that is used to check if the |
| PowerShell cmdlet used to display the name of a GPO given a |
ASREPRoasting
| Command | Description |
|---|---|
| PowerView-based tool used to search for the |
| Uses |
| Uses |
| Enumerates users in a target Windows domain and automatically retrieves the |
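Every row in this section turns on a single bit of userAccountControl, DONT_REQ_PREAUTH (0x400000), which PowerView filters on and Impacket's GetNPUsers.py checks before requesting the AS-REP. The Python below is an added example, not PowerView or Impacket code; it decodes the attribute into flag names, builds the LDAP bitwise filter that finds such accounts server-side (for ldapsearch or windapsearch), and applies the exclusions a practitioner wants (disabled accounts, machine accounts, krbtgt) to a constructed set of user records. Because the same records answer the Kerberoasting question, it picks out SPN-bearing candidates as well. The user names, UAC values, SPNs and the realm corp.local are made up for the example.

```python
"""userAccountControl decoding and AS-REP / Kerberoast candidate selection
(added example; the user records are constructed, not pulled from a domain)."""
from typing import Dict, List

# Bit values of the userAccountControl attribute (MS-ADTS / MS-SAMR)
UAC_FLAGS = {
    0x00000002: "ACCOUNTDISABLE",
    0x00000020: "PASSWD_NOTREQD",
    0x00000200: "NORMAL_ACCOUNT",
    0x00001000: "WORKSTATION_TRUST_ACCOUNT",
    0x00002000: "SERVER_TRUST_ACCOUNT",
    0x00010000: "DONT_EXPIRE_PASSWORD",
    0x00080000: "TRUSTED_FOR_DELEGATION",
    0x00100000: "NOT_DELEGATED",
    0x00400000: "DONT_REQ_PREAUTH",
    0x00800000: "PASSWORD_EXPIRED",
    0x01000000: "TRUSTED_TO_AUTH_FOR_DELEGATION",
}
FLAG_VALUE = {name: bit for bit, name in UAC_FLAGS.items()}
LDAP_MATCHING_RULE_BIT_AND = "1.2.840.113556.1.4.803"


def decode_uac(value: int) -> List[str]:
    """Names of the set flags, lowest bit first; unknown bits are reported as hex."""
    names = []
    for bit in range(32):
        mask = 1 << bit
        if value & mask:
            names.append(UAC_FLAGS.get(mask, f"0x{mask:08x}"))
    return names


def has_flag(value: int, name: str) -> bool:
    return bool(value & FLAG_VALUE[name])


def ldap_bit_filter(name: str) -> str:
    """LDAP filter meaning 'this UAC bit is set'; the 1.4.803 matching rule
    is a bitwise AND, evaluated by the DC rather than client-side."""
    return f"(userAccountControl:{LDAP_MATCHING_RULE_BIT_AND}:={FLAG_VALUE[name]})"


def classify(users: List[Dict]) -> Dict[str, List[str]]:
    """Split enabled, non-machine accounts into AS-REP roast candidates
    (pre-authentication disabled) and Kerberoast candidates (at least one SPN)."""
    asrep, kerberoast = [], []
    for u in users:
        uac = u["userAccountControl"]
        if has_flag(uac, "ACCOUNTDISABLE"):
            continue
        if has_flag(uac, "WORKSTATION_TRUST_ACCOUNT") or has_flag(uac, "SERVER_TRUST_ACCOUNT"):
            continue            # machine accounts: 120-character random passwords
        if u["sAMAccountName"].lower() == "krbtgt":
            continue
        if has_flag(uac, "DONT_REQ_PREAUTH"):
            asrep.append(u["sAMAccountName"])
        if u.get("servicePrincipalName"):
            kerberoast.append(u["sAMAccountName"])
    return {"asrep": asrep, "kerberoast": kerberoast}


# Constructed sample: the shape of an LDAP result for sAMAccountName,
# userAccountControl and servicePrincipalName.
SAMPLE_USERS = [
    {"sAMAccountName": "jdoe", "userAccountControl": 0x10200, "servicePrincipalName": []},
    {"sAMAccountName": "svc_legacy", "userAccountControl": 0x400200, "servicePrincipalName": []},
    {"sAMAccountName": "old_contractor", "userAccountControl": 0x400202, "servicePrincipalName": []},
    {"sAMAccountName": "svc_sql", "userAccountControl": 0x10200,
     "servicePrincipalName": ["MSSQLSvc/sql01.corp.local:1433"]},
    {"sAMAccountName": "krbtgt", "userAccountControl": 0x202, "servicePrincipalName": ["kadmin/changepw"]},
    {"sAMAccountName": "WS01$", "userAccountControl": 0x1000, "servicePrincipalName": ["HOST/WS01"]},
]

if __name__ == "__main__":
    for u in SAMPLE_USERS:
        print(f"{u['sAMAccountName']:15} {decode_uac(u['userAccountControl'])}")
    print(classify(SAMPLE_USERS))
    print(ldap_bit_filter("DONT_REQ_PREAUTH"))
```

The disabled contractor account is the case worth noticing: it carries DONT_REQ_PREAUTH, so a plain bit filter returns it, but the KDC refuses an AS-REQ for a disabled principal and the hash never arrives; combining the bit filter with `(!(userAccountControl:1.2.840.113556.1.4.803:=2))` keeps such accounts out of the request loop.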
Trust Relationships - Child > Parent Trusts
| Command | Description |
|---|---|
| Used to import the |
| PowerShell cmdlet used to enumerate a target Windows domain's trust relationships. Performed from a Windows-based host. |
| PowerView tool used to enumerate a target Windows domain's trust relationships. Performed from a Windows-based host. |
| PowerView tool used to perform a domain trust mapping from a Windows-based host. |
| PowerView tool used to enumerate users in a target child domain from a Windows-based host. |
| Uses Mimikatz to obtain the |
| PowerView tool used to get the SID for a target child domain from a Windows-based host. |
| PowerView tool used to obtain the |
| Used to attempt to list the contents of the C drive on a target Domain Controller. Performed from a Windows-based host. |
| Uses |
| Uses |
| Uses |
| Impacket tool used to perform a DCSync attack from a Linux-based host. |
| Impacket tool used to perform a |
| Impacket tool used to retrieve the SID of a target Windows domain from a Linux-based host. |
| Impacket tool used to retrieve the |
| Impacket tool used to create a |
| Used to set the |
| Impacket tool used to establish a shell session with a target Domain Controller from a Linux-based host. |
| Impacket tool that automatically performs an attack that escalates from child to parent domain. |
Trust Relationships - Cross-Forest
| Command | Description |
|---|---|
| PowerView tool used to enumerate accounts for associated |
| PowerView tool used to enumerate the |
| Uses |
| PowerView tool used to enumerate groups with users that do not belong to the domain from a Windows-based host. |
| PowerShell cmdlet used to remotely connect to a target Windows system from a Windows-based host. |
| Impacket tool used to request ( |
| Runs the Python implementation of |
| Used to compress multiple files into a single |