AD Exploitation

Follow this religiously!!

  • Check for rpcclient anonymous access.

  • Check for ldapsearch anonymous access.

  • Look for sensitive information in the "Description", "Comments" or other user attributes.

  • BloodHound --> Check the "owned user" rights and go through the "Analysis" section properly.

  • Check group memberships for all users (mainly owned users).

  • Run GetUserSPNs or GetNPUsers to look for SPNs or AS-REP-roastable accounts.

  • Check if the "owned user" has GenericAll or other interesting rights, using this command ->

    Invoke-ACLScanner -ResolveGUIDs | ? {$_.ActiveDirectoryRights -eq "GenericAll"}

  • Use PowerView to check ACLs!! (BloodHound should be enough though.)

  • Run PowerUp or WinPEAS if nothing else turns up!!

Lateral Movement

  1. Dump hashes or secrets using mimikatz.

  2. If an unknown binary or file is present, try running it or work out why it is there. Look for any log files related to it.

  3. Check the PowerShell console history file for all users, especially Administrator's.
