Active Directory

BloodHoundopen in new window
- Graph out AD relationships
- For testing and a Python script w/ queries (!), see: BloodHound-Toolsopen in new window
Active Directory Integrated DNS dump toolopen in new window
- Also see this articleopen in new window
Kerberoastingopen in new window
- Explainer that looks decent: Kerberoasting Attacks Explainedopen in new window
ADReconopen in new window
- Does what you think
ADSearchopen in new window
- Tool written for Cobalt Strike <command> to make things more efficient
windapsearchopen in new window
- Enumerate Windows domain
Grouperopen in new window
- AD group policy checks
generate-ad-usernameopen in new window
- Also see: Username Anarchyopen in new window
Script for spraying empty passwordopen in new window
Active Directory Integrated DNS dump toolopen in new window
- Export all DNS records in the domain or forest DNS zones
adPEASopen in new window
- Wraps multiple common tools
PingCastleopen in new window
- AD audit tool
AD Explorer (Sysinternals)open in new window
- GUI-based tools for exploring a domain
AD-control-pathsopen in new window
- Similar to BloodHound
bloodyADopen in new window
- AD privilege escalation framework
ASREPRoastopen in new window
- For users without attribute requiring Kerberos pre-auth
Shadow Credentialsopen in new window
- Requirement: editable msDS-KeyCredentialLink
kerbruteopen in new window
- Kerberos pre-auth bruteforcing
Powermadopen in new window
- MachineAccountQuota and DNS exploit tools
Adalancheopen in new window
- AD ACL visualization/explorer
Group3ropen in new window
- Find vulns in AD Group Policy
Roast in the Middleopen in new window
- Original article: New Attack Paths? AS Requested Service Ticketsopen in new window
- Python implementationopen in new window
AD_delegation_huntingopen in new window
- Tool by NotSoSecure that automates hunting for AD delegation access
ADACLScanneropen in new window
- Scan AD ACLs + profit
certsyncopen in new window
- Dump NTDS with golden certificates and UnPAC the hash
ADExplorter on Engagementsopen in new window
certifyopen in new window
- ADCS enum + abuse
certipyopen in new window
- ADCS enum + abuse
DCShadow: detecting a rogue domain controller replicating malicious changes to your Active Directoryopen in new window
- dcshadow.comopen in new window

Resources/Articles

AD Resourcesopen in new window
Exploring Users With Multiple Accounts In BloodHoundopen in new window
MachineAccountQuota is USEFUL Sometimes: Exploiting One of Active Directory's Oddest Settingsopen in new window
- Written by the same person that wrote PowerMad
AD cheatsheetopen in new window
AD methodologyopen in new window
Active Directory Securityopen in new window
Getting in the Zone: dumping Active Directory DNS using adidnsdumpopen in new window
AS-REP Roastingopen in new window
- Note the extra reference at the bottom: Kerberos AD Attacks - More Roasting with AS-REPopen in new window

ADCS

Certified Pre-Owned Abusing Active Directory Certificate Servicesopen in new window
- Shorter article on Medium: https://posts.specterops.io/certified-pre-owned-d95910965cd2
Active Directory Certificate Services: Risky Settings and How to Remediate Themopen in new window
ADCS + PetitPotam NTLM Relay: Obtaining krbtgt Hash with Domain Controller Machine Certificateopen in new window