Skill UI

This guide details the exploitation of the Active Directory Certificate Services (AD CS) ESC1 vulnerability. By leveraging misconfigurations, an attacker can request certificates impersonating high-privileged users (e.g., Domain Admins). The workflow covers AD enumeration, forging certificates with arbitrary Subject Alternative Names (SANs), authenticating via PKINIT, and ultimately escalating domain privileges using tools like mimikatz. Essential for authorized red team and penetration testing.

BloodHound is a powerful, graph-based reconnaissance tool specifically designed for Active Directory environments. It utilizes graph theory to map deep, hidden relationships and potential attack paths—such as privilege escalation chains—from compromised low-value accounts to high-value targets like Domain Admins. This tool is essential for authorized red team exercises and penetration testing engagements.

This technique details how to exploit misconfigurations within Kerberos Constrained Delegation (KCD) in Active Directory. By leveraging S4U2self and S4U2proxy extensions, attackers can impersonate highly privileged users (e.g., Domain Admins) to request service tickets, enabling lateral movement and full domain compromise during authorized red teaming or penetration testing.

A comprehensive guide detailing the Kerberoasting technique (T1558.003) used in Active Directory environments. This method exploits service accounts by requesting and subsequently cracking Kerberos TGS tickets offline, allowing attackers to compromise credentials. Instructions cover enumeration, ticket request, cracking with tools like Hashcat/John the Ripper, and credential validation, for authorized red team and penetration testing purposes.

This skill details exploiting the noPac vulnerability chain, combining CVE-2021-42278 (sAMAccountName spoofing) and CVE-2021-42287 (KDC PAC confusion). It allows an authenticated standard domain user to escalate privileges to Domain Admin, potentially compromising the entire domain. It is designed for authorized red team exercises and penetration testing against vulnerable Active Directory environments.

This skill details the exploitation of the critical Zerologon vulnerability (CVE-2020-1472) found in the Microsoft Netlogon Remote Protocol. It allows an unauthenticated attacker to compromise a domain controller by resetting its machine account password. The guide covers the complete attack chain, including initial exploitation, credential dumping via DCSync, and subsequent privilege escalation in Active Directory environments. Used exclusively for authorized red teaming and security testing.

This guide details how to hunt for DCSync attacks, a technique used to steal password hashes from Active Directory. It involves analyzing Windows Event ID 4662 to identify unauthorized DS-Replication-Get-Changes requests originating from non-domain-controller accounts. Essential for incident response and threat detection.

This skill provides advanced threat hunting capabilities to detect NTLM relay attacks within Active Directory environments. It analyzes critical Windows Security Event 4624 logs, specifically focusing on logon type 3 using NTLMSSP authentication. The detection logic identifies suspicious patterns, including IP-to-hostname mismatches, rapid multi-host authentications, and lack of SMB signing enforcement, helping SOC analysts pinpoint unauthorized credential access attempts.

BloodHound is an open-source reconnaissance tool that leverages graph theory to analyze Active Directory relationships. This guide details the process of collecting AD data using SharpHound and visualizing complex attack paths. It helps identify potential privilege escalation chains, trust abuses, and misconfigurations necessary for an attacker to move from a low-privilege user account to Domain Admin, making it essential for advanced red-teaming and security auditing.

A comprehensive guide for incident responders detailing how to investigate Active Directory (AD) compromises. This skill covers analyzing critical components like NTDS.dit integrity, detecting Kerberos anomalies (Golden/Silver Tickets), tracing lateral movement, and identifying Group Policy abuse to reconstruct attacker activity and determine the full scope of a breach.

This skill systematically enumerates and audits Active Directory forest trust relationships using advanced techniques like SID filtering analysis, detecting SID history abuse, and assessing inter-realm Kerberos ticket configurations. It is designed for red-teaming and security auditing to identify potential lateral movement paths and trust vulnerabilities across organizational boundaries.

Conducts a comprehensive Active Directory penetration test, covering domain enumeration, misconfiguration discovery, and attack path analysis using BloodHound. Techniques include exploiting Kerberos weaknesses (Kerberoasting, AS-REP Roasting) and escalating privileges via DCSync and constrained delegation, culminating in domain compromise demonstration.