Situational Active Directory

Question 2

What tool to use to check for misconfigured service permissions?

Answer 2

AccessChk (Sysinternals)

Question 3

How to perform Pass-the-Hash?

Answer 3

Mimikatz sekurlsa::pth or Impacket’s wmiexec.py with -hashes flag

Question 4

What tool to use for extracting hashes from memory?

Answer 4

Mimikatz sekurlsa::logonpasswords

Question 5

What to check when you have SeImpersonatePrivilege?

Answer 5

JuicyPotato or RoguePotato for privilege escalation

Question 6

How to enumerate Active Directory from a non-domain machine?

Answer 6

BloodHound (SharpHound)

Question 7

How to dump NTDS.dit from a domain controller?

Answer 7

vssadmin create shadow

Question 8

What attack can be performed with unconstrained delegation?

Answer 8

Extract TGTs from memory using Mimikatz sekurlsa::tickets /export

Question 9

How to exploit resource-based constrained delegation?

Answer 9

Create machine account

Question 10

What tool to use to exploit Kerberoasting?

Answer 10

Rubeus kerberoast or GetUserSPNs.ps1 from PowerView

Question 11

How to find accounts vulnerable to Kerberoasting?

Answer 11

GetUserSPNs.py from Impacket or PowerView’s Get-DomainUser -SPN

Question 12

What tool to use to perform AS-REP Roasting?

Answer 12

Rubeus asreproast or GetNPUsers.py from Impacket

Question 13

What permissions allow for DCSync attacks?

Answer 13

Replication rights (DS-Replication-Get-Changes & DS-Replication-Get-Changes-All)

Question 14

What tool to use to perform a DCSync attack?

Answer 14

Mimikatz lsadump::dcsync /domain:example.com /user:krbtgt

Question 15

How to bypass AMSI in PowerShell?

Answer 15

Use AMSI bypass scripts (e.g.

Question 16

How to enumerate local privilege escalation opportunities?

Answer 16

WinPEAS

Question 17

What tool to use to check ACL misconfigurations?

Answer 17

BloodHound

Question 18

What tool to use to find unquoted service paths?

Answer 18

wmic service get name

Question 19

How to execute arbitrary code via GPO abuse?

Answer 19

Modify a GPO that applies to a target

Question 20

What tool to use to exploit LAPS misconfiguration?

Answer 20

PowerView Get-DomainObject

Question 21

How to exploit PrintNightmare vulnerability?

Answer 21

Invoke-Nightmare or Mimikatz via printer bug exploitation

Question 22

What attack can be performed when SeBackupPrivilege is enabled?

Answer 22

Copy SAM & SYSTEM files to extract hashes

Question 23

What attack to perform when you have SeRestorePrivilege?

Answer 23

Overwrite SAM with known administrator credentials

Question 24

What is the attack when SeTakeOwnershipPrivilege is enabled?

Answer 24

Take ownership of sensitive files (SAM

Question 25

What is the attack when SeLoadDriverPrivilege is enabled?

Answer 25

Load a vulnerable driver to execute arbitrary code as SYSTEM

Question 26

How to maintain persistence on a compromised AD?

Answer 26

Golden Ticket (forging TGTs)

Question 27

What tool to use to create a Golden Ticket?

Answer 27

Mimikatz kerberos::golden /domain:example.com /sid:S-1-5-21-XXXX /krbtgt:HASH

Question 28

How to escalate privileges with a writable service binary?

Answer 28

Replace service executable and restart service

Question 29

What to check when you have a writable DLL in a service path?

Answer 29

Perform DLL hijacking by replacing the DLL with a malicious version

Question 30

How to bypass UAC on Windows?

Answer 30

Use fodhelper

Question 31

What tool to use to check for open SMB shares?

Answer 31

CrackMapExec

Question 32

What tool to use to relay NTLM authentication?

Answer 32

Impacket’s ntlmrelayx.py

Question 33

What attack can be performed with NTLM relay?

Answer 33

Relay authentication to LDAP

Question 34

How to enumerate domain trusts?

Answer 34

nltest /domain_trusts

Question 35

What is the attack when you find a writable Group Policy Preference (GPP)?

Answer 35

Extract credentials from cpassword in SYSVOL and decrypt with GpprefDecrypt.py

Question 36

What attack can be performed with Shadow Credentials?

Answer 36

Forge certificates and authenticate as other users (PetitPotam abuse)

Question 37

What tool to use to perform Shadow Credentials attack?

Answer 37

Certipy

Question 38

What tool to use to find Kerberos ticket vulnerabilities?

Answer 38

Rubeus

Question 39

How to perform a Silver Ticket attack?

Answer 39

Forge TGS with Mimikatz kerberos::golden and target specific services

Question 40

What is the attack when you have constrained delegation enabled?

Answer 40

Perform S4U2Self + S4U2Proxy attack using Rubeus or Mimikatz

Question 41

What tool to use to check for weak Kerberos encryption types?

Answer 41

Rubeus tgtdeleg /nowrap

Question 42

How to escalate privileges using RBCD?

Answer 42

Add a new machine account and modify msDS-AllowedToActOnBehalfOfOtherIdentity

Question 43

How to persist with AdminSDHolder abuse?

Answer 43

Modify ACLs on AdminSDHolder object to maintain admin access

Question 44

How to check for vulnerable drivers for privilege escalation?

Answer 44

Use DriverQuery.exe

Question 45

What tool to use to exploit insecure Active Directory permissions?

Answer 45

BloodHound (for mapping ACLs)

Question 46

How to check for weak passwords in Active Directory?

Answer 46

CrackMapExec --pass-pol

Question 47

What attack to perform if you find an unprotected LSASS process?

Answer 47

Dump LSASS memory using Mimikatz or Procdump.exe

Question 48

How to check for domain controllers with missing security patches?

Answer 48

nmap --script smb-vuln-ms17-010

Question 49

What is the attack when LDAP signing is disabled?

Answer 49

Intercept and modify LDAP traffic (LDAP relay attacks)

Question 50

What tool to use to dump Active Directory data remotely?

Answer 50

ADExplorer.exe