Active Directory Attacks Cheatsheet
Quick reference for AD enumeration, Kerberos attacks, lateral movement, and domain compromise.
Bloodhound
AD Attack Methodology — From Zero to Domain Admin
Step-by-step methodology for attacking Active Directory — the chain I follow on every AD box.
BloodHound — Setup and Usage Guide
How I set up and use BloodHound CE for AD enumeration — collection, import, and finding attack paths.
HTB Active Writeup — Kerberoasting & GPP Passwords (2026)
My first AD box ever. Null session on SMB → GPP password in SYSVOL → Kerberoasting the Administrator → Domain Admin.
HTB Blackfield Writeup — LSASS Dump & VSS Shadow Copies (2026)
Hard AD box. AS-REP Roasting → BloodHound → ForceChangePassword → lsass.DMP → SeBackupPrivilege → VSS snapshot → NTDS.dit → Domain Admin.
HTB Forest Writeup — AS-REP Roasting, BloodHound & DCSync (2026)
Second AD box. AS-REP Roasting with no creds, BloodHound attack path through 5 nested groups, ACL abuse to DCSync.