Reconnaissance

Purpose: Establish the model for the entire AD attack lifecycle.

Prerequisites for the Overall attack

Starting Access Level What You Can Do Typical Entry Methods
True External OSINT credential gathering. Password spraying against public portals (VPN, OWA, O365) External penetratoin tests, public credential breaches.
Unauthenticated Internal Network (On LAN, No Credentials) AS-REP roasting (if DC port 88 is reachable), LLMNR/NBT-NS poisoning (e.g Responder) Physical network drop, rogue Wi-Fi, NAC bypass.
Domain user / Machine Account (no local admin) AD enumeration (LDAP queries, BloodHound). Kerberoasting. Limited lateral movement to other systems with basic user rights. Phishing, password spray, breach pivot
Local admin on 1+ machines Credential harvesting (LSASS dumping, SAM Dumping). Token theft and impersonation. Pass-the-hash to other systems. Disabling local antivirus/EDR. Local privilege escalation, local misconfigurations, or client-side exploits.
Physical access Boot to USB/Linux, disable defender offline, dump SAM On-prem physical assessment
SYSTEM on 1+ machines Full credential extraction, Accessing the network under the machine account’s context (MachineName$). Local admin → UAC bypass → SYSTEM
Domain Admin / DC Access DCSync (extracting password hashes of all domain users). Skeleton key (implanting backdoors in LSASS on the DC). Creating Golden and Silver Tickets. Exploiting AD certificate Services, abusing delegation or migrating sessions of domain administrators.

** Minimum starting position: Domain user credentials (username, password). Valid Domain User credentials (username/password) OR a compromised Machine Account (MachineName$). Without authenticated access, you cannot fully enumerate or perform authenticated queries against LDAP, SMB, or Kerberos.

The overall attack chain

Phase 1: Initial Access 
         (Phishing, External Vulnerabilities, or Password Spraying)
               │
               ▼
Phase 2: Enumeration & Discovery 
         (BloodHound, LDAP mapping, scanning for misconfigurations)
               │
               ▼
Phase 3: Local Privilege Escalation 
         (Standard User ──> Local Admin / SYSTEM on the host)
               │
               ▼
Phase 4: Credential Access 
         (Dumping LSASS/SAM, Harvesting cleartext passwords/tokens)
               │
               ▼
Phase 5: Lateral Movement (LAT) 
         (Using credentials/hashes to jump to other machines via WinRM/RDP)
               │
               ▼
Phase 6: Domain Privilege Escalation (ESC) 
         (Abusing ADCS, Delegation, or GPOs to become Domain Admin)
               │
               ▼
Phase 7: Persistence 
         (Golden Tickets, DC backdoors, or rogue ACL modifications)
               │
               ▼
Phase 8: Action on Objectives 
         (Data exfiltration, ransomware deployment, or specific assessment goals)