This guide is currently under development, and I greatly welcome any suggestions or feedback at reaper.gitbook@gmail.com

How to use this guide?

Active Directory Attack Guide: Your Flexible Toolkit

Think of this Active Directory (AD) guide as a flexible toolkit—not a rigid playbook. There’s no single "correct" sequence to follow. Treat it like a buffet: start wherever your current access allows.

  • Got basic domain access? Begin with authentication attacks.

  • Already landed on a workstation? Explore lateral movement.

  • Identified exposed services or credentials? Follow that lead immediately.

Every environment is different, and success depends on your ability to adapt. The key principle is simple: stay opportunistic. Work with the access you have now—not what you wish you had.

And above all: enumerate constantly. Stuck? Enumerate again. Compromised a new user or host? Enumerate again.

Every new foothold offers fresh visibility. Enumeration isn't just discovery—it’s how you uncover viable attack paths.

  • Found service accounts with SPNs? Kerberoasting becomes viable.

  • Discovered accounts with no pre-authentication required? You’re ready for AS-REP roasting.

  • Identified machines where users are logged in? Start planning lateral movement.

Each new asset or credential expands your field of vision. You may uncover:

  • Hostnames and shares revealing key relationships

  • Misconfigured services or legacy protocols

  • Domain trust paths and overlooked sessions

So remember:

  • When in doubt: enumerate

  • When you’re gaining ground: enumerate

  • When you think you’ve seen it all: enumerate one more time

Because that final round of enumeration often reveals the path from “I’m in” to “I control the environment.”
