# Active Directory AD Attacks

{% embed url="https://casvancooten.com/posts/2020/11/windows-active-directory-exploitation-cheat-sheet-and-command-reference/" %}

## Attack Methodology

| Phase                      | Page                                                                                            |
| -------------------------- | ----------------------------------------------------------------------------------------------- |
| AD Fundamentals            | [AD Overview](/domain-controllers/ad-overview.md)                                               |
| Initial Enumeration (LotL) | [AD Enumeration Commands](/domain-controllers/ad-enumeration-commands.md)                       |
| LLMNR/NBT-NS Poisoning     | [LLMNR/NBT-NS Poisoning](/domain-controllers/llmnr-nbt-ns-poisoning.md)                         |
| Password Spraying          | [Password Spraying](/domain-controllers/password-spraying.md)                                   |
| Credentialed Enumeration   | [Credentialed AD Enumeration](/domain-controllers/credentialed-enumeration.md)                  |
| Kerberos Attacks           | [Pentesting Kerberos](/domain-controllers/kerberos.md)                                          |
| ACL Abuse                  | [ACL Abuse](/domain-controllers/acl-abuse.md)                                                   |
| DCSync                     | [DCSync](/domain-controllers/dcsync.md)                                                         |
| Domain Trust Abuse         | [Domain Trust Abuse](/domain-controllers/domain-trust-abuse.md)                                 |
| Misc Misconfigurations     | [Miscellaneous AD Misconfigurations](/domain-controllers/miscellaneous-ad-misconfigurations.md) |

## AD Enumeration Tools

* [SharpView](https://github.com/dmchell/SharpView) - .NET port of PowerView.ps1
* [Windapsearch](https://github.com/ropnop/windapsearch) - LDAP Enumeration
* [ldapsearch-ad](https://github.com/yaap7/ldapsearch-ad) - LDAP Enumeration
* [Get-ADGroupMemberDate](https://raw.githubusercontent.com/proxb/PowerShell_Scripts/master/Get-ADGroupMemberDate.ps1) - Retrieve the date a user was added to a group

## Active Directory GPO Tools

* [SharpGPOAbuse](https://github.com/FSecureLABS/SharpGPOAbuse) - Abuse GPO edit rights
* [Group3r](https://github.com/Group3r/Group3r) - Enumerate and identify exploitable GPO misconfigurations
* [GPOwned](https://github.com/X-C3LL/GPOwned)
* [pyGPOAbuse](https://github.com/Hackndo/pyGPOAbuse) - Python partial implementation of SharpGPOAbuse

## AD Misc Tools

* [GoldenGMSA](https://github.com/Semperis/GoldenGMSA) - C# tool for abusing Group Managed Service Accounts (gMSA)

## AD Lateral Movement Tools

* [SharpRDP](https://github.com/0xthirteen/SharpRDP) - .NET non-graphical RCE via RDP
* [SharpNoPSExec](https://github.com/juliourena/SharpNoPSExec) - Leverages existing services without creating new ones
* [NimExec](https://github.com/frkngksl/NimExec) - Fileless remote command execution via MS-SCMR
* [EvilWinRM](https://github.com/Hackplayers/evil-winrm) - Ruby WinRM shell for remote administration and pentesting
* [SharpWSUS](https://github.com/nettitude/SharpWSUS) - Lateral movement through WSUS
* [KrbRelayUp](https://github.com/Dec0ne/KrbRelayUp) - Wrapper around Rubeus and KrbRelay
* [KrbRelay](https://github.com/cube0x0/KrbRelay) - Kerberos Relaying
* [SharpSystemTriggers](https://github.com/cube0x0/SharpSystemTriggers) - Remote authentication triggers
* [SpoolSample](https://github.com/leechristensen/SpoolSample) - PrinterBug Attack (Unconstrained Delegation)

## Windows Attack Boxes

* [Commando VM](https://github.com/mandiant/commando-vm) - Mandiant Windows security distribution
* [Flare VM](https://github.com/mandiant/flare-vm) - Mandiant reverse engineering environment
