Decision-driven Active Directory attack reference.
Focused on practical attack path decisions for PNPT and CPTS preparation.
This is not a tutorial.
It is a structured command and decision reference built during preparation for PNPT and CPTS.
The focus is on attack selection logic:
- When to use one technique over another
- Tool trade-offs per environment
- Kerberos vs NTLM considerations
- Relay vs direct exploitation
- Token vs hash vs ticket decisions
Organized by attack phase:
| # | Tab | Covers |
|---|---|---|
| 01 | Flowchart | Visual attack flow overview |
| 02 | Recon | Subfinder, nmap, kerbrute, username-anarchy, dnsrecon |
| 03 | Web | Directory fuzzing, SQLi, LFI, file upload |
| 04 | SMB/AD | Enumeration, relay, LLMNR, mitm6, RDP, spider_plus |
| 05 | Cred Check | Protocol validation, ADCS, RBCD, Shadow Creds, bloodyAD, LAPS |
| 06 | Cred Dump | Kerberoasting, AS-REP roasting, DCSync, LSASS, Mimikatz, hashcat |
| 07 | Exploit | Listeners, reverse shells, TTY upgrade, msfvenom |
| 08 | Post Exploit | WinPEAS, LinPEAS, PowerUp, Potato, PrintNightmare, GPP |
| 09 | PS Operational | PowerView commands, AMSI bypass, PS remoting |
| 10 | BloodHound | Collection (bloodhound-python + nxc ldap), queries, ACL abuse, DCSync paths |
| 11 | Lateral | PTH, PTT, Overpass-the-Hash, Evil-WinRM, pivoting |
| 12 | Post-DA Impact | Trust enumeration, blast radius, krbtgt proof |
| 13 | File Transfer | HTTP, SMB, certutil, base64, SCP |
| 14 | Cleanup | Artifact removal, log awareness, end-of-engagement |
| 15 | GTFOBins | SUID, capabilities, common binaries |
| 16 | Checklist | Phase-by-phase engagement checklist with position checks |
| 17 | Reporting | Evidence collection, screenshot discipline, report structure, finding templates |
| 18 | Beyond PNPT | Golden/Silver Ticket, RBCD, AD CS (ESC1–8), forest trust, shadow credentials |
Each decision card answers one question: when do I choose this over an alternative?
Tabs 01–17 cover the PNPT core exam path.
Tab 18 (Beyond PNPT) covers advanced techniques relevant to CPTS and post-PNPT engagements; it is not required for the standard PNPT exam path.
Version 1 — Initial public release
Intended for lab environments, certification preparation, and authorized security testing only.