You have domain user creds. What’s your first AD enumeration deliverable?
A clear map of users/groups/computers and at least one plausible escalation path (from BloodHound/manual enum).
SharpHound collection is blocked by policy. What’s next?
Switch to manual enum using built-in commands/PowerShell and target specific questions (who has admin where?).
You identify SPNs for service accounts. What attack does that enable?
Kerberoasting: request service tickets and crack offline.
Password spraying is tempting. What should you confirm first?
Lockout policy and permitted testing scope; keep guesses minimal to avoid lockouts.
BloodHound shows user has GenericWrite on another user. What does that imply?
Potential to modify that user (e.g., reset the password or add keys/attributes), depending on the exact rights and any constraints.
You find a GPP cpassword in SYSVOL. What’s the correct action?
Decrypt/recover the password and use it to pivot/escalate, then document evidence.
Kerberos vs NTLM: why does it matter for attacks?
Kerberos is ticket-based and NTLM is hash-based, so the protocol in use determines which credential abuse workflows are feasible.
You find a domain share with scripts for backups. What are you looking for?
Credentials, service accounts, and hostnames that reveal admin workflows.
You have a foothold on a domain-joined host. What’s a key next step?
Identify the domain context, logged-on users, and reachable domain services; then plan the attack path.
You see an account with ‘Do not require Kerberos preauthentication’. What might that allow?
AS-REP roasting: offline cracking of AS-REP responses.
You need to validate creds from a non-domain-joined box. What’s the general approach?
Attempt authenticated access to domain services (SMB/LDAP/WinRM) to confirm validity without lockouts.
Your goal is Domain Admin. What’s the best mindset?
Don’t chase random exploits—follow the shortest validated privilege path from your current node.