What is PowerShell and how do attackers use it?
Microsoft automation/scripting framework. Used for exploitation (payloads), persistence (tasks/registry), and automation.
What does Mimikatz do?
Dumps plaintext passwords, hashes, and Kerberos tickets from memory.
What is Rubeus used for?
Kerberos ticket abuse (request, renew, forge) for lateral movement or privilege escalation.
What does Certify target?
Active Directory Certificate Services (AD CS) to escalate privileges or persist.
What is Seatbelt used for?
Situational awareness — enumerates creds, security settings, configs.
What is Evil-WinRM?
Remote PowerShell console used post-exploitation for command execution.
What does PsExec do?
Executes processes remotely over SMB.
What are LOLBins and why do attackers use them?
Legit Windows binaries (rundll32, msbuild, regsvr32) abused to execute code stealthily and evade detection.
What is Pass-the-Hash?
Using a stolen NTLM hash to authenticate without cracking it.
What is Pass-the-Ticket?
Using a stolen Kerberos ticket (TGT/TGS) to impersonate a user.
What is a Golden Ticket?
A forged Kerberos TGT granting domain admin rights.
How do attackers use the Windows Registry?
For persistence (autoruns, malicious services) and credential storage (SAM, DPAPI keys).
What is WMI used for in attacks?
Remote code execution, lateral movement, reconnaissance.
What is WinRM used for in attacks?
Remote PowerShell sessions over HTTP(S) for lateral movement.
Why is RDP a common attack vector?
Allows remote desktop access; often brute-forced or exploited.
Why is SMB a common attack vector?
File sharing protocol used for lateral movement and exploited by attacks like EternalBlue.
What is LDAP used for and how is it abused?
Directory queries (user/computer enumeration). Port 636 is secure LDAP (LDAPS).