Table of Content :

Mindmaps

Orange-CyberDefense : https://orange-cyberdefense.github.io/ocd-mindmaps/
Mahyar Cheatsheet (All in One) : https://tajdini.net/blog/wp-content/uploads/2021/09/Active-Directory-Penetration-Manual.pdf
WADComs - Interactive cheat sheet For Active Directory Similar to LOLBins and GTFOBins : https://wadcoms.github.io/
- ARTTOOLKIT - https://arttoolkit.github.io

Domain Enumeration Tools

Untitled

For Enumeration We can use the following tools :
- The Active Directory PowerShell Module (MS Signed and works even in Powershell CLM (Contrained Language Mode)) - For Manual Enumeration
  - https://docs.microsoft.com/en-us/powershell/module/addsadministration/?view=win10-ps
  - https://learn.microsoft.com/en-us/powershell/module/activedirectory/?view=windowsserver2022-ps
  - https://github.com/samratashok/ADModule
  - To import the Active Directory Powershell Module run ,
```
Import-Module C:\\AD\\Tools\\ADModule-master\\Microsoft.ActiveDirectory.Management.dll
Import-Module C:\\AD\\Tools\\ADModule-master\\ActiveDirectory\\ActiveDirectory.psd1
```
- BloodHound (C# and PowerShell Collectors) - For Automated Enumeration
  - Using BloodHound’s Collectors produces a lot of unnecessary noise, Make sure to use it in possible stealth mode.
  - https://github.com/BloodHoundAD/BloodHound
  - https://bloodhound.readthedocs.io/en/latest/data-collection/sharphound.html
- PowerView/PowerSploit (Powershell) - For manual Enumeration
  - https://github.com/ZeroDayLab/PowerSploit/blob/master/Recon/PowerView.ps1
  - https://github.com/ZeroDayLab/PowerSploit/tree/master/Recon#readme
  - https://powersploit.readthedocs.io/en/latest/Recon/
```
. C:\\AD\\Tools\\PowerView.ps1
OR
Import-Module C:\\AD\\Tools\\PowerView.ps1
```
  - PowerView Linux
    - PywerView (Python Powerview Alternative) - https://github.com/the-useless-one/pywerview
    - [Better] PowerView.py (Less noisy powerview alternative) - https://github.com/aniqfakhrul/powerview.py
- SharpView (C#) - Doesn’t Support filtering using Pipeline
  - https://github.com/tevora-threat/SharpView/
- SharpADWS - Enumeration using ADWS , Without LDAP Queries : https://github.com/wh0amitz/SharpADWS
- SOAPHound - ADWS bloodhound collector
- Blogs
  - MDSec AD Enum for Red Team : https://www.mdsec.co.uk/2024/02/active-directory-enumeration-for-red-teams/
  - https://cravaterouge.com/articles/ldapad-logging/
- Other AD Enum Tools
  - SoaPy (Stealthy enumeration of Active Directory environments through ADWS**)** : https://securityintelligence.com/x-force/stealthy-enumeration-of-active-directory-environments-through-adws/
  - AD Review Tools
    - BloodyAD : https://github.com/CravateRouge/autobloody
    - https://www.semperis.com/purple-knight (https://semperis.com/downloads/tools/pk/PurpleKnight-Community.zip)
    - https://www.semperis.com/forest-druid/ (https://semperis.com/downloads/tools/fd/ForestDruid-Community.zip)
    - https://github.com/netwrix/pingcastle
    - https://github.com/CobblePot59/ADcheck
    - https://github.com/adrecon/ADRecon
    - https://github.com/canix1/ADACLScanner
    - https://github.com/techspence/ADeleginator
    - https://github.com/0xJs/domain_audit
    - https://github.com/61106960/adPEAS
    - https://github.com/Leo4j/Invoke-ADEnum
    - https://github.com/phillips321/adaudit
    - https://github.com/ClaudioMerola/ADxRay
  - Group3r ( find vulnerabilities in AD Group Policy ) : https://github.com/Group3r/Group3r
  - NetTools : https://nettools.net/features/
  - ADMiner (GUI) : https://github.com/Mazars-Tech/AD_Miner
  - [Must Run] Domain Audit : https://github.com/0xJs/domain_audit
  - WinPWN : https://github.com/S3cur3Th1sSh1t/WinPwn
  - Invoke-ADEnum : Automate Active Directory Enumeration using PowerView
    - https://github.com/Leo4j/Invoke-ADEnum
  - SharpADWS : https://github.com/wh0amitz/SharpADWS
  - adPeas - Powershell tool to automate Active Directory enumeration : https://github.com/61106960/adPEAS
  - ADSearch
    - A tool written for cobalt-strike's execute-assembly command that allows for more efficent querying of AD.
      - https://github.com/tomcarver16/ADSearch
  - ADRecon
    - https://github.com/adrecon/ADRecon
    - https://book.hacktricks.xyz/windows-hardening/active-directory-methodology/bloodhound#adrecon
  - ADExplorer (AdExplorer over Socks) (Snapshot functionality is great , also snapshot data can be converted to Bloodhound Data with some tools)
    - https://github.com/bik3te/myPortableKB/blob/master/tools/ADExplorer.md
    - AdExplorer to Bloodhound : https://github.com/c3c/ADExplorerSnapshot.py
    - https://learn.microsoft.com/en-us/sysinternals/downloads/adexplorer
    - https://book.hacktricks.xyz/windows-hardening/active-directory-methodology/bloodhound#ad-explorer
  - Group3r
    - https://github.com/Group3r/Group3r
    - https://book.hacktricks.xyz/windows-hardening/active-directory-methodology/bloodhound#group3r
  - PingCastle
  - Adalanche : https://github.com/lkarlslund/Adalanche
  - Standin
  - Check More Tools here
  - Pywerview (Python port of PowerView) : https://github.com/the-useless-one/pywerview/tree/develop
  - Ldeep - In-depth ldap enumeration utility (Python) : https://github.com/franc-pentest/ldeep
  - ADeleginator - A companion tool that uses ADeleg to find insecure trustee and resource delegations in Active Directory : https://github.com/techspence/ADeleginator
  - go-windapsearch : https://github.com/ropnop/go-windapsearch
  - Adeleg - Active Directory delegation management tool - https://github.com/mtth-bfft/adeleg
  - ScriptSentry - finds misconfigured and dangerous logon scripts : https://github.com/techspence/ScriptSentry
  - LockSmith - Find Misconguration in ADCS : https://github.com/TrimarcJake/Locksmith/tree/main?tab=readme-ov-file#Mode1

BOFs (Beacon Object Files)

Can be used with C2 or with BOF Loaders.

BOFLoaders
Situational awareness BOFs : https://github.com/trustedsec/CS-Situational-Awareness-BOF
Outflank BOFs : https://github.com/outflanknl/C2-Tool-Collection