executing-active-directory-attack-simulation

Executing Active Directory Attack Simulation

When to Use

  • Assessing the security of an Active Directory domain and forest against common and advanced attack techniques
  • Identifying attack paths from low-privilege domain user to Domain Admin using privilege relationship analysis
  • Validating that Kerberos security configurations, credential policies, and delegation settings resist known attacks
  • Testing detection capabilities of the SOC and EDR tools against Active Directory-specific TTPs
  • Evaluating the effectiveness of tiered administration models and privileged access workstations

Do not use this skill without explicit written authorization from the domain owner. Do not run it against production domain controllers during business hours unless approved, or for testing that could cause account lockouts affecting real users without prior coordination.

Prerequisites

  • Written authorization specifying the target AD domain, testing constraints, and any off-limits accounts or systems
  • Low-privilege domain user account (minimum starting point) to simulate a realistic attacker position
  • Testing workstation joined to the domain, or network access to domain controllers on ports 88, 135, 139, 389, 445, 636, 3268, 3269
  • BloodHound Community Edition or Enterprise with SharpHound/AzureHound collectors
  • Impacket toolkit, Mimikatz (or pypykatz), Rubeus, and CrackMapExec installed on the attack platform
  • Hashcat or John the Ripper with current wordlists (rockyou.txt, SecLists) for offline credential cracking

First Seen: Mar 18, 2026