offensive-active-directory
Active Directory — Offensive Testing Methodology
Quick Workflow
- Recon AD structure offline (BloodHound, ADExplorer snapshot) — minimize live queries
- Harvest creds via poisoning, Kerberoasting, AS-REP roasting, or LSASS where allowed
- Map attack paths to Domain Admin / Enterprise Admin / Tier 0
- Execute path with lowest detection cost, validate at each hop
- Establish persistence and document every action with timestamps
Reconnaissance
BloodHound Collection
# SharpHound (CSharp collector) — most stealthy with throttling
SharpHound.exe -c All,GPOLocalGroup --Throttle 1000 --Jitter 30 --ZipFileName recon.zip
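
Throttled collection still has to reach many hosts, so on the defending side a count of distinct hosts per source over a long window holds up where a per-minute rate does not. The sketch below is an added example, not part of the original skill file: it flags that fan-out in Windows Event 5145 (detailed file share) records. The key=value log layout, the field names, the sample events and the thresholds are all constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Pipes reached over IPC$ by remote session and local-group enumeration.
ENUM_PIPES = {"srvsvc", "samr", "lsarpc"}

def parse(line):
    """Parse one constructed key=value record (a flattened Event 5145)."""
    rec = dict(field.split("=", 1) for field in line.split())
    rec["time"] = datetime.fromisoformat(rec["time"])
    return rec

def fanout_alerts(lines, window=timedelta(hours=1), min_hosts=4):
    """Map (user, src) -> hosts when one source opened enumeration pipes on
    at least min_hosts distinct hosts inside a single window."""
    seen = defaultdict(list)  # (user, src) -> [(time, host), ...]
    for rec in map(parse, lines):
        if (rec["event"] == "5145" and rec["share"].endswith("IPC$")
                and rec["pipe"].lower() in ENUM_PIPES):
            seen[(rec["user"], rec["src"])].append((rec["time"], rec["host"]))
    alerts = {}
    for key, hits in seen.items():
        hits.sort()
        best = set()
        for i, (start, _) in enumerate(hits):  # window anchored at each hit
            hosts = {h for t, h in hits[i:] if t - start <= window}
            best = max(best, hosts, key=len)
        if len(best) >= min_hosts:
            alerts[key] = sorted(best)
    return alerts

def sample_events():
    """Constructed data: one workstation reaching a new host every 7 minutes,
    one service account reaching a single host, one ordinary file read."""
    base = datetime(2024, 1, 1, 9, 0, 0)
    ipc = "share=\\\\*\\IPC$"
    lines = []
    for i, host in enumerate(["FS01", "SQL01", "WEB01", "DC01", "APP01"]):
        for j, pipe in enumerate(["srvsvc", "samr"]):
            t = (base + timedelta(minutes=7 * i, seconds=j)).isoformat()
            lines.append(f"time={t} event=5145 host={host} user=jdoe src=10.0.5.23 {ipc} pipe={pipe}")
    t0 = base.isoformat()
    lines.append(f"time={t0} event=5145 host=FS01 user=backup_svc src=10.0.1.10 {ipc} pipe=srvsvc")
    lines.append(f"time={t0} event=5145 host=FS01 user=jdoe src=10.0.5.23 share=\\\\*\\Public pipe=report.docx")
    return lines

if __name__ == "__main__":
    for (user, src), hosts in fanout_alerts(sample_events()).items():
        print(f"{user} from {src} opened enumeration pipes on {len(hosts)} hosts: {hosts}")
```

With the constructed data, a five-minute window sees only one host at a time and stays silent, while the one-hour window reports all five.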