AD Basics
https://www.youtube.com/watch?v=Whh3kPS0FdA
Installing AD server
http://www.rebeladmin.com/2014/07/step-by-step-guide-to-setup-active-directory-on-windows-server-2012/
https://scriptdotsh.com/index.php/2018/08/26/active-directory-penetration-dojo-setup-of-ad-penetration-lab-part-2/
https://scriptdotsh.com/index.php/tag/active-directory/
https://1337red.wordpress.com/building-and-attacking-an-active-directory-lab-with-powershell/
Setting up an automated lab https://github.com/AutomatedLab/AutomatedLab
Installing AD server https://sethsec.blogspot.com/2017/06/pentest-home-lab-0x2-building-your-ad.html
Enumeration:
All Active Directory attacks
https://adsecurity.org/?page_id=4031
Active Directory Penetration Dojo – AD Environment Enumeration -1
https://scriptdotsh.com/index.php/2019/01/01/active-directory-penetration-dojo-ad-environment-enumeration-1/
Low Privilege Active Directory Enumeration from a non-Domain Joined Host
https://www.attackdebris.com/?p=470
Kerberos Domain Username Enumeration
https://www.attackdebris.com/?p=311
SPN Scanning
SPN Scanning – Service Discovery without Network Port Scanning https://adsecurity.org/?p=1508
Active Directory Pentest Recon Part 1: SPN Scanning aka Mining Kerberos Service Principal Names https://adsecurity.org/?p=230
Kerberoasting
https://adsecurity.org/?p=2293 Cracking Kerberos TGS Tickets Using Kerberoast – Exploiting Kerberos to Compromise the Active Directory Domain. Explains kerberoasting and how the exploitation takes place.
https://github.com/nidem/kerberoast Steps for kerberoasting
https://blog.stealthbits.com/extracting-service-account-passwords-with-kerberoasting/ Another blog listing out the steps for kerberoasting. It also has a couple of other attacks.
https://blog.stealthbits.com/discovering-service-accounts-without-using-privileges/ Discovering Service Accounts Without Using Privileges
Kerberoasting explained. Also has kerberoasting with Rubeus https://posts.specterops.io/kerberoasting-revisited-d434351bd4d1
Kerberoasting without Mimikatz https://www.harmj0y.net/blog/powershell/kerberoasting-without-mimikatz/
https://pentestlab.blog/2018/06/12/kerberoast/
https://www.blackhillsinfosec.com/a-toast-to-kerberoast/
https://room362.com/post/2016/kerberoast-pt2/
AS-REP Roasting
https://blog.stealthbits.com/cracking-active-directory-passwords-with-as-rep-roasting/
Golden Ticket
https://pentestlab.blog/tag/krbtgt/
Kerberos & KRBTGT: Active Directory’s Domain Kerberos Service Account https://adsecurity.org/?p=483
https://blog.stealthbits.com/complete-domain-compromise-with-golden-tickets/
https://www.morgantechspace.com/2014/12/What-is-the-use-of-krbtgt-account-in-Active-Directory.html
BloodHound
https://www.c0d3xpl0it.com/2018/06/mapping-network-using-sharphound.html
https://www.gerrenmurphy.com/running-sharphound-from-a-non-domain-pc/
https://www.c0d3xpl0it.com/2018/08/bloodhound-20-walkthrough-on-kali-2018.html
Attacking Domain Trusts
http://www.harmj0y.net/blog/redteaming/a-guide-to-attacking-domain-trusts/
Pentesting AD
AD Pentest links:
A list of possible AD pentesting techniques https://ired.team/offensive-security-experiments/active-directory-kerberos-abuse
https://markitzeroday.com/pass-the-hash/crack-map-exec/2018/03/04/da-from-outside-the-domain.html
https://hausec.com/2019/03/05/penetration-testing-active-directory-part-i/
https://hausec.com/2019/03/12/penetration-testing-active-directory-part-ii/
Mimikatz and Active Directory attacks https://adsecurity.org/?p=556
Unofficial guide to Mimikatz https://adsecurity.org/?page_id=1821
https://1337red.wordpress.com/building-and-attacking-an-active-directory-lab-with-powershell/
https://blog.stealthbits.com/exploiting-weak-active-directory-permissions-with-powersploit/
https://www.hackingarticles.in/penetration-testing-windowsactive-directory-crackmapexec/
https://blog.stealthbits.com/lateral-movement-with-crackmapexec/
https://blog.fox-it.com/2018/04/26/escalating-privileges-with-acls-in-active-directory/
https://1337red.wordpress.com/using-a-scf-file-to-gather-hashes/
https://pentestlab.blog/2017/12/13/smb-share-scf-file-attacks/
A Red Teamer’s Guide to GPOs and OUs https://wald0.com/?p=179
Sean Metcalf presentations https://adsecurity.org/?page_id=1352
Attacking Kerberos https://www.sans.org/cyber-security-summit/archives/file/summit-archive-1493862736.pdf
An ACE Up the Sleeve https://www.specterops.io/assets/resources/an_ace_up_the_sleeve.pdf
Attack Methods for Gaining Domain Admin Rights in Active Directory https://adsecurity.org/?p=2362
How Attackers Extract Credentials (Hashes) From LSASS https://adsecurity.org/?p=462
How Attackers Dump Active Directory Database Credentials https://adsecurity.org/?p=2398
Scanning for Active Directory Privileges & Privileged Accounts https://adsecurity.org/?p=3658
Detecting Forged Kerberos Ticket (Golden Ticket & Silver Ticket) Use in Active Directory https://adsecurity.org/?p=1515
http://www.harmj0y.net/blog/redteaming/a-guide-to-attacking-domain-trusts/
Pass-the-Cache to Domain Compromise https://medium.com/@jamie.shaw/pass-the-cache-to-domain-compromise-320b6e2ff7da
Attacking SQL Server trusts http://www.labofapenetrationtester.com/2017/03/using-sql-server-for-attacking-forest-trust.html
Internal Monologue Attack: Retrieving NTLM Hashes without Touching LSASS
https://github.com/eladshamir/Internal-Monologue
https://www.andreafortuna.org/2018/03/26/retrieving-ntlm-hashes-without-touching-lsass-the-internal-monologue-attack/
Understanding AD
Understanding the Active Directory logical model https://docs.microsoft.com/en-us/windows-server/identity/ad-ds/plan/understanding-the-active-directory-logical-model
Hacking SQL Server Procedures – Part 4: Enumerating Domain Accounts https://blog.netspi.com/hacking-sql-server-procedures-part-4-enumerating-domain-accounts/
Null Session Domain Controller Enumeration https://inner-tech.blogspot.com/2015/09/null-session-domain-controller.html
MITRE ATT&CK
https://attack.mitre.org/techniques/T1086/
https://attack.mitre.org/techniques/T1003/
https://attack.mitre.org/techniques/T1208/
Tools
AD Recon https://github.com/balaasif6789/ADRecon
Attacking ACLS https://github.com/fox-it/Invoke-ACLPwn
Get AD credentials https://github.com/DanMcInerney/icebreaker
GoFetch is a tool to automatically exercise an attack plan generated by the BloodHound application https://github.com/GoFetchAD/GoFetch
CrackMapExec: Swiss army knife for pentesters https://github.com/byt3bl33d3r/CrackMapExec
RedSnarf is a pen-testing / red-teaming tool for Windows environments https://github.com/nccgroup/redsnarf
Automate getting Domain Admin using Empire https://github.com/byt3bl33d3r/DeathStar
Get plaintext active directory credentials https://github.com/DanMcInerney/icebreaker
Rubeus https://github.com/GhostPack/Rubeus#compile-instructions
PowerShell scripts for AD Recon https://github.com/PyroTek3/PowerShell-AD-Recon
BloodHound https://hausec.com/2017/10/26/using-bloodhound-to-map-the-user-network/
Introducing BloodHound https://wald0.com/?p=68
https://dirkjanm.io/abusing-exchange-one-api-call-away-from-domain-admin/
Interesting blogs
https://dirkjanm.io/
http://www.harmj0y.net/blog/category/activedirectory/
https://hausec.com
https://github.com/PaulSec/awesome-windows-domain-hardening
https://pentestlab.blog
Red Teaming Links
https://techbeacon.com/security/modern-red-teaming-21-resources-your-security-team Link containing more links
https://blog.cobaltstrike.com/2015/09/30/advanced-threat-tactics-course-and-notes/ Link containing more links
https://vincentyiu.co.uk/red-team-tips
https://www.blackhillsinfosec.com