Skip to content
All Skills

Executing Active Directory Attack Simulation

Executes authorized attack simulations against Active Directory environments to identify misconfigurations, weak credentials, dangerous privilege paths, and exploitable trust relationships that could lead to domain compromise. The tester uses BloodHound for attack path analysis, Mimikatz for credential extraction, and Impacket for protocol-level attacks including Kerberoasting, AS-REP Roasting, and delegation abuse. Activates for requests involving Active Directory pentest, AD attack simulation, domain compromise testing, or Kerberos attack assessment.

Security & Compliance|v1|Updated 7/2/2026|GitHub source
MCP get_skill({ skillId: "executing-active-directory-attack-simulation-b94e6091" })

Use this skill with your agent

Create a free account and connect via MCP

Get Started Free
# Executing Active Directory Attack Simulation

## When to Use

- Assessing the security of an Active Directory domain and forest against common and advanced attack techniques
- Identifying attack paths from low-privilege domain user to Domain Admin using privilege relationship analysis
- Validating that Kerberos security configurations, credential policies, and delegation settings resist known attacks
- Testing detection capabilities of the SOC and EDR tools against Active Directory-specific TTPs
- Evaluating the effectiveness of tiered administration models and privileged access workstations

**Do not use** without explicit written authorization from the domain owner, against production domain controllers during business hours unless approved, or for testing that could cause account lockouts affecting real users without prior coordination.

## Prerequisites

- Written authorization specifying the target AD domain, testing constraints, and any off-limits accounts or systems
- Low-privilege domain user account (minimum starting point) to simulate realistic attacker position
- Testing workstation joined to the domain or network access to domain controllers on ports 88, 135, 139, 389, 445, 636, 3268, 3269
- BloodHound Community Edition or Enterprise with SharpHound/AzureHound collectors
- Impacket toolkit, Mimikatz (or pypykatz), Rubeus, and CrackMapExec installed on the attack platform
- Hashcat or John the Ripper with current wordlists (rockyou.txt, SecLists) for offline credential cracking

## Workflow

### Step 1: Active Directory Reconnaissance

Enumerate the AD environment from a low-privilege domain user position:

- **Domain enumeration**: `Get-ADDomain` or `crackmapexec smb <dc_ip> -u <user> -p <pass> --domains` to identify domain name, functional level, domain controllers, and forest trusts
- **User enumeration**: `Get-ADUser -Filter * -Properties ServicePrincipalName,AdminCount,PasswordLastSet` to identify service accounts, privileged accounts, and stale passwords
- **Group enumeration**: Map membership of high-value groups (Domain Admins, Enterprise Admins, Schema Admins, Account Operators, Backup Operators) using `net group "Domain Admins" /domain`
- **GPO enumeration**: `Get-GPO -All | Get-GPOReport -ReportType XML` to identify Group Policy configurations including password policies, audit settings, and software deployment
- **Trust enumeration**: `nltest /domain_trusts /all_trusts` to map inter-domain and inter-forest trusts, noting trust direction and transitivity
- **LDAP queries**: Use `ldapsearch` or ADExplorer to search for accounts with `userAccountControl` flags indicating "password never expires", "password not required", or "DES-only Kerberos"

### Step 2: BloodHound Attack Path Analysis

Collect and analyze AD relationship data to identify the shortest paths to Domain Admin:

- Run SharpHound collector: `SharpHound.exe -c All,GPOLocalGroup --outputdirectory C:\temp\` to collect users, groups, sessions, ACLs, trusts, and GPO data
- Import the JSON output into BloodHound and run built-in queries:
  - "Shortest Paths to Domain Admins from Owned Principals"
  - "Find Principals with DCSync Rights"
  - "Find Computers where Domain Users are Local Admin"
  - "Shortest Paths to Unconstrained Delegation Systems"
  - "Find All Paths from Kerberoastable Users"
- Mark the compromised user as "owned" in BloodHound and analyze the resulting attack paths
- Identify ACL-based attack paths: GenericAll, GenericWrite, WriteDACL, WriteOwner, ForceChangePassword on high-value objects
- Document each identified attack path with the chain of relationships and affected objects

### Step 3: Kerberos Attacks

Continue reading

Sign up for a free account to view the full skill content

Login / Register
#mukul-cybersecurity-skills#security#cybersecurity#active#directorypythonpowershellactive-directorybloodhoundmimikatzimpacketrubeuscrackmapexechashcatjohn-the-ripper
Executing Active Directory Attack Simulation - AgentArmory Skill — AgentArmory