# AD Red Team Study Guide

### A Mastery-Level Reference for the First-Year Operator

> *"Active Directory is a beautiful, sprawling, broken castle. It was built before zero trust existed, before lateral movement was a threat model, before identity was the perimeter. Every assumption it makes — that the network is trustworthy, that machine accounts are equivalent to users, that delegation is safe, that replication should always succeed — is a foothold for someone like us. Your job is to understand the castle better than the architects who designed it."*
>
> — Anonymous Senior Operator, 2014

***

## How to Use This Guide

This guide is structured as a progressive curriculum. Read it linearly to build foundational understanding, or use it as a reference once you are on an engagement. **Every technique** is annotated with one of three OPSEC tags:

* **\[STEALTH]** — produces minimal or no logs in default configurations; generally usable against mature SOCs, but never assume it is invisible. A SOC that has enabled non-default auditing or deployed EDR can still see it.
* **\[NOISY]** — generates clear high-signal events; use only when speed matters more than detection.
* **\[CONTEXT-DEPENDENT]** — depends entirely on the target's logging maturity; profile before using.

You will see the same techniques referenced from multiple angles (recon → exploitation → persistence). This is intentional: AD attacks are interconnected, and seeing the same primitive from different operational perspectives is how you internalize it.

**Authorization is everything.** The techniques here are lawful in only three contexts: authorized penetration tests, sanctioned red team engagements, and study in a lab you own. Outside those contexts, running these commands against systems you do not own or have written authorization to test is a crime in most jurisdictions. Know your scope. Get it in writing. Stay in lane.

***

## Table of Contents

The 12 sections follow the kill-chain order. Cross-references throughout the guide use the `§N.x` notation (e.g., `§4.5` = Section 4, subsection 5).

1. **Active Directory Fundamentals (Deep Dive)** — protocols, partitions, Kerberos/NTLM/LDAP, delegation, ADCS primer.
2. **Reconnaissance & Enumeration** — LDAP recon, BloodHound tradecraft, ADCS enum, OPSEC.
3. **Initial Access Vectors** — spraying, LLMNR, mitm6, coercion family, Shadow Credentials, SCCM, Exchange.
4. **Credential Access & Harvesting** — Kerberoast, AS-REP, DCSync, NTDS extraction, LSASS, DPAPI, GPP, SCCM NAA.
5. **Privilege Escalation** — delegation abuse, ACL paths, ESC1–ESC15, GPO, Potatoes, PtH/PtT/PtK/OPtH.
6. **Lateral Movement** — WMI/WinRM/PsExec/atexec/DCOMexec/RDP/SCCM with stealth comparisons.
7. **Domain Dominance** — Golden, Silver, Diamond, Sapphire tickets; DSRM; cross-forest attacks.
8. **Persistence Mechanisms** — AdminSDHolder, ACL, GPO, WMI subscriptions, ADFS DKM, ADCS templates, DCShadow.
9. **Defensive Evasion & OPSEC** — AMSI/ETW patching, PowerShell logging evasion, EDR hooks, LOLBINs.
10. **Tools & Frameworks** — Impacket, BloodHound, Mimikatz, Rubeus, Certipy, NetExec (nxc), C2 frameworks.
11. **Real-World Engagement Scenarios** — five end-to-end case studies.
12. **Learning Path & Study Plan** — 16-week curriculum, lab environments, certifications, knowledge base discipline.

***

## Appendices

* **Command Quick Reference** — goal-indexed one-liners across every phase.
* **Concept Index** — every AD attack concept mapped to the section that covers it deepest.
* **Operator Notes** — cross-reference tables, decision trees, OPSEC heatmap.

