# AD Red Team Study Guide

### A Mastery-Level Reference for the First-Year Operator

> *"Active Directory is a beautiful, sprawling, broken castle. It was built before zero trust existed, before lateral movement was a threat model, before identity was the perimeter. Every assumption it makes — that the network is trustworthy, that machine accounts are equivalent to users, that delegation is safe, that replication should always succeed — is a foothold for someone like us. Your job is to understand the castle better than the architects who designed it."*
>
> — Anonymous Senior Operator, 2014

***

## How to Use This Guide

This guide is structured as a progressive curriculum. Read it linearly to build foundational understanding, or use it as a reference once on engagement. **Every technique** is annotated with one of three OPSEC tags:

* **\[STEALTH]** — produces few or no high-signal events under default logging; the techniques most likely to survive even against a mature SOC.
* **\[NOISY]** — generates clear, high-signal events; use only when speed matters more than detection.
* **\[CONTEXT-DEPENDENT]** — detectability depends entirely on the target's logging and telemetry maturity; profile the environment before using.

You will see the same techniques referenced from multiple angles (recon → exploitation → persistence). This is intentional: AD attacks are interconnected, and seeing the same primitive from different operational perspectives is how you internalize it.

**Authorization is everything.** Every technique here is lawful in exactly three contexts: authorized penetration tests, sanctioned red team engagements, and study in a lab you own. Outside those contexts, running the commands in this guide is a crime in most jurisdictions. Know your scope. Get it in writing. Stay in your lane.

***

## Table of Contents

The 12 sections follow the kill-chain order. Cross-references throughout the guide use the `§N.x` notation (e.g., `§4.5` = Section 4, subsection 5).

1. **Active Directory Fundamentals (Deep Dive)** — protocols, partitions, Kerberos/NTLM/LDAP, delegation, ADCS primer.
2. **Reconnaissance & Enumeration** — LDAP recon, BloodHound tradecraft, ADCS enum, OPSEC.
3. **Initial Access Vectors** — spraying, LLMNR, mitm6, coercion family, Shadow Credentials, SCCM, Exchange.
4. **Credential Access & Harvesting** — Kerberoast, AS-REP, DCSync, NTDS extraction, LSASS, DPAPI, GPP, SCCM NAA.
5. **Privilege Escalation** — delegation abuse, ACL paths, ESC1–ESC15, GPO, Potatoes, PtH/PtT/PtK/OPtH.
6. **Lateral Movement** — WMI/WinRM/PsExec/atexec/DCOMexec/RDP/SCCM with stealth comparisons.
7. **Domain Dominance** — Golden, Silver, Diamond, Sapphire tickets; DSRM; cross-forest attacks.
8. **Persistence Mechanisms** — AdminSDHolder, ACL, GPO, WMI subscriptions, ADFS DKM, ADCS templates, DCShadow.
9. **Defensive Evasion & OPSEC** — AMSI/ETW patching, PowerShell logging evasion, EDR hooks, LOLBINs.
10. **Tools & Frameworks** — Impacket, BloodHound, Mimikatz, Rubeus, Certipy, NetExec (nxc), C2 frameworks.
11. **Real-World Engagement Scenarios** — five end-to-end case studies.
12. **Learning Path & Study Plan** — 16-week curriculum, lab environments, certifications, knowledge base discipline.

***

## Appendices

* **Command Quick Reference** — goal-indexed one-liners across every phase.
* **Concept Index** — every AD attack concept mapped to the section that covers it deepest.
* **Operator Notes** — cross-reference tables, decision trees, OPSEC heatmap.
