Active Directory is the backbone of almost every enterprise network I test. It is also the single most documented attack surface in offensive security — books, courses, Pro Labs, and certification exams built entirely around it. And yet, every time I sit down in front of a domain, I find myself doing the same thing: opening six browser tabs, cross-referencing BloodHound output against a Notion page, grepping through old notes from a box I did eight months ago to remember the exact Certipy flag for ESC16.
That friction was the problem I wanted to solve.
Over the past several months of working through HTB machines, the CPTS exam (Trilocor environment), and HTB Pro Labs, I built a set of living reference documents alongside my lab notes. Every time I hit a technique that worked, I wrote it down in a consistent format — the exact command, the tool, the gotchas that burned me, and a note about where I validated it. Over time those notes became two tools I am releasing publicly today.
AD Arsenal (ad_arsenal.html) is a standalone reference document covering twelve Active Directory attack categories from unauthenticated enumeration through cross-trust exploitation. Every technique has a copy-able command block, a tools line, a severity rating, and notes on operational gotchas.
The gotchas are the part I care most about — they are not documentation padding. They are the specific things that burned time in labs or on real engagements:
net group without /domain silently targets local groups instead of AD groups
certipy shadow auto against a domain without PKINIT-capable DCs will fail silently
AD Mind Map (ad_mindmap.html) is an interactive radial mind map of the same technique set. Clicking any leaf node scrolls to the corresponding reference card. No tabs, no context switching.
Both files are standalone HTML with no server or build requirements. Open locally or serve via GitHub Pages.
The current version spans twelve categories with approximately 80 technique nodes:
LDAP anonymous bind, SMB null sessions, RPC null session, Kerbrute user enum, LLMNR/NBT-NS poisoning.
Lockout-aware password spray, AS-REP roasting, Kerberoasting with RC4 downgrade notes.
BloodHound collection + Cypher queries, PowerView ACL enum, NetExec sweeps, LDAP attribute queries.
Full BloodHound edge matrix — GenericAll, GenericWrite, WriteDACL, WriteOwner, DS-Replication with cleanup notes.
Unconstrained delegation with TGT capture, constrained S4U2Self/S4U2Proxy chains, full RBCD workflow.
ESC1–ESC8 and ESC16. UPN swap technique validated on HTB Fluffy.
Responder, ntlmrelayx, PetitPotam, PrinterBug, Coercer. WebDAV bypasses SMB signing via WebClient over HTTP.
Credential dumping, lateral movement, ticket attacks, persistence techniques, and cross-trust exploitation.
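The credential-attack category above notes the RC4 downgrade used with Kerberoasting, and AS-REP roasting depends on accounts with pre-authentication disabled. Both leave a signature in the domain controller's Kerberos audit events, and the following is an added example of the detection side of that, not code from AD Arsenal or the original post. It works over a constructed, simplified view of Security events 4768 (TGT requested) and 4769 (service ticket requested); the field names and the sample records are assumptions for illustration, and a real pipeline would parse the Windows XML first.

```python
"""Flag Kerberos ticket events that look like AS-REP roasting or a
Kerberoasting RC4 downgrade.

Added example; not part of AD Arsenal. Input records are a constructed,
simplified view of Windows Security events 4768 and 4769; the real events
carry more fields under different names.
"""
from collections import defaultdict

RC4_HMAC = "0x17"   # TicketEncryptionType for RC4-HMAC
NO_PREAUTH = "0"    # PreAuthType 0: pre-authentication not required

# Constructed sample events (not real logs).
SAMPLE_EVENTS = [
    {"id": 4768, "account": "svc_backup", "preauth": "0", "etype": "0x17", "src": "10.10.14.5"},
    {"id": 4768, "account": "jdoe", "preauth": "2", "etype": "0x12", "src": "10.10.10.21"},
    {"id": 4769, "account": "jdoe", "service": "sql_svc", "etype": "0x12", "src": "10.10.10.21"},
    {"id": 4769, "account": "jdoe", "service": "sql_svc", "etype": "0x17", "src": "10.10.14.5"},
    {"id": 4769, "account": "jdoe", "service": "WS01$", "etype": "0x17", "src": "10.10.14.5"},
    {"id": 4769, "account": "jdoe", "service": "krbtgt", "etype": "0x17", "src": "10.10.14.5"},
]


def flag_asrep_roast(events):
    """4768 with pre-auth disabled and an RC4 TGT: the AS-REP is crackable offline.
    Returns the account names involved."""
    return [e["account"] for e in events
            if e["id"] == 4768 and e["preauth"] == NO_PREAUTH and e["etype"] == RC4_HMAC]


def flag_rc4_downgrade(events):
    """4769 service tickets issued with RC4 for a service that has also been
    issued AES tickets in the same window: the requester asked for a weaker
    etype than the service normally gets. krbtgt and computer accounts
    (trailing $) are skipped to cut noise. Returns (account, service, source)."""
    etypes_by_service = defaultdict(set)
    for e in events:
        if e["id"] == 4769:
            etypes_by_service[e["service"]].add(e["etype"])

    findings = []
    for e in events:
        if e["id"] != 4769 or e["etype"] != RC4_HMAC:
            continue
        svc = e["service"]
        if svc.lower() == "krbtgt" or svc.endswith("$"):
            continue
        if any(t != RC4_HMAC for t in etypes_by_service[svc]):
            findings.append((e["account"], svc, e["src"]))
    return findings


if __name__ == "__main__":
    print("AS-REP roastable TGTs:", flag_asrep_roast(SAMPLE_EVENTS))
    print("RC4 downgrades:", flag_rc4_downgrade(SAMPLE_EVENTS))
```

The downgrade check compares each RC4 service ticket against the other encryption types seen for the same SPN, so an environment where a service genuinely only supports RC4 does not fire; the AS-REP check is a straight match on pre-auth disabled plus RC4, which is the condition that makes the reply crackable in the first place.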
ESC16 exploits weak cert-to-account mapping when szOID_NTDS_CA_SECURITY_EXT is disabled. Temporarily set UPN to administrator@domain, enroll a cert, restore UPN, authenticate. The DC resolves the SAN to admin. Validated on HTB Fluffy.
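From the defender's side, the UPN swap described above is visible in directory change auditing: the userPrincipalName attribute on an ordinary account briefly takes the value of a privileged account's UPN and is then restored. The following is an added example of that check, not code from AD Arsenal or the original post. It runs over a constructed, simplified view of Security event 5136 (directory object modified, which requires a change-auditing SACL on user objects); the real event encodes the operation as %%14674 (value added) / %%14675 (value deleted) in XML, so the field names, the protected-identity table and the sample records here are assumptions for illustration.

```python
"""Flag userPrincipalName changes that make a low-privilege object resolve
as a privileged identity, and UPN changes that are quickly reverted.

Added example for the ESC16 note; not part of AD Arsenal. Records are a
constructed, simplified view of Security event 5136.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed: protected UPNs mapped to the object that legitimately owns them.
PROTECTED = {
    "administrator@corp.local": "CN=Administrator,CN=Users,DC=corp,DC=local",
}

# Constructed sample changes (not real logs): one UPN swap and restore 40s later.
SAMPLE_CHANGES = [
    {"time": "2024-05-01T10:00:00", "object": "CN=svc_web,CN=Users,DC=corp,DC=local",
     "attr": "userPrincipalName", "op": "deleted", "value": "svc_web@corp.local", "actor": "svc_web"},
    {"time": "2024-05-01T10:00:00", "object": "CN=svc_web,CN=Users,DC=corp,DC=local",
     "attr": "userPrincipalName", "op": "added", "value": "administrator@corp.local", "actor": "svc_web"},
    {"time": "2024-05-01T10:00:40", "object": "CN=svc_web,CN=Users,DC=corp,DC=local",
     "attr": "userPrincipalName", "op": "deleted", "value": "administrator@corp.local", "actor": "svc_web"},
    {"time": "2024-05-01T10:00:40", "object": "CN=svc_web,CN=Users,DC=corp,DC=local",
     "attr": "userPrincipalName", "op": "added", "value": "svc_web@corp.local", "actor": "svc_web"},
    {"time": "2024-05-01T11:30:00", "object": "CN=jdoe,CN=Users,DC=corp,DC=local",
     "attr": "displayName", "op": "added", "value": "Jane Doe", "actor": "helpdesk1"},
]


def _upn_changes(events):
    """Only userPrincipalName modifications, ordered by time."""
    return sorted((e for e in events if e["attr"].lower() == "userprincipalname"),
                  key=lambda e: e["time"])


def flag_protected_upn_collisions(events, protected=PROTECTED):
    """A protected UPN written onto an object that is not its legitimate owner.
    Returns (object DN, UPN value, actor)."""
    findings = []
    for e in _upn_changes(events):
        if e["op"] != "added":
            continue
        owner = protected.get(e["value"].lower())
        if owner and owner.lower() != e["object"].lower():
            findings.append((e["object"], e["value"], e["actor"]))
    return findings


def flag_quick_reverts(events, window=timedelta(minutes=10)):
    """A UPN value removed from an object and the same value put back within
    the window. Returns (object DN, value, seconds between removal and restore)."""
    by_object = defaultdict(list)
    for e in _upn_changes(events):
        by_object[e["object"]].append(e)

    findings = []
    for obj, changes in by_object.items():
        for d in (c for c in changes if c["op"] == "deleted"):
            t_del = datetime.fromisoformat(d["time"])
            for a in (c for c in changes if c["op"] == "added"):
                t_add = datetime.fromisoformat(a["time"])
                if (a["value"].lower() == d["value"].lower()
                        and t_del < t_add <= t_del + window):
                    findings.append((obj, d["value"], int((t_add - t_del).total_seconds())))
    return findings


if __name__ == "__main__":
    for f in flag_protected_upn_collisions(SAMPLE_CHANGES):
        print("collision:", f)
    for f in flag_quick_reverts(SAMPLE_CHANGES):
        print("revert:", f)
```

The two checks are deliberately independent: the collision check fires even if the attacker never restores the UPN, and the revert check fires even for a value that is not on the protected list, which catches the same pattern aimed at an account the defender did not think to protect. Correlating either hit with a certificate issuance event for the same object in the same window is the natural next step.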
There are excellent existing references — the Orange Cyberdefense mind map, PayloadsAllTheThings, HackTricks, the Impacket examples directory. The problem is not a shortage of documentation. The problem is that none of those sources have my specific failure history embedded in them.
When the Certipy shadow command returns an LDAP error, knowing that the domain has no PKINIT-capable DC is more useful than the tool's error message. When an ntlmrelayx LDAP relay returns nothing, knowing that you left SMB enabled in Responder explains it immediately. Those micro-debugging lessons are contextual and failure-specific — they don't exist externally.
Engagement constraints matter too. A significant portion of my work is against law firm environments with strict lockout policies. In a three-attempt lockout environment, Kerberoasting and AS-REP roasting are the only safe path to initial credentials. The reference reflects that priority order throughout.
This is a living document. Planned additions as labs progress:
Both files are self-contained HTML. Clone or download and open directly — no build step, no dependencies.
If a technique is wrong, outdated, or missing a gotcha, open an issue. Certipy's API has shifted enough times to matter, impacket has renamed several scripts, and newer Windows Server builds have patched some easier paths. Corrections welcome.