Defence

OK, that subject is massive, so this is a more targeted thought process to consider.

Each network is unique and technology deployments vary. One time I was in a network that was almost entirely Apple MacBooks and a door control panel… which was ‘fun’.

So this is a general list of some things to consider if you have tech deployed such as:

  • Active Directory
  • Printers
  • SCCM
  • MSSQL

This assumes the threat actor has line of sight (routable) or physically adjacent (inside the same VLAN/subnet) access.

This is NOT every single thing you could do; it’s meant to give people an idea of the routes an attacker could take. You need to work through your own networks to see what you have: the services that are running, the network segments, routes, etc.

Tests that do not require authentication (Authenticated: No):

  • DNS zone transfer
  • NULL bind to LDAP
  • Responder (local subnet)
  • Find open writable shares to inject a malicious link/Responder link
  • Username enumeration (ldapnomnom)
  • Username enumeration (Kerberos)
  • Username enumeration (SMB)
  • mitm6
  • Rogue DHCP (v4)
  • Responder + SMB relay
  • Password spray (common account names)
  • Brute force (common account names)
  • Password spray (enumerated users via OSINT)
  • Password spray (enumerated users via TCP/IP connected methods)
  • Can you access any printer admin panels?
  • Unauthenticated PXE spoofing
  • NTLM downgrade

Tests that require authentication (Authenticated: Yes):

  • Run PingCastle
  • Dump AD (ADExplorer)
  • Dump AD (BloodHound)
  • Dump AD (Adalanche)
  • LDAP searches
  • Copy SYSVOL and hunt for credentials
  • GPP passwords?
  • Passwords in the description field?
  • Search shares for credentials
  • Check if you can RDP to any server/workstation
  • Check if you have admin rights anywhere
  • Can you join your own clean VM to the domain?
  • Can you write DNS records via LDAP and Responder more users? (e.g. add a DNS wildcard/wpad record etc.)
  • Can you Kerberoast?
  • Can you AS-REP roast?
  • Can you escalate using AD CS paths?
  • Do you have mailbox/Teams access? If so, phish for creds?
  • Can you access SharePoint? Can you find creds?
  • If you have a domain-joined machine, can you find any creds on the system?
  • Capture traffic (PCAP) on a domain-joined machine and try to find creds over the wire
  • Can you write to any shares? Can you drop a poisoned link for Responder?
  • Misconfigured ACLs/DACLs in AD DS that you can abuse?
  • Can you access any databases?
  • Can you access any printer admin panels?
  • Spray your creds everywhere to see what you can access, e.g. other PCs or servers
  • Can you modify any GPOs?
  • Can you create any GPOs?
  • Can you read LAPS passwords?
  • Can you find any creds hardcoded in apps?
  • What scripts are in SYSVOL? Can they help you?
  • Can you identify any IAM/PAM services you might be able to attack?
  • Can you identify any backup services you might be able to attack?
  • Can you find any backups on file shares?
  • Can you escalate via SCCM?
  • Can you add a computer and abuse resource-based constrained delegation (RBCD)?

So, as a defender, you should probably consider how to detect and defend against each of these vectors and approaches.
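As an added example (not code from the original post), here is how three of the authenticated checks above, copying SYSVOL to hunt for credentials, GPP passwords, and scripts in SYSVOL, can be turned into a defender's own audit: the script walks a copy of SYSVOL, flags any Group Policy Preference item that still carries a cpassword attribute and any logon script line that looks like an embedded credential. The file contents, GUIDs, hosts, accounts and secrets in SAMPLE_SYSVOL are constructed for the example; replace that dictionary with the files read from your own SYSVOL copy.

```python
import re
import xml.etree.ElementTree as ET

# Constructed stand-in for a copied SYSVOL tree: relative path -> file content.
# Every GUID, host, account and secret below is made up for this example.
SAMPLE_SYSVOL = {
    "Policies/{GUID-A}/Machine/Preferences/Groups/Groups.xml": (
        '<Groups clsid="{3125E937-EB16-4b4c-9934-544FC6D24D26}">'
        '<User name="LocalAdmin" clsid="{DF5F1855-51E5-4d24-8B1A-D9BDE98BA1D1}">'
        '<Properties action="U" userName="LocalAdmin" cpassword="EXAMPLE_BLOB_NOT_REAL"/>'
        "</User></Groups>"
    ),
    "Policies/{GUID-B}/Machine/Preferences/Drives/Drives.xml": (
        '<Drives clsid="{8FDDCC1A-0C3C-43cd-A6B4-71A6DF20DA8C}">'
        '<Drive name="H:"><Properties action="U" path="\\\\fs01\\home"/></Drive></Drives>'
    ),
    "scripts/logon.bat": "net use Z: \\\\fs01\\share /user:CORP\\svc_backup P@ssw0rd-EXAMPLE\r\n",
    "scripts/inventory.ps1": "Get-WmiObject Win32_BIOS | Export-Csv bios.csv\r\n",
}

# Script lines that look like an embedded credential: a password assignment or a
# "net use ... /user:<account> <secret>" command. Extend for your own environment.
CRED_PATTERNS = [
    re.compile(r"passw(or)?d\s*[:=]\s*\S+", re.IGNORECASE),
    re.compile(r"/user:\S+\s+\S+", re.IGNORECASE),
]


def audit_sysvol(files):
    """Return (path, kind, detail) findings for GPP items that still carry a cpassword
    attribute and for password-like lines in scripts. Only presence is reported."""
    findings = []
    for path, content in files.items():
        lower = path.lower()
        if lower.endswith(".xml"):
            for elem in ET.fromstring(content).iter():
                if "cpassword" in elem.attrib:
                    # GPP names the target account differently per item type
                    account = (elem.attrib.get("userName") or elem.attrib.get("runAs")
                               or elem.attrib.get("accountName") or "?")
                    findings.append((path, "gpp_cpassword", f"{elem.tag} for {account}"))
        elif lower.endswith((".bat", ".cmd", ".vbs", ".ps1")):
            for lineno, line in enumerate(content.splitlines(), 1):
                if any(p.search(line) for p in CRED_PATTERNS):
                    findings.append((path, "script_credential", f"line {lineno}"))
    return findings


if __name__ == "__main__":
    for path, kind, detail in audit_sysvol(SAMPLE_SYSVOL):
        print(f"[{kind}] {path}: {detail}")
```

Any gpp_cpassword hit means a preference item that should be removed and the account's password rotated; script hits need a human look, since the patterns are deliberately broad.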