
URL: https://www.geeksforgeeks.org/ethical-hacking/post-enumeration-intro-for-active-directory/


Post Enumeration Intro For Active Directory

Last Updated : 13 Sep, 2025

Post-enumeration is the stage after you’ve gained initial access to the Active Directory (AD) environment. The goal is to turn raw access into actionable intelligence: find privileged accounts, discover sensitive credentials, map attack paths, and identify misconfigurations that allow lateral movement or privilege escalation.


Why post-enumeration matters

  • Confirms what you can access (users, groups, shares, GPOs) and how (paths, trusts, exposed services).
  • Reveals attack paths: which low-privilege accounts can reach higher-privilege assets via group membership, ACLs, or delegated rights.
  • Surfaces secrets and credentials that enable lateral movement and persistence.
  • Helps defenders prioritize fixes by showing real-world exploitation opportunities.

Learning objectives for this lab

  • Enumerate domain objects and relationships to build an AD map.
  • Extract and interpret credential material and hashes safely in a lab.
  • Use graphing and analysis to find privilege escalation routes.
  • Demonstrate common post-exploitation techniques used in assessments (for defensive hardening).

Topic overview

In this lab we’ll explore common techniques attackers use after getting into Active Directory, from mapping the domain to stealing passwords and escalating privileges.

  • Domain enumeration (PowerView)
    Use PowerShell-based enumeration to list domains, domain controllers, users, groups, shares, GPOs, and ACLs. The aim is a fast, scripted reconnaissance of AD objects and relationships.
  • BloodHound and grabbing data
    Collect domain data (users, groups, sessions, ACLs, trusts) and import it into BloodHound to visualize attack paths and highlight highly privileged accounts or misconfigurations.
  • Password/secret discovery
    Methods to discover stored secrets (service account passwords, LSA secrets, cached credentials, etc.) that may be retrievable from compromised hosts. We’ll focus on what to look for and how those secrets are used.
  • NTLM password cracking (Hashcat)
    Once hashes are obtained, use offline cracking tools to recover plaintext credentials. Understand hash types, attack modes (wordlists, hybrid, rules), and realistic success rates.
  • URL / file-based attacks
    Techniques where malicious URLs or files are used to capture credentials or execute payloads (e.g., file servers, web delivery, or SMB/drive-by scenarios). Emphasis on lab-safe demos and detection signals.
  • Password dumping (Mimikatz)
    Demonstrate how credentials can be extracted from memory or LSA on Windows hosts, why this happens, and what protections (Credential Guard, LSA protection) can mitigate it.
  • Golden Ticket attack (KRBTGT abuse)
    Explain the concept of forging Kerberos TGTs using a compromised KRBTGT hash, the impact on domain-wide impersonation, and detection/mitigation strategies.
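As an added defender-side example for the Golden Ticket topic (not code from the article), the check below correlates Kerberos TGT requests (Event ID 4768) with service-ticket requests (Event ID 4769): a forged TGT never passes through the DC's AS exchange, so a 4769 with no matching 4768 for the same user and client IP is worth triage. The event lines and their simplified JSON shape are constructed for this demo, and the 10-hour window assumes the default AD maximum TGT lifetime.

```python
import json
from datetime import datetime, timedelta

# Constructed sample events in a simplified JSON shape (not a real DC log export).
# EventID 4768 = TGT requested (AS-REQ), 4769 = service ticket requested (TGS-REQ).
SAMPLE_LOG = """
{"ts":"2025-09-13T08:00:01","EventID":4768,"TargetUserName":"alice","IpAddress":"10.0.0.5","Status":"0x0"}
{"ts":"2025-09-13T08:00:03","EventID":4769,"TargetUserName":"alice@LAB.LOCAL","IpAddress":"10.0.0.5","ServiceName":"cifs/fs01"}
{"ts":"2025-09-13T08:05:10","EventID":4769,"TargetUserName":"administrator@LAB.LOCAL","IpAddress":"10.0.0.9","ServiceName":"cifs/dc01"}
{"ts":"2025-09-13T08:06:00","EventID":4769,"TargetUserName":"alice@LAB.LOCAL","IpAddress":"10.0.0.7","ServiceName":"ldap/dc01"}
"""


def parse_events(text):
    """Parse one JSON event per line and sort chronologically."""
    events = []
    for line in text.strip().splitlines():
        e = json.loads(line)
        e["ts"] = datetime.fromisoformat(e["ts"])
        # 4769 records the account as user@REALM; normalise to match the 4768 form
        e["user"] = e["TargetUserName"].split("@")[0].lower()
        events.append(e)
    return sorted(events, key=lambda e: e["ts"])


def tgs_without_tgt(events, max_tgt_age=timedelta(hours=10)):
    """Return (user, ip, service) for every service-ticket request that was not
    preceded by a successful TGT request from the same user/IP within max_tgt_age.
    A forged (golden) TGT is never issued by the DC, so no 4768 exists for it."""
    last_tgt = {}   # (user, ip) -> timestamp of most recent successful 4768
    findings = []
    for e in events:
        key = (e["user"], e["IpAddress"])
        if e["EventID"] == 4768 and e.get("Status") == "0x0":
            last_tgt[key] = e["ts"]
        elif e["EventID"] == 4769:
            seen = last_tgt.get(key)
            if seen is None or e["ts"] - seen > max_tgt_age:
                findings.append((e["user"], e["IpAddress"], e["ServiceName"]))
    return findings


if __name__ == "__main__":
    for user, ip, svc in tgs_without_tgt(parse_events(SAMPLE_LOG)):
        print(f"TGS without prior TGT: user={user} ip={ip} service={svc}")
```

TGTs cached before the start of the log window, or issued by another DC whose logs are not in the same feed, also produce hits, so treat the output as a triage signal to be checked against centralised DC logs rather than a verdict on its own.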

Practical lab flow

  1. Enumerate domain objects and collect baseline data from a compromised host.
  2. Harvest secrets and hashes from the host where possible.
  3. Attempt controlled offline cracking of hashes (lab wordlists).
  4. Import collected data into BloodHound and analyze privilege paths.
  5. Demonstrate escalation or lateral movement in a contained environment (e.g., service account use, SMB access).
  6. Wrap up with mitigation and detection recommendations.