By default, Windows is configured to search for a Proxy Auto-Config (PAC) file via the Web Proxy Auto-Discovery (WPAD). Automatic discovery of the PAC file is useful in an organization without doing any configuration on the client. However, requesting a PAC file through WPAD does not require authentication of the user who is sending the proxying file, which allows an adversary to send a spoofed answer and ask for the user’s credential.

Password Spraying is a technique that brute-forcing the system using commonly used usernames and passwords. In a traditional brute force attack, the adversary attempts to gain unauthorized access to a single account by guessing the password repeatedly in a very short period of time. However, most organizations have employed countermeasures through their domain policy to lock out accounts after three to five failed attempts. By using the password spraying technique, the adversary can circumvent these common countermeasures, such as the account lockout, by spraying the same password across many accounts before trying another password.

PowerView is a PowerShell tool to enumerate and test security on Windows domains. It contains a set of pure-PowerShell replacements for various windows "net *" commands, which utilize PowerShell AD hooks and underlying Win32 API functions to perform useful Windows domain functionality. The recon module within PowerView toolset is a collection of PowerShell scripts that can be used to enumerate, update and create Active Directory objects during penetration testing.

An access control list (ACL) is a list of access control entries (ACE). Each ACE in an ACL identifies a trustee and specifies the access rights allowed, denied, or audited for that trustee. The security descriptor for a securable object can contain two types of ACLs: a DACL and a SACL. Windows uses structured and associated data known as Security Descriptor to identify the object's owner and primary group. The security descriptor contains the security information for a securable object. It may also contain a Discretionary Access Control List (DACL) that controls access to a user object, and a System Access Control List (SACL) that controls the logging of attempts to access the object.

An access control list (ACL) is a list of access control entries (ACE). Each ACE in an ACL identifies a trustee and specifies the access rights allowed, denied, or audited for that trustee. The security descriptor for a securable object can contain two types of ACLs: a DACL and a SACL. Windows uses structured and associated data known as Security Descriptor to identify the object's owner and primary group. The security descriptor contains the security information for a securable object. It may also contain a Discretionary Access Control List (DACL) that controls access to a group object, and a System Access Control List (SACL) that controls the logging of attempts to access the object.

BloodHound is a single-page Javascript web application, built on top of Linkurious, compiled with Electron, with a Neo4j database fed by a C# data collector. It is an application used to visualize active directory environments and reveal the hidden and often unintended relationships in an Active Directory environment.

A DC Sync exploit is a post-exploitation attack technique in which adversaries impersonate an Active Directory Domain Controller to obtain authentication credentials from other Domain Controllers. It requires adversaries to have replication privileges to a Domain Controller or domain administrator credentials.

Kerberoasting attack is a technique that allows an adversary to extract password hashes for the target’s active directory user accounts through their Service Principal Name (SPN) ticket. The technique can be carried out by any user on a domain, not just administrators. The Kerberos uses the New Technology LAN Manager (NTLM) hash of the requested service to encrypt the KRB_TGS ticket for a forgiven Service Principal Names (SPNs). When a domain user sent a request for a Ticket Granting Service (TGS) ticket to a Domain Controller Key Distribution Center (KDC) for any service that has registered SPN, the KDC generates the KRB_TGS without validating whether the user has access to the service.

AS-REP is a Kerberos message type that refers to an "Authentication Service" (AS) response message. It is transmitted between a Kerberos server and client as part of the exchange of credentials needed to access a service. To generate an AS-REP message, first, the Kerberos client asks Kerberos Domain Controller (KDC) for a Ticket Granting Ticket (TGT) and a session key that is needed to obtain credentials for other services.

The Golden Ticket is the Kerberos authentication token for the KRBTGT account, a special default account with the job of encrypting all the authentication tokens for the DC. Domain Controllers use the KRBTGT account password to decrypt Kerberos tickets for validation. This account password never changes, and the account name is the same in every domain. Once the adversaries obtained the KRBTGT account password hash, they can use it to forge valid Kerberos Ticket Granting Tickets (TGTs). This gives the adversary access to any resource on an Active Directory Domain, thus called “Golden Ticket”.

A Silver Ticket is a forged authentication ticket that allows you to log into some accounts. Adversaries who have the password hash of a target service account such as CIFS, SMB, MSSQL may forge Kerberos ticket granting service (TGS) tickets, also known as silver tickets. The reason adversaries can forge silver tickets is that Kerberos allows services (low-level Operating System programs) to log in without double-checking that their token is actually valid.

The Skeleton Key attack allows adversaries with physical access to the target system to gain control over the system by entering the injected password into the LSASS process. Once the password is injected successfully, it allows adversaries to bypass the standard authentication system to use the injected password for all accounts authenticating to that Domain Controller. And this is one of the attacks that is packaged and very easy to perform using Mimikatz.

A DC Shadow exploit is a post-exploitation attack technique in which adversaries register a rogue Active Directory Domain Controller and use that to inject malicious Active Directory objects, such as accounts or access control lists, into other Domain Controllers that are part of the same Active Directory infrastructure. It requires adversaries to obtain initial local administrator access to a Domain Controller, or domain administrator credentials.

ZeroLogon is an authentication bypass vulnerability (CVE-2020-1472) in the Netlogon Remote Protocol (MS-NRPC) that allows an adversary with a foothold on your internal network to essentially become Domain Admin by subverting Netlogon cryptography. Netlogon Remote Protocol is an interface that Windows uses to authenticate users and computers on domain-based networks and update their passwords in the Active Directory.

Group Policy preferences (GPP) allow administrators to create domain policies with embedded credentials and install Windows and application settings that were previously unavailable using Group Policy. These policies allow administrators to enable local accounts to make configuration changes to machines, such as creating local users, changing local administrator passwords, scheduling tasks and creating/updating services, etc.