End-to-end scenarios
End-to-end compromise walkthroughs built from real techniques. Each path is the kind of narrative an interviewer wants to hear or a pentest report needs to contain: what you did, why it worked, and what should have stopped you.
From weak password policy to full domain compromise, the most common real-world AD attack chain.
A single service account SPN can lead to domain-wide compromise through offline ticket cracking.
Intercepted network authentication cascades into credential harvesting, lateral movement, and full domain control.
Misconfigured permissions create invisible privilege paths, from BloodHound recon to shadow credentials and domain compromise.
Control over a Group Policy Object gives an attacker code execution across every host in the OU, and a direct path to domain compromise.
A single misconfigured delegation setting hands an attacker a domain controller's TGT, bypassing the entire credential-harvesting chain.
A misconfigured certificate template lets a low-privilege user request a certificate as a domain admin, opening the door to full domain compromise and persistent golden-certificate access.
Coerced NTLM authentication relayed through AD CS web enrollment produces a machine certificate, and a direct path to domain compromise.
Write access to a certificate template is all it takes: modify it, abuse it, and compromise the domain in a two-stage AD CS attack.
Forced authentication relayed to a certificate authority turns a network foothold into domain-wide control: no password ever cracked.
Signature-based antivirus trusts what is already on the system: native tooling, neutralized in-memory scanning, and execution that wears a trusted process as a mask slip straight past it.
Owning the domain once is easy to lose: layered persistence keeps access alive through password resets and remediation.