Attack Paths
End-to-end compromise walkthroughs built from real techniques. Each path is the kind of narrative an interviewer wants to hear or a pentest report needs to contain: what you did, why it worked, and what should have stopped you.
Password Spray Campaign
From weak password policy to full domain compromise — the most common real-world AD attack chain.
Stages: Reconnaissance → Initial Access → Credential Access → Lateral Movement → Lateral Movement → Domain Compromise
Premium | 6 steps | ~78 min | ActiveDirectory

Kerberoasting Service Accounts
A single service account SPN can lead to domain-wide compromise through offline ticket cracking.
Stages: Reconnaissance → Credential Access → Lateral Movement → Credential Access → Domain Compromise
Premium | 5 steps | ~66 min | ActiveDirectory

NTLM Relay to Domain Compromise
Intercepted network authentication cascades into credential harvesting, lateral movement, and full domain control.
Stages: Initial Access → Credential Access → Lateral Movement → Lateral Movement → Domain Compromise
Premium | 5 steps | ~68 min | ActiveDirectory

ACL Abuse Chain
Misconfigured permissions create invisible privilege paths — from BloodHound recon to shadow credentials and domain compromise.
Stages: Reconnaissance → Reconnaissance → Privilege Escalation → Persistence → Domain Compromise
Premium | 5 steps | ~68 min | ActiveDirectory

GPO Takeover
Control over a Group Policy Object gives an attacker code execution across every host in the OU — and a direct path to domain compromise.
Stages: Reconnaissance → Privilege Escalation → Credential Access → Lateral Movement → Domain Compromise
Premium | 5 steps | ~68 min | ActiveDirectory

Unconstrained Delegation Abuse
A single misconfigured delegation setting hands an attacker a domain controller's TGT — bypassing the entire credential-harvesting chain.
Stages: Reconnaissance → Privilege Escalation → Lateral Movement → Domain Compromise
Premium | 4 steps | ~56 min | ActiveDirectory

Certificate Template Abuse
A misconfigured certificate template lets a low-privilege user request a certificate as a domain admin — opening the door to full domain compromise and persistent golden-certificate access.
Stages: Reconnaissance → Privilege Escalation → Lateral Movement → Domain Compromise → Persistence
Premium | 5 steps | ~70 min | ActiveDirectory

NTLM Relay to AD CS
Coerced NTLM authentication relayed through AD CS web enrollment produces a machine certificate — and a direct path to domain compromise.
Stages: Initial Access → Credential Access → Lateral Movement → Domain Compromise
Premium | 4 steps | ~60 min | ActiveDirectory

Certificate Template Permission Takeover
Write access to a certificate template is all it takes — modify it, abuse it, and compromise the domain in a two-stage AD CS attack.
Stages: Reconnaissance → Privilege Escalation → Privilege Escalation → Credential Access → Domain Compromise
Premium | 5 steps | ~70 min | ActiveDirectory