Attack path
From weak password policy to full domain compromise, the most common real-world AD attack chain.
Complete all lessons, quizzes, and flashcards in this attack path to earn the Password Spray Campaign badge.
Pass the Hash is a lateral movement technique that uses a stolen NTLM password hash to authenticate as a user without knowing the plaintext password. This lesson explains why the attack works, what material is needed, where it fits in post-compromise movement, and how to explain the significance of NTLM hash reuse clearly in interviews, reports, and stakeholder conversations.
Study this technique →Lateral movement via WinRM uses the Windows Remote Management service to execute commands and access systems remotely with valid credentials. This lesson explains what WinRM provides operationally, what preconditions matter, what the attacker gains, where it fits in post-credential lateral movement, and how to communicate the risk clearly in interviews, reports, and stakeholder conversations.
Study this technique →DCSync uses Active Directory's built-in replication protocol to request password data for any account in the domain, without accessing a domain controller's file system, memory, or running processes. This lesson explains why the technique works, what permissions enable it, what the attacker gains, and how to communicate the risk clearly in interviews, reports, and stakeholder conversations.
Study this technique →0 of 6 decks reviewed
0 of 6 quizzes taken
You completed a full end-to-end compromise walkthrough — from reconnaissance through domain takeover. Upgrade to unlock the remaining premium attack paths and continue building interview-ready attack chains.