Active Directory

exploiting-kerberoasting-with-impacket helps authorized testers plan Kerberoasting with Impacket GetUserSPNs.py, from SPN enumeration to TGS ticket extraction, offline cracking, and detection-aware reporting. Use this exploiting-kerberoasting-with-impacket guide for penetration testing workflows with clear install and usage context.

The configuring-active-directory-tiered-model skill helps design and audit Microsoft ESAE-style Active Directory tier separation. Use this configuring-active-directory-tiered-model guide to review Tier 0/1/2 access, PAWs, admin boundaries, credential exposure, and security-audit findings with clearer implementation context.

The exploiting-nopac-cve-2021-42278-42287 skill is a practical guide for assessing the noPac chain (CVE-2021-42278 and CVE-2021-42287) in Active Directory. It helps authorized red teamers and Security Audit users check prerequisites, review workflow files, and document exploitability with less guesswork.

The exploiting-constrained-delegation-abuse skill guides authorized Active Directory testing of Kerberos constrained delegation abuse. It covers enumeration, S4U2self and S4U2proxy ticket requests, and practical paths to lateral movement or privilege escalation. Use it when you need a repeatable guide for penetration testing, not a generic Kerberos overview.

detecting-pass-the-ticket-attacks helps detect Kerberos Pass-the-Ticket activity by correlating Windows Security Event IDs 4768, 4769, and 4771. Use it for threat hunting in Splunk or Elastic to spot ticket reuse, RC4 downgrades, and unusual TGS volume with practical queries and field guidance.

The detecting-kerberoasting-attacks skill helps hunt Kerberoasting by spotting suspicious Kerberos TGS requests, weak ticket encryption, and service-account patterns. Use it for SIEM, EDR, EVTX, and detecting-kerberoasting-attacks for Threat Modeling workflows with practical detection templates and tuning guidance.

detecting-golden-ticket-forgery detects Kerberos Golden Ticket forgery by analyzing Windows Event ID 4769, RC4 downgrade use (0x17), abnormal ticket lifetimes, and krbtgt anomalies in Splunk and Elastic. Built for Security Audit, incident investigation, and threat hunting with practical detection guidance.

The detecting-credential-dumping-techniques skill helps you detect LSASS access, SAM export, NTDS.dit theft, and comsvcs.dll MiniDump abuse using Sysmon Event ID 10, Windows Security logs, and SIEM correlation rules. It is built for threat hunting, detection engineering, and Security Audit workflows.

deploying-active-directory-honeytokens helps defenders plan and generate Active Directory honeytokens for Security Audit work, including fake privileged accounts, fake SPNs for Kerberoasting detection, decoy GPO traps, and deceptive BloodHound paths. It pairs installation-oriented guidance with scripts and telemetry cues for practical deployment and review.

containing-active-breach is an incident-response skill for live breach containment. It helps isolate hosts, block suspicious traffic, disable compromised accounts, and slow lateral movement using a structured containing-active-breach guide with practical API and script references.

configuring-ldap-security-hardening helps security engineers and auditors assess LDAP risks, including anonymous bind, weak signing, missing LDAPS, and channel binding gaps. Use this configuring-ldap-security-hardening guide to review the reference docs, run the Python audit helper, and produce practical remediation for a Security Audit.

conducting-domain-persistence-with-dcsync guide for authorized Active Directory security audit work. Learn install, usage, and workflow notes to assess DCSync rights, KRBTGT exposure, Golden Ticket risk, and remediation steps using the included scripts, references, and report template.

building-identity-governance-lifecycle-process helps design identity governance and lifecycle management for joiner-mover-leaver automation, access reviews, role-based provisioning, and orphaned account cleanup. It fits cross-system Access Control programs that need practical workflow guidance, not a generic policy draft.

The auditing-azure-active-directory-configuration skill helps review Microsoft Entra ID tenant security for risky authentication settings, admin role sprawl, stale accounts, Conditional Access gaps, guest exposure, and MFA coverage. It is designed for Security Audit workflows with Graph-based evidence and practical guidance.

The analyzing-windows-event-logs-in-splunk skill helps SOC analysts investigate Windows Security, System, and Sysmon logs in Splunk for authentication attacks, privilege escalation, persistence, and lateral movement. Use it for incident triage, detection engineering, and timeline analysis with mapped SPL patterns and event ID guidance.

analyzing-active-directory-acl-abuse helps security auditors and incident responders inspect Active Directory nTSecurityDescriptor data with ldap3 to spot abuse paths like GenericAll, WriteDACL, and WriteOwner on users, groups, computers, and OUs.