# Active Directory Assessment

Complete kill chain from domain reconnaissance to domain admin. This is the standard AD assessment template.

## Full Config

```yaml
target:
  type: active-directory
  host: 192.168.1.10
  label: target-env

scope:
  networks:
    - 192.168.1.0/24
  exclude:
    - 192.168.1.1

engagement:
  purpose: |
    Active Directory domain compromise assessment.
    Demonstrate full kill chain from initial access to domain admin.
  rules:
    - No denial of service
    - No data destruction
    - No attacking out-of-scope hosts
    - No modification of Group Policy
  operator: your-name

kill_chain:
  name: ad-full-chain
  stages:
    # Stage 1: Map the domain
    - name: recon
      plugins:
        - recon
        - ad-enum
      gate: any_pass

    # Stage 2: Extract credentials
    - name: credential-access
      plugins:
        - id: credential-access
          config:
            protocols:
              - smb
              - ldap
              - kerberos
        - kerberoast
        - id: spray
          config:
            lockout_threshold: 3
            delay_seconds: 30
      gate: any_pass
      depends_on: recon

    # Stage 3: Move through the domain
    - name: lateral-movement
      plugins:
        - lateral
        - id: ad-exploit
          config:
            techniques:
              - pass-the-hash
              - overpass-the-hash
              - silver-ticket
      gate: any_pass
      depends_on: credential-access

    # Stage 4: Get domain admin
    - name: privilege-escalation
      plugins:
        - privesc
        - id: ad-exploit
          config:
            techniques:
              - dcsync
              - golden-ticket
              - delegation-abuse
      gate: any_pass
      depends_on: lateral-movement

model:
  provider: ollama
  model: blackrainbow
  host: http://localhost:11434
  temperature: 0.3

output:
  report: ./reports/
  capture: ./captures/
  format: markdown
```
## Stage Breakdown

### Stage 1: Recon

Two plugins run in this stage:

- **recon** -- standard network enumeration: port scans, service detection, version identification. Maps the network attack surface.
- **ad-enum** -- Active Directory-specific enumeration: LDAP queries for users, groups, computers, GPOs and trusts, with BloodHound-compatible data collection.

The gate is `any_pass`: if either plugin finds something, the chain continues.
### Stage 2: Credential Access

Three plugins target credentials:

- **credential-access** -- protocol-specific password attacks against the services discovered in recon (SMB, LDAP, Kerberos).
- **kerberoast** -- requests service tickets for SPN-enabled accounts and extracts the ticket hashes for offline cracking.
- **spray** -- password spraying with lockout-aware delays. The `lockout_threshold` and `delay_seconds` settings throttle attempts so that accounts stay below the domain lockout threshold.
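The two credential-access plugins that leave the loudest trail on a domain controller are the sprayer and the Kerberoaster, and both have well-understood detections. The block below is an added example, not code from the assessment tool or its report output: it runs two detectors over hand-constructed event records that carry the fields of Windows Security events 4625/4771 (failed logons) and 4769 (service-ticket requests). The sample source address, account names and SPNs are all constructed. The spray detector keys on breadth (many distinct accounts from one source, each under the lockout threshold), because a sprayer tuned like the config above never trips a per-account lockout counter; the Kerberoast detector keys on RC4 (etype 0x17) service tickets for many SPNs from one account.

```python
"""Detection logic for the credential-access stage, run over constructed events.

Added example for this page, not code from the assessment tool. The records
below are hand-constructed dicts carrying the fields of Windows Security
events 4625 (failed logon), 4771 (Kerberos pre-auth failure) and 4769
(TGS request) that the two detectors need.
"""
from collections import Counter, defaultdict
from datetime import datetime, timedelta

BASE = datetime(2024, 1, 15, 9, 0, 0)  # constructed reference time
SPRAY_SOURCE = "192.168.1.77"          # constructed spraying host


def _build_sample_events():
    events = []
    # One source fails exactly once against eight accounts, 30 s apart:
    # the footprint of a sprayer tuned to lockout_threshold 3 / delay 30 s.
    for i in range(8):
        events.append({"ts": BASE + timedelta(seconds=30 * i), "id": 4625,
                       "user": f"user{i:02d}", "src": SPRAY_SOURCE})
    # Benign noise: one user mistypes a password twice from her own workstation.
    for m in (5, 6):
        events.append({"ts": BASE + timedelta(minutes=m), "id": 4625,
                       "user": "alice", "src": "192.168.1.50"})
    # One account requests RC4 (etype 0x17) service tickets for five SPNs
    # in quick succession, the classic Kerberoasting footprint.
    for i, spn in enumerate(["MSSQLSvc/db01", "HTTP/web01", "HTTP/intranet",
                             "MSSQLSvc/db02", "TERMSRV/jump01"]):
        events.append({"ts": BASE + timedelta(minutes=8, seconds=i), "id": 4769,
                       "user": "bob", "src": SPRAY_SOURCE,
                       "service": spn, "etype": "0x17"})
    # Benign: a single AES256 (etype 0x12) ticket for a file share.
    events.append({"ts": BASE + timedelta(minutes=9), "id": 4769,
                   "user": "carol", "src": "192.168.1.51",
                   "service": "cifs/fs01", "etype": "0x12"})
    return events


SAMPLE_EVENTS = _build_sample_events()


def detect_spray(events, window=timedelta(minutes=10),
                 min_accounts=5, lockout_threshold=3):
    """Flag sources that fail against many distinct accounts inside `window`
    while never exceeding `lockout_threshold` failures per account.

    Per-account lockout counters never trip on this pattern, so the signal
    has to be the breadth of accounts touched from one source.
    Returns sorted (source, distinct_accounts) pairs.
    """
    by_src = defaultdict(list)
    for e in events:
        if e["id"] in (4625, 4771):
            by_src[e["src"]].append(e)
    hits = []
    for src, evs in by_src.items():
        evs.sort(key=lambda e: e["ts"])
        best, j = 0, 0
        for i, e in enumerate(evs):
            while e["ts"] - evs[j]["ts"] > window:  # slide the window start forward
                j += 1
            per_account = Counter(x["user"] for x in evs[j:i + 1])
            if max(per_account.values()) <= lockout_threshold:
                best = max(best, len(per_account))
        if best >= min_accounts:
            hits.append((src, best))
    return sorted(hits)


def detect_kerberoast(events, min_spns=3):
    """Flag accounts that request RC4-encrypted (etype 0x17) service tickets
    for `min_spns` or more distinct SPNs. Roasting tools prefer RC4 because
    those hashes crack fastest offline; AES tickets can still be requested
    but crack far slower, which is why AES-only service accounts (or gMSAs)
    are the usual remediation. Returns {account: [spn, ...]}.
    """
    spns_by_user = defaultdict(set)
    for e in events:
        if e["id"] == 4769 and e.get("etype") == "0x17":
            spns_by_user[e["user"]].add(e["service"])
    return {u: sorted(s) for u, s in spns_by_user.items() if len(s) >= min_spns}


if __name__ == "__main__":
    print("spray:", detect_spray(SAMPLE_EVENTS))
    print("kerberoast:", detect_kerberoast(SAMPLE_EVENTS))
```

Both detectors need the matching audit policy on the DCs (Logon, Kerberos Authentication Service and Kerberos Service Ticket Operations auditing) or the events never exist to search. Expect RC4 noise from legacy applications that still request 0x17 tickets; an allowlist of those service accounts keeps the Kerberoast rule usable.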
### Stage 3: Lateral Movement

- **lateral** -- uses recovered credentials to pivot to additional hosts: pass-the-hash, remote execution, session establishment.
- **ad-exploit** -- AD-specific lateral techniques: pass-the-hash, overpass-the-hash and silver ticket attacks using the Kerberos material from the credential stage.

### Stage 4: Privilege Escalation

- **privesc** -- standard privilege escalation checks on compromised hosts.
- **ad-exploit** -- domain-level escalation techniques: DCSync to replicate credentials from the domain controller, golden ticket for persistent domain access, and delegation abuse for constrained/unconstrained delegation.
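Of the Stage 4 techniques, DCSync is the one a domain controller can log directly: the replication request shows up as Security event 4662 on the domain object, with the replication extended rights listed in the Properties field. Since only domain controllers and a handful of known directory-sync accounts should ever exercise those rights, the detection is "who asked", not "what was asked". The block below is an added example, not the tool's code or its report's detection rules; the 4662 records, the DC account names and the `svc-dirsync` allowlist entry are constructed, while the three right GUIDs are the well-known Active Directory control-access right identifiers.

```python
"""Detection logic for the privilege-escalation stage: DCSync.

Added example for this page, not code from the assessment tool. DCSync asks
a domain controller to replicate secrets over the directory replication
protocol, which the DC records as Security event 4662 on the domain object
with the replication extended rights in the Properties field. The 4662
records, DC account names and allowlist below are hand-constructed.
"""
import re

# Control-access right GUIDs that a DCSync request exercises (well-known values).
REPLICATION_RIGHTS = {
    "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Get-Changes",
    "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Get-Changes-All",
    "89e95b76-444d-4c62-991a-0facbeda640c": "DS-Replication-Get-Changes-In-Filtered-Set",
}
GUID_RE = re.compile(r"[0-9a-f]{8}-(?:[0-9a-f]{4}-){3}[0-9a-f]{12}", re.I)

# Constructed: DC machine accounts (in practice, read them from the Domain
# Controllers OU) and accounts legitimately granted replication rights,
# such as a directory-synchronisation service account.
DC_ACCOUNTS = {"DC01$", "DC02$"}
SYNC_ALLOWLIST = {"svc-dirsync"}

REPL_PROPS = "{1131f6aa-9c07-11d1-f79f-00c04fc2dcd2} {1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}"
SAMPLE_4662 = [
    # DC-to-DC replication: normal.
    {"subject": "DC02$", "object_type": "domainDNS", "properties": REPL_PROPS},
    # Allowlisted sync account: expected.
    {"subject": "svc-dirsync", "object_type": "domainDNS", "properties": REPL_PROPS},
    # A user account pulling directory secrets: the DCSync signature.
    {"subject": "jsmith", "object_type": "domainDNS", "properties": REPL_PROPS},
    # Unrelated attribute access (constructed non-replication GUID).
    {"subject": "hr-app", "object_type": "user",
     "properties": "{00000000-0000-0000-0000-00000000beef}"},
]


def replication_rights(properties):
    """Return the names of replication rights present in a 4662 Properties field."""
    return [REPLICATION_RIGHTS[g.lower()] for g in GUID_RE.findall(properties)
            if g.lower() in REPLICATION_RIGHTS]


def detect_dcsync(events, dc_accounts, allowlist=frozenset()):
    """Return (subject, rights) for every 4662 in which a principal that is
    neither a domain controller nor an allowlisted sync account exercised
    replication rights on a directory object."""
    hits = []
    for e in events:
        rights = replication_rights(e["properties"])
        if rights and e["subject"] not in dc_accounts and e["subject"] not in allowlist:
            hits.append((e["subject"], rights))
    return hits


if __name__ == "__main__":
    for subject, rights in detect_dcsync(SAMPLE_4662, DC_ACCOUNTS, SYNC_ALLOWLIST):
        print(f"possible DCSync by {subject}: {', '.join(rights)}")
```

Event 4662 is only written when "Audit Directory Service Access" is enabled and the domain object's SACL audits the replication rights, so the rule is worthless until that auditing is in place; the same rights listed in the domain object's DACL for any principal outside the DC and sync-account set is the preventive check to run alongside it.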
## Running It

Full chain:

```shell
br run --config ad-assessment.yaml
```

Start from credential access (you already have network recon):

```shell
br run --config ad-assessment.yaml --start-stage credential-access
```

Dry run to preview the attack plan:

```shell
br run --config ad-assessment.yaml --dry-run
```
## Expected Findings

A typical AD assessment produces findings in these ATT&CK areas:

| ATT&CK ID | Technique |
|---|---|
| T1046 | Network Service Discovery |
| T1087 | Account Discovery |
| T1110 | Brute Force |
| T1558 | Steal or Forge Kerberos Tickets |
| T1550 | Use Alternate Authentication Material |
| T1003 | OS Credential Dumping |
| T1078 | Valid Accounts |

Each finding in the report includes the raw evidence, remediation steps, and detection rules.
## Customization

### Skip password spraying

Remove the `spray` plugin if account lockout is a concern:

```yaml
- name: credential-access
  plugins:
    - credential-access
    - kerberoast
  gate: any_pass
  depends_on: recon
```

### Add persistence testing

Append a stage after privilege escalation:

```yaml
- name: persistence
  plugins:
    - id: ad-exploit
      config:
        techniques:
          - golden-ticket
          - skeleton-key
          - sid-history
  depends_on: privilege-escalation
```

### Tighten the gate

Require all plugins to pass before proceeding:

```yaml
- name: credential-access
  plugins:
    - credential-access
    - kerberoast
  gate: all_pass
  depends_on: recon
```
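The three customizations above all turn on the same two knobs, `gate` and `depends_on`, and it is easy to misjudge how they interact (an `all_pass` gate with a plugin that rarely fires silently stops the whole chain; a `depends_on` that names a later stage can never be satisfied). The block below is an added example, not the tool's own scheduler: it models the semantics the page describes, namely that stages run in listed order, `depends_on` must name an earlier stage, a plugin entry is either a bare id or an `id`/`config` mapping, `any_pass` continues when at least one plugin reports a result and `all_pass` requires every plugin to, and a `start_stage` argument that mirrors `--start-stage`. The stage list is this page's four-stage config with `kerberoast` as a plugin of the credential-access stage; the result dictionaries passed to `gate_passes` are constructed.

```python
"""Stage-ordering and gate semantics for a kill_chain block.

Added example for this page, not the tool's own scheduler. It models only
what the page states: listed-order execution, depends_on pointing at an
earlier stage, bare-id or {id, config} plugin entries, and the any_pass /
all_pass gates. `start_stage` mirrors `br run --start-stage`.
"""

STAGES = [
    {"name": "recon", "plugins": ["recon", "ad-enum"], "gate": "any_pass"},
    {"name": "credential-access",
     "plugins": [{"id": "credential-access",
                  "config": {"protocols": ["smb", "ldap", "kerberos"]}},
                 "kerberoast",
                 {"id": "spray", "config": {"lockout_threshold": 3, "delay_seconds": 30}}],
     "gate": "any_pass", "depends_on": "recon"},
    {"name": "lateral-movement",
     "plugins": ["lateral",
                 {"id": "ad-exploit",
                  "config": {"techniques": ["pass-the-hash", "overpass-the-hash", "silver-ticket"]}}],
     "gate": "any_pass", "depends_on": "credential-access"},
    {"name": "privilege-escalation",
     "plugins": ["privesc",
                 {"id": "ad-exploit",
                  "config": {"techniques": ["dcsync", "golden-ticket", "delegation-abuse"]}}],
     "gate": "any_pass", "depends_on": "lateral-movement"},
]


def plugin_ids(stage):
    """Normalise bare-string and {id, config} plugin entries to their ids."""
    return [p if isinstance(p, str) else p["id"] for p in stage["plugins"]]


def gate_passes(stage, results):
    """Decide whether the chain continues past `stage`.

    `results` maps plugin id -> True when that plugin produced a finding;
    plugins absent from `results` count as not having passed.
    """
    outcomes = [bool(results.get(p, False)) for p in plugin_ids(stage)]
    gate = stage.get("gate", "any_pass")  # assumed default, matching every stage on the page
    if gate == "any_pass":
        return any(outcomes)
    if gate == "all_pass":
        return all(outcomes)
    raise ValueError(f"unknown gate {gate!r} in stage {stage['name']!r}")


def plan(stages, start_stage=None):
    """Validate every depends_on and return the stage names that would run,
    optionally starting part-way through the chain."""
    seen, names = set(), []
    for s in stages:
        dep = s.get("depends_on")
        if dep is not None and dep not in seen:
            raise ValueError(f"{s['name']!r} depends on {dep!r}, which is not an earlier stage")
        seen.add(s["name"])
        names.append(s["name"])
    if start_stage is None:
        return names
    if start_stage not in names:
        raise ValueError(f"unknown start stage {start_stage!r}")
    return names[names.index(start_stage):]


if __name__ == "__main__":
    print(plan(STAGES, "credential-access"))
    cred = STAGES[1]
    only_roast = {"kerberoast": True}
    print("any_pass:", gate_passes(cred, only_roast))
    print("all_pass:", gate_passes(dict(cred, gate="all_pass"), only_roast))
```

Running the script shows the practical consequence of "Tighten the gate": with only `kerberoast` returning a result, `any_pass` lets the chain proceed and `all_pass` halts it, so a tightened gate should only wrap plugins you expect to succeed together.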