- Medium Tutorial by Logan Hugli
- Medium article by Justin Duru
- Vulnerable-AD Script
- BadBlood Script
- DetectionLab
- Game of Active Directory - GOAD
- Ludus
- Orange Cyberdefense AD Mindmap
- AD Pentesting Cheat-Sheets
- This one contains an AMAZING amount of info on AD for Pentesters and Red Teams
- S1ckB0y1337 Active Directory Exploitation Cheat-Sheet
- HackTheBox AD Pentesting Cheat-Sheet
- HackTricks AD Methodology
- The Hacker Recipes
- ired.team AD and Kerberos Cheat Sheets
- Writeup for CVE-2025-21299 and CVE-2025-29280
- Insufficient validation of the Kerberos krbtgt service name within the TGT can lead to a bypass of credential guard, and therefore extraction of a primary TGT from the host that should otherwise be prevented.
- Common Tool Errors - Kerberos
- So you are performing your favourite Kerberos attacks, such as pass the ticket, Public Key Cryptography for Initial Authentication (PKINIT), Shadow Credentials or Active Directory Certificate Services (AD CS) vulnerabilities, but you run into a Kerberos error and, despite troubleshooting, you're still none the wiser on what to do?
- BadSuccessor: Abusing dMSA to Priv Esc in Active Directory
- Akamai researcher Yuval Gordon discovered a privilege escalation vulnerability in Windows Server 2025 that allows attackers to compromise any user in Active Directory (AD). The attack exploits the delegated Managed Service Account (dMSA) feature that was introduced in Windows Server 2025, works with the default configuration, and is trivial to implement.
- BadSuccessor Deep Dive: Full AD Compromise
- Step-by-step walkthroughs of the BadSuccessor attack
- Also some detection guidance
- BloodHound CE
- BloodHound uses graph theory to reveal the hidden and often unintended relationships within an Active Directory or Azure environment
- Attackers can use BloodHound to quickly identify highly complex attack paths that would otherwise be impossible to find
- Defenders can use BloodHound to identify and eliminate those same attack paths
- Both red and blue teams can use BloodHound to better understand privileged relationships in an Active Directory or Azure environment
- AD-Miner
- An Active Directory (on-premise and Entra ID) auditing tool that:
- Leverages Cypher queries to analyze data from the BloodHound graph database (Neo4j)
- Provides a comprehensive overview of existing weaknesses through a static, web-based report
- GoodHound
- GoodHound operationalises Bloodhound by determining the busiest paths to high value targets and creating actionable output to prioritise remediation of attack paths
- GPO-Hound
- A tool for dumping and analysing Group Policy Objects (GPOs) extracted from the SYSVOL share
- Adalanche
- Adalanche instantly reveals what permissions users and groups have in an Active Directory
- It is useful for visualizing and exploring who can take over accounts, machines or the entire domain
- Finds and shows misconfigurations
- Hardening Kitty
- Intended use is for Windows system hardening
- Can be used to test for weak configurations
- Delinea Weak Password Finder
- Free tool to quickly discover weak passwords in AD
- Rubeus
- A C# toolset for raw Kerberos interaction and abuses
- Seatbelt
- A C# project that performs a number of security oriented host-survey "safety checks" relevant from both offensive and defensive security perspectives
- Microsoft Security Compliance Toolkit
- This set of tools allows enterprise security administrators to download, analyze, test, edit and store Microsoft-recommended security configuration baselines for Windows and other Microsoft products, while comparing them against other security configurations
- Semperis Forest Druid
- Focuses on attack paths leading into the Tier 0 perimeter in hybrid identity environments—saving time by prioritizing your most critical assets
- Semperis Purple Knight
- A free AD, Entra ID, and Okta security assessment tool—to help you discover indicators of exposure (IoEs) and indicators of compromise (IoCs) in your hybrid AD environment
- Group3r
- A tool for pentesters and red teamers to rapidly enumerate relevant settings in AD Group Policy, and to identify exploitable misconfigurations
- LockSmith
- A tool built to find and fix common misconfigurations in Active Directory Certificate Services
- BlueTuxedo
- A tool built to find and fix common misconfigurations in Active Directory-Integrated DNS
- Also a little bit of DHCP
- Empire
- A post-exploitation and adversary emulation C2 framework that is used to aid Red Teams and Penetration Testers
- Starkiller
- Frontend for Empire
- PowerSploit
- A collection of Microsoft PowerShell modules that can be used to aid penetration testers during all phases of an assessment
- SharpSploit
- A .NET post-exploitation library written in C# that aims to highlight the attack surface of .NET and make the use of offensive .NET easier for red teamers
- Ping Castle
- An Active Directory health and security audit tool
- Specifically designed to assess the security posture of an AD environment and provides a report with detailed findings
- ADRecon
- Extracts and combines various artefacts out of an AD environment
- GPOZaurr
- Group Policy Eater is a PowerShell module that aims to gather information about Group Policies
- Also allows fixing issues that you may find in them
- Provides 360 degrees of information about Group Policies and their settings
- SharpSuccessor
- SharpSuccessor is a .NET Proof of Concept (PoC) of the BadSuccessor attack from Akamai
- BadSuccessor.ps1
- Checks for the prerequisites of the BadSuccessor exploit and performs the attack abuse
- PowerPUG
- A tiny tool built to help Active Directory (AD) admins, operators, and defenders smoothly transition their most sensitive users (Domain Admins, etc.) into the AD Protected Users group (PUG) with minimal complications.
- PlumHound
- Released as a Proof of Concept for Blue and Purple teams to use BloodHoundAD more effectively in continual security life-cycles, by utilizing the BloodHoundAD pathfinding engine to identify Active Directory security vulnerabilities resulting from business operations, procedures, policies and legacy service operations
- The Respotter Honeypot
- This application detects active instances of Responder by taking advantage of the fact that Responder will respond to any DNS query
- Atomic Purple Team
- A business/organizational concept designed to assist organizations in building, deploying, maintaining, and justifying Attack-Detect-Defend Infosec Exercises
- Active Directory Firewall
- This project aims to provide production-ready and well-tested guidelines on configuring the Windows Firewall for Active Directory-related server roles.