Windows AD Attack Playbook

This playbook is a work in progress based on my personal experience with HTB machines. I’m sharing it to document my learning journey and hopefully provide a helpful reference for others exploring Windows Active Directory.

I am far from an expert and would love to hear your thoughts. If you notice a mistake, a more efficient way to chain attacks, or a new technique I missed, please open an issue or pull request. Your feedback and recommendations are greatly appreciated!

This reference covers recon through domain dominance, with explanations of why each technique works and how its prerequisites chain into the next attack.

How to use this playbook

This isn't a checklist; it's a chain. Every attack documents three things:

  • What leads here: the prerequisites that put you in position to use this technique.
  • Why this works / how it chains: the reasoning explaining why those prerequisites enable the attack.
  • Leads to →: what this attack sets up for the next step.

When you find yourself stuck, use the Attack Decision Tree to match your current position to the next viable move.

Reference

Conventions

  • <IP> and <DC_IP> mean substitute the actual IP address.
  • domain.local is the placeholder domain: replace it with the engagement target.
  • Every code block has a copy button (top right of the block).
  • Search is / or click the search bar.
  • Press S to share/copy a link to the current page.

Authorized testing only

This material is for authorized penetration testing, red team engagements, and defensive research. Using these techniques against systems you don't have explicit permission to test is a crime in most jurisdictions.