Quick decision table — situation → tool
| Situation | Tool | Why |
|---|---|---|
| No creds, SMB open | enum4linux + GetNPUsers | Null session enum → AS-REP roast accounts with no preauth |
| First creds obtained | BloodHound + GetUserSPNs | Map all paths to DA + Kerberoast SPNs immediately |
| Shell on box | WinPEAS → PowerUP | WinPEAS for broad checks, PowerUP for service abuse paths |
| SeImpersonatePrivilege | PrintSpoofer / JuicyPotato | Token impersonation → SYSTEM in seconds |
| Local admin on host | secretsdump.py | Dump SAM + cached creds without touching LSASS interactively |
| WinRM (5985) open | evil-winrm | Cleanest remote PS — less noise than psexec |
| Lateral movement stealth | wmiexec.py | No service creation, no disk write |
| Internal subnet found | ligolo-ng | Full tun interface — tools work natively, no proxychains |
| Have DA / DCSync rights | Invoke-Mimikatz dcsync | Pull krbtgt without touching DC disk |
| Have krbtgt hash | ticketer.py / Golden Ticket | Forge TGTs for any user — persists until krbtgt rotated twice |
| Child domain DA | SID History injection + ticketer -extra-sid | Cross forest trust → parent domain EA via SID 519 |