Abuse ACL access over groups
Use access rights over a group to add users
Use access rights over a user to take over that user account.
Abuse of ACL access rights to achieve lateral movement
Abuse Active Directory Certificate Service to achieve lateral movement and total domain compromise.
Take advantage of users with no Kerberos pre-authentication requirements and recover their password
Request certificate as another user with enrollee-supplied subject
Request certificate on behalf of another user with an enrollment agent certificate
Leverage vulnerable certificate access control to escalate privileges.
Read the NT password hash of Group Managed Service Accounts (gMSA)
The classic AD privilege escalation technique to crack the passwords of service accounts offline
Abusing the ticket-based authentication and authorization protocol that governs the operation of Active Directory
Move from account to account, service to service, and machine to machine while escalating your privileges until you compromise the domain.
Impersonate any user to a service by crafting service tickets