psloggedon.exenetview.exepvefindaduser.exenetsess.exenmap -sU -sS --scri

1. psloggedon.exe
2. netview.exe
3. pvefindaduser.exe
4. netsess.exe
5. nmap -sU -sS --script smb-enum-sessions.nse --script-args 'smbuser=test, smbpass=test' -p U:137, T:139
6. Invoke-UserHunter / Invoke-StealthUserHunter
7. Invoke-UserEventHunter
8. PowerSploit
9.  
10. https://www.slideshare.net/harmj0y/i-hunt-sys-admins
11. http://www.harmj0y.net/blog/penetesting/i-hunt-sysadmins/
12.  
13. samr
14. https://gallery.technet.microsoft.com/SAMRi10-Hardening-Remote-48d94b5b
15.  
16. https://www.youtube.com/watch?v=CSdJ_-PhauI
17.  
18.  
19. https://www.blackhat.com/docs/us-16/materials/us-16-Beery-The-Remote-Malicious-Butler-Did-It-wp.pdf
20.  
21.  
22. https://digitalguardian.com/resources/data-security-knowledge-base/endpoint-detection-and-response-edr
23. http://www.cybersecuritydocket.com/2015/10/16/edr-tool-review-carbon-black/
24.  
25.  
26. https://www.tufin.com/
27.  
28.  
29. https://github.com/PowerShellMafia/PowerSploit/tree/master/Recon
30. https://pastebin.com/raw/0SNSvyjJ
31. https://www.pwc.co.uk/cyber-security/pdf/cloud-hopper-annex-b-final.pdf
32. https://docs.microsoft.com/ru-ru/enterprise-mobility-security/solutions/ata-attack-simulation-playbook
33. https://blog.netspi.com/5-ways-to-find-systems-running-domain-admin-processes/
34. https://github.com/BloodHoundAD/BloodHound/wiki/Data-Collection-Intro
35. https://wald0.com/?p=112
36. https://blog.stealthbits.com/local-admin-mapping-bloodhound
37. https://blog.stealthbits.com/attacks-that-exploit-active-directory-permissions-and-how-to-protect-against-them/
38. https://blog.stealthbits.com/exploiting-weak-active-directory-permissions-with-powersploit/
39. https://blog.stealthbits.com/attacking-active-directory-permissions-with-bloodhound/
40. https://adsecurity.org/?p=3658