| Domain discovery | RootDSE and domain NC | defaultNamingContext, configurationNamingContext, dnsHostName | Establish base DN, naming context, and DC identity | Build variables and start scoped enumeration |
| User enumeration | User objects | sAMAccountName, userPrincipalName, description, info, userAccountControl, adminCount | Build user lists, find privileged users, find metadata secrets | Password spraying, AS-REP roasting, ACL review |
| Group enumeration | Group objects | member, memberOf, adminCount, description | Map privilege and nested group paths | Privilege pathing, ACL abuse, target selection |
| Computer enumeration | Computer objects | dNSHostName, operatingSystem, servicePrincipalName, userAccountControl | Find servers, DCs, workstations, delegation targets, SPN-bearing computers | SMB, Kerberos, delegation, relay target selection |
| SPN enumeration | User and computer SPNs | servicePrincipalName, sAMAccountName, memberOf | Identify service accounts and Kerberoast targets | Kerberoasting, service principal abuse, silver ticket planning |
| Roastable account discovery | UserAccountControl and SPN filters | DONT_REQ_PREAUTH, servicePrincipalName, pwdLastSet | Find AS-REP and Kerberoast candidates | Hash extraction and cracking |
| Delegation discovery | Delegation attributes and UAC flags | TRUSTED_FOR_DELEGATION, TRUSTED_TO_AUTH_FOR_DELEGATION, msDS-AllowedToDelegateTo, msDS-AllowedToActOnBehalfOfOtherIdentity | Find unconstrained, constrained, protocol transition, and RBCD paths | S4U, RBCD, relay to LDAP |
| ACL and security descriptor review | Object DACLs | nTSecurityDescriptor, ACE principals, rights GUIDs | Identify who can modify users, computers, groups, GPOs, domain root, or sensitive attributes | ACL abuse, Shadow Credentials, DCSync rights |
| GPO and WMI filter mapping | GPO containers, OU/domain links, WMI filters | gPCFileSysPath, gPLink, gPOptions, gPCWQLFilter, msWMI-Parm2 | Map policy scope and GPO abuse blast radius | SYSVOL review, GPO ACL abuse, policy modification |
| Trust enumeration | Trusted domain objects | trustPartner, trustDirection, trustAttributes, flatName, securityIdentifier | Understand cross-domain access and trust direction | Trust abuse, SID filtering review, inter-realm ticket work |
| LAPS and gMSA review | Computer and gMSA objects | ms-Mcs-AdmPwd, msLAPS-Password, msDS-ManagedPassword, msDS-GroupMSAMembership | Recover or scope managed secrets where read rights exist | Local admin access, gMSA ticketing, secrets cleanup |
| Deleted object review | Deleted objects container | isDeleted, lastKnownParent, msDS-LastKnownRDN, whenDeleted | Recover historical object names and deleted principals | Forensics, stale path review, object restore decisions |
| SID and GUID parsing | Any AD object | objectSid, objectGUID, binary security descriptor values | Convert raw identifiers into usable principals and object references | ACL analysis, BloodHound validation, manual parsing |
| LDIF modification | Writable LDAP attributes | unicodePwd, servicePrincipalName, msDS-KeyCredentialLink, userAccountControl, member | Perform precise object changes from Linux or Windows tooling | Password reset, SPN write, Shadow Credentials, group membership |
| Shadow Credentials | msDS-KeyCredentialLink | Key credential blobs | Add certificate-based authentication material to a target object | PKINIT, TGT extraction, cleanup |
| Password reset | unicodePwd over LDAPS | Password value, account control flags | Reset a target password when rights allow it | Credential validation, cleanup, forced rotation |