Secrets in Active Directory are not limited to user passwords. We hunt LDAP attributes, SYSVOL files, local machine databases, managed service account material, cached credentials, password metadata, and delegated read paths. The goal is to turn authorized access into reusable authentication material or a better attack path.
We separate secrets into three buckets. Directory secrets live in LDAP and include LAPS, gMSA, descriptions, notes, and replication-accessible domain hashes. Policy secrets live in SYSVOL and include old Group Policy Preference XML, scripts, registry policy, and configuration files. Host secrets live on machines and include SAM, LSA secrets, cached domain logons, DPAPI material, Windows Vault, browser stores, and application configuration.
The workflow is consistent. Enumerate where the secret could live, confirm our read rights, extract the material, convert it if needed, validate it against SMB/LDAP/WinRM/Kerberos, then decide whether it enables lateral movement, privilege escalation, persistence, or another credential-access primitive.
Core tools: