AD-NETEXEC · Discovery
NetExec / CrackMapExec Sweep
Authenticated SMB/LDAP/WinRM/MSSQL sweeps across the estate — module-driven enumeration.
§ Where this technique fits
AD-NETEXEC is catalogued under the Discovery tactic of the offensive-security kill-chain. It appears in 2 approved dossiers in the registry, at step 2 on average.
§ Dossiers chaining this technique
- step 2 / 5: Group Policy Preferences cpassword → user takeover
  Pre-MS14-025 GPPs left cpassword-encrypted credentials in SYSVOL with a published AES key. Any authenticated user can decrypt them.
- step 2 / 7: SCCM site takeover via NTLM relay (Takeover-1)
  Coerce the SCCM site server to authenticate, relay to MSSQL on the site database, and grant yourself Full Administrator inside SCCM.
§ What commonly comes next
- 01 GPP cpassword Recovery (MS14-025) · seen 1× · AD-GPP-CPASSWORD · Credential Access
- 02 LLMNR/NBT-NS Poisoning and SMB Relay · seen 1× · T1557.001 · Credential Access