- Kerberos enumeration (incomplete; actually just use the tag above instead of this link)
- silver ticket (service hash required)
- golden ticket (domain admin required)
- skeleton key (domain admin required)
- Kerberoasting (a.k.a. TGS-REP roasting): crack TGS-REP to get service password
- AS-REP roasting: crack AS-REP to get user password
- runas.exe: Run a command as another user using password
- pass-the-ticket
- overpass-the-hash
- exploiting unconstrained delegation
- exploiting constrained delegation
- exploiting resource-based constrained delegation
- alternate service name: constrained delegation can authenticate to other service names under the same service account on the allowlist
- S4U2Self abuse: DC machine TGT = lateral movement to DC
- shadow credentials attack