
🧠 Attack Paths & Steps

Find, review, and execute AD attack paths discovered by ADscan.

ADscan models escalation opportunities as:

  • Attack steps: individual relationships and techniques ADscan has detected (e.g., “Kerberoasting”, “WriteDacl”, “ADCS ESC1”).
  • Attack paths: ordered chains of steps that connect an entry point (a user/group you can act as) to a high‑value target (Domain Admin, Domain, Tier‑0 assets, etc.).

This gives you a practical workflow: collect evidence → compute paths → execute the best path(s) with operator control.

Authorization Required

Only enumerate or execute attack paths in environments where you have explicit written authorization and a defined scope.

When to use these commands

Use attack_steps / attack_paths after:

  • start_auth (recommended): once it has run, ADscan has broad visibility into the domain and will typically discover more steps.
  • You add/verify new credentials: newly “owned” users can unlock additional paths.
  • You want to review and execute paths later (without rerunning a full scan).

attack_steps

Show the most relevant steps currently recorded for a domain.

Syntax:

attack_steps <domain> [user] [--max N]

Examples:

# Steps for the whole domain context
attack_steps corp.local

# Steps that are relevant from a specific user (if supported by your build)
attack_steps corp.local jdoe

# Limit the output
attack_steps corp.local --max 50

attack_paths

Find attack paths from an entry point to high‑value targets.

Syntax:

attack_paths <domain> [user|owned] [index] [--max N] [--depth N] [--all]

Entry point selection

  • attack_paths <domain>: show paths from the default entry (domain context).
  • attack_paths <domain> <user>: show paths starting from a specific user.
  • attack_paths <domain> owned: show paths starting from all “owned” users (users with a verified credential saved in the workspace).

Filtering behavior

By default, attack_paths focuses on high‑value targets. If you want to see everything (including lower‑impact paths), add --all.

Examples

# Most common: find paths from owned users
attack_paths corp.local owned

# Find paths from a specific user
attack_paths corp.local jdoe

# Increase depth if you want longer chains
attack_paths corp.local owned --depth 5

# Include non-high-value targets as well
attack_paths corp.local owned --all

# View details directly (index comes from the list output)
attack_paths corp.local owned 1

Execution behavior (important)

When you select a path, ADscan:

  1. Shows the path details (From → Relation → To).
  2. Checks whether each step has a supported implementation.
  3. Prompts before actions that are noisy or high‑impact.

If a step is not implemented (or not supported for the specific target type), ADscan will warn you and let you pick another path.
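The path search, the entry-point and --all filtering, and the pre-execution support check described in the sections above, as an added illustration that is not ADscan's code: a toy engine over a constructed graph of steps. The edge list, the principal names (jdoe, asmith, HelpDesk, Tier0-Admins and so on), the OWNED and HIGH_VALUE sets and the STEP_SUPPORT table are all made up for the example; only the relation names echo the step types the page mentions. The choke_points helper is the defender's view of the same data: the step shared by the most paths is the one remediation that breaks them all.

```python
"""Toy attack-path engine (added illustration, not ADscan's code)."""
from collections import Counter

# Constructed sample graph of "attack steps": (source, relation, target).
EDGES = [
    ("jdoe", "MemberOf", "HelpDesk"),
    ("HelpDesk", "GenericAll", "svc_backup"),
    ("svc_backup", "WriteDacl", "Tier0-Admins"),
    ("Tier0-Admins", "MemberOf", "Domain Admins"),
    ("jdoe", "AdminTo", "WS01"),
    ("asmith", "MemberOf", "Server-Ops"),
    ("Server-Ops", "AdminTo", "FS01"),
    ("asmith", "WriteDacl", "Tier0-Admins"),
]
HIGH_VALUE = {"Domain Admins"}   # constructed high-value target set
OWNED = {"jdoe", "asmith"}       # constructed set of users with a verified credential

# Constructed support table standing in for the executor's step registry:
# whether a step type has an implementation and whether it is noisy enough
# that the operator is prompted before it runs.
STEP_SUPPORT = {
    "MemberOf": {"implemented": True, "noisy": False},
    "GenericAll": {"implemented": True, "noisy": True},
    "WriteDacl": {"implemented": True, "noisy": True},
    "AdminTo": {"implemented": True, "noisy": True},
    "ADCS ESC1": {"implemented": False, "noisy": True},
}


def adjacency(edges):
    """Index the edge list by source node."""
    adj = {}
    for src, rel, dst in edges:
        adj.setdefault(src, []).append((rel, dst))
    return adj


def find_paths(edges, entry, max_depth=4, include_all=False):
    """Enumerate simple paths of at most max_depth steps from the entry.

    entry is a principal name or "owned" (all owned users).  A path is
    reported when it reaches a high-value node, or any node at all when
    include_all is set (the --all behaviour).  The visited set stops
    cycles such as nested group memberships from looping forever.
    """
    adj = adjacency(edges)
    starts = sorted(OWNED) if entry == "owned" else [entry]
    results = []

    def walk(node, path, visited):
        if len(path) >= max_depth:
            return
        for rel, nxt in adj.get(node, []):
            if nxt in visited:
                continue
            step = (node, rel, nxt)
            if include_all or nxt in HIGH_VALUE:
                results.append(path + [step])
            walk(nxt, path + [step], visited | {nxt})

    for start in starts:
        walk(start, [], {start})
    return results


def choke_points(paths):
    """Count how many paths each step appears in.  The top entries are the
    cheapest fixes for a defender: removing that one relationship breaks
    every path that runs through it."""
    return Counter(step for path in paths for step in path).most_common()


def preflight(path):
    """Mirror the pre-execution checks: every step needs an implementation,
    and noisy steps are marked so the operator is prompted before they run.
    Returns (executable, [(step text, status), ...])."""
    report = []
    for src, rel, dst in path:
        info = STEP_SUPPORT.get(rel)
        label = f"{src} -[{rel}]-> {dst}"
        if info is None or not info["implemented"]:
            report.append((label, "unsupported"))
        elif info["noisy"]:
            report.append((label, "prompt"))
        else:
            report.append((label, "ok"))
    executable = all(status != "unsupported" for _, status in report)
    return executable, report


if __name__ == "__main__":
    paths = find_paths(EDGES, "owned", max_depth=5)
    for i, path in enumerate(paths, 1):
        chain = " ".join(f"{s} -[{r}]->" for s, r, _ in path)
        print(f"[{i}] {chain} {path[-1][2]}")
    print("choke points:", choke_points(paths)[:2])
    print("preflight of path 1:", preflight(paths[0]))
```

With the constructed graph, `find_paths(EDGES, "owned", max_depth=4)` returns two paths to Domain Admins, and lowering the depth to 3 drops the longer jdoe chain, which is the trade-off --depth controls. Both surviving paths share the Tier0-Admins membership edge, so choke_points ranks it first; that is the relationship a defender would review before anything else.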

Example workflow:

workspace create client_acme_2026
set iface tun0
set auto False

start_auth

# Review and execute paths from owned users
attack_paths corp.local owned

Tip

With auto set to False, treat attack_paths as your decision point: review the chain, confirm it fits the rules of engagement, then execute only what you intend.
