TOOLS_SUITE
LATERAL_MOVEMENT
ACTIVE41 modulesPython

STYX

Active Directory attack suite. Forty-one modules.

Built on impacket v0.12.0 with a unified Typer CLI and structured JSON output. Covers LDAP enumeration (users, groups, SPNs, GPOs, trusts, LAPS, password policy), Kerberos attacks (Kerberoast, ASREProast, ticket forgery, S4U), NTLM coercion (PetitPotam, PrinterBug, DFSCoerce, ShadowCoerce), relay orchestration, ADCS via certipy wrappers, DCSync, lateral movement (psexec/wmiexec/smbexec), and BloodHound CE ingest with attack path analysis. BeaconExecutor abstraction runs all commands through a NYX beacon or locally.

scroll to access

Kill_Chain_Position

Reconnaissance
Initial_Access
Execution
Persistence
Privilege_Escalation
Lateral_Movement
Collection
Command_& Control
Exfiltration

Capabilities

What it can do.

Full LDAP enumeration sweep

10 enum modules: users, groups, computers, SPNs, trusts, GPOs, GPP cpassword scan, LAPS readers, password policy, PSOs

Kerberoast + ASREProast

TGS-REQ per SPN → hashcat mode 13100; AS-REQ without pre-auth → mode 18200; randomized request order with delay for OPSEC

Golden / Silver / Diamond ticket

Krbtgt hash → forge TGT; service hash → forge service ticket with custom PAC; Diamond via authentic AS-REQ→TGS modification

NTLM coercion + relay chain

PetitPotam, PrinterBug, DFSCoerce, ShadowCoerce → auto-prioritized relay targets sorted by SMB signing status

ADCS exploitation via certipy

Full ESC1–16 detection and exploitation wrapped through certipy-ad ≥v4.8; structured findings parsed from certipy JSON output

DCSync (secretsdump)

DRSUAPI replication with DA-equivalent check first; parsed output feeds PtH credential store automatically

Shadow credentials

msDS-KeyCredentialLink write on GenericAll/GenericWrite targets → certificate request → TGT without password

BloodHound CE attack paths

Ingest SharpHound v5+ zip; pure Python graph traversal for shortest path from owned principal to Domain Admins

Architecture

How it's built.

Forty-one Python modules across 12 subpackages. The Executor abstraction (ABC) is the key design decision: every module accepts an Executor, not caring whether it's LocalExecutor (runs impacket/certipy on operator machine) or BeaconExecutor (translates commands into NYX Operator API task queue calls). The enum/ package uses ldap3 for read-only enumeration over LDAPS, falling back to impacket LDAP for NTLM/hash-only auth. All credential-generating operations pass through lockout.py which checks password policy first. Dependencies: impacket v0.12.0 (pinned for behavioral stability), ldap3, cryptography (KeyCredentialLink blob construction), dnspython (SRV resolution), httpx (NYX API client). External tools called as subprocesses: certipy-ad, netexec (nxc). Typer CLI with 9 subcommand groups.

Engagement_Types

Where it fits.

Internal network red teamActive Directory security assessmentPost-compromise assessmentDomain escalation simulation

Also_In_The_Suite

Secure_Channel

Authorized engagements only.

All work requires a signed scope document. Initial contact is encrypted. Response within 48h.

INITIALIZE_CONTACT