AdverXarial Contents


Practical Rubeus binary for PKINIT: Certificate SAN Impersonation

Scenarios against ADCS and Kerberos on an internal machine yield several extraction methods and attack paths; nowadays red teams typically reach for Certipy and the Rubeus binary. Needless to say, this blog shows a certificate request with SAN manipulation, combined with ADCS template abuse.


Modern Attack Upon RBCD: from Normal User to Administrator

A red teaming write-up: a practical PrivEsc method that abuses sufficient rights for RBCD and leverages S4U2Self/S4U2Proxy Kerberos delegation from BloodHound mapping, closing with impersonation of a Domain Admin. It also covers why an SPN is typically required, with attack support from:

  • bloodyAD
  • Impacket

Kerberos Attack via Unconstrained Delegation with krbrelayx

Abusing KUD (Kerberos Unconstrained Delegation), a legacy Kerberos attack path for privilege escalation in AD by obtaining a DC ticket. A non-BloodHound pathway that works regardless of Windows antivirus and UAC. Covers the practical AD attack and the GRC policies regarding unconstrained delegation.


Adversary: Havoc C2 for Windows Evasion with Binary Hijacking

Attacking the Windows SCM, covering the PE subsystem under the protection of TotalAV (antivirus). Pure DACL misconfiguration abuse and tradecraft with the Havoc demon binary for evasion. Pwned!!

Compiler: x86_64-w64-mingw32-gcc. Win32 API calls and token abuse from User to Admin, with OPSEC-conscious binary replacement operations.


Weaponizing Group Policy with SharpGPOAbuse.exe binary

A practical technique to abuse Active Directory Group Policy: as swag-*ss AdverXarial, we take advantage of a user's edit rights on a Group Policy Object (GPO). This attack path can be seen from:

  • BloodHound
  • PowerShell

n8n CVE-2025-68613: Workflow Automation to Remote Execution

A prototype attack chain allows remote code execution (RCE) in popular workflow automation tools like n8n, letting adversaries execute arbitrary code on the underlying server via expression injection in workflow definitions. Classified under the CWE/CWSS-based categories A05:2025 Injection and A08:2025.


Custom C2 Mythic for Developers: 3rd Party Service Agents

High-end C2 infrastructure architecture, covering the containers and the servers, which use technologies like RabbitMQ for messaging, GraphQL APIs for big-data access, and PostgreSQL for state tracking.

.\mythic-cli apfell
.\mythic-cli http

Practical EDR Evasion in 2024: A Reality Check Before CAPE Exam

Cutting through the marketing BS to talk about what actually works when it comes to evading modern EDR. About understanding detection, memory scans, and why most "EDR bypasses" are garbage. Includes working techniques against major vendors and detection analysis.

.\implant-c2.dll

React2Shell with Python Automation: Getting Pwned in One Minute

The most exploited React vulnerability, F.K.A. React2Shell, which went absolutely... blastingly viral on Twitter, LinkedIn, BreachFor*ms, etc. Although there are more advanced tools out there, I believe my Python script is much more reliable because it is a single file.


Download and Installing winrmrelayx on Kali Linux 2025.2 from GitHub

Most of the time pentesters use Kali or ParrotOS. This blog is a tutorial on how to download winrmrelayx from @byt3n33dl3's GitHub page and make it ready for attack.

At the time I wrote this post, the latest Kali version was 2025.4; the method is the same for 2025.2.


Taming the Dog with winrmrelayx for Adversarial Kerberos Attack

A comparison with other commercial lateral-movement kits, solving the issue between Kerberos and the KDC realm when authenticating, or Taming the Dog. An adversary Swiss Army kit for bypassing Kerberos requirements:

  • Valid KDC realm.
  • Forcing ticket- and credential-based auth, and more.

Don't limit "US" adversaries with krb5.conf config files.


Peace of MECM Architecture: Patch Management and Audits

Compliance architecture around MECM and how it integrates with compliance frameworks. Modern SCCM/MECM rules with foundations in SOX, PCI-DSS, CMMC and HIPAA, plus audit queries in SQL for MSSQL.


NetExec for Automating Lateral Movement via Compromised MSSQL

A practical scenario: when you get a Pwn3d! indication from the NetExec MSSQL protocol, most of us would run mssqlclient.py and run everything internally to get a reverse shell. This post is an alternative that keeps your hands clean by using NetExec.


Active Directory Persistence Attack: Beyond Golden Tickets

Talks about Kerberos attacks, from the old-dawg Golden Ticket attack and beyond... what actually survives credential rotation, domain admin changes, and competent blue teams.

Enhancing DCSync abuse, ADCS exploitation, and other methods that blend into legitimate admin activity.


Practical NetExec for BloodHound Collectors and LAPS Abuse

Enumeration of and attacks on Active Directory via the NetExec framework, covering LDAP queries with the BloodHound collectors through to LAPS module usage. PS: WinRM performs better with the --laps option.


AWS Pivot Techniques: From SSRF to Cloud Administrator

Exploiting cloud misconfigurations is different from traditional networks. I tried my best to cover IMDSv2 bypasses, role assumption chains, and privilege escalation (PrivEsc!) through service integrations. An AWS Pwnd! blog post.

curl http://[::1]/

Windows AV and Policy Evasion with Sliver as C2 Operator

Antivirus flagged our Mimikatz executable as "danger danger... stranger danger", and turning off Defender as Administrator made no difference. Beacons for the win!! Sliver C2 attack-kit execution from the framework itself.