Sector Pages · Red Teaming

Practical Rubeus binary for PKINIT: Certificate SAN Impersonation

Scenarios involving ADCS and Kerberos on an internal machine open up several extraction methods and attack paths; nowadays red teams typically reach for Certipy and the Rubeus binary. This post shows a certificate request with SAN manipulation through ADCS template abuse.

Modern Attack Upon RBCD: from Normal User to Administrator

A red teaming write-up: a practical PrivEsc method that abuses sufficient rights over RBCD and leverages S4U2Self/S4U2Proxy Kerberos delegation mapped with BloodHound, closing with impersonation of a Domain Admin. Also covers why an SPN is typically required, with attack support from:

  • bloodyAD
  • Impacket

Kerberos Attack via Unconstrained Delegation with krbrelayx

Abusing KUD (Kerberos Unconstrained Delegation), a legacy Kerberos attack path for privilege escalation in AD by obtaining a DC ticket. A non-BloodHound pathway that works regardless of Windows antivirus and UAC. Covers the practical AD attack and the GRC policies regarding unconstrained delegation.

Adversary: Havoc C2 for Windows Evasion with Binary Hijacking

Attacking the Windows SCM, covering the PE subsystem under the protection of TotalAV (antivirus). Pure DACL misconfiguration abuse and tradecraft with the Havoc demon binary for evasion, and Pwned!!

Compiler: x86_64-w64-mingw32-gcc. Win32 API calls and token abuse from User to Admin, plus OPSEC-aware binary replacement operations.

Custom C2 Mythic for Developers: 3rd Party Service Agents

High-end C2 infrastructure architecture, covering how the containers and servers communicate using technologies like RabbitMQ for messaging, GraphQL APIs for large-scale data access, and PostgreSQL for state tracking.

.\mythic-cli apfell
.\mythic-cli http

Practical EDR Evasion in 2024: A Reality Check Before CAPE Exam

Cutting through the marketing BS to talk about what actually works when it comes to evading modern EDR: understanding detection, memory scans, and why most "EDR bypasses" are garbage. Includes working techniques against major vendors and detection analysis.

.\implant-c2.dll

Taming the Dog with winrmrelayx for Adversarial Kerberos Attack

A comparison with other commercial lateral-movement kits, solving the issue between Kerberos and the KDC realm when authenticating, or Taming the Dog. An adversary Swiss Army kit for bypassing Kerberos requirements:

  • Valid KDC realm.
  • Forcing ticket-based and credential-based authentication, and more.

Don't limit "US" adversaries with krb5.conf config files.

Active Directory Persistence Attack: Beyond Golden Tickets

Talks about Kerberos attacks, the old dawgs of the Golden Ticket attack and beyond: what actually survives credential rotation, domain admin changes, and competent blue teams.

Enhancing DCSync abuse, ADCS exploitation, and other methods that blend into legitimate admin activity.

Practical NetExec for BloodHound Collectors and LAPS Abuse

Enumeration of and attacks on Active Directory processes via the NetExec framework, covering LDAP queries for BloodHound collectors through to the LAPS module. PS: WinRM performs better with the --laps command.

Windows AV and Policy Evasion with Sliver as C2 Operator

Antivirus flagged our Mimikatz binary executable as "danger danger . . . stranger danger", and turning off Defender as Administrator changed nothing. Beacons for the win!! from Sliver C2 attack-kit execution on the framework itself.