Active Directory
AD pentest, ADCS exploitation, Kerberos abuse, BloodHound, Impacket, NetExec techniques.
Module 22 · DCShadow — Stealth Domain Replication Abuse
Why this module exists. DCShadow is the textbook example of “stealth persistence”. An attacker with sufficient privileges does not need to keep…
AcademyModule 21 · LAPS Bypass & Local Admin Password Strategy
Why this module exists. Before LAPS, the canonical AD post-exploitation move was: dump the local Administrator hash from any workstation, then Pass-the-Hash…
AcademyModule 20 · AD Trust Relationships Deep Dive — Forest, External, Shortcut
Why this module exists. AD has six distinct trust types. Each has different transitivity, SID Filtering defaults, Kerberos behaviour, and attacker-reachable abuse…
AcademyModule 19 · SID History Abuse & Cross-Forest Trust Attacks
Why this module exists. Forest trusts were Microsoft’s promise that the forest boundary was a hard security boundary. SID Filtering — enabled…
AcademyModule 18 · AdminSDHolder & SDProp Persistence
Why this module exists. AdminSDHolder is one of the cleanest persistence primitives in AD because it abuses a feature, not a bug.…
Active DirectorySeImpersonatePrivilege: From Service Account to SYSTEM in 10 Seconds (Potato Attacks 2026)
Service accounts with SeImpersonatePrivilege are 10 seconds from SYSTEM via Potato attacks — JuicyPotato, RoguePotato, PrintSpoofer, GodPotato. Why the privilege exists, how…
Active DirectoryADCS ESC1: How a Misconfigured Template Hands You Domain Admin in 2026
Active Directory Certificate Services ESC1 still gives any Domain User a path to Domain Admin in most Indian enterprise environments. Here's what…
Active DirectoryKerberoasting in 2026: Why It Still Works in 80% of Indian AD Environments
Kerberoasting is a 2014 attack still cracking service-account passwords in 80% of Indian enterprise pentests. Why it persists, how to execute it…
Active Directory7 BloodHound Cypher Queries That Find Real AD Privilege Paths (Not the Default Ones)
Default BloodHound queries miss 80% of the real privilege chains in your Active Directory. Seven custom Cypher queries — for sessions, custom-group…
Active DirectoryPass-the-Hash in 2026: Why Microsoft’s Mitigations Aren’t Enough
Pass-the-Hash is a 1997 attack that should have died in 2014. It still works in most Indian enterprise environments because the mitigations…