Active Directory · 13 articles

Active Directory

AD pentest, ADCS exploitation, Kerberos abuse, BloodHound, Impacket, NetExec techniques.

Academy

Module 22 · DCShadow — Stealth Domain Replication Abuse

Why this module exists. DCShadow is the textbook example of “stealth persistence”. An attacker with sufficient privileges does not need to keep…

May 13, 2026 · 6 min read
Academy

Module 21 · LAPS Bypass & Local Admin Password Strategy

Why this module exists. Before LAPS, the canonical AD post-exploitation move was: dump the local Administrator hash from any workstation, then Pass-the-Hash…

May 13, 2026 · 6 min read
Academy

Module 20 · AD Trust Relationships Deep Dive — Forest, External, Shortcut

Why this module exists. AD has six distinct trust types. Each has different transitivity, SID Filtering defaults, Kerberos behaviour, and attacker-reachable abuse…

May 13, 2026 · 5 min read
Academy

Module 19 · SID History Abuse & Cross-Forest Trust Attacks

Why this module exists. Forest trusts were Microsoft’s promise that the forest boundary was a hard security boundary. SID Filtering — enabled…

May 13, 2026 · 6 min read
Academy

Module 18 · AdminSDHolder & SDProp Persistence

Why this module exists. AdminSDHolder is one of the cleanest persistence primitives in AD because it abuses a feature, not a bug.…

May 13, 2026 · 5 min read
Active Directory

SeImpersonatePrivilege: From Service Account to SYSTEM in 10 Seconds (Potato Attacks 2026)

Service accounts with SeImpersonatePrivilege are 10 seconds from SYSTEM via Potato attacks — JuicyPotato, RoguePotato, PrintSpoofer, GodPotato. Why the privilege exists, how…

Apr 25, 2026 · 5 min read
Active Directory

ADCS ESC1: How a Misconfigured Template Hands You Domain Admin in 2026

Active Directory Certificate Services ESC1 still gives any Domain User a path to Domain Admin in most Indian enterprise environments. Here's what…

Apr 25, 2026 · 7 min read
Active Directory

Kerberoasting in 2026: Why It Still Works in 80% of Indian AD Environments

Kerberoasting is a 2014 attack still cracking service-account passwords in 80% of Indian enterprise pentests. Why it persists, how to execute it…

Apr 25, 2026 · 8 min read
Active Directory

7 BloodHound Cypher Queries That Find Real AD Privilege Paths (Not the Default Ones)

Default BloodHound queries miss 80% of the real privilege chains in your Active Directory. Seven custom Cypher queries — for sessions, custom-group…

Apr 25, 2026 · 8 min read
Active Directory

Pass-the-Hash in 2026: Why Microsoft’s Mitigations Aren’t Enough

Pass-the-Hash is a 1997 attack that should have died in 2014. It still works in most Indian enterprise environments because the mitigations…

Apr 25, 2026 · 6 min read