Windows on MrAzoth

Enumeration & Discovery — From Windows

Mon, 01 Jan 0001 00:00:00 +0000

Quick Reference

Technique	Tool	Privilege Needed
Domain / forest info	Native AD cmdlets, PowerView	Domain user
User / group / computer enumeration	Get-ADUser, Get-DomainUser	Domain user
SPN discovery (Kerberoast candidates)	Get-ADUser, PowerView	Domain user
AdminSDHolder / privileged objects	Get-ADObject	Domain user
ACL enumeration	PowerView	Domain user
Local admin discovery	Find-LocalAdminAccess	Domain user
Share discovery	Find-DomainShare, Snaffler	Domain user
Full graph collection	SharpHound	Domain user
Host recon	Seatbelt	Local user (some checks need admin)
Session enumeration	SharpHound, NetSessionEnum	Local admin (remote hosts)
GPO enumeration	PowerView	Domain user
Trust mapping	Get-DomainTrust, nltest	Domain user

Native AD Cmdlets

No extra tooling required. Requires the ActiveDirectory PowerShell module, which is present on domain-joined systems with RSAT installed, or can be imported from a DC.

Kerberos Attacks — From Windows

Mon, 01 Jan 0001 00:00:00 +0000

Quick Reference

Attack	Tool	Prerequisite	Output
Kerberoasting	Rubeus, PowerView	Domain user, SPN exists	RC4/AES hash → offline crack
AS-REP Roasting	Rubeus	Domain user, pre-auth disabled on target	AS-REP hash → offline crack
Pass-the-Ticket	Rubeus, Mimikatz	Valid .kirbi or base64 ticket	Ticket injected into session
Overpass-the-Hash	Mimikatz, Rubeus	NTLM or AES hash	TGT obtained, ticket injected
Pass-the-Key	Mimikatz	AES256 hash	TGT obtained via AES pre-auth
Ticket Extraction	Rubeus, Mimikatz	Local admin (for other users’ tickets)	.kirbi files / base64 tickets
TGT Delegation	Rubeus tgtdeleg	Domain user, no local admin needed	Usable TGT
Ticket Harvesting	Rubeus harvest/monitor	Local admin	Ongoing TGT collection
Unconstrained Delegation Abuse	Rubeus monitor + coerce	Local admin on delegation host	Victim TGT captured

Hashcat Cracking Modes Reference

Mode	Hash Type	Attack Context
13100	Kerberoast — RC4 (TGS-REP)	Kerberoasting with /rc4opsec
19600	Kerberoast — AES128 (TGS-REP)	Kerberoasting with /aes
19700	Kerberoast — AES256 (TGS-REP)	Kerberoasting with /aes
18200	AS-REP — RC4 (krb5asrep)	AS-REP Roasting
17200	DPAPI masterkey	Seatbelt / Mimikatz DPAPI
1000	NTLM	Pass-the-Hash, secretsdump output
5600	NTLMv2 (Net-NTLMv2)	Responder / NTLM relay capture
7500	Kerberos 5 AS-REQ (etype 23)	Pre-auth brute force
3000	LM	Legacy — rarely seen

Kerberoasting

Kerberoasting requests Kerberos service tickets (TGS-REP) for accounts with a Service Principal Name (SPN) set. The ticket is encrypted with the service account’s password hash, enabling offline cracking.

Credential Attacks — From Windows

Mon, 01 Jan 0001 00:00:00 +0000

Quick Reference

Attack	Tool	Privilege Required
LSASS dump (live)	Mimikatz	LocalAdmin + SeDebugPrivilege
LSASS dump (ProcDump)	ProcDump / comsvcs.dll	LocalAdmin
DCSync	Mimikatz lsadump::dcsync	Domain Admin (or replication rights)
Local SAM	reg save + secretsdump	LocalAdmin
LSA Secrets	Mimikatz lsadump::lsa	SYSTEM
Cached domain creds	Mimikatz lsadump::cache	SYSTEM
GPP passwords	PowerSploit Get-GPPPassword	Domain User (SYSVOL read)
DPAPI triage	SharpDPAPI	LocalAdmin (backup key needs DA)
WDigest cleartext	Mimikatz sekurlsa::wdigest	LocalAdmin + WDigest enabled
Skeleton key	Mimikatz misc::skeleton	Domain Admin (DC access)
SSP injection	Mimikatz misc::memssp	SYSTEM on DC
Password spray	DomainPasswordSpray / Rubeus	Domain User
PPL bypass	mimidrv.sys kernel driver	SYSTEM + vulnerable driver

Mimikatz — Core Commands

Mimikatz is the primary credential extraction tool for Windows. Most operations require SeDebugPrivilege at minimum, and many require SYSTEM.

Delegation Attacks — From Windows

Mon, 01 Jan 0001 00:00:00 +0000

Abusing Kerberos delegation (Unconstrained, Constrained, RBCD, Shadow Credentials) from a Windows foothold using Rubeus, PowerView, and PowerMad.

Lateral Movement — From Windows

Mon, 01 Jan 0001 00:00:00 +0000

Quick Reference

Technique	Tool	Requirement
Pass-the-Hash (PtH)	Mimikatz, Invoke-TheHash, PsExec	Local Admin / NTLM hash
Pass-the-Ticket (PtT)	Rubeus, Mimikatz	Valid Kerberos ticket (.kirbi / base64)
Overpass-the-Hash	Mimikatz, Rubeus	NTLM or AES256 hash
WMI Exec	PowerShell WMI, wmic, SharpWMI	Local Admin on target
DCOM Exec	PowerShell COM objects	Local Admin / DCOM permissions
PowerShell Remoting	Enter-PSSession, Invoke-Command	WinRM enabled, appropriate rights
PsExec	Sysinternals PsExec	Local Admin, ADMIN$ writable
Remote Service	sc.exe	Local Admin on target
Scheduled Task	schtasks.exe	Local Admin / valid credentials
Token Impersonation	Incognito, Invoke-TokenManipulation	SeImpersonatePrivilege
RDP	mstsc, tscon	RDP enabled, valid credentials or SYSTEM

Pass-the-Hash (PtH)

Pass-the-Hash abuses the NTLM authentication protocol by presenting a captured password hash directly instead of the cleartext password. The target authenticates the hash without needing the plaintext credential.

Domain & Forest Trusts — From Windows

Mon, 01 Jan 0001 00:00:00 +0000

Enumerating and exploiting Active Directory domain and forest trusts from a Windows foothold: SID history injection, golden ticket cross-domain, inter-realm key abuse.

Persistence — From Windows

Mon, 01 Jan 0001 00:00:00 +0000

Domain persistence techniques after AD compromise: Golden/Silver/Diamond Tickets, DCSync backdoors, AdminSDHolder, ACL abuse, WMI subscriptions, and DPAPI backup keys.

AD CS Attacks — From Windows

Mon, 01 Jan 0001 00:00:00 +0000

Active Directory Certificate Services exploitation from Windows: ESC1-ESC8 with Certify, ForgeCert, Rubeus, and Pass-the-Certificate.

Advanced Techniques — From Windows

Mon, 01 Jan 0001 00:00:00 +0000

Quick Reference

Technique	Tool	Requirement	Impact
KrbRelayUp (RBCD)	KrbRelayUp + Rubeus	Domain-joined, no LDAP signing	Low-priv → SYSTEM
gMSA password read	GMSAPasswordReader	Authorized principal	Lateral movement
LAPS password read	Get-AdmPwdPassword / PowerView	Read perm on ms-Mcs-AdmPwd	Local admin on target
PPL bypass (mimidrv)	Mimikatz + mimidrv.sys	Local admin	LSASS dump despite PPL
PPL bypass (PPLdump)	PPLdump	Local admin	LSASS dump despite PPL
LSASS dump (comsvcs)	LOLBAS / rundll32	Local admin	Credential extraction
WebDAV coercion trigger	PowerShell	Shell on target	Force HTTP auth for relay
Shadow credentials	Whisker	GenericWrite on account	PKINIT auth, NT hash

KrbRelayUp — Local Privilege Escalation to SYSTEM

What KrbRelayUp Is

KrbRelayUp abuses Resource-Based Constrained Delegation (RBCD) to escalate from a low-privilege domain user with a local shell to NT AUTHORITY\SYSTEM on the same machine. The attack creates a new machine account, configures RBCD on the target machine to trust that new account, then uses S4U2Self + S4U2Proxy to get a Kerberos service ticket impersonating Administrator (or any domain user) for the current machine — then uses that ticket to spawn a SYSTEM process.

GPO Abuse — From Windows

Mon, 01 Jan 0001 00:00:00 +0000

Quick Reference

Technique	Tool	Requirement	Effect
Immediate Scheduled Task	SharpGPOAbuse	Write on GPO	Code exec as SYSTEM on all linked machines
Restricted Groups	SharpGPOAbuse	Write on GPO	Add attacker to local Admins
User Rights Assignment	SharpGPOAbuse	Write on GPO	Grant SeDebugPrivilege / SeImpersonatePrivilege
Manual XML task	PowerShell / SYSVOL write	Write on GPO or SYSVOL	Arbitrary command as SYSTEM
New GPO + Link	PowerView / RSAT	CreateGPO right + link permission	Full control over target OU
GPO Delegation read	PowerView / BloodHound	Any domain user	Map attack surface

GPO Fundamentals

Group Policy Objects (GPOs) are containers of policy settings applied to users and computers. They are linked to Organizational Units (OUs), Sites, or the Domain. When a machine or user logs in, the domain controller delivers applicable GPOs via SYSVOL (a shared folder replicated to all DCs). The machine then applies them every 90 minutes by default (± 30-minute random offset), or immediately on gpupdate /force.

PPID Spoofing and Stomping — Process Injection Framework

Sat, 28 Mar 2026 00:00:00 +0000

Combining PPID Spoofing, Module Stomping, RC4 encryption, and native NT API enumeration into a single injection framework — built from scratch to understand how modern evasion techniques work under the hood.

A Kinder Russian Roulette — Encryption Practice

Thu, 12 Mar 2026 00:00:00 +0000

Six chambers, six encryption/obfuscation methods. A CTF-style tool for practicing Ghidra analysis and decryption routine writing — from XOR to AES-256 CBC to UUID obfuscation.

Backdooring PuTTY — PE Injection & C2 Beacon Delivery

Sun, 08 Mar 2026 00:00:00 +0000

Manual PE backdooring from scratch: code cave injection, new section addition, XOR evasion, and Adaptix C2 beacon delivery inside a legitimate PuTTY binary.

Walking the PE — Static Analyzer & PEB Walker

Fri, 06 Mar 2026 00:00:00 +0000

Deep dive into the Windows PE file format and runtime process inspection via PEB walking — parsing headers, import/export tables, and the loader module list.

GHOUL C2

Wed, 25 Feb 2026 00:00:00 +0000

Educational Discord-based Command & Control framework — AES-256-GCM encrypted beaconing, per-agent shell channels, and multiple evasion techniques implemented in C and Python.