BloodHound from First Run to Domain Admin: A Practical Red Team Guide
A hands-on red team guide to BloodHound CE — from SharpHound data collection to reading attack paths and finding the fastest route to Domain Admin in Active Directory.
Active Directory
6 articles
Shadow Credentials: Account Takeover Without a Password
Shadow Credentials abuse msDS-KeyCredentialLink via DACL misconfiguration to add a rogue certificate, authenticate via PKINIT, and extract NT hashes — no password required.
ADCS Abuse with Certipy: From Low-Priv User to Domain Admin via Certificate Services
Active Directory Certificate Services is installed in most enterprise networks — and almost always misconfigured. Here's how attackers exploit ESC1 through ESC8 with Certipy, and how to detect and stop them.
Entra ID Attacks in Practice: Device Code Phishing, PRT Theft, and Conditional Access Bypass
MFA is no longer enough to protect Microsoft Entra ID accounts. Attackers steal tokens, register their own devices, and bypass Conditional Access — without ever touching a password. Here's the full attack chain and how to detect it.
Kerberoasting: A Deep Dive into Service Account Attacks
A comprehensive analysis of Kerberoasting — how it works at the protocol level, detection opportunities, and hardening strategies for Active Directory environments.
AD Attack Chains: From Initial Access to Domain Admin — And How to Detect Every Step
A complete purple team walkthrough of Active Directory attack chains — from initial foothold through Kerberoasting, DCSync, and Golden Tickets to full domain compromise, with detection rules for every technique.