Skill UI

A comprehensive guide detailing advanced techniques for attacking Microsoft Active Directory (AD) environments. It covers the entire red team lifecycle, including reconnaissance (BloodHound, PowerView), credential harvesting (Mimikatz, AS-REP Roasting), and critical attacks such as Kerberos exploitation, Pass-the-Ticket/Hash, and NTLM relay attacks. Essential for penetration testing and defensive validation.

A specialized threat hunting skill designed to detect remnants of the PowerShell Empire post-exploitation framework. It analyzes Windows event logs (specifically Script Block and Module Logging) for key Indicators of Compromise (IOCs), such as default launcher strings, Base64 encoded payloads, known module signatures (e.g., Mimikatz), and staging URL patterns. The output provides a detailed JSON report, comprehensive timeline, and MITRE ATT&CK mapping for incident response and security validation.

This guide is crucial for threat hunters investigating Active Directory compromises. It details how to monitor Windows Security Event ID 4662 to detect unauthorized attempts by non-domain-controller accounts to access critical directory replication GUIDs. These anomalies are strong indicators of DCSync attacks, which are used by attackers (e.g., using Mimikatz) to dump hashes, perform lateral movement, and execute credential theft.

This guide details advanced threat hunting techniques to proactively detect Mimikatz execution. It focuses on identifying command-line patterns, unauthorized access to LSASS memory, binary indicators, and known credential dumping techniques (e.g., DCSync, Golden Tickets). Ideal for security analysts, threat hunters, and incident response teams during proactive assessments or active compromise investigation.

A comprehensive skill for detecting early-stage ransomware indicators before data encryption occurs. It utilizes advanced network detection tools such as Zeek and Suricata, combined with SIEM correlation rules and threat intelligence feeds. This method monitors the entire pre-encryption kill chain, identifying precursor behaviors like initial access broker activity, Cobalt Strike C2 beaconing, credential harvesting (e.g., Mimikatz signatures), and data staging attempts, enabling timely incident response and containment.

Executes authorized, advanced attack simulations against Active Directory environments to identify critical misconfigurations, weak credentials, and exploitable trust relationships. Utilizing industry tools like BloodHound, Mimikatz, and Impacket, this process simulates complex attacks such as Kerberoasting, Golden Ticket forging, and domain compromise path analysis, helping organizations validate their security posture against real-world threats.

This guide details the exploitation of the Active Directory Certificate Services (AD CS) ESC1 vulnerability. By leveraging misconfigurations, an attacker can request certificates impersonating high-privileged users (e.g., Domain Admins). The workflow covers AD enumeration, forging certificates with arbitrary Subject Alternative Names (SANs), authenticating via PKINIT, and ultimately escalating domain privileges using tools like mimikatz. Essential for authorized red team and penetration testing.

This utility performs comprehensive forensic analysis on memory dumps. It leverages industry-standard tools like Volatility and Mimikatz to extract sensitive information, including cached credentials, NTLM/LM hashes, Kerberos tickets, and authentication tokens. It is crucial for incident response, assessing the scope of credential compromise, and investigating lateral movement attacks.