Foothold → SCCM → DA
Active Directory

Abusing SCCM for Domain Takeover

From an unprivileged foothold to full domain compromise by relaying machine accounts to a Configuration Manager site server.

#sccm #active-directory
Mar 2026 · 3 min · Advanced
S4U abuse
Active Directory

Kerberos Delegation: From User to DA

Walking an unconstrained delegation path into a Domain Admin ticket.

#kerberos #delegation
Mar 2026 · 1 min · Intermediate
Token theft
Windows Internals

Hunting Tokens: Impersonation Without a Shell

Stealing and impersonating primary tokens straight from process memory.

#tokens #edr
Feb 2026 · 3 min · Advanced
Syscall stubs
Windows Internals

Direct Syscalls: Bypassing API Hooking

Calling the NT kernel directly to sidestep userland EDR hooks on Win32 APIs.

#syscalls #edr
Jan 2026 · 3 min · Advanced
ACL chain
Active Directory

ACL Abuse with BloodHound: Finding the Shortest Path

Using BloodHound to discover and exploit ACL-based escalation paths through Active Directory.

#active-directory #acl
Jan 2026 · 3 min · Intermediate
C2 profile
Red Teaming

Writing a Minimal C2 Malleable Profile

Shaping C2 traffic to blend into expected network baselines and avoid signature detection.

#c2 #network
Dec 2025 · 3 min · Intermediate
Pool layout
Exploit Development

Pool Grooming for Kernel Exploitation

Shaping the Windows kernel pool allocator to set up reliable adjacent-object overwrites.

#kernel #pool
Nov 2025 · 3 min · Advanced
Paper: Abusing Microsoft SCCM · Language: Arabic · Platform: Windows · Published: Exploit-DB
SCCM → SYSTEM
Active Directory

Abusing Microsoft System Center Configuration Manager (SCCM)

An Arabic research paper on SCCM architecture and the security impact of abusing its Run Scripts capability on managed Windows clients.

#sccm #mecm
Jul 2022 · 2 min · Advanced
Windows Internals

WDEG - Bypassing Attack Surface Reduction (ASR)

A 2022 research note on Windows Defender Exploit Guard, ASR rules, and a lab-observed bypass of the script-launch rule.

#wdeg #asr
Feb 2022 · 4 min · Intermediate