Kerberos

exploiting-kerberoasting-with-impacket helps authorized testers plan Kerberoasting with Impacket GetUserSPNs.py, from SPN enumeration to TGS ticket extraction, offline cracking, and detection-aware reporting. Use this exploiting-kerberoasting-with-impacket guide for penetration testing workflows with clear install and usage context.

The extracting-credentials-from-memory-dump skill helps analyze Windows memory dumps for NTLM hashes, LSA secrets, Kerberos material, and tokens using Volatility 3 and pypykatz workflows. It is built for Digital Forensics and incident response when you need defensible evidence, account impact, and remediation guidance from a valid dump.

The exploiting-nopac-cve-2021-42278-42287 skill is a practical guide for assessing the noPac chain (CVE-2021-42278 and CVE-2021-42287) in Active Directory. It helps authorized red teamers and Security Audit users check prerequisites, review workflow files, and document exploitability with less guesswork.

The exploiting-constrained-delegation-abuse skill guides authorized Active Directory testing of Kerberos constrained delegation abuse. It covers enumeration, S4U2self and S4U2proxy ticket requests, and practical paths to lateral movement or privilege escalation. Use it when you need a repeatable guide for penetration testing, not a generic Kerberos overview.

detecting-pass-the-ticket-attacks helps detect Kerberos Pass-the-Ticket activity by correlating Windows Security Event IDs 4768, 4769, and 4771. Use it for threat hunting in Splunk or Elastic to spot ticket reuse, RC4 downgrades, and unusual TGS volume with practical queries and field guidance.

The detecting-kerberoasting-attacks skill helps hunt Kerberoasting by spotting suspicious Kerberos TGS requests, weak ticket encryption, and service-account patterns. Use it for SIEM, EDR, EVTX, and detecting-kerberoasting-attacks for Threat Modeling workflows with practical detection templates and tuning guidance.

detecting-golden-ticket-forgery detects Kerberos Golden Ticket forgery by analyzing Windows Event ID 4769, RC4 downgrade use (0x17), abnormal ticket lifetimes, and krbtgt anomalies in Splunk and Elastic. Built for Security Audit, incident investigation, and threat hunting with practical detection guidance.

deploying-active-directory-honeytokens helps defenders plan and generate Active Directory honeytokens for Security Audit work, including fake privileged accounts, fake SPNs for Kerberoasting detection, decoy GPO traps, and deceptive BloodHound paths. It pairs installation-oriented guidance with scripts and telemetry cues for practical deployment and review.

conducting-pass-the-ticket-attack is a Security Audit and red-team skill for planning and documenting Pass-the-Ticket workflows. It helps you review Kerberos tickets, map detection signals, and produce a structured validation or report flow using the conducting-pass-the-ticket-attack skill.