https://hexpysya.github.io/tags/mimikatz/Recent content in Mimikatz on bubka hacks stuffHugo -- gohugo.ioen-usTue, 14 Apr 2026 00:00:00 +0000https://hexpysya.github.io/blue_team/splunk-shadowroast/Tue, 14 Apr 2026 00:00:00 +0000https://hexpysya.github.io/blue_team/splunk-shadowroast/A masqueraded AdobeUpdater.exe binary established persistence via a registry Run key, injected into cmd.exe, performed AS-REP Roasting with Rubeus against four AD accounts, laterally moved to FileServer using cracked tcooper credentials, enabled RDP, and staged share data for exfiltration.https://hexpysya.github.io/blue_team/splunk-goldenspray/Fri, 10 Apr 2026 00:00:00 +0000https://hexpysya.github.io/blue_team/splunk-goldenspray/An attacker from 77.91.78.115 brute-forced mwilliams credentials, connected via RDP, dropped OfficeUpdater.exe with registry persistence, staged Backup_Tools including mimikatz, dumped lsass to obtain jsmith credentials, laterally moved to ST-DC01 and ST-FS01, established scheduled task persistence on the DC, and archived client data for exfiltration.https://hexpysya.github.io/investigations/htb-ghosttrace/Sat, 31 Jan 2026 00:00:00 +0000https://hexpysya.github.io/investigations/htb-ghosttrace/Analyzed Windows Event Logs revealing a complete AD compromise chain: phishing email with macro-enabled document → credential dumping with Mimikatz → lateral movement via PsExec → DCSync attack → domain admin compromise → persistence via scheduled task, service, and registry run key.