$ whoami red team · research

Red team research, writeups & field notes

Personal site of Mazen AlFaifi - offensive security research, deep Windows & Active Directory writeups, and notes from the field.

Read the writeups → About me

FIG·01 - mark ● live

sig: 0xBUGSBUNNY est. 2010

$ ls ./focus

Research focus

Where my writeups concentrate - offensive work against Windows estates, and the internals behind it.

04 / domains

Red Teaming & Adversary Simulation

Full-scope engagements, evasion, C2 tradecraft and OPSEC under EDR.

1 writeup →

Active Directory

Attack paths, Kerberos abuse, delegation and ACL-based privilege escalation.

4 writeups →

Windows Internals

Processes, tokens, syscalls and the mechanics EDRs hook into.

3 writeups →

Exploit Development

Memory-corruption primitives and notes from Windows exploitation.

1 writeup →

$ cat ./writeups --featured

Featured writeup

paper: Abusing Microsoft SCCM language: Arabic platform: Windows published: Exploit-DB

FEATURED // terminal cover

// active-directory

SCCM → SYSTEM

Active DirectoryAdvanced

Abusing Microsoft System Center Configuration Manager (SCCM)

An Arabic research paper on SCCM architecture and the security impact of abusing its Run Scripts capability on managed Windows clients.

Jul 29, 2022 · 2 min read

Read writeup →

Latest writeups

view all →

$ relay-tool -t https://<site-server>.lab.local/enrollment [*] listening for inbound authentication [*] inbound auth from <HOST$> @ lab.local [+] relayed + enrolled, registering device [+] deployment created :: runs as SYSTEM [+] SYSTEM context on <site-server>.lab.local

Foothold → SCCM → DA

Active Directory

Abusing SCCM for Domain Takeover

From an unprivileged foothold to full domain compromise by relaying machine accounts to a Configuration Manager site server.

#sccm#active-directory

Mar 2026 3 min Advanced

s4u /user:web$ /impersonateuser:admin /msdsspn:cifs/dc01 /ptt [+] ticket applied to current session

S4U abuse

Active Directory

Kerberos Delegation: From User to DA

Walking an unconstrained delegation path into a Domain Admin ticket.

#kerberos#delegation

Mar 2026 1 min Intermediate

OpenProcessToken(h, &tok) DuplicateTokenEx(tok, ...) ImpersonateLoggedOnUser(dup) [+] running as NT AUTHORITY

Token theft

Windows Internals

Hunting Tokens: Impersonation Without a Shell

Stealing and impersonating primary tokens straight from process memory.

#tokens#edr

Feb 2026 3 min Advanced