The certificate arrives perfectly, but authentication fails because a SID-bearing ASN.1 extension is missing

ntlmrelayx and ADCS: when the certificate arrives but doesn't work

ADCS relay with ntlmrelayx generates certificates that certipy v5 rejects with ‘Object SID mismatch’. The root cause is KB5014754: modern DCs require the certificate to contain the user’s SID in a Microsoft-proprietary extension. ntlmrelayx doesn’t include it. Here’s why and how to fix it.

June 30, 2026 · 11 min · 2230 words · j0su
Everyone watches the LDAP 389/636 front door; the ADWS 9389 side door is open and unwatched

ADWS: enumerating Active Directory through the back door

Almost all Active Directory enumeration goes through LDAP (389/636), which is precisely the most watched channel in the domain. ADWS is a side door on port 9389 that accepts the same LDAP queries but is barely monitored. How it works under the hood, why its OPSEC is so good, and why it isn’t invisible.

June 18, 2026 · 14 min · 2825 words · j0su
Veeam Backup: from safeguard to the attacker's master key

Veeam Backup: from the organization's safeguard to the attacker's master key

Veeam Backup: what would happen if this protection solution became the entry point for a malicious actor? Two approaches to dump the SAM and extract DPAPI master keys while evading AV/EDR, using Veeam as a pivot toward critical services.

May 5, 2025 · 9 min · 1856 words · j0su