From Evilginx2 to Session Hijacking: Building a Phishing Lab & Detection Rules

Session hijacking has evolved beyond traditional cookie theft. With Adversary-in-the-Middle (AitM) phishing kits like Evilginx2, attackers can intercept credentials and session tokens in real-time, bypassing even strong MFA solutions. In this hands-on guide, we’ll build a controlled lab environment, execute a full phishing campaign, and develop detection rules to identify these attacks. Understanding the Threat Evilginx2 is a man-in-the-middle proxy framework that sits between the victim and the legitimate website. Unlike traditional phishing, it:...

February 18, 2026 · 6 min · Anass

Kerberoasting 101: Hands-On Attack, Detection & Mitigation in Windows Domains

Kerberoasting is one of the most effective post-exploitation techniques used by attackers and red teamers to escalate privileges in Windows domains. In this article, we’ll dive deep into how the attack works, set up a lab environment, execute the attack step-by-step, and most importantly—learn how to detect and mitigate it. Understanding Kerberoasting Kerberoasting exploits the Kerberos authentication protocol used in Active Directory. Here’s the simplified flow: A user requests a Ticket-Granting Ticket (TGT) from the Key Distribution Center (KDC) The user presents their TGT to request a Ticket-Granting Service (TGS) for a specific service The TGS is encrypted with the service account’s password hash The attacker’s goal: Request TGS tickets for service accounts, crack the encrypted portion offline, and recover the plaintext password....

January 15, 2026 · 5 min · Anass