Winrm

RDP and WinRM both accept a blank Administrator password — attack surface is two services wide when credential assumptions fail at the front door.…

Two-domain AD forest under Assumed Breach. NTLM disabled globally. TCP port 88 asymmetrically filtered — a custom impacket monkey-patch unblocks Kerberos. ESC13 on TemporaryWinRM template grants WinRM shell on DC1. ……