• At the Edge of Tier Zero: The Curious Case of the RODC

    The read-only Domain Controller (RODC) is a solution that Microsoft introduced for physical locations that don’t have adequate security to host a Domain Controller but still require directory services for resources in those locations. A branch office is the classic use case.

    While RODCs, by definition, are not part of the set of resources that can control “enterprise identities”, known as Tier Zero, we have seen cases where there is a privilege escalation path from an RODC to domain dominance.

    In this blog post, we’ll answer the question, “If I compromise a Read-Only Domain Controller, can I compromise the domain?” or, from an architectural perspective, “Do RODCs belong in Tier Zero?”

    Continue Reading
  • SPN-jacking: An Edge Case in WriteSPN Abuse

    Some people are a hammer in search of a nail, but I'm a hammer in search of Kerberos delegation. So, when I heard that a WriteSPN edge was introduced to Bloodhound 4.1, I started exploring alternative abuse techniques beyond targeted Kerberoasting, and I found an edge case (pun intended) that can be chained together with Kerberos Constrained Delegation.


    Suppose an attacker compromises an account set for Constrained Delegation but doesn't have the SeEnableDelegation privilege. The attacker won't be able to change the constraints (msDS-AllowedToDelegateTo). However, if the attacker has WriteSPN rights over the account associated with the target SPN, as well as over another computer/service account, the attacker can temporarily hijack the SPN (a technique called SPN-jacking), assign it to the other computer/server, and perform a full S4U attack to compromise it. 

    Also, if the target SPN is not currently associated with any account, the attacker can appropriate it similarly.

    Continue Reading
  • Shadow Credentials: Abusing Key Trust Account Mapping for Account Takeover

    The techniques for DACL-based attacks against User and Computer objects in Active Directory have been established for years. If we compromise an account that has delegated rights over a user account, we can simply reset their password, or, if we want to be less disruptive, we can set an SPN or disable Kerberos pre-authentication and try to roast the account. For computer accounts, it is a bit more complicated, but RBCD can get the job done.

    These techniques have their shortcomings:

    • Resetting a user’s password is disruptive, may be reported, and may not be permitted per the Rules of Engagement (ROE).
    • Roasting is time-consuming and depends on the target having a weak password, which may not be the case.
    • RBCD is hard to follow because someone (me) failed to write a clear and concise post about it.
    • RBCD requires control over an account with an SPN, and creating a new computer account to meet that requirement may lead to detection and cannot be cleaned up until privilege escalation is achieved.

    The recent work that Will Schroeder (@harmj0y) and Lee Christensen (@tifkin_) published about AD CS made me think about other technologies that use Public Key Cryptography for Initial Authentication (PKINIT) in Kerberos, and Windows Hello for Business was the obvious candidate, which led me to (re)discover an alternative technique for user and computer object takeover.

    Continue Reading
  • DNS Peer-to-Peer Command and Control with ADIDNS

    When gaining initial access on a host in a secure zone with restricted outbound traffic, establishing a command and control channel for an implant can be a challenge.

    Using DNS for peer-to-peer command and control can be the solution, making the internal DNS servers your redirectors on the target network.

    Continue Reading
  • Gone to the Dogs

    Just in time for our DEF CON workshop “Constructing Kerberos Attacks with Delegation Primitives”, Microsoft failed to meet the disclosure deadline, and so we publish another primitive that can be abused to achieve Windows Local Privilege Escalation (LPE). It affects all domain-joined Windows 10 hosts by default, as well as Windows Server 2016 and Windows Server 2019 that have the WebDAV Redirector feature installed.

    This attack is very similar to the LPE attack chain that we disclosed in “Wagging the Dog”. Actually, it is identical except for the primitive used to initiate the attack chain.

    Continue Reading
  • Wagging the Dog: Abusing Resource-Based Constrained Delegation to Attack Active Directory

    Back in March 2018, I embarked on an arguably pointless crusade to prove that the TrustedToAuthForDelegation attribute was meaningless, and that “protocol transition” can be achieved without it. I believed that security wise, once constrained delegation was enabled (msDS-AllowedToDelegateTo was not null), it did not matter whether it was configured to use “Kerberos only” or “any authentication protocol”.

    I started the journey with Benjamin Delpy’s (@gentilkiwi) help modifying Kekeo to support a certain attack that involved invoking S4U2Proxy with a silver ticket without a PAC, and we had partial success, but the final TGS turned out to be unusable. Ever since then, I kept coming back to it, trying to solve the problem with different approaches but did not have much success. Until I finally accepted defeat, and ironically then the solution came up, along with several other interesting abuse cases and new attack techniques.

    Continue Reading
  • Shenanigans!

    Some of my colleagues and I decided to join forces and launch a new research team called Shenanigans Labs.

    We will occasionally write about our research projects in our new blog at, when we discover an interesting vulnerability or a new TTP, and if we are at liberty to publish them.

    We hope you find our posts valuable and enjoy reading them.

    I will cross-post my content in this blog and at

  • Abusing Resource-based Constrained Delegation 101

    I recently collaborated with Will Schroeder (@harmj0y) to weaponise resource-based constrained delegation to abuse ACLs to take over computer objects in Active Directory.

    Will wrote an excellent post about it, which I highly recommend reading:

    We later took it up a notch and abused it to the extreme. I will publish the details on 28/01/2019 or as soon as MSRC clears it.

  • Internal Monologue Attack - Retrieving NTLM Hashes without Touching LSASS

    Mimikatz is a well-regarded post-exploitation tool, which allows adversaries to extract plain text passwords, NTLM hashes and Kerberos tickets from memory, as well as perform attacks such as pass-the-hash, pass-the-ticket or build a golden ticket. Arguably, the primary use of Mimikatz is retrieving user credentials from LSASS process memory for use in post exploitation lateral movement.

    Recently, Microsoft has introduced Credential Guard in Windows 10 Enterprise and Windows Server 2016, which uses virtualization-based security to isolate secrets, and it is very effective in preventing Mimikatz from retrieving hashes directly from memory. Also, Mimikatz has become a prime target of most endpoint protection solutions, and they are very aggressive in their efforts to detect and prevent it. Although these efforts are bound to fail, they are increasingly becoming a nuisance.

    Continue Reading