Group Managed Service Accounts (gMSAs) were introduced to solve a real problem: service accounts with static passwords. Traditional service accounts require someone to set a password, store it somewhere, and rotate it manually. In practice, rotation rarely happens. gMSAs replace that model entirely. The domain controller generates and rotates the Read more
Local Administrator Password Solution (LAPS) solves a real problem. Before it existed, most Windows environments reused the same local administrator password across every machine in the domain. Compromise one host, and you had credentials that worked everywhere. LAPS fixes this by generating a unique, randomized password for each computer’s local Read more
DCSync does not require Domain Admin membership. The underlying mechanism, the Directory Replication Service Remote Protocol (DRSR), only checks two ACEs on the domain naming context head: DS-Replication-Get-Changes and DS-Replication-Get-Changes-All. Any principal with both ACEs can pull every credential in the domain. No group membership, no elevated token, no lateral Read more
This post covers Kerberos-only constrained delegation, where the delegating principal has msDS-AllowedToDelegateTo set but lacks the TrustedToAuthForDelegation flag. Without that flag, S4U2Self is unavailable, meaning the attacking principal cannot synthesise a forwardable service ticket on its own. The attack reduces to S4U2Proxy only, and that has one hard requirement: you Read more
A Silver Ticket is a forged Kerberos service ticket signed entirely with the target service account’s NT hash. The KDC is never consulted during forging or use. There is no AS-REQ, no TGS-REQ, no DC-side log. The only inputs required are the service account hash, the domain SID, and the Read more
Overpass-the-Hash is commonly described as converting an NTLM hash into a Kerberos TGT. The more precise variant, Pass-the-Key, skips the NT hash entirely and authenticates directly with a Kerberos AES key. The result is a fully native Kerberos flow with no NTLM traffic, no RC4 downgrade, and no NTLM-based detection Read more
GOAD provisions AS-REP roasting through its vulnerabilities.yml ansible play, which calls the asrep_roasting role. That role runs Set-ADAccountControl to set DoesNotRequirePreAuth on specific accounts. In north.sevenkingdoms.local, the designated account is brandon.stark. In essos.local, it is missandei. No accounts in sevenkingdoms.local have the flag set. Nothing needs to be configured manually. Read more
The ESC8 post covered coercion to certificate relay. That attack required an unauthenticated network position and active relay infrastructure. This post covers what happens once you already have a foothold as a domain user. Four misconfigurations. All of them ship enabled in the GOAD lab. All of them produce Domain Admin. The Read more