Becoming the Machine, A Virtual Account's Guide to Total Control

While the core concepts aren’t new, I believe the use of ADCS for domain computer takeover through Virtual Account abuse is a previously undocumented/unexplored route to achieving your goals. I would like to start off by giving credit to my coworker, Michael (https://www.linkedin.com/in/michael-mcin/), for exploring today’s abuse paths but also for setting up a home environment to develop the PoC for the blog. Michael and I were both on a somewhat big internal penetration test (an assumed breach scenario) together and he had managed to get his hands on the credentials to the SA (System Administrator) account on one of the client’s MSSQL databases. Immediately, the first thing we checked for was the ability to execute commands and, lo and behold, we could : ). ...

October 13, 2025

The Admin you forgot about

We all know the classic RID 500 Administrator account, the one who’s able to use NTLM authentication even with “Protected Users” membership and is your go-to during delegation attacks, but there’s a kink in this lateral-movement free-for-all: the Domain Controller doesn’t actually work that way. The Domain Controller functions differently from other computers in that the default local Administrator that exists on other systems is not enabled by default. The default local Administrator on the Domain Controller in fact plays a specific role that it doesn’t on other systems; it’s used exclusively for disaster recovery. ...

July 13, 2025