Advanced Techniques — From Windows

Quick Reference

Technique | Tool | Requirement | Impact
KrbRelayUp (RBCD) | KrbRelayUp + Rubeus | Domain-joined, no LDAP signing | Low-priv → SYSTEM
gMSA password read | GMSAPasswordReader | Authorized principal | Lateral movement
LAPS password read | Get-AdmPwdPassword / PowerView | Read perm on ms-Mcs-AdmPwd | Local admin on target
PPL bypass (mimidrv) | Mimikatz + mimidrv.sys | Local admin | LSASS dump despite PPL
PPL bypass (PPLdump) | PPLdump | Local admin | LSASS dump despite PPL
LSASS dump (comsvcs) | LOLBAS / rundll32 | Local admin | Credential extraction
WebDAV coercion trigger | PowerShell | Shell on target | Force HTTP auth for relay
Shadow credentials | Whisker | GenericWrite on account | PKINIT auth, NT hash

KrbRelayUp — Local Privilege Escalation to SYSTEM

What KrbRelayUp Is

KrbRelayUp abuses Resource-Based Constrained Delegation (RBCD) to escalate from a low-privilege domain user with a local shell to NT AUTHORITY\SYSTEM on the same machine. The attack creates a new machine account, configures RBCD on the target machine to trust that new account, then uses S4U2Self + S4U2Proxy to obtain a Kerberos service ticket impersonating Administrator (or any domain user) for the current machine, and finally uses that ticket to spawn a SYSTEM process. ...

11 min · MrAzoth

Advanced Techniques — From Kali

Quick Reference

Technique | Tool | Requirement | Impact
WebDAV Coercion → LDAP relay | ntlmrelayx + PetitPotam | WebClient running on target | RBCD, shadow creds, DA
gMSA password read | gMSADumper / nxc | Authorized principal | Lateral movement
Zerologon | cve-2020-1472 | Network access to DC (pre-patch) | Instant DA
noPac (CVE-2021-42278/42287) | noPac.py | Domain user | DA via KDC spoofing
LAPS read | nxc / ldapsearch | Read perm on ms-Mcs-AdmPwd | Local admin on target
LSASS dump (offline parse) | pypykatz | LSASS dump file | Credential extraction
KrbRelayUp pre-check | nxc ldap | Network access | Identify LDAP signing state

WebDAV Coercion — Bypass SMB Signing for NTLM Relay

Why WebDAV Coercion Works

Standard NTLM relay from SMB to LDAP is blocked when SMB signing is required (which is enforced on DCs by default). WebDAV coercion forces the target to authenticate over HTTP instead of SMB. HTTP authentication does not enforce signing, so it can be relayed to LDAP even when the target has SMB signing enabled. ...

11 min · MrAzoth