# Advanced Techniques: From Windows

## Quick Reference

| Technique | Tool | Requirement | Impact |
|---|---|---|---|
| KrbRelayUp (RBCD) | KrbRelayUp + Rubeus | Domain-joined, no LDAP signing | Low-priv → SYSTEM |
| gMSA password read | GMSAPasswordReader | Authorized principal | Lateral movement |
| LAPS password read | Get-AdmPwdPassword / PowerView | Read permission on ms-Mcs-AdmPwd | Local admin on target |
| PPL bypass (mimidrv) | Mimikatz + mimidrv.sys | Local admin | LSASS dump despite PPL |
| PPL bypass (PPLdump) | PPLdump | Local admin | LSASS dump despite PPL |
| LSASS dump (comsvcs) | LOLBAS / rundll32 | Local admin | Credential extraction |
| WebDAV coercion trigger | PowerShell | Shell on target | Force HTTP auth for relay |
| Shadow credentials | Whisker | GenericWrite on account | PKINIT auth, NT hash |

## KrbRelayUp: Local Privilege Escalation to SYSTEM

### What KrbRelayUp Is

KrbRelayUp abuses Resource-Based Constrained Delegation (RBCD) to escalate from a low-privilege domain user with a local shell to NT AUTHORITY\SYSTEM on the same machine. The attack creates a new machine account, configures RBCD on the target machine to trust that new account, then uses S4U2Self + S4U2Proxy to obtain a Kerberos service ticket impersonating Administrator (or any domain user) for the current machine, and finally uses that ticket to spawn a SYSTEM process. ...
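The two directory writes the paragraph above describes (a new machine account, then an RBCD trust on the target computer object) each leave a Windows Security event: 4741 "A computer account was created" and 5136 "A directory service object was modified". The correlation below is an added detection example, not part of the original page or the KrbRelayUp tool; the event records, account names, DNs and the `PRIVILEGED` allow-list are constructed, and the `value_principals` field stands in for the principals resolved from the security descriptor that 5136 actually logs.

```python
"""Flag a KrbRelayUp-style RBCD setup from constructed Security events:
a machine account created by an ordinary user (4741), followed within a
short window by a write to msDS-AllowedToActOnBehalfOfOtherIdentity (5136)
on a different computer object by the same actor or naming the new account."""
from datetime import datetime, timedelta

# Constructed, simplified sample records (not real logs). A real 5136 carries
# the raw security descriptor; here it is pre-resolved into value_principals.
EVENTS = [
    {"id": 4741, "time": "2024-03-01T10:00:00", "subject": "CORP\\jdoe",
     "new_account": "FAKEPC01$"},
    {"id": 5136, "time": "2024-03-01T10:00:20", "subject": "CORP\\jdoe",
     "object": "CN=WKS042,CN=Computers,DC=corp,DC=local",
     "attribute": "msDS-AllowedToActOnBehalfOfOtherIdentity",
     "value_principals": ["FAKEPC01$"]},
    {"id": 5136, "time": "2024-03-01T11:30:00", "subject": "CORP\\svc_admin",
     "object": "CN=SQL01,CN=Computers,DC=corp,DC=local",
     "attribute": "servicePrincipalName", "value_principals": []},
]

RBCD_ATTR = "msDS-AllowedToActOnBehalfOfOtherIdentity"
PRIVILEGED = {"CORP\\svc_admin"}      # accounts expected to manage RBCD (assumption)
WINDOW = timedelta(minutes=30)        # creation-to-RBCD-write window (assumption)


def find_rbcd_setups(events, privileged=PRIVILEGED, window=WINDOW):
    """Return (actor, new_account, target_dn) for each suspicious chain."""
    creations = [e for e in events if e["id"] == 4741]
    hits = []
    for w in events:
        if w["id"] != 5136 or w.get("attribute") != RBCD_ATTR:
            continue
        if w["subject"] in privileged:
            continue                  # routine delegation management
        for c in creations:
            elapsed = datetime.fromisoformat(w["time"]) - datetime.fromisoformat(c["time"])
            same_actor = c["subject"] == w["subject"]
            trusts_new = c["new_account"] in w["value_principals"]
            if timedelta(0) <= elapsed <= window and (same_actor or trusts_new):
                hits.append((w["subject"], c["new_account"], w["object"]))
    return hits


if __name__ == "__main__":
    for actor, acct, target in find_rbcd_setups(EVENTS):
        print(f"RBCD setup: {actor} created {acct} then trusted it on {target}")
```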