“…s a list of the potentially viable uses for S4U2Self after obtaining machine hashes: in short, this method is only useful if you have a valid (non-rotated) machine account hash, if the local administrator account is disabled, and if a domain administrator is active on the co…”
Which technique(s) should be tagged here? Pick zero or more — leaving blank just records that the original was wrong.
T1136.001 Local Account (80%)
“…b testpc.test.local -u 'testpc$' -h 'aad3b435b51404eeaad3b435b51404ee:e4c750ef674036f0b4dbe10d59e3c4e3' --delegate administrator --self 3. Create new local administrator user (fakeadmin) nxc smb testpc.test.local -u 'testpc$' -h 'aad3b435b51404eeaad3b43…”
T1550.002 Pass the Hash (74%)
“pivoting to the domain even after certain local mitigations are enforced. That said, this path is relatively impractical, primarily due to the methods required to obtain machine account hashes. The core prerequisite of this technique is acquiring the NTLM hash of a machine accoun…”
T1550.003 Pass the Ticket (68%)
“machine hash, how can they pivot from the local system up to the Active Directory domain primarily using S4U2Self? S4U2Self Limitations There were many trials and errors during the research period of this project! Before discussing the one promising vector I discovered while work…”
T1550.003 Pass the Ticket (67%)
“the user or system requesting access to a resource. - Server: the destination resource the client wants to access. - Key Distribution Center (KDC): a trusted third party responsible for authenticating users and issuing tickets. The key reason for this approach to authenticati…”
T1558.003 Kerberoasting (53%)
“(resource) determines what services can delegate to it. Analyzing S4U2Self Referring back to constrained delegation, S4U2Self and S4U2Proxy are meant to prevent TGT forwarding while still allowing for the generation of valid service tickets on behalf of another user. In detail,…”
T1550.003 Pass the Ticket (50%)
“granting-ticket response: if the KDC can decrypt the TGT, it proves the client presented a valid TGT, as no other entity has access to the KDC’s secret key. The KDC then responds with a service ticket (ST), encrypted with the destination service’s password. - Service tic…”
T1098 Account Manipulation (48%)
“…c750ef674036f0b4dbe10d59e3c4e3' --delegate administrator --self -x 'reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v LocalAccountTokenFilterPolicy /t REG_DWORD /d 0 /f' 9. Remove fakeadmin user nxc smb testpc.test.local -u ‘…”
T1003.002 Security Account Manager (47%)
“pivoting to the domain even after certain local mitigations are enforced. That said, this path is relatively impractical, primarily due to the methods required to obtain machine account hashes. The core prerequisite of this technique is acquiring the NTLM hash of a machine accoun…”
T1558.003 Kerberoasting (45%)
“Abusing S4U2Self for Active Directory Pivoting Hunter recently graduated with his master’s degree in cyber defense and has over two years of experience in penetration testing. His favorite area of testing is Active Directory, and i…”
T1558.004 AS-REP Roasting (37%)
“Abusing S4U2Self for Active Directory Pivoting Hunter recently graduated with his master’s degree in cyber defense and has over two years of experience in penetration testing. His favorite area of testing is Active Directory, and i…”
T1558 Steal or Forge Kerberos Tickets (34%)
“the user or system requesting access to a resource. - Server: the destination resource the client wants to access. - Key Distribution Center (KDC): a trusted third party responsible for authenticating users and issuing tickets. The key reason for this approach to authenticati…”
Summary
TL;DR If you only have access to a valid machine hash, you can leverage the Kerberos S4U2Self proxy for local privilege escalation, which allows reopening and expanding potential local-to-domain pivoting paths, such as SeImpersonate!