TTPwire Vol. 1 · MITRE ATT&CK·Tagged

Reflecting on Your Tier Model: CVE-2025-33073 and the One-Hop Problem

Praetorian · 2026-03-27

ATT&CK techniques detected

11 predictions
T1558.003 Kerberoasting · 71%
“the door open one hop away. the systems that can reach the crown jewels deserve the same scrutiny as the crown jewels themselves. references [ 1 ] redteam pentesting “ the reflective kerberos relay attack ” [ 2 ] synacktiv. “ ntlm reflection is dead, long live ntlm reflection! an…”
T1558.001 Golden Ticket · 70%
“##sync the krbtgt hash. the secretsdump. py output confirms full domain compromise : krbtgt ntlm hash, aes - 256, aes - 128, and des keys extracted. from here, crafting golden tickets for any account in the domain is trivial. if a single member server with this configuration prov…”
T1550.003 Pass the Ticket · 68%
“system on braavos. now positioned as system on an unconstrained delegation host, we use the printerbug [ 8 ] to force meereen to authenticate to braavos. when the dc authenticates to a system trusted for unconstrained delegation, its tgt is included in the authentication and cach…”
T1558 Steal or Forge Kerberos Tickets · 60%
“##sync the krbtgt hash. the secretsdump. py output confirms full domain compromise : krbtgt ntlm hash, aes - 256, aes - 128, and des keys extracted. from here, crafting golden tickets for any account in the domain is trivial. if a single member server with this configuration prov…”
T1550.003 Pass the Ticket · 58%
“) from dcerpc, which is accessible with low - privilege domain credentials. this lets you determine whether a host ’ s patch level predates the june 2025 fix without needing admin on the target. once a list of these hosts is compiled, we can use finddelegation to find systems con…”
T1557.001 Name Resolution Poisoning and SMB Relay · 56%
“reflecting on your tier model : cve - 2025 - 33073 and the one - hop problem the false sense of security smb signing on domain controllers has become standard practice across most active directory environments. but this hardening may have created a false sense of security. cve - …”
T1187 Forced Authentication · 54%
“synacktiv [ 2 ], this vulnerability resurrects ntlm reflection, an attack class that was widely considered mitigated. by abusing how windows handles marshaled target information in dns records, an attacker can trick the smb client into triggering local ntlm authentication. the re…”
T1078.002 Domain Accounts · 52%
“protected users group for additional protections. beyond these mitigations, there are other defense - in - depth measures that can disrupt the attack chain at multiple points. enabling lsass to run as a protected process light ( runasppl ) on unconstrained delegation systems adds…”
T1550.003 Pass the Ticket · 44%
“regardless of how the organization has classified it. the same logic applies to multiple such classes of systems. these are the one - hop systems : compromise them, and you are one step away from the keys to the kingdom. understanding one - hop systemsamong the most common, and p…”
T1558.003 Kerberoasting · 41%
“protected users group for additional protections. beyond these mitigations, there are other defense - in - depth measures that can disrupt the attack chain at multiple points. enabling lsass to run as a protected process light ( runasppl ) on unconstrained delegation systems adds…”
T1550.003 Pass the Ticket · 40%
“one wants to touch, attached to the systems no one wants to reboot. the risks of unconstrained delegation have been understood since at least 2015, when sean metcalf presented on the topic at black hat [ 9 ] ]. what cve - 2025 - 33073 changes is the barrier to entry. previously, …”

Summary

The False Sense of Security

SMB signing on domain controllers has become standard practice across most Active Directory environments. But this hardening may have created a false sense of security. CVE-2025-33073 changes the calculus by removing the prerequisite of admin access, enabling NTLM relay attacks against Active Directory through unconstrained delegation. Domain controllers enforce SMB […]

The post Reflecting on Your Tier Model: CVE-2025-33073 and the One-Hop Problem appeared first on Praetorian.