Back in March 2018, I embarked on an arguably pointless crusade to prove that the TrustedToAuthForDelegation attribute was meaningless, and that “protocol transition” can be achieved without it. I believed that security-wise, once constrained delegation was enabled (msDS-AllowedToDelegateTo was not null), it did not matter whether it was configured to use “Kerberos only” or “any authentication protocol”. I started the journey with Benjamin Delpy’s (@gentilkiwi) help modifying Ke...| Shenanigans Labs
The Logon Session on Windows is tied to a single authenticated user with a single Token. However, for service accounts that's not really tr...| www.tiraniddo.dev
In the past few years there have been numerous exploits for service to system privilege escalation. Primarily they revolve around the fact that...| www.tiraniddo.dev