Sign in

TL;DR if you use ADUC/RSAT to pull LAPS data you run the risk of a MITM.

Microsoft’s Local Admin Password Solution (LAPS) is a method of securely randomizing the local admin password on domain workstations. This solves the issue of a user discovering the local admin password, writing it down, sharing it with their buddies, and the inevitable installation of Trojan horse malware that looked like a useful program. It also mitigates against pass-the-hash. There are plenty of great guides out there on why you should use LAPS and how to set it up, so I won’t re-invent the wheel…

TL;DR This is simply an example scenario to show how serious PrintNightmare is. I cannot take credit for any of this. I simply read what Benjamin Delpy published and then used 2 of his tools in the lab.


Researchers recently realized that a print feature in Microsoft Windows could be abused. The feature allowed any user to add any printer from any print server by typing in the print server name and then double clicking. The printer’s driver would auto-install. Very user friendly and works great. Awesome feature! Right?

Well, like many things in security such as name poisoning…

TL;DR all this is on Google. I just put various ideas together to show how an attacker could get from Domain User to deploying ransomware domain wide by using HiveNightmare, aka SeriousSAM.


In previous articles we went over Mimikatz style attacks, which allow an attacker to dump credentials given local admin access to a domain workstation. HiveNightmare, aka SeriousSAM, is fundamentally different as it does not require local admin credentials. For some reason Microsoft allows Builtin\Users to read the registry’s location, and has been since Windows 10 1809.

TL;DR short writeup of how to perform Kerberoasting on a sample service account, requiring only domain user access and Rubeus.exe on Windows [or Impacket on Kali, shown in a footnote].

Please note, I’m not terribly creative or original. All this info is available elsewhere in bits and pieces. This is simply my notes from putting it together to perform Kerberoasting in the lab.


‘Kerberoasting’ is an oldie but a goodie. Given the existence of a service account, lack of best practices, and the ability to run Rubeus on a domain joined workstation it still works. It is a tactic…

TL;DR how to perform name poisoning in the lab and how to mitigate.

In previous articles I went over some common post exploitation attack methods an intruder will use in a Windows domain once they have gained access as a domain user and/or a local administrator on a workstation and mitigations against them. This is about how an attacker might gain access to an account in the first place. This assumes that they have only gotten access to the LAN that domain workstations are on.

Link Local Multicast Name Resolution (LLMNR) is an older protocol that is included in Windows…

TL;DR Howto auto-configure domain workstations so PDFs open in Adobe Reader instead of Edge. Yes, this is simple. However many orgs still get it wrong. Also howto deploy Adobe Reader in the lab to domain workstations.

The issue:

There are common programs in use in Enterprises such as Adobe Reader DC that are not associated with their file extension. This is a bit of an arcane topic for the average computer user. They just want to double click on the icon and have it open correctly. This is doubly true when the file was sent to them in Outlook. The…

TL;DR how to change the default location for new computer accounts & deal with issues that may result.

The issue:

There a couple defaults in a Windows domain that system administrators should keep in mind, and a couple of things about human nature.

· If a user puts a system on the domain without ‘pre-staging’ the account in AD it will go in the Computers Container.

· Any Domain User is allowed to add 10 computers to the domain.

· You cannot put GPOs on a Container in AD.

· However the workstation will login and function while in this…

BloodHound is a handy tool that is used by both attackers and testers alike. Essentially it maps the objects in Active Directory and finds relationships between them. It can identify privilege creep and find escalation paths. This works rather well since normally domain users in AD have read rights to all domain objects.

I was able to find a couple of guides on Google on BloodHound setup, however due to changes, updates, or my lab environment in particular I still had to use a fair amount of trial and error to get BloodHound functioning. was the most straightforward guide…

I had been meaning to test out and save a script that creates bulk accounts in AD. I finally got around to it after someone asked about such a thing on Facebook.

Creating bulk computer accounts; what did not work and why:

This was one of the rare cases where CW6 Google was wrong, or only half right. I found the following script on a couple different sites (

Import-Module ActiveDirectory



Import-Csv -Path $CSV | ForEach-Object {New-ADComputer -Name $_.ComputerAccount -Path $OU -Enabled $True}

However this script did not work at all in the lab. I checked a script…

TL;DR description of updating Group Policy Administrative Templates in the Central Store, blocking macros via GPOs, and testing it all with a sample macro.


This example covers centrally managing macros in Microsoft Office by adding the template, configuring the GPOs, pushing the update to clients, and testing it with a sample macro. Macros, aren’t those something from the 90s? Attackers have realized that they can do quite a bit of damage using macros and PowerShell, and often evade application whitelisting. The threat of the phishing email with a malicious macro attachment remains alive and well. …


Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store