Since my previous post I have discovered another attack path that may be useful. For these examples I used the internal.user account in the internal.zeroday.lab domain, as shown below:
This is a generic low-privileged user.
I updated my original tweet, but I wanted to explain in greater depth that this works across trusts.
As mentioned in a previous post, creating machine accounts across trusts is not only possible but can be incredibly useful. This is another example of that.
A forest trust is configured between the internal.zeroday.lab and external.zeroday.lab forests:
A new machine account (named NewComputer) is created across this trust on the external.zeroday.lab domain:
The SPNs can be cleared from this newly created account:
When changing the name, it is best to refer to the machine account by its distinguished name:
Lastly, the name can be changed to the domain controller's name without the trailing '$':
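From the defensive side, the sequence above leaves a distinctive trace: a computer object whose sAMAccountName loses its trailing '$' and then matches a domain controller's name, changed by an account from a trusted forest. The script below is an added example (not code from the post or its author) that flags that pattern over constructed records modelled on Windows Security event 4781, "The name of an account was changed". The field names (OldTargetUserName, NewTargetUserName, SubjectDomainName, TargetDomainName) are the event's own attributes, but every value, the list of domain controllers, and the assumption that SubjectDomainName names the trusted forest for a cross-trust change are made up for the example.

```python
"""Flag machine-account renames that drop the trailing '$', with higher
severity when the new name equals a domain controller's name minus '$'."""

# Constructed sample events: field names mirror event 4781 attributes,
# the values are invented for this example.
SAMPLE_EVENTS = [
    # Rename from an account in a trusted forest: NewComputer$ -> EXTDC01
    {"EventID": 4781, "SubjectUserName": "internal.user", "SubjectDomainName": "INTERNAL",
     "OldTargetUserName": "NewComputer$", "NewTargetUserName": "EXTDC01",
     "TargetDomainName": "EXTERNAL"},
    # Machine account loses its '$' but does not collide with a DC name
    {"EventID": 4781, "SubjectUserName": "helpdesk", "SubjectDomainName": "EXTERNAL",
     "OldTargetUserName": "WS07$", "NewTargetUserName": "WS07",
     "TargetDomainName": "EXTERNAL"},
    # Ordinary workstation rename, keeps the '$'
    {"EventID": 4781, "SubjectUserName": "helpdesk", "SubjectDomainName": "EXTERNAL",
     "OldTargetUserName": "OLD-WS$", "NewTargetUserName": "NEW-WS$",
     "TargetDomainName": "EXTERNAL"},
    # User account rename, out of scope
    {"EventID": 4781, "SubjectUserName": "helpdesk", "SubjectDomainName": "EXTERNAL",
     "OldTargetUserName": "jsmith", "NewTargetUserName": "john.smith",
     "TargetDomainName": "EXTERNAL"},
    # Event 4742 (computer account changed) carries no old/new name pair
    {"EventID": 4742, "SubjectUserName": "SYSTEM", "SubjectDomainName": "EXTERNAL",
     "TargetUserName": "WS07$", "TargetDomainName": "EXTERNAL"},
]

# Constructed: sAMAccountNames of the domain controllers in the monitored domain.
KNOWN_DCS = {"EXTDC01$", "EXTDC02$"}


def dc_base_names(dc_sam_names):
    """Domain controller names with the trailing '$' removed, upper-cased for comparison."""
    return {name.rstrip("$").upper() for name in dc_sam_names}


def classify_rename(event, dc_sam_names):
    """Return an alert dict for a suspicious machine-account rename, or None.

    Only event 4781 carries an old/new name pair. A rename is flagged when a
    machine account (old name ends with '$') receives a name without the '$';
    severity is 'high' when the new name equals a DC name minus its '$'.
    """
    if event.get("EventID") != 4781:
        return None
    old = event["OldTargetUserName"]
    new = event["NewTargetUserName"]
    if not old.endswith("$"):
        return None  # not a machine account
    if new.endswith("$"):
        return None  # still a conventional machine-account name
    severity = "high" if new.upper() in dc_base_names(dc_sam_names) else "medium"
    return {
        "severity": severity,
        "old_name": old,
        "new_name": new,
        "subject": f"{event['SubjectDomainName']}\\{event['SubjectUserName']}",
        # Assumption: for a change made across a trust, SubjectDomainName holds
        # the trusted forest's domain rather than the target domain.
        "cross_trust": event["SubjectDomainName"].upper() != event["TargetDomainName"].upper(),
    }


def find_suspicious_renames(events, dc_sam_names):
    """Run the classifier over a batch of events; 'high' alerts come first."""
    alerts = [a for a in (classify_rename(e, dc_sam_names) for e in events) if a]
    return sorted(alerts, key=lambda a: 0 if a["severity"] == "high" else 1)


if __name__ == "__main__":
    for alert in find_suspicious_renames(SAMPLE_EVENTS, KNOWN_DCS):
        print(alert)
```

Run against the constructed batch, the cross-trust rename to EXTDC01 is reported as high severity and the WS07 change as medium; the ordinary workstation rename, the user rename and the 4742 record produce nothing. In a real deployment the KNOWN_DCS set would be populated from the Domain Controllers OU rather than hard-coded, and a rename alert is worth correlating with a preceding SPN clear on the same object.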