Tuesday 1 March 2022

Additional - sAMAccountName Impersonation

Since my previous post I have subsequently discovered another attack path that may be useful. For these examples I used the internal.user account in the internal.zeroday.lab domain, as shown below:


This is a generic low privileged user.

 
Trusts

I updated my original tweet, but I wanted to explain in greater depth that this works across trusts.

As mentioned in a previous post, creating machine accounts across trusts is not only possible but can be incredibly useful. This is another example of that.

A forest trust is configured between the internal.zeroday.lab and external.zeroday.lab forests:


A new machine account (named NewComputer) is created across this trust on the external.zeroday.lab domain:


The SPNs can be cleared from this newly created account:


It is best to use the distinguished name of the machine account for changing the name:


Lastly, the name can be changed to the same name as the domain controller minus the '$':