Protected Users

Protected Users: you thought you were safe uh?

31 March 2023 ~7 min By Aurelien Chalot

Kerberos Ntlm Windows Delegation Protected Users

On the 31st of October 2022, a PR on CrackMapExec from Thomas Seigneuret (@Zblurx) was merged. This PR fixed Kerberos authentication in the CrackMapExec framework. Seeing that, I instantly wanted to try it out and play a bit with it. While doing so I discovered a weird behaviour with the Protected Users group. In this blogpost I’ll explain what the Protected Users group is, why it is a nice security feature and yet why it is incomplete for the Administrator (RID500) user.

Kerberos
Ntlm
Windows
Delegation
Protected Users

Page 1 of 1