KrbRelayUp - a universal no-fix local privilege escalation in Windows domain environments

KrbRelayUp is a simple wrapper around some of the features of Rubeus and KrbRelay (plus a few other projects credited in the acknowledgements section) that streamlines the abuse of the following attack chain:

  • (Optional) Create a new machine account controlled by the attacker (New-MachineAccount); by default ms-DS-MachineAccountQuota lets any domain user add up to 10 computer accounts
  • Coerce the local machine account into authenticating (KrbRelay)
  • Relay that Kerberos authentication to LDAP on a domain controller (KrbRelay)
  • Add the attacker-controlled account to the local computer object's msDS-AllowedToActOnBehalfOfOtherIdentity attribute (RBCD) and obtain a privileged service ticket (ST) for the local machine via S4U (Rubeus)
  • Use that ST to authenticate to the local Service Control Manager and create a new service running as NT AUTHORITY\SYSTEM (SCMUACBypass)

This is essentially a universal no-fix local privilege escalation in Windows domain environments where LDAP signing is not enforced (the default setting). The relay step depends on a domain controller accepting unsigned LDAP binds, so requiring LDAP signing on domain controllers (and LDAP channel binding for LDAPS) breaks the chain; "no-fix" means no patch, not no mitigation.
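The following PowerShell script is an added example and not part of KrbRelayUp or its upstream projects. It audits the two preconditions the chain above relies on (LDAP signing not required on the DC, ms-DS-MachineAccountQuota above zero) and hunts for the artefact step four leaves behind (an unexpected principal in the local computer object's msDS-AllowedToActOnBehalfOfOtherIdentity attribute). It assumes the RSAT ActiveDirectory module, rights to read the DC's registry over WinRM, and that it is run from a domain-joined host; the function names are my own.

```powershell
#Requires -Modules ActiveDirectory
# Added example, not KrbRelayUp code. Run from a domain-joined host with rights to
# read the DC registry over WinRM and to read the domain object.

function Get-LdapHardeningState {
    param([Parameter(Mandatory)][string]$DomainController)

    # Both values live in the NTDS parameters key of every DC.
    # LDAPServerIntegrity: 1 = negotiate signing (default if absent), 2 = require signing.
    # LdapEnforceChannelBinding: 0 = never, 1 = when supported, 2 = always.
    $reg = Invoke-Command -ComputerName $DomainController -ScriptBlock {
        $p = 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters'
        $integrity = (Get-ItemProperty -Path $p -Name LDAPServerIntegrity -ErrorAction SilentlyContinue).LDAPServerIntegrity
        $binding   = (Get-ItemProperty -Path $p -Name LdapEnforceChannelBinding -ErrorAction SilentlyContinue).LdapEnforceChannelBinding
        [pscustomobject]@{
            LDAPServerIntegrity       = if ($null -eq $integrity) { 1 } else { [int]$integrity }
            LdapEnforceChannelBinding = if ($null -eq $binding)   { 0 } else { [int]$binding }
        }
    }

    # ms-DS-MachineAccountQuota (default 10) decides whether step one works for any domain user.
    $domain = Get-ADDomain
    $maq = (Get-ADObject -Identity $domain.DistinguishedName -Properties 'ms-DS-MachineAccountQuota').'ms-DS-MachineAccountQuota'

    [pscustomobject]@{
        DomainController      = $DomainController
        LdapSigningRequired   = ($reg.LDAPServerIntegrity -eq 2)
        ChannelBindingAlways  = ($reg.LdapEnforceChannelBinding -eq 2)
        MachineAccountQuota   = [int]$maq
        RelayToLdapPossible   = ($reg.LDAPServerIntegrity -ne 2)
        AnyUserCanAddMachine  = ([int]$maq -gt 0)
    }
}

function Get-RbcdDelegates {
    # Lists the principals allowed to delegate to a computer, i.e. the contents of
    # msDS-AllowedToActOnBehalfOfOtherIdentity. A workstation normally has none;
    # a fresh KRBRELAYUP-style machine account here is the post-exploitation artefact.
    param([string]$ComputerName = $env:COMPUTERNAME)
    $c = Get-ADComputer -Identity $ComputerName -Properties PrincipalsAllowedToDelegateToAccount
    @($c.PrincipalsAllowedToDelegateToAccount)
}

function Find-RbcdChanges {
    # Security event 5136 (directory service object modified) on the DC, filtered to the
    # RBCD attribute. Requires "Audit Directory Service Changes" plus a SACL on computer
    # objects; without that auditing nothing is logged and this returns nothing.
    param([Parameter(Mandatory)][string]$DomainController, [int]$Days = 7)
    Get-WinEvent -ComputerName $DomainController -FilterHashtable @{
        LogName = 'Security'; Id = 5136; StartTime = (Get-Date).AddDays(-$Days)
    } -ErrorAction SilentlyContinue | ForEach-Object {
        $data = @{}
        ([xml]$_.ToXml()).Event.EventData.Data | ForEach-Object { $data[$_.Name] = $_.'#text' }
        if ($data['AttributeLDAPDisplayName'] -eq 'msDS-AllowedToActOnBehalfOfOtherIdentity') {
            [pscustomobject]@{
                Time      = $_.TimeCreated
                Subject   = "$($data['SubjectDomainName'])\$($data['SubjectUserName'])"
                ObjectDN  = $data['ObjectDN']
                Operation = $data['OperationType']   # %%14674 = value added, %%14675 = value deleted
            }
        }
    }
}

function Find-UnsignedLdapBinds {
    # Directory Service event 2889 records clients that bound without signing; it is only
    # written when the "16 LDAP Interface Events" diagnostic level is set to 2 on the DC.
    param([Parameter(Mandatory)][string]$DomainController, [int]$Days = 7)
    Get-WinEvent -ComputerName $DomainController -FilterHashtable @{
        LogName = 'Directory Service'; Id = 2889; StartTime = (Get-Date).AddDays(-$Days)
    } -ErrorAction SilentlyContinue | Select-Object TimeCreated, Message
}

# Usage
$dc = (Get-ADDomain).PDCEmulator
Get-LdapHardeningState -DomainController $dc | Format-List
Get-RbcdDelegates
Find-RbcdChanges -DomainController $dc | Format-Table -AutoSize
Find-UnsignedLdapBinds -DomainController $dc | Format-Table -Wrap
```

Read the first object's RelayToLdapPossible and AnyUserCanAddMachine together: both true is the default state the README describes. Get-RbcdDelegates is cheap enough to run across every workstation in the domain, and any entry pointing at a computer account nobody recognises is worth a 5136 lookup on the DC to see which user wrote it.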