Open obilodeau opened 3 years ago
Took a look at the article and code they implemented. If I got the idea right: it is to relay the auth to an ADCS via PyRDP as they are doing here? It will still need more elements for the whole attack to be successful (in the how-to they are using dementor to abuse the printer spool bug).
Read this: https://www.exandroid.dev/2021/06/23/ad-cs-relay-attack-practical-guide/
Can we use ADCS relay attacks to grab certificates that would be valid for RDP? This would enable greater reach in NLA-enabled environments.