ITSEC Newsletter 2025-11-13

In Active Directory exploitation, Kerberos delegation is easily among my top favorite vectors of abuse, and in the years I’ve been learning Kerberos exploitation, I’ve noticed that Impacket doesn’t get nearly as much coverage as tools like Rubeus or Mimikatz. From a penetration testing perspective, especially when operating from a remote dropbox, being able to interface Kali to the domain controller provides tremendous value, as we don’t need to drop binaries on disk, nor do we need to worry about host-based detections. This is not an exhaustive list of every explicit delegation abuse path possible, otherwise I’d be working on this forever! Instead, I wanted to focus on each type of delegation configured for both users and machines, and the most common attack paths for each.

Welcome to the new part of the IPC series. This is the sixth part, about RPC, where we will talk about external tools you can use to conduct RPC research. To get good research results you need a good toolset, tools that help you reach your goal without spending a lot of time building your own. Implementing your own tools can be time-consuming and may need more resources than the research itself. Unfortunately, there are not many effective tools for RPC because of the complexity and lack of research. Today I will mention the tools I use when I do RPC research. There might be other tools I don’t know about, which doesn’t mean that tools are ineffective.

We analyze real-world examples of threat actors misusing these inherent Windows authentication mechanisms. Our comprehensive breakdown covers the flow of authentication coercion, and includes a case study of a real attack in which threat actors exploited an obscure, rarely monitored remote procedure call (RPC) interface.