Frequently Asked Questions

Attack Scenarios & Technical Details

What is the main attack scenario described in the Cymulate blog post?

The blog post details a two-stage attack scenario where an attacker compromises a domain by abusing unconstrained delegation, leveraging the printer bug (SpoolSample), and using Mimikatz to escalate privileges from a low-privilege domain user to full forest compromise. The scenario is implemented in Cymulate's Purple Team module for automated testing and validation.

How does unconstrained delegation contribute to domain compromise?

Unconstrained delegation allows a server to reuse a user's ticket-granting ticket (TGT) to access any resource in the domain. If a high-privilege account connects to a compromised machine with unconstrained delegation enabled, attackers can extract the TGT and escalate privileges, potentially gaining domain admin access.

What is the printer bug and how is SpoolSample used in this attack?

The printer bug exploits the Microsoft Print System Remote Protocol (MS-RPRN) to force a domain controller to authenticate to a machine with unconstrained delegation enabled. SpoolSample is a tool that triggers this behavior, allowing attackers to obtain the domain controller's TGT on the compromised machine.

How is Mimikatz used in the domain compromise scenario?

Mimikatz is used to extract Kerberos tickets, including the TGT of the domain controller, from the compromised machine. Attackers can then use these tickets to perform pass-the-ticket attacks and escalate privileges within the domain.

What is a pass-the-ticket attack and how does it work in this context?

A pass-the-ticket attack (MITRE ATT&CK T1550.003) involves using a stolen TGT to request service tickets and access network resources as the original user. In this scenario, attackers use the domain controller's TGT to access resources and escalate privileges.

How is the DCSync attack used to compromise a domain?

The DCSync attack (MITRE T1003.006) allows attackers with sufficient privileges to impersonate a domain controller and request password hashes, including the KRBTGT hash, from other domain controllers. This enables further attacks such as golden ticket creation and full domain compromise.

What is the significance of the KRBTGT hash in Active Directory attacks?

The KRBTGT account is responsible for encrypting and signing all Kerberos tickets in the domain. If attackers obtain the KRBTGT hash, they can create golden tickets, granting persistent access and the ability to impersonate any user in the domain.

How does trust enumeration facilitate forest compromise?

Trust enumeration identifies trust relationships between domains. In the scenario, attackers discover a bi-directional trust with a parent domain, enabling them to attempt attacks like SID History injection to escalate privileges and compromise the entire forest.

What is SID History injection and how is it used in this attack?

SID History injection (MITRE T1134.005) involves adding the SID of a privileged group from a trusted domain to a Kerberos ticket, allowing attackers to gain elevated privileges in the trusted domain. In this scenario, it is used to achieve Enterprise Admin access in the parent domain.

How does the Cymulate Purple Team module help in replicating this attack scenario?

The Cymulate Purple Team module provides an open framework for crafting and automating custom attack scenarios, including chaining multiple attack steps. It allows security teams to replicate the described attack, validate detection and response, and improve their security posture with minimal effort and skill requirements.

What are the recommended mitigation steps for the attack scenario described?

Mitigation steps include disabling unconstrained delegation where possible, patching the printer bug (CVE-2019-0683), fine-tuning logging and monitoring for Kerberos ticket anomalies, regularly changing the KRBTGT password, enabling SID filtering, using application whitelisting, and disabling the Print Spooler service on unnecessary machines.

How can organizations test their defenses against these attack techniques?

Organizations can use Cymulate's platform, specifically the Purple Team module, to automate and replicate advanced attack scenarios, assess their detection and response capabilities, and validate the effectiveness of their security controls.

What tools are used in the attack scenario described in the blog post?

The scenario uses SpoolSample to exploit the printer bug, Mimikatz to extract Kerberos tickets and perform pass-the-ticket and DCSync attacks, and PowerView for trust enumeration and SID extraction.

How does the Cymulate platform support blue and red team activities?

The Cymulate Purple Team module enables both blue and red teams to automate, chain, and execute real-world attack scenarios, providing visibility into detection and response gaps and allowing for continuous improvement of security controls.

What is the difference between chained and atomic executions in the Purple Team module?

Chained executions allow multiple attack steps to be linked together, mimicking real adversary behavior, while atomic executions test individual scenarios independently. Both approaches are supported for flexible security validation.

How does the Cymulate platform help validate remediation and detection measures?

By automating the execution of attack scenarios, Cymulate enables organizations to repeatedly test and validate the effectiveness of their remediation and detection measures after implementing countermeasures.

What is the role of the Cymulate Research Lab?

The Cymulate Research Lab develops and implements advanced attack scenarios for the Cymulate platform, continuously examining the cyber-threat landscape and providing in-depth visibility into emerging threats and techniques.

Where can I find more technical resources and research from Cymulate?

You can find additional technical resources, research, and blog posts on the Cymulate blog and in the Resource Hub.

Features & Capabilities

What features does Cymulate offer for exposure validation and attack simulation?

Cymulate offers continuous threat validation, a unified platform combining Breach and Attack Simulation (BAS), Continuous Automated Red Teaming (CART), and Exposure Analytics, attack path discovery, automated mitigation, AI-powered optimization, and an extensive threat library with over 100,000 attack actions updated daily.

Does Cymulate support integration with other security tools?

Yes, Cymulate integrates with a wide range of security technologies, including Akamai Guardicore, AWS GuardDuty, BlackBerry Cylance OPTICS, Carbon Black EDR, Check Point CloudGuard, Cisco Secure Endpoint, CrowdStrike Falcon, Wiz, SentinelOne, and more. For a full list, visit the Partnerships and Integrations page.

How easy is Cymulate to implement and use?

Cymulate is designed for quick, agentless deployment with minimal resources required. Customers can start running simulations almost immediately, and the platform is praised for its intuitive, user-friendly interface. Comprehensive support and educational resources are available to help users get started. Schedule a demo to learn more.

What compliance and security certifications does Cymulate hold?

Cymulate holds SOC2 Type II, ISO 27001:2013, ISO 27701, ISO 27017, and CSA STAR Level 1 certifications, demonstrating adherence to industry-leading security and privacy standards.

What security measures are implemented in the Cymulate platform?

Cymulate employs data encryption in transit (TLS 1.2+) and at rest (AES-256), secure AWS-hosted data centers, a secure development lifecycle, continuous vulnerability scanning, annual third-party penetration tests, mandatory 2FA, RBAC, IP address restrictions, and GDPR compliance.

How does Cymulate help with exposure prioritization and remediation?

Cymulate validates exploitability and ranks exposures based on prevention and detection capabilities, business context, and threat intelligence, enabling organizations to focus on the most critical vulnerabilities and streamline remediation efforts.

What is the Cymulate Resource Hub?

The Cymulate Resource Hub is a central location for insights, thought leadership, and product information, including technical articles, webinars, e-books, and more.

Does Cymulate provide educational resources for users?

Yes, Cymulate offers a knowledge base, webinars, e-books, and an AI chatbot to help users optimize their use of the platform and stay informed about best practices in security validation.

Pain Points & Use Cases

What common pain points does Cymulate address for security teams?

Cymulate addresses fragmented security tools, resource constraints, unclear risk prioritization, cloud complexity, communication barriers, inadequate threat simulation, operational inefficiencies in vulnerability management, and post-breach recovery challenges.

Who can benefit from using Cymulate?

Cymulate is designed for CISOs and security leaders, SecOps teams, red teams, vulnerability management teams, and organizations of all sizes across industries such as finance, healthcare, retail, media, transportation, and manufacturing.

How does Cymulate help organizations improve their security posture?

Cymulate enables continuous threat validation, exposure prioritization, improved resilience, operational efficiency, and collaboration across teams, resulting in measurable improvements in threat resilience and alignment of security strategies with business goals.

What business impact can customers expect from using Cymulate?

Customers can expect up to a 52% reduction in critical exposures, a 20-point improvement in threat prevention, a 60% increase in team efficiency, 40X faster threat validation, and an 81% reduction in cyber risk within four months.

Are there real-world case studies demonstrating Cymulate's effectiveness?

Yes, for example, Hertz Israel reduced cyber risk by 81% in four months, and a sustainable energy company scaled penetration testing cost-effectively with Cymulate. More case studies are available on the Cymulate customers page.

How does Cymulate address the needs of different security personas?

Cymulate tailors solutions for CISOs (metrics and risk prioritization), SecOps (automation and efficiency), red teams (automated offensive testing), and vulnerability management teams (in-house validation and prioritization).

What feedback have customers given about Cymulate's ease of use?

Customers consistently praise Cymulate for its intuitive, user-friendly interface and ease of implementation. Testimonials highlight the platform's accessibility for users of all skill levels and the value of actionable insights.

Pricing & Plans

What is Cymulate's pricing model?

Cymulate uses a subscription-based pricing model tailored to each organization's needs. Pricing depends on the chosen package, number of assets, and scenarios selected. For a custom quote, schedule a demo.

Competition & Comparison

How does Cymulate differ from other security validation platforms?

Cymulate stands out with its unified platform combining BAS, CART, and Exposure Analytics, continuous 24/7 threat validation, AI-powered optimization, ease of use, and measurable outcomes such as a 52% reduction in critical exposures and 81% reduction in cyber risk.

Support & Implementation

What support options are available for Cymulate customers?

Cymulate provides email support, real-time chat support, a knowledge base, webinars, e-books, and an AI chatbot for technical assistance and best practices.

How long does it take to implement Cymulate?

Cymulate is designed for rapid, agentless deployment. Customers can typically start running simulations almost immediately after deployment, with minimal setup required.

Company & Vision

What is Cymulate's mission and vision?

Cymulate's mission is to transform cybersecurity by enabling organizations to proactively validate defenses, identify vulnerabilities, and optimize their security posture. The vision is to create a collaborative environment for lasting improvements in cybersecurity strategies.

Where can I find Cymulate news, events, and blog posts?

Stay updated with Cymulate's latest news, events, and research on the blog, newsroom, and events page.


Compromising a Domain With the Help of a Spooler

By: Cymulate Research Lab

Last Updated: March 31, 2025


My job in the Cymulate Research Lab is to craft and implement attack scenarios for Cymulate customers to launch in their environment and increase their cyber-resilience. In this tech-blog post I will show how an attacker can gain access to corporate assets from an initial foothold by combining multiple techniques.

The scenario is performed in two stages. In the first stage, we will abuse unconstrained delegation and use techniques to enumerate and escalate domain privileges. In the second stage we will show how it is possible to break the trust between a parent and a child domain to achieve full forest compromise.

The scenario is also implemented in the Purple Team module of the Cymulate Continuous Security Validation platform. This gives blue teamers a simple way to launch the scenario in their environments using one tool. Whether using Cymulate or implementing it à la carte, the goal is to evaluate the resilience of the enterprise IT configuration to this scenario and take steps to increase it.

Unconstrained Delegation & Printer Bug to Gain Domain Admin

The first stage of the scenario is to abuse the normal use of unconstrained delegation. Kerberos delegation is a setting that allows applications to request end-user access credentials in order to access resources on behalf of the originating user. Unconstrained delegation allows a first-hop server (a web server, for example) to request access to any service on any computer in the domain.

For example, when a user requests access to a web server and unconstrained delegation is enabled on that server, the Domain Controller (DC) authenticates the user and places the user’s ticket-granting ticket (TGT) inside the service ticket issued by the ticket-granting service (TGS). When it is presented to the web server, the user’s TGT is extracted from the TGS and stored in the Local Security Authority Subsystem Service (LSASS).

This way the server can reuse the user’s TGT to access any other resource while mimicking the user. TGTs expire after 10 hours by default.

Unconstrained Delegation Communication Flow:

  1. A user provides credentials to the Domain Controller.
  2. The DC returns a TGT.
  3. The user requests a TGS for the web service.
  4. The DC provides a TGS.
  5. The user sends the TGT and TGS to the web server.
  6. The web server service account uses the user’s TGT to request a TGS for the database server from the DC.
  7. The web server service account connects to the database server as the user.


Enumeration

The scenario starts from an initial foothold on a compromised Windows machine designated CYM-PT-3. Enumeration shows that the account we are running as is a low-privilege domain user. After domain enumeration we identify that the machine has the msDS-AllowedToDelegateTo attribute set, indicating that unconstrained Kerberos delegation is enabled.

With CYM-PT-3 compromised and unconstrained delegation enabled, we can escalate privileges if a high-privilege account has connected to it in the past 10 hours (the default TGT lifetime). For this scenario we will assume that no high-privilege account has connected to this machine; the next step will solve that deficiency.

The Printer Bug

Microsoft Print System Remote Protocol (MS-RPRN) allows a domain user to force any machine running the Spooler service to connect to a second machine, in our case one with unconstrained delegation enabled. The RpcRemoteFindFirstPrinterChangeNotificationEx API allows print clients to subscribe to notifications of changes on the print server. By default, the Spooler service is enabled on Domain Controllers.

A call to this API will cause the print server on the DC to authenticate to CYM-PT-3, providing its TGT, which is stored in the Local Security Authority Subsystem Service (LSASS).

Forcing Authentication using SpoolSample:

We will use SpoolSample to perform the attack. SpoolSample is a tool that forces Windows hosts to authenticate to other machines via the MS-RPRN RPC interface.

In this scenario we will force the DC machine account, cymsrv2016$ to authenticate to our CYM-PT-3 by providing its TGT.

We now have the TGT of a high-privilege account (the Domain Controller machine account) on the compromised machine that has unconstrained delegation enabled.

Using Mimikatz to Extract the TGT

To extract the TGT of the Domain Controller on CYM-PT-3 we will use mimikatz. The following command exports all available Kerberos tickets into the folder from which mimikatz was started. From there we will extract the TGT of the Domain Controller machine account.


Pass the Ticket

Pass-the-ticket (MITRE ATT&CK T1550.003) allows us to request a TGS using a TGT we hold and gain access to network resources by impersonating the original owner of the TGT. We will use the TGT obtained from the Domain Controller machine account in the previous step to access the DC’s resources. Before doing so, we will confirm that the low-privilege account on CYM-PT-3 does not have access to resources on the DC cymsrv2016.

To pass-the-ticket we will use mimikatz to inject the DC’s TGT into a current session.

As shown below we now have access to resources on cymsrv2016.

DCSync to Domain Compromise (MITRE T1003.006)

In the first stage we escalated privileges from a compromised, low-privilege account on a machine with unconstrained delegation to Domain Admin rights. In this second stage we will show how, by breaking the trust between a parent and a child domain, we achieve full forest compromise.

First, we will obtain the KRBTGT hash from the Domain Controller. The KRBTGT account is responsible for encrypting and signing all Kerberos tickets in the domain; if compromised, it can be used to perform many different types of attacks, for example to achieve persistence by generating a golden ticket.

We will use the DCSync attack to obtain the KRBTGT hash. This attack allows a threat actor to impersonate a Domain Controller and request password hashes from other Domain Controllers (ATT&CK technique T1003.006).

DCSync Flow:

  1. Find the Domain Controller to request replication from.
  2. Request replication with GetNCChanges.
  3. The Domain Controller returns the replication data.

To perform this type of attack the following privileged rights are required; Domain Admins and Enterprise Admins have them by default.

  • Replicating Directory Changes
  • Replicating Directory Changes All
  • Replicating Directory Changes in Filtered Set

Since we imported the machine account ticket of the Domain Controller (cymsrv2016) into our current session, we know that this account has the necessary privileges listed above to allow us to perform this attack. Using mimikatz to mimic a Domain Controller and request user replication from the Domain Controller, we retrieve the KRBTGT hash.

We have now extracted the KRBTGT hash and could use it to create a golden ticket, but since we already have Domain Admin privileges this is not necessary. We will save the KRBTGT hash for later use. The next step is to achieve Enterprise Admin (forest) privileges.
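A DCSync request leaves two Windows Security events on the DC that serves it: 4662 (the directory operation, whose Properties field names the replication rights exercised) and 4624 (the logon that issued it, with the source address). The following Python is an added example, not code from the post or from Cymulate: it correlates the two by logon ID and flags replication rights used by a non-DC principal, or by a DC machine account logging on from a non-DC address, which is the signature of cymsrv2016$’s ticket being reused from CYM-PT-3. The event records, the DC address 10.10.0.5 and the foothold address 10.10.0.30 are constructed; the three GUIDs are the well-known control-access rights for the permissions listed above.

```python
"""Detect DCSync-style replication requests from unexpected principals.

Correlates Security event 4662 (operation on an AD object) with 4624 (logon)
by logon ID, so each replication request is attributed to the address it was
issued from. All sample events below are constructed for this example.
"""
from dataclasses import dataclass

# Control-access-right GUIDs that appear in the Properties field of event 4662.
REPLICATION_RIGHTS = {
    "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Get-Changes",
    "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Get-Changes-All",
    "89e95b76-444d-4c62-991a-0facbeda640c": "DS-Replication-Get-Changes-In-Filtered-Set",
}

# Constructed inventory: DC machine accounts and the addresses they replicate from.
# cymsrv2016 is the DC named in the post; its address is an assumption.
DC_ACCOUNTS = {"CYMSRV2016$"}
DC_ADDRESSES = {"10.10.0.5"}


@dataclass
class Alert:
    account: str
    source_ip: str
    rights: list
    reason: str


def replication_rights(properties: str) -> list:
    """Return the names of replication rights referenced in a 4662 Properties blob."""
    text = properties.lower()
    return [name for guid, name in REPLICATION_RIGHTS.items() if guid in text]


def detect_dcsync(events):
    """Flag 4662 replication requests not issued by a DC from a DC address.

    events: iterable of dicts with an EventID and the fields used here:
      4624: TargetUserName, TargetLogonId, IpAddress
      4662: SubjectUserName, SubjectLogonId, Properties
    """
    logon_source = {}  # LogonId -> source IP, learned from 4624
    alerts = []
    for ev in events:
        if ev["EventID"] == 4624:
            logon_source[ev["TargetLogonId"]] = ev["IpAddress"]
            continue
        if ev["EventID"] != 4662:
            continue
        rights = replication_rights(ev["Properties"])
        if not rights:
            continue  # ordinary object access, not replication
        account = ev["SubjectUserName"].upper()
        src = logon_source.get(ev["SubjectLogonId"], "unknown")
        if account not in DC_ACCOUNTS:
            alerts.append(Alert(account, src, rights, "replication by non-DC principal"))
        elif src not in DC_ADDRESSES:
            # The scenario in the post: a DC's own ticket replayed from the foothold host.
            alerts.append(Alert(account, src, rights, "DC account replicating from non-DC address"))
    return alerts


# Constructed sample: genuine DC-to-DC replication, the DC machine-account ticket
# replayed from CYM-PT-3 (10.10.0.30), and an ordinary user reading an object.
SAMPLE_EVENTS = [
    {"EventID": 4624, "TargetUserName": "CYMSRV2016$", "TargetLogonId": "0x3e7a1", "IpAddress": "10.10.0.5"},
    {"EventID": 4662, "SubjectUserName": "CYMSRV2016$", "SubjectLogonId": "0x3e7a1",
     "Properties": "{1131f6aa-9c07-11d1-f79f-00c04fc2dcd2} {1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}"},
    {"EventID": 4624, "TargetUserName": "CYMSRV2016$", "TargetLogonId": "0x9b2c4", "IpAddress": "10.10.0.30"},
    {"EventID": 4662, "SubjectUserName": "CYMSRV2016$", "SubjectLogonId": "0x9b2c4",
     "Properties": "{1131f6aa-9c07-11d1-f79f-00c04fc2dcd2} {1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}"},
    {"EventID": 4624, "TargetUserName": "jdoe", "TargetLogonId": "0x7710", "IpAddress": "10.10.0.30"},
    {"EventID": 4662, "SubjectUserName": "jdoe", "SubjectLogonId": "0x7710",
     "Properties": "{bf967aba-0de6-11d0-a285-00aa003049e2}"},
]

if __name__ == "__main__":
    for a in detect_dcsync(SAMPLE_EVENTS):
        print(f"ALERT {a.account} from {a.source_ip}: {a.reason} ({', '.join(a.rights)})")
```

Only the second replication is flagged: the account is a legitimate DC, but the logon that issued the request came from the foothold host rather than a DC address.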

Trust Enumeration

Enumeration shows a bidirectional trust with the cymulate.lab domain. There are a variety of attacks that can be attempted across forest trusts, such as Kerberoasting, SID History abuse, and more. To enumerate our available trusts we used PowerView, a PowerShell tool used to gain network situational awareness on Windows domains (MITRE ATT&CK T1482 Domain Trust Discovery).

The enumeration shows that we are a child domain and we have a bi-directional trust with our parent domain cymulate.lab.

Compromising Parent Domain using the SID History method

As a child domain with a bidirectional trust with our parent domain cymulate.lab, we can try to compromise the parent domain by abusing the SID History method (ATT&CK T1134.005 Access Token Manipulation: SID-History Injection).

Many posts have been written on the topic, such as this one, so we will skip straight to the requirements and the attack.

In order to perform the SID History method and gain Enterprise Admin level access we need the following:

  1. The KRBTGT hash that we already extracted from our current domain.
  2. The SID (security identifier) of our current domain.
  3. The SID of our parent domain.

Extracting Domain SID and Parent SID using PowerView

Once we have all of the above, we can use mimikatz to inject a golden ticket with the KRBTGT hash from our child domain, child.cymulate.lab, and add the Enterprise Admins SID of cymulate.lab. We then once again pass the ticket and achieve Enterprise Admin level access.

Replicating the Entire Scenario Using Cymulate’s Purple Team Module

As mentioned in the beginning, both stages of the scenario described in this paper are implemented in the Cymulate Purple Team module. This automated instantiation enables repetitive execution of the scenario. For example, to launch the scenario from different start points in the enterprise infrastructure, or to validate proper remediation or detection after taking countermeasures.

As a Cymulate researcher, the transition from concept to implementation is very fluid, the result of a flexible and open framework that is easy to use. We use the same framework as our customers, who prepare custom scenarios from A to Z so that they can be used by red and blue teamers out of the box, repeatedly, and managed and integrated with the current security stack. Following is a description of the implementation.

Cymulate Purple Team Module

The Cymulate Purple Team module is an open framework used to craft and automate custom attack scenarios. The creation of scenarios requires minimal adversarial skills, while launching the scenarios and analyzing the results is achievable by security team members of any skill level.

The module makes it possible to perform different penetration testing tasks on a daily basis. The advanced use of the Purple Team module is for red/blue teamers to exercise a full attack on the enterprise environment by combining real-world adversary techniques. For blue teamers it gives better visibility of which aspects of your current detection and response need to be improved, and it provides a better understanding of some of the more sophisticated attacks used by red teamers, with a few clicks and minimal effort and skill.

The Module supports the following:

Chained – different executions can be chained together to mimic the path used by a real adversary. An example would be running mimikatz to collect credentials from a machine, using the collected credentials to move laterally and escalate privileges to Domain Admin.

Atomic – testing a specific scenario. Atomic executions are standalone executions.

We can use atomic executions if we want to test different scenarios. For example, Enumerating all members of the domain admins group in a domain environment.

For the scenario described above we will use the Chained approach. We begin by creating a template and adding the executions to the template.

After adding the executions, we can chain other executions together. Below is an example of chaining the Ticket Extraction using Packed Mimikatz execution to the Pass the Ticket and DCSync execution. By chaining the Kerberos_ticket input argument, the Purple Team module knows it needs to get the ticket location from its chained execution, which is Ticket Extraction using Packed Mimikatz, as depicted below.

To implement the scenario described in this paper we chained all the relevant executions into a template, from which assessments can be created, launched and validated.

The result of running the assessment is a full replication of the scenario, resulting in full forest compromise.

Mitigation Tips

Following are some mitigation tips for this attack scenario.

  • Mimikatz was executed on disk. Build a signature based on the command line arguments provided. Keep in mind this is not a golden solution and can be manipulated by an attacker to evade detection (e.g., using software packing to avoid detection, as used in our example).
  • Configuration management: perform an Active Directory security assessment to audit user rights, identify hosts other than Domain Controllers with unconstrained delegation, and remediate the “printer bug” (CVE-2019-0683).
  • Fine-tune logging and monitoring to alert on forged Kerberos tickets and the other techniques highlighted in this post.
  • Regularly change the KRBTGT password. It needs to be changed once to allow AD to replicate, and changed again 24 hours later, to make sure there are no issues validating existing Kerberos tickets.
  • Avoid using unconstrained delegation when it is not absolutely necessary. Constrained delegation is an option on machines that require delegation: with it you can specify the exact servers that the delegating server can access. Constrained delegation is not a silver bullet and can be as dangerous as unconstrained, but it is the safer option overall.
  • Enabling SID filtering between trusts in an Active Directory forest could potentially solve the issue. This disables SID History but introduces complexities in the production environment.
  • Enable an application whitelisting solution to limit users’ ability to execute arbitrary code.
  • Prevent usage of SpoolSample and similar applications (application hash and/or detection on event ID 5145 with an unrecognized client).
  • Disable the Print Spooler service on machines that do not need print services.
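To show what the SID filtering mitigation above changes for the SID History method described earlier, here is a small Python model, an added example rather than code from the post or from Cymulate, of how the parent domain treats the SIDs carried in a ticket arriving over the child trust, with and without quarantine. The domain SIDs, the user RID 1105 and the function names are constructed assumptions; RID 519 is the well-known Enterprise Admins RID, which exists only in the forest root domain.

```python
"""Model of trust SID filtering applied to a cross-domain Kerberos ticket.

Without quarantine (the default for trusts inside one forest) every SID in the
ticket is honoured, which is what lets a child-domain golden ticket carrying the
parent's Enterprise Admins SID reach Enterprise Admin. With SID filtering enabled
on the trust, SIDs outside the issuing domain are dropped.
"""

ENTERPRISE_ADMINS_RID = 519  # well-known RID, defined only in the forest root domain

# Well-known privileged RIDs a defender would not expect to see from a foreign domain.
PRIVILEGED_RIDS = {512: "Domain Admins", 516: "Domain Controllers",
                   518: "Schema Admins", 519: "Enterprise Admins"}

# Constructed domain SIDs for the two domains named in the post.
CHILD_SID = "S-1-5-21-1111111111-2222222222-3333333333"   # child.cymulate.lab
PARENT_SID = "S-1-5-21-4444444444-5555555555-6666666666"  # cymulate.lab (forest root)


def domain_of(sid: str) -> str:
    """Return the domain part of an account SID (everything before the RID)."""
    return sid.rsplit("-", 1)[0]


def filter_sids(ticket_sids, trusted_domain_sid, quarantined: bool):
    """Apply SID filtering as the trusting (parent) domain would on an inbound ticket.

    ticket_sids: SIDs carried in the ticket's PAC (user, groups, SID History).
    trusted_domain_sid: SID of the domain that issued the ticket (the child).
    quarantined: True if SID filtering is enabled on this trust.
    """
    if not quarantined:
        return list(ticket_sids)
    return [s for s in ticket_sids if domain_of(s) == trusted_domain_sid]


def grants_enterprise_admin(effective_sids, forest_root_sid) -> bool:
    """True if the SIDs the parent accepted include its Enterprise Admins group."""
    return f"{forest_root_sid}-{ENTERPRISE_ADMINS_RID}" in effective_sids


def foreign_privileged_sids(sids, issuing_domain_sid):
    """Audit helper: SIDs from another domain that carry a privileged RID.

    Useful when reviewing sIDHistory attributes or PAC contents surfaced in logs.
    """
    flagged = []
    for s in sids:
        domain, rid = s.rsplit("-", 1)
        if domain != issuing_domain_sid and int(rid) in PRIVILEGED_RIDS:
            flagged.append((s, PRIVILEGED_RIDS[int(rid)]))
    return flagged


# Constructed PAC contents of the forged child-domain ticket described above:
# a child user (RID 1105), the child's Domain Users group (RID 513), and the
# parent's Enterprise Admins SID smuggled in through SID History.
FORGED_TICKET_SIDS = [
    f"{CHILD_SID}-1105",
    f"{CHILD_SID}-513",
    f"{PARENT_SID}-{ENTERPRISE_ADMINS_RID}",
]


def evaluate(quarantined: bool) -> bool:
    """Does the forged ticket yield Enterprise Admin in the parent under this trust setting?"""
    effective = filter_sids(FORGED_TICKET_SIDS, CHILD_SID, quarantined)
    return grants_enterprise_admin(effective, PARENT_SID)


if __name__ == "__main__":
    print("trust not quarantined -> Enterprise Admin:", evaluate(False))
    print("trust quarantined     -> Enterprise Admin:", evaluate(True))
    print("foreign privileged SIDs in ticket:", foreign_privileged_sids(FORGED_TICKET_SIDS, CHILD_SID))
```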

Test the effectiveness of your security controls against possible cyber threats by booking a demo of Cymulate's platform.
