SPN Jacking

Introduction

Active Directory environments are full of subtle misconfigurations that can lead to complete domain compromise. One of the less-documented attack paths combines two primitives that seem harmless on their own: Constrained Delegation and WriteSPN. Together, they enable an attacker to impersonate any user, including Domain Admins, against a Domain Controller. SPN Jacking is particularly valuable when classic alternatives like RBCD or Shadow Credentials are blocked or monitored. It offers an alternative path to domain compromise using only WriteSPN and an already-configured delegation. ...

April 1, 2026 · 7 min · net0