Macksofy Technologies
BFSI · Internal Network
India · Enterprise · 2025

NoPac chained with Kerberoasting reached Domain Admin in 4 hours inside a BFSI MNC's internal AD

A multinational BFSI's Indian arm asked Macksofy for an assumed-breach internal pentest of its AD + Citrix estate. From a single low-privilege user, the team chained NoPac (CVE-2021-42278) with a Kerberoastable service account to reach Domain Admin in four hours.

Tags: BFSI · Mumbai BKC · Active Directory · Citrix VDI · NoPac · Kerberoasting · Internal Pentest
Engagement summary

  • Client: BFSI Multinational (Mumbai BKC)
  • Sector: BFSI
  • Region: India
  • Engagement: Internal Network
  • Year: 2025
  • Duration: 15 working days
  • Time to Domain Admin: 4h
  • Critical findings: 3 (all closed in 14d)
  • Engagement length: 15d
  • Cadence after engagement: Quarterly
The challenge

What the client was up against.

Group-wide AD, India-specific risk

The Indian arm shared an AD forest with the parent group, but had local-only privilege tiers and Citrix infrastructure for India operations. The CISO wanted independent assurance that an attacker landing on a single India-region endpoint couldn't elevate to forest-wide admin.

Citrix as both shield and surface

End-user compute ran on Citrix VDI with strict local lockdowns. But VDI lockdowns famously fall to GPO-evasion tradecraft, and Citrix Studio access for engineers was tier-0 by inheritance — exactly the kind of subtle privilege drift we hunt for.

Approach

How we ran the engagement, phase by phase.

Phase 01 · Assumed-breach starting point

  • Issued a low-privilege user account on a Citrix VDI session
  • Mapped the lockdown surface: Group Policy, AppLocker, Windows Defender
  • Validated the realistic-attacker constraint set with the client

Phase 02 · VDI lockdown evasion

  • Bypassed AppLocker via signed-binary proxy execution (LOLBAS)
  • Spawned tooling via WSL + COM hijacking inside the VDI session
  • Confirmed unrestricted egress to internal AD over expected ports

Phase 03 · AD enumeration

  • Opsec-aware BloodHound collection (no default SharpHound run)
  • Identified a Kerberoastable service account in a tier-0 group
  • Found an unconstrained-delegation host reachable from the VDI subnet

Phase 04 · NoPac + Kerberoasting chain to DA

  • Cracked the Kerberoasted service account offline (3 h on GPU)
  • Combined with NoPac (CVE-2021-42278 + CVE-2021-42287) for DC compromise
  • Confirmed Domain Admin at T+4h; stopped, took evidence, did not persist

Phase 05 · Closure + tier-0 hardening

  • Live-retested KB5008380 patch deployment across all DCs
  • Reviewed every tier-0 service-account password policy carve-out
  • Drafted a Citrix-VDI hardening playbook with the client's EUC team
Findings

What we surfaced — severity, title, real-world impact.

Critical · NoPac (CVE-2021-42278 + CVE-2021-42287) unpatched on 3 DCs

Three domain controllers in the India region had not received the November 2021 hardening rollup, leaving them directly exploitable to Domain Admin from any authenticated user.

Critical · Kerberoastable service account in tier-0 group

A backup-software service account with a 12-character password sat inside a Domain-Admin-equivalent group; Kerberoasting it and cracking the hash offline reached DA in 3h.

High · Citrix AppLocker policy bypassable via WSL

Windows Subsystem for Linux was not blocked by AppLocker on any VDI image, providing a clean path to run arbitrary tooling outside the lockdown perimeter.

High · Unconstrained delegation on a print server

A legacy print server retained unconstrained delegation; combined with a forced-authentication primitive, it could deliver a victim's full TGT to an attacker-controlled host.
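A defender-side audit for the NoPac, tier-0 Kerberoasting and unconstrained-delegation findings above, added here as example code (not Macksofy's or the client's tooling). It assumes the RSAT ActiveDirectory module, read access to the domain and to installed-update inventory on the DCs, and the privileged group names hard-coded in the script.

```powershell
# Added example, not Macksofy's tooling: audit for the three AD findings above.
# Assumes the RSAT ActiveDirectory module and an account allowed to read AD
# and to query installed updates on the domain controllers.
Import-Module ActiveDirectory

# Finding 1 (NoPac): the fix shipped in the November 2021 rollup, so a DC whose
# newest installed update predates 2021-11-09 cannot carry it. A later date is
# not proof on its own; confirm the OS build against KB5008380 for those DCs.
$novPatchTuesday = Get-Date '2021-11-09'
foreach ($dc in Get-ADDomainController -Filter *) {
    $latest = Get-HotFix -ComputerName $dc.HostName -ErrorAction SilentlyContinue |
        Sort-Object InstalledOn -Descending | Select-Object -First 1
    $verdict = if (-not $latest) {
        'no hotfix inventory readable'
    } elseif ($latest.InstalledOn -lt $novPatchTuesday) {
        'PRE-NOV-2021: NoPac fix cannot be present'
    } else {
        "newest update $($latest.InstalledOn.ToShortDateString()); confirm build vs KB5008380"
    }
    '{0}: {1}' -f $dc.HostName, $verdict
}

# Finding 2 (Kerberoastable tier-0 account): enabled user objects with an SPN
# whose recursive group membership reaches a Domain-Admin-equivalent group.
# A gMSA is not a user object, so a remediated account drops out of this list.
$tier0Groups = 'Domain Admins', 'Enterprise Admins', 'Administrators', 'Schema Admins'
$tier0Dns = foreach ($g in $tier0Groups) {
    Get-ADGroupMember -Identity $g -Recursive -ErrorAction SilentlyContinue |
        Where-Object objectClass -eq 'user' | ForEach-Object DistinguishedName
}
$tier0Dns = $tier0Dns | Sort-Object -Unique
Get-ADUser -Filter 'ServicePrincipalName -like "*"' -Properties ServicePrincipalName, PasswordLastSet |
    Where-Object { $_.Enabled -and $tier0Dns -contains $_.DistinguishedName } |
    Select-Object SamAccountName, PasswordLastSet,
        @{ n = 'SPNs'; e = { $_.ServicePrincipalName -join ';' } } |
    Format-Table -AutoSize

# Finding 4 (unconstrained delegation): any non-DC computer trusted for
# delegation receives forwarded TGTs from accounts that authenticate to it.
# DCs are excluded because the flag is set on them by design.
Get-ADComputer -Filter { TrustedForDelegation -eq $true } -Properties OperatingSystem |
    Where-Object { $_.DistinguishedName -notlike '*,OU=Domain Controllers,*' } |
    Select-Object Name, OperatingSystem | Format-Table -AutoSize
```

Any row in the second or third table is an open finding; an empty table plus a post-November-2021 build on every DC is the state the retest in Phase 05 was confirming.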

Outcome

What changed for the client.

All three DCs patched + tier-0 hygiene fixed in 14 days

KB5008380 rollups deployed within fourteen days; the tier-0 service account moved to a managed-service-account model with a 240-character random password. Kerberoasting risk on tier-0 closed.

Citrix VDI lockdown rebuilt

WSL + COM-hijack escape paths blocked at the GPO layer; AppLocker policy moved from Audit to Enforce on three VDI images; baseline retested in a follow-up engagement four weeks later.

Quarterly internal pentest cadence adopted

The client moved to a quarterly assumed-breach internal pentest cadence — with each engagement starting from a different Citrix VDI persona to surface privilege drift early.

We assumed our parent-group hardening covered us. Macksofy proved otherwise — in four hours, on our own VDI, with our SOC watching. We rebuilt our tier-0 model and our VDI lockdowns the next sprint.
Regional CISO · BFSI Multinational (India)