The Admin you forgot about

We all know the classic RID 500 administrator account, the one that can use NTLM authentication even with “Protected Users” membership and is your go-to during delegation attacks. But there’s a kink in this lateral-movement free-for-all: the Domain Controller doesn’t actually work that way. The Domain Controller differs from other computers in that the default local Administrator that exists on other systems by default is not enabled. On the Domain Controller, the default local Administrator instead plays a specific role that it doesn’t play on other systems: it’s used exclusively for disaster recovery. ...

July 13, 2025