Diving into Pre-Created Computer Accounts

This post demonstrates a post-exploitation/privilege-escalation technique in Active Directory: enumerating pre-created (PASSWD_NOTREQD) computer accounts (UserAccountControl=4128), leveraging the predictable password behavior of pre-Windows-2000 accounts (computername in lowercase or blank), changing the account password via Kerberos or RPC, and abusing a vulnerable certificate template to gain further access. The author also describes tooling (Impacket scripts, kpasswd), practical detection gaps (BloodHound/SharpHound not graphing certain AllExtendedRights delegations), and cautions about resetting live computer account passwords.