Abusing S4U2Self for Active Directory Pivoting
ID: cfe83e8d-00c9-5cfc-a099-8898a6a4a021
STIX ID: report--cfe83e8d-00c9-5cfc-a099-8898a6a4a021
Feed Name: Black Hills Infosec Blog
This blog post demonstrates how an attacker who has obtained a machine account's NTLM hash can abuse Kerberos S4U2Self to impersonate domain users on that machine, create or re-enable local administrator accounts, and then leverage SeImpersonatePrivilege to escalate to domain compromise. It provides step-by-step proof-of-concept commands, discusses limitations (rotating machine account passwords, Remote UAC, and the requirement for active domain sessions), and offers mitigation context.
