
I am a newbie in terms of OS security and I started learning from Windows; in particular, I downloaded a Win10 virtual machine and I am simulating various attack / defense scenarios on it.

I would like to understand if, knowing the Windows credentials of a non-RID 500 local administrator (the RID is disabled by default in Windows 10), it is possible for an attacker to access the machine remotely (let's assume on the same network).

From what I understand so far, this is relatively easy in a Domain environment, while in a network of connected workstations with default settings, the security policies adopted by Windows 10 (build 1809) seem to make remote access impossible.

This article brilliantly explains why: https://www.harmj0y.net/blog/redteaming/pass-the-hash-is-dead-long-live-localaccounttokenfilterpolicy/.

Also, all the options listed here do not work after the 1809 version: https://dolosgroup.io/blog/remote-access-cheat-sheet.

Am I missing one or more protocols that would allow remote access with credentials after Win 1809?

Thanks!
