What starting position does this attack require?

The first step is Authenticate as a revealed user (T1078) — a initial access primitive. Assumed environment: RODC is deployed at a branch site with weaker physical/network controls.

What is the final impact of this kill-chain?

The final step lands on Enumerate revealed accounts (AD-RODC-MEMBERS), which falls under Discovery. From here, an operator typically pivots into post-exploitation or maintains persistence.

How can defenders detect or prevent this attack?

Detection and prevention vary per step. Refer to each linked MITRE ATT&CK entry under "References" — every technique on that page lists defensive controls, detection telemetry, and known threat-actor usage.

← RegistryDossier · 6 steps · 5 edges

Approved

RODC compromise → cracked NT hashes of revealed accounts

A Read-Only Domain Controller stores password material only for principals on its msDS-RevealedList. Compromising the RODC + cracking those hashes gives you the corresponding users.

Filed by AD Knowledge BasePublished 2026-05-26

§ Kill-chainDrag · zoom · scroll

Initial Access

Authenticate as a revealed user

T1078 · Valid Accounts

Credential Access

Offline crack of revealed account hashes

T1110 · Brute Force

Discovery

BloodHound for path to DA

AD-BLOODHOUND · BloodHound / SharpHound Enumeration

Credential Access

Extract local NTDS (just-the-revealed scope)

T1003.003 · NTDS

Privilege Escalation

Compromise RODC (local admin / physical)

AD-RODC · RODC Compromise

Discovery

Enumerate revealed accounts

AD-RODC-MEMBERS · RODC Revealed Accounts Enumeration

LDAP query: msDS-RevealedList on the RODC computer object.

§ Context

Assumed environment: RODC is deployed at a branch site with weaker physical/network controls. The msDS-RevealedDSAs and msDS-RevealedList attributes name the cached principals.

§ Steps

01
Authenticate as a revealed userInitial Access
T1078— Valid Accounts
02
Offline crack of revealed account hashesCredential Access
T1110— Brute Force
03
BloodHound for path to DADiscovery
AD-BLOODHOUND— BloodHound / SharpHound Enumeration
04
Extract local NTDS (just-the-revealed scope)Credential Access
T1003.003— NTDS
05
Compromise RODC (local admin / physical)Privilege Escalation
AD-RODC— RODC Compromise
06
Enumerate revealed accountsDiscovery
AD-RODC-MEMBERS— RODC Revealed Accounts Enumeration
LDAP query: msDS-RevealedList on the RODC computer object.

§ References

T1078Valid Accounts
T1110Brute Force
T1003.003NTDS

§ Frequently asked

What is the "RODC compromise → cracked NT hashes of revealed accounts" attack path?: A Read-Only Domain Controller stores password material only for principals on its msDS-RevealedList. Compromising the RODC + cracking those hashes gives you the corresponding users. It chains 6 steps drawn from real-world offensive-security techniques.
What starting position does this attack require?: The first step is Authenticate as a revealed user (T1078) — a initial access primitive. Assumed environment: RODC is deployed at a branch site with weaker physical/network controls.
What is the final impact of this kill-chain?: The final step lands on Enumerate revealed accounts (AD-RODC-MEMBERS), which falls under Discovery. From here, an operator typically pivots into post-exploitation or maintains persistence.
How can defenders detect or prevent this attack?: Detection and prevention vary per step. Refer to each linked MITRE ATT&CK entry under "References" — every technique on that page lists defensive controls, detection telemetry, and known threat-actor usage.

RODC compromise → cracked NT hashes of revealed accounts

§ Context

§ Steps

§ References

§ Frequently asked

§ Related dossiers

Dev workstation → cloud backup keys → encrypted vault store (LastPass 2022)

Leaked legacy VPN credential → ransomware (Colonial-class)

Citrix Bleed → steal authenticated session → MFA bypass

PMKID attack → offline crack with no client interaction

WPA2-PSK handshake capture + crack → LAN access

Rogue DHCP → DNS poisoning → MITM