Authentication reflection was long considered a solved problem after MS08-068 closed the classic NTLM loopback path. However, in 2025 multiple independent discoveries, including mine, demonstrated that Windows still contains several reliable ways to coerce a machine into authenticating to its own services.
This talk presents the modern landscape of Windows authentication reflection and shows how recent implementation behaviors, protocol inconsistencies, and overlooked coercion paths have reintroduced privilege-escalation vectors that were believed dead for more than a decade. The research covers Kerberos reflection via SPN manipulation, Ghost SPN exploitation, NTLM local-auth quirks, and also cases where a single reflected authentication was enough to compromise the Active Directory domain.
The goal is to make the topic accessible even for attendees who are not deep experts in Windows internals, while still providing enough technical depth for protocol researchers and red team professionals. The talk explains why reflection keeps surviving across patch cycles, why existing mitigations sometimes fail, and what defenders need to do to harden their environments.
I will also disclose a new reflection attack discovered by me in July 2025, which Microsoft has internally confirmed and marked critical. The fix is currently planned for January 2026.
