Background
Read-only Domain Controllers (RODCs) are sometimes configured to allow password caching.
They are also sometimes managed by non-admin users, who might be easy to compromise.
If you manage to compromise the RODC administrator, you can dump the cached credentials from the RODC.
How to check for
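One way to audit the two conditions described in the background (who manages each RODC, and which passwords it may cache or has already cached). This is an added example, not part of the original page; it assumes the RSAT ActiveDirectory module and read access to the domain, and the `$privilegedNames` list is an illustrative assumption to adapt.

```powershell
#Requires -Modules ActiveDirectory
# Added audit example (not from the original page). Read-only: it changes nothing.
# Assumption: run from a domain-joined host with RSAT and read access to the domain.

# Names treated as privileged when they appear in the allowed list (assumed list; extend it).
$privilegedNames = 'Domain Admins', 'Enterprise Admins', 'Schema Admins', 'Administrators',
                   'Account Operators', 'Backup Operators', 'Server Operators'

foreach ($rodc in Get-ADDomainController -Filter 'IsReadOnly -eq $true') {
    # The delegated RODC administrator is stored in managedBy on the RODC computer object.
    $computer = Get-ADComputer -Identity $rodc.ComputerObjectDN -Properties ManagedBy
    $manager  = if ($computer.ManagedBy) { Get-ADObject -Identity $computer.ManagedBy } else { $null }

    # Principals whose passwords this RODC is allowed to cache.
    $allowed  = @(Get-ADDomainControllerPasswordReplicationPolicy -Identity $rodc.Name -Allowed)

    # Accounts whose passwords are cached on this RODC right now. The RODC's own
    # computer account and its dedicated krbtgt account are expected entries.
    $revealed = @(Get-ADDomainControllerPasswordReplicationPolicyUsage -Identity $rodc.Name -RevealedAccounts)

    # Cached accounts that are (or were) members of protected groups: adminCount = 1.
    $cachedPrivileged = @($revealed | Get-ADObject -Properties adminCount |
                          Where-Object { $_.adminCount -eq 1 })

    [pscustomobject]@{
        RODC              = $rodc.HostName
        ManagedBy         = if ($manager) { "$($manager.Name) ($($manager.ObjectClass))" } else { '<not set>' }
        AllowedToCache    = $allowed.SamAccountName -join ', '
        PrivilegedAllowed = ($allowed | Where-Object { $_.Name -in $privilegedNames }).Name -join ', '
        CachedAccounts    = $revealed.Count
        PrivilegedCached  = $cachedPrivileged.Name -join ', '
    }
}
```

Review any row where `ManagedBy` is a standard user or broad group, or where `PrivilegedAllowed` or `PrivilegedCached` is not empty.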
How to exploit
Recommendation
References
https://adsecurity.org/?p=3592