Emoji usage in your domain

This morning, recrudesce mentioned that it might be possible to name a file with an emoji character. Since then, we’ve all had a bit of fun and taken off with the idea. Below are some of the use cases for how you could utilize emoji in your environment.

Files

Files can be named using emoji. This was the first discovery, and the quickest.

User Accounts

Recrudesce then tried a local account, and posted their success as well.

https://twitter.com/recrudesce/status/928655243595874306

The lunacy had to be bridged to other people to find out if this worked within a domain. Since I had a test lab domain up and running, I decided to give it a shot.

Domain Admin!

Passwords

The account in question was also configured with complexity requirements for the password, so of course we had to try that out. The account requirements for the BMULLEY\🍌 account were the standard Windows policy. Naturally, I had to attempt including some 🍌 in my password.

The interesting piece of all of this was that the 🍌 emoji didn’t appear to count toward any complexity requirements. “🍌banana1” was not a valid password, even though it contained an emoji, lowercase letters, and a number. Similar results for “🍌Banana”. Interestingly, when a 🍌 is pasted into a password field, TWO dots show up. I’m uncertain of the implication of that at this time. The banana does appear to count toward length requirements though, as “🍌🍌🍌🍌🍌!Aa” is a perfectly valid password according to my current AD policies.
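The results above can be reproduced offline with a small model of the documented "Password must meet complexity requirements" categories; this is an added example, not code from the original post or from Windows. It assumes a minimum length of 7, that length is counted in UTF-16 code units (which would match the two dots per 🍌), and it approximates "uppercase" and "lowercase" with the Unicode categories Lu and Ll; the function names are hypothetical.

```python
import unicodedata

# Special characters listed in Microsoft's documentation for the
# "Password must meet complexity requirements" setting.
SPECIALS = set("~!@#$%^&*_-+=`|\\(){}[]:;\"'<>,.?/")

def utf16_units(text):
    """Count UTF-16 code units; characters outside the BMP take two."""
    return len(text.encode("utf-16-le")) // 2

def categories(password):
    """Return the complexity categories a password draws from."""
    found = set()
    for ch in password:
        cat = unicodedata.category(ch)
        if ch in "0123456789":
            found.add("digit")
        elif ch in SPECIALS:
            found.add("special")
        elif cat == "Lu":
            found.add("upper")   # approximation of "uppercase letters"
        elif cat == "Ll":
            found.add("lower")   # approximation of "lowercase letters"
        elif cat.startswith("L"):
            found.add("other_alpha")  # alphabetic, neither upper nor lower
        # Anything else (emoji are category "So") earns no category.
    return found

def meets_policy(password, min_length=7, required=3):
    """min_length=7 and length in code units are assumptions (see lead-in).
    The rule about not containing the account name is not modelled."""
    return (utf16_units(password) >= min_length
            and len(categories(password)) >= required)

# The three passwords tried in the post.
SAMPLES = ["🍌banana1", "🍌Banana", "🍌🍌🍌🍌🍌!Aa"]

if __name__ == "__main__":
    for pw in SAMPLES:
        print(pw, utf16_units(pw), sorted(categories(pw)), meets_policy(pw))
```

Under this model the first two passwords reach only two categories each, while the third reaches three without any help from the emoji.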

The largest challenge of utilizing emoji in your password is how to input the character without utilizing copy and paste. If anyone can give me specific instructions on how to input a banana using an alt code or anything (specific to Windows 10) then hit up the comments.

Bloodhound

Since the topic came up in the context of the tool Bloodhound, of course I needed to attempt this. Since I already had a domain administrator, all I needed to do was run the ingestor and see what it threw in the Bloodhound UI.

Success! Now the only challenge is where do we go from here? Filenames, service names, account names, “uncrackable” passwords, it’s even been suggested to name the entire domain something with an emoji in it.