Kerberos Delegation Abuse
Kerberos delegation lets servers impersonate users to access other services — attackers exploit misconfigurations to impersonate anyone, including Domain Admins.
Sometimes a server needs to access another resource on behalf of a user. For example, when you open a web application, the web server might need to query a database using your identity to get your personal data. Kerberos delegation allows this — the web server "delegates" your credentials to the database. There are three types: Unconstrained (the server can go anywhere as you), Constrained (the server can only go to specific services), and Resource-Based Constrained Delegation (the target service decides who can delegate to it). Attackers look for servers with delegation enabled because compromising one of these servers can give them the ability to impersonate any user, including Domain Admins.
Kerberos delegation is like giving a lawyer power of attorney — they can act on your behalf for specific legal matters. Unconstrained delegation is like giving someone UNLIMITED power of attorney: they can do anything in your name, sell your house, empty your bank account, sign contracts. Constrained delegation limits it to specific actions. But if someone steals or forges the power of attorney document, they gain all that authority. In AD, a misconfigured delegation setting gives an attacker the ability to become any user in the domain.
Key Takeaways
- Unconstrained delegation stores full user TGTs — compromising the server gives you every user who connects.
- Constrained delegation with protocol transition lets attackers impersonate ANY user to specific services.
- RBCD is the most commonly abused because it only requires write access to a computer object.
- Shadow Credentials attack abuses msDS-KeyCredentialLink — write access to this attribute enables PKINIT authentication as the target, an increasingly popular RBCD alternative.
- The Printer Bug and PetitPotam can coerce DCs to authenticate to delegation-enabled servers.
- Audit delegation settings regularly, starting with unconstrained delegation: Get-ADComputer -Filter {TrustedForDelegation -eq $true}.
Kerberos delegation abuse is a favorite path to Domain Admin. A single misconfigured server with unconstrained delegation can capture a Domain Controller's TGT, leading to full domain compromise.
Defense Recommendations
Eliminate unconstrained delegation, restrict constrained delegation, monitor RBCD changes, and protect high-value accounts.
1. Remove unconstrained delegation from all servers: Set-ADComputer -Identity <server> -TrustedForDelegation $false.
2. Mark sensitive accounts with the "Account is sensitive and cannot be delegated" flag, or add them to the Protected Users group.
3. Use constrained delegation with specific SPNs instead of unconstrained delegation wherever delegation is needed.
4. Monitor changes to msDS-AllowedToActOnBehalfOfOtherIdentity (Event ID 5136; requires Directory Service Changes auditing and a SACL on the object).
5. Monitor changes to msDS-KeyCredentialLink (Event ID 5136) to detect Shadow Credentials attacks.
6. Set MachineAccountQuota to 0 to prevent standard users from creating computer accounts.
7. Monitor for Printer Bug / PetitPotam coercion: unusual SMB/RPC connections from DCs to workstations.
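A fuller audit than the one-liner in the takeaways, covering every delegation type and defensive setting this page lists, as an added example that is not part of the original page. It assumes the RSAT ActiveDirectory module is installed and the caller can read the domain; the group, attribute and userAccountControl names are the standard AD ones.

```powershell
# Added audit script, not from the original page. Assumes the RSAT ActiveDirectory
# module and read access to the domain; run from a domain-joined admin workstation.
Import-Module ActiveDirectory

function Get-DelegationAudit {
    $domainDN = (Get-ADDomain).DistinguishedName
    # LDAP bitwise-AND matching rule; userAccountControl bits:
    # 0x80000 (524288) TRUSTED_FOR_DELEGATION, 0x1000000 (16777216) TRUSTED_TO_AUTH_FOR_DELEGATION
    $bitAnd = '1.2.840.113556.1.4.803'

    [PSCustomObject]@{
        # Unconstrained delegation on anything that is not a domain controller (primaryGroupID 516)
        Unconstrained = Get-ADObject -LDAPFilter "(&(userAccountControl:$bitAnd:=524288)(!(primaryGroupID=516)))" |
            Select-Object -ExpandProperty Name

        # Constrained delegation WITH protocol transition: the account can obtain service
        # tickets for any user to its msDS-AllowedToDelegateTo targets without that user signing in
        ProtocolTransition = Get-ADObject -LDAPFilter "(&(msDS-AllowedToDelegateTo=*)(userAccountControl:$bitAnd:=16777216))" `
            -Properties msDS-AllowedToDelegateTo |
            Select-Object Name, @{n='Targets'; e={ $_.'msDS-AllowedToDelegateTo' -join ';' }}

        # RBCD: computers whose msDS-AllowedToActOnBehalfOfOtherIdentity is populated,
        # decoded by the AD module into the principals allowed to delegate to them
        RBCD = Get-ADComputer -LDAPFilter '(msDS-AllowedToActOnBehalfOfOtherIdentity=*)' `
            -Properties PrincipalsAllowedToDelegateToAccount |
            Select-Object Name, @{n='AllowedPrincipals'; e={ $_.PrincipalsAllowedToDelegateToAccount -join ';' }}

        # Shadow Credentials surface: objects with msDS-KeyCredentialLink set. Windows Hello for
        # Business and Azure AD-joined devices populate this legitimately, so review rather than alert blindly.
        KeyCredentialLink = Get-ADObject -LDAPFilter '(msDS-KeyCredentialLink=*)' |
            Select-Object -ExpandProperty Name

        # Domain Admins that can still be delegated: neither the "sensitive" flag nor Protected Users
        DelegatableAdmins = Get-ADGroupMember -Identity 'Domain Admins' -Recursive |
            Where-Object objectClass -eq 'user' |
            Get-ADUser -Properties AccountNotDelegated, MemberOf |
            Where-Object { -not $_.AccountNotDelegated -and
                           -not ($_.MemberOf -match '^CN=Protected Users,') } |
            Select-Object -ExpandProperty SamAccountName

        # Should be 0 so ordinary users cannot create the computer accounts RBCD abuse relies on
        MachineAccountQuota = (Get-ADObject -Identity $domainDN -Properties 'ms-DS-MachineAccountQuota').'ms-DS-MachineAccountQuota'
    }
}

Get-DelegationAudit | Format-List
```

Every non-empty list in the output maps to one of the defense recommendations above; the MachineAccountQuota value and the DelegatableAdmins list are the two quickest wins.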