
Unconstrained Delegation Abuse

Capturing TGTs from Trusted Servers

Compromise a server trusted for delegation, capture Domain Controller TGTs using the Printer Bug, and escalate to full domain compromise.

Advanced | ~6 min | T1558

Prerequisites:
- Compromised server with unconstrained delegation (TRUSTED_FOR_DELEGATION)
- Local admin on the delegation server
- SpoolSample.exe or PetitPotam for authentication coercion
- Rubeus or Mimikatz for TGT extraction
1. Find Servers with Unconstrained Delegation

Unconstrained Delegation Abuse — Step 1/4

Step 1: Find Delegation Targets

We query AD for all computers with the TRUSTED_FOR_DELEGATION flag. DCs always have unconstrained delegation by default — that is expected and necessary. The danger is when non-DC servers have it.

We are looking for servers that have been given unlimited power of attorney. DCs need this power, but WEB01 having it is like giving the front desk receptionist the authority to sign contracts on behalf of the CEO.
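The same check from an auditor's side, as an added example that is not part of the original page: it decodes userAccountControl and separates DCs (expected) from non-DC servers that need review. The function name Get-DelegationFinding, the host FILE01 and the sample account values are constructed for illustration; DC01 and WEB01 are the hosts named on this page.

```powershell
# Added audit example; the sample records below are constructed.
# userAccountControl bits, as documented by Microsoft:
$UAC_SERVER_TRUST      = 0x2000    # SERVER_TRUST_ACCOUNT: domain controller
$UAC_TRUSTED_FOR_DELEG = 0x80000   # TRUSTED_FOR_DELEGATION: unconstrained delegation

# The same test as an LDAP filter (bitwise-AND matching rule):
# delegation bit set (524288) and DC bit (8192) not set.
$LdapFilter = '(&(objectCategory=computer)' +
              '(userAccountControl:1.2.840.113556.1.4.803:=524288)' +
              '(!(userAccountControl:1.2.840.113556.1.4.803:=8192)))'

function Get-DelegationFinding {
    param(
        [Parameter(Mandatory, ValueFromPipeline)]
        [psobject]$Computer
    )
    process {
        $uac = [int]$Computer.userAccountControl
        # Accounts without the delegation bit are not reported.
        if (($uac -band $UAC_TRUSTED_FOR_DELEG) -eq 0) { return }
        $isDc = ($uac -band $UAC_SERVER_TRUST) -ne 0
        [pscustomobject]@{
            Name     = $Computer.Name
            IsDC     = $isDc
            Severity = if ($isDc) { 'Expected' } else { 'Review' }
            Note     = if ($isDc) { 'DC default' }
                       else { 'Non-DC trusted for unconstrained delegation' }
        }
    }
}

# Constructed sample of exported computer accounts.
$sample = @(
    [pscustomobject]@{ Name = 'DC01';   userAccountControl = 532480 }  # 0x80000 + 0x2000
    [pscustomobject]@{ Name = 'WEB01';  userAccountControl = 528384 }  # 0x80000 + 0x1000
    [pscustomobject]@{ Name = 'FILE01'; userAccountControl = 4096 }    # 0x1000 only
)

$sample | Get-DelegationFinding | Format-Table -AutoSize

# Against a live domain (needs the ActiveDirectory module and read access):
# Get-ADComputer -LDAPFilter $LdapFilter -Properties userAccountControl |
#     Get-DelegationFinding
```

Every row marked Review is a candidate for removing the flag or moving the service to constrained delegation.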

[Figure: Attack Flow, stage "Find delegation servers". Participants: Attacker (WEB01), WEB01 (Deleg), DC01. Legend: Request, Response, Attack, Data.]

Content sourced from Microsoft Documentation, MITRE ATT&CK Framework, NIST SP 800-63/171, adsecurity.org (Sean Metcalf), SpecterOps research, and SANS Reading Room. For educational purposes only.