Unconstrained Delegation
Host with unconstrained delegation stores TGTs of connecting users. Compromise host → steal TGTs.Find
Exploit
Printer Bug (Coerce DC)
Force DC to auth to unconstrained delegation host:Constrained Delegation
Account can impersonate users to specific services only.Find
Exploit — Rubeus
Exploit — Impacket
With Hash
Resource-Based Constrained Delegation (RBCD)
WritemsDS-AllowedToActOnBehalfOfOtherIdentity on target machine. Need: write access to target computer object + ability to create machine account.
Check MAQ (Machine Account Quota)
Create Machine Account
Set Delegation
Get Ticket
Quick Reference
| Type | Find | Exploit |
|---|---|---|
| Unconstrained | TrustedForDelegation | Steal TGTs from memory |
| Constrained | msDS-AllowedToDelegateTo | S4U2Self + S4U2Proxy |
| RBCD | Write to computer object | Create machine + rbcd + getST |