Unconstrained Delegation
Last updated
Last updated
Unconstrained delegation the key distribution center (KDC) places a copy of the users TGT inside the service ticket (TGS). When the TGS is provided to the server for service access, the server opens the TGS and places the user’s TGT into memory for further use. This means that the server can now impersonate the user without any restrictions.
After compromising a server with unconstrained delegation enabled, an attacker can extract any and all TGTs from memory to impersonate them against services in the domain. This means that if we identify a Domain Administrators TGT in memory,
Domain Controllers always have unconstrained delegation enabled by default.
Using Rubeus
monitor command is a good way to identify any new TGTs on a compromised server.