Unconstrained delegation the key distribution center (KDC) places a copy of the users TGT inside the service ticket (TGS). When the TGS is provided to the server for service access, the server opens the TGS and places the user’s TGT into memory for further use. This means that the server can now impersonate the user without any restrictions.
# Locate Unconstrained Delegation in BloodHound
MATCH (c:Computer {unconstraineddelegation:true}) RETURN cAfter compromising a server with unconstrained delegation enabled, an attacker can extract any and all TGTs from memory to impersonate them against services in the domain. This means that if we identify a Domain Administrators TGT in memory,
- Domain Controllers always have unconstrained delegation enabled by default.
- Using
Rubeusmonitor command is a good way to identify any new TGTs on a compromised server.
{% embed url="https://adsecurity.org/?p=1667" %}
{% embed url="https://www.ired.team/offensive-security-experiments/active-directory-kerberos-abuse/domain-compromise-via-unrestricted-kerberos-delegation" %}
{% embed url="https://posts.specterops.io/hunting-in-active-directory-unconstrained-delegation-forests-trusts-71f2b33688e1" %}