# Types of Delegation

## Recon

### findDelegation.py (Impacket)

```bash
findDelegation.py -target-domain <DOMAIN> '<DOMAIN>/<USER>:<PASSWORD>'
```

### Active Directory PowerShell Module

| PROPERTY | DELEGATION TYPE |
|---|---|
| TrustedForDelegation | KUD |
| TrustedToAuthForDelegation | KCD with Protocol Transition |
| msDS-AllowedToDelegateTo | KCD |
| PrincipalsAllowedToDelegateToAccount | RBCD |

```powershell
Get-ADComputer "Account" -Properties TrustedForDelegation, TrustedToAuthForDelegation, msDS-AllowedToDelegateTo, PrincipalsAllowedToDelegateToAccount
```

### PowerView

KCD

- User Accounts

  ```powershell
  Get-DomainUser -TrustedToAuth
  ```

- Computer Accounts

  ```powershell
  Get-DomainComputer -TrustedToAuth
  ```

RBCD

- User Accounts

  ```powershell
  Get-DomainUser | Where-Object {$_.'msDS-AllowedToActOnBehalfOfOtherIdentity' -ne $null}
  ```

- Computer Accounts

  ```powershell
  Get-DomainComputer | Where-Object {$_.'msDS-AllowedToActOnBehalfOfOtherIdentity' -ne $null}
  ```

### BloodHound

KUD

```cypher
MATCH (c {unconstraineddelegation:true}) return c
```

KCD with Protocol Transition

```cypher
MATCH (c) WHERE NOT c.allowedtodelegate IS NULL AND c.trustedtoauth=true return c
```

KCD w/o Protocol Transition (Kerberos Only)

```cypher
MATCH (c) WHERE NOT c.allowedtodelegate IS NULL AND c.trustedtoauth=false return c
```

RBCD

```cypher
MATCH p=(u)-[:AllowedToAct]->(c) RETURN p
```

See also the BloodHound Cypher Cheatsheet; filter by the "Delegation" term.
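The property table above maps raw account attributes to a delegation type. The following is an added example (not code from this cheat sheet, Impacket, PowerView or BloodHound) that applies that mapping to LDAP-style records for an audit: the AD module's TrustedForDelegation and TrustedToAuthForDelegation booleans are derived from the documented userAccountControl bits used here, and it flags unconstrained delegation on anything that is not a domain controller, which is the finding a defender usually wants first. Account names, SPNs and the security-descriptor bytes in the sample records are constructed.

```python
# Added example: classify AD accounts by Kerberos delegation type from raw
# LDAP attributes (the same signals behind the AD module properties above).
# Sample records are constructed; hostnames and SPNs are illustrative only.

# Documented userAccountControl bits behind the AD module properties
TRUSTED_FOR_DELEGATION = 0x00080000          # TrustedForDelegation -> KUD
TRUSTED_TO_AUTH_FOR_DELEGATION = 0x01000000  # TrustedToAuthForDelegation
DC_PRIMARY_GROUPS = {516, 521}               # Domain Controllers, RODCs (RIDs)

def classify_delegation(acct: dict) -> list:
    """Return the delegation types configured on one account."""
    uac = int(acct.get("userAccountControl", 0))
    kinds = []
    if uac & TRUSTED_FOR_DELEGATION:
        kinds.append("KUD")
    if acct.get("msDS-AllowedToDelegateTo"):      # list of target SPNs
        if uac & TRUSTED_TO_AUTH_FOR_DELEGATION:
            kinds.append("KCD with Protocol Transition")
        else:
            kinds.append("KCD (Kerberos only)")
    # RBCD is set on the *target* account as a security descriptor blob
    if acct.get("msDS-AllowedToActOnBehalfOfOtherIdentity"):
        kinds.append("RBCD")
    return kinds

def audit(accounts: list) -> dict:
    """Map sAMAccountName -> delegation types, for accounts that have any."""
    return {a["sAMAccountName"]: k for a in accounts if (k := classify_delegation(a))}

def unconstrained_non_dc(accounts: list) -> list:
    """KUD on a non-DC account: the configuration an audit should escalate."""
    return [a["sAMAccountName"] for a in accounts
            if "KUD" in classify_delegation(a)
            and int(a.get("primaryGroupID", 0)) not in DC_PRIMARY_GROUPS]

# Constructed sample LDAP records (not real hosts)
SAMPLE_ACCOUNTS = [
    {"sAMAccountName": "DC01$", "userAccountControl": 0x82000, "primaryGroupID": 516},
    {"sAMAccountName": "WEB01$", "userAccountControl": 0x1001000, "primaryGroupID": 515,
     "msDS-AllowedToDelegateTo": ["cifs/file01.example.local"]},
    {"sAMAccountName": "svc_sql", "userAccountControl": 0x10200, "primaryGroupID": 513,
     "msDS-AllowedToDelegateTo": ["http/app01.example.local"]},
    {"sAMAccountName": "FILE01$", "userAccountControl": 0x1000, "primaryGroupID": 515,
     "msDS-AllowedToActOnBehalfOfOtherIdentity": b"\x01\x00\x04\x80"},  # truncated SD
    {"sAMAccountName": "WS02$", "userAccountControl": 0x81000, "primaryGroupID": 515},
    {"sAMAccountName": "WS03$", "userAccountControl": 0x1000, "primaryGroupID": 515},
]

if __name__ == "__main__":
    for name, kinds in audit(SAMPLE_ACCOUNTS).items():
        print(f"{name:10} {', '.join(kinds)}")
    print("KUD outside domain controllers:", unconstrained_non_dc(SAMPLE_ACCOUNTS))
```

Feed it the output of an LDAP search that returns userAccountControl, primaryGroupID and the two msDS-* attributes, and the report mirrors what the PowerView and BloodHound queries above surface.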
## Type of Services

Relevant when modifying the SNAME field of a Service Ticket: the SPN class determines which service the ticket is accepted for.

| SERVICE TYPE | ST's SNAME |
|---|---|
| WMI | HOST, RPCSS |
| MS-PSRP | HOST, HTTP (depending on the OS: WSMAN, RPCSS) |
| WinRM | HOST, HTTP, WINRM |
| Scheduled Tasks | HOST |
| Windows File Share or PSEXEC | CIFS |
| LDAP Operations, including DCSync | LDAP |
| Windows Remote Server Administration Tools | RPCSS, LDAP, CIFS |
| Golden Tickets | KRBTGT |