Full Report
The abuse of constrained delegation configuration, whereby a compromised domain user or computer account configured with constrained delegation can be leveraged to impersonate domain users to preconfigured trusted services, is a common attack path in Active Directory. For each trusted service, a distinct service ticket is used that explicitly corresponds to the service type for which it was requested. For example, to access Windows file shares, a CIFS ticket is required, whereas to use the WinRM protocol an HTTP service ticket is required instead. Compromise of such service tickets aids in lateral movement and further compromise.
Analysis Summary
# Tool/Technique: Abuse of Constrained Delegation for Lateral Movement
## Overview
This entry details the attack technique of abusing Active Directory's Constrained Delegation configuration. An adversary leverages a compromised domain user or computer account configured with constrained delegation to impersonate domain users to preconfigured trusted services. The core technique involves manipulating the Service Principal Name (SPN) registration or the service ticket type to enable lateral movement to services beyond the initially configured targets, such as accessing CIFS file shares or utilizing the WinRM protocol, even when the initial configuration might restrict the ticket type (e.g., only allowing `eventlog` tickets). Compromised service tickets obtained through this process are then used for lateral movement.
## Technical Details
- Type: Technique
- Platform: Microsoft Active Directory Environment (Windows Servers and Domain Controllers)
- Capabilities: Impersonation of domain users (including privileged users) to trusted services using forged or manipulated Kerberos Service Tickets. Enables lateral movement via protocols like CIFS, WinRM, and WMI.
- First Seen: Delegation is inherent to Active Directory (it was introduced to solve the double-hop problem). Abuse of constrained delegation is a long-standing attack vector.
## MITRE ATT&CK Mapping
- TA0008 - Lateral Movement
- T1558 - Steal or Forge Kerberos Tickets
- T1558.003 - Kerberoasting (Related, as understanding tickets is key)
- TA0006 - Credential Access
- T1558 - Steal or Forge Kerberos Tickets (Focus on the outcome of the manipulation)
## Functionality
### Core Capabilities
* **Credential Delegation Abuse:** Exploiting legitimate delegation configurations (specifically Constrained Delegation) to impersonate users to services the originating account is trusted for.
* **Service Ticket Manipulation:** Modifying the service ticket type requested during the Service for User (S4U) process (e.g., using the `/altservice` parameter in tools) to obtain tickets for services other than the one explicitly configured (e.g., requesting `HOST` or `RPCSS` tickets when only `eventlog` was configured).
* **Lateral Movement:** Injecting the obtained tickets into the current logon session (`/ptt`) and using them to authenticate to remote target systems over protocols like WMI.
### Advanced Features
* **Overcoming Default Restrictions:** Bypassing limitations where a delegated account is only allowed to present credentials to a specific service type (e.g., `eventlog`) by forcing the request for tickets relevant to lateral movement (e.g., `host` for SMB/File Shares or `rpcss` for WMI/RPC).
* **Execution via WMI:** Utilizing the obtained tickets to invoke remote methods (`Invoke-WmiMethod`) on target systems, leading to command execution and staging of secondary payloads like Cobalt Strike beacons.
## Indicators of Compromise
* File Hashes: N/A (Relates to tool execution, not malware drop)
* File Names: N/A (Relates to tool execution, not malware drop)
* Registry Keys: N/A
* Network Indicators: The technique relies on ordinary, successful Kerberos traffic to the Domain Controller (AS-REQ, TGS-REQ, TGS-REP) in which tickets are requested for SPNs that are unexpected for the requesting account.
* Behavioral Indicators:
  * Use of specific command-line arguments related to S4U and KDC interaction (e.g., requesting tickets using `/altservice:host` or `/altservice:rpcss` from a constrained delegation account).
  * Existence of TGS tickets in memory for service classes (such as CIFS, HOST, or RPCSS) that do not align with the known delegation configuration of the compromised host account.
  * Subsequent execution of remote commands via protocols like WMI (`Invoke-WmiMethod`).
## Associated Threat Actors
This is a generalized attack path, widely documented and used by many threat actors specializing in Active Directory exploitation, including those focused on persistence and lateral movement within enterprise networks. Specific groups are not explicitly named in the provided context, but this technique is common among sophisticated adversaries.
## Detection Methods
* **Signature-based detection:** Monitoring for the network traffic patterns related to S4U extensions being used, or specific sequences of Kerberos requests that indicate ticket manipulation.
* **Behavioral detection:** Monitoring for accounts configured for constrained delegation making TGS requests for unexpected SPNs (e.g., `HOST` or `RPCSS`) when their configuration suggests otherwise. Detection of tool usage like Rubeus attempting S4U operations.
* **YARA rules if available:** Not specified in the text, but rules could target static signatures of tools known to perform this action.
## Mitigation Strategies
* **Configuration Hardening:** Strictly define permitted services for constrained delegation. Ensure that delegated accounts are *only* permitted to delegate credentials to services absolutely necessary for their function. Avoid delegating to services that directly facilitate easy lateral movement (like HOST/CIFS) unless strictly required.
* **Service Ticket Principle:** Review service configurations; if an account is only configured to delegate to `eventlog`, monitor for requests for other service types.
* **Principle of Least Privilege:** Limit the use of delegation, especially unconstrained delegation, which remains highly dangerous.
* **Monitoring:** Monitor Active Directory logs for excessive TGS requests or anomalies related to delegation usage.
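The behavioral check in Detection Methods and the Monitoring bullet above, as an added example that is not part of the original report: a Python routine that compares S4U2proxy ticket requests against an exported `msDS-AllowedToDelegateTo` configuration and flags service classes or hosts the account is not permitted to delegate to. It assumes the request records carry the full requested SPN and an S4U2proxy flag, as a network sensor can log them; the account names, hosts and records are constructed.

```python
import re

# Constructed: what msDS-AllowedToDelegateTo holds for each constrained-delegation
# account (service class / host), as a defender would export it from AD.
ALLOWED_TO_DELEGATE_TO = {
    "web01$": {"eventlog/fs01.corp.example"},
}

# Constructed, simplified TGS-REQ records: client account, requested SPN, and
# whether the request used S4U2proxy (carried a ticket for the impersonated user).
SAMPLE_TGS_REQUESTS = """\
client=web01$ spn=eventlog/fs01.corp.example s4u2proxy=yes
client=web01$ spn=host/fs01.corp.example s4u2proxy=yes
client=web01$ spn=rpcss/fs02.corp.example s4u2proxy=yes
client=web01$ spn=cifs/dc01.corp.example s4u2proxy=no
client=alice spn=cifs/fs01.corp.example s4u2proxy=no
client=sql02$ spn=cifs/fs01.corp.example s4u2proxy=yes
"""

LINE_RE = re.compile(r"client=(\S+) spn=(\S+) s4u2proxy=(yes|no)")


def parse_requests(text):
    """Return (client, spn, s4u2proxy) tuples; malformed lines are skipped.
    Names are lower-cased because AD SPN and account matching is case-insensitive."""
    out = []
    for line in text.splitlines():
        m = LINE_RE.fullmatch(line.strip())
        if m:
            out.append((m.group(1).lower(), m.group(2).lower(), m.group(3) == "yes"))
    return out


def find_unexpected_delegation(requests, allowed):
    """Flag S4U2proxy requests not covered by the requesting account's delegation list."""
    allowed = {k.lower(): {s.lower() for s in v} for k, v in allowed.items()}
    findings = []
    for client, spn, s4u2proxy in requests:
        if not s4u2proxy:
            continue  # ordinary TGS-REQ for the client's own use, not delegation
        permitted = allowed.get(client)
        if permitted is None:
            # Not in the exported constrained-delegation config; check whether the
            # target has resource-based delegation configured for this account.
            findings.append((client, spn, "s4u2proxy from account with no delegation configured"))
        elif spn not in permitted:
            svc, _, host = spn.partition("/")
            if any(p.partition("/")[2] == host for p in permitted):
                findings.append((client, spn, f"service class {svc} not permitted for {host}"))
            else:
                findings.append((client, spn, f"host {host} not in delegation list"))
    return findings
```

Because the server name in a Kerberos ticket sits outside the encrypted part, a client can rewrite the service class after the KDC has issued the ticket (the `/altservice` case), so the substituted class appears where the ticket is presented to the target service rather than in the TGS-REQ; correlate this check with authentication logs on the target hosts.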
## Related Tools/Techniques
* **Rubeus:** Explicitly used in the example to execute the S4U process, request tickets (`/ptt`), and target specific service types (`/altservice`).
* **Unconstrained Delegation:** The older and weaker form of delegation, in which the user's TGT is cached in memory on the service host after first-hop authentication.
* **Resource-Based Constrained Delegation:** The third, newer flavor of delegation.
* **WMI (Windows Management Instrumentation):** Used as the execution vector after obtaining the necessary service tickets.