AbuseTGTDelegation
The trust from the target node domain to the source node domain has TGT delegation enabled.
When a resource in the source node domain is configured with unconstrained delegation, principals from the target node domain will automatically forward their Ticket Granting Ticket (TGT) to that resource upon access.
Abuse Info
TGT delegation allows an attacker to capture TGTs of privileged users or computers in the target domain when they authenticate against a system configured with unconstrained delegation.
A common attack method involves the attacker logging into a DC of the source domain and coercing a DC of the target domain. Since DCs have unconstrained delegation enabled by default, this grants the attacker a TGT for a target domain DC, which can then be used to perform a DCSync attack on the target domain. This guide details that version of the attack.
Alternatively, attackers can target other privileged computers or users besides DCs.
The attack will fail if the target is a member of Protected Users or is marked as not trusted for delegation, as its TGT will not be sent to hosts with unconstrained delegation. You can identify all protected principals using the following Cypher query in BloodHound:
Attackers can also exploit non-DC hosts or users in the source domain with unconstrained delegation enabled. To find all non-DC principals with unconstrained delegation in BloodHound, run:
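The two conditions above (a trust that forwards TGTs inbound, and principals on either side that receive or withhold them) can be checked from raw directory attributes without BloodHound. The following is an added example written for this page, not BloodHound's own code or queries: it evaluates the trustAttributes flags on trust objects as seen from the target domain, and buckets principals by userAccountControl bits and Protected Users membership. The domain names, SIDs and account names are constructed, and the trust check assumes DCs that carry the 2019 "Updates to TGT delegation across incoming trusts" change listed under References.

```python
"""Exposure audit for TGT delegation abuse: which trusts forward TGTs inbound,
which principals would receive forwarded TGTs (unconstrained delegation, DC or
not), and which principals never forward theirs (Protected Users members, or
accounts marked as sensitive and cannot be delegated). Added example, not
BloodHound's own code; the records are constructed, not real directory data."""

# userAccountControl bits (standard Microsoft values)
UF_SERVER_TRUST_ACCOUNT = 0x2000        # set on domain controller computer accounts
UF_TRUSTED_FOR_DELEGATION = 0x80000     # unconstrained delegation enabled
UF_NOT_DELEGATED = 0x100000             # "account is sensitive and cannot be delegated"

# trustAttributes bits that govern TGT delegation across a trust
TRUST_NO_TGT_DELEGATION = 0x200         # TRUST_ATTRIBUTE_CROSS_ORGANIZATION_NO_TGT_DELEGATION
TRUST_ENABLE_TGT_DELEGATION = 0x800     # TRUST_ATTRIBUTE_CROSS_ORGANIZATION_ENABLE_TGT_DELEGATION

PROTECTED_USERS_RID = 525               # well-known RID of the Protected Users group


def trust_allows_tgt_delegation(trust_attributes: int) -> bool:
    """True when the trust object is flagged to forward TGTs to the trusting side.
    Assumption: DCs carry the 2019 'Updates to TGT delegation across incoming
    trusts' change, so delegation is off unless the ENABLE bit is set; the NO bit
    always wins when both are present."""
    if trust_attributes & TRUST_NO_TGT_DELEGATION:
        return False
    return bool(trust_attributes & TRUST_ENABLE_TGT_DELEGATION)


def rid_of(sid: str) -> int:
    """Relative identifier, i.e. the last component of a SID string."""
    return int(sid.rsplit("-", 1)[1])


def find_protected_users(groups):
    """Member SIDs of Protected Users, located by its well-known RID rather than
    by its (localisable) display name."""
    for group in groups:
        if rid_of(group["sid"]) == PROTECTED_USERS_RID:
            return set(group["members"])
    return set()


def classify_principals(principals, protected_sids):
    """Bucket principals by their role in a TGT delegation abuse scenario:
    unconstrained        - would receive any TGT forwarded to them
    non_dc_unconstrained - the subset that is not a DC (easy to overlook)
    shielded             - TGT is never forwarded (Protected Users or NOT_DELEGATED)
    exposed              - TGT is forwarded when they touch an unconstrained host
    """
    report = {"unconstrained": set(), "non_dc_unconstrained": set(),
              "shielded": set(), "exposed": set()}
    for p in principals:
        uac = p["uac"]
        if uac & UF_TRUSTED_FOR_DELEGATION:
            report["unconstrained"].add(p["sam"])
            if not uac & UF_SERVER_TRUST_ACCOUNT:
                report["non_dc_unconstrained"].add(p["sam"])
        if uac & UF_NOT_DELEGATED or p["sid"] in protected_sids:
            report["shielded"].add(p["sam"])
        else:
            report["exposed"].add(p["sam"])
    return report


# Constructed sample data (hypothetical domain; SIDs and names are not real).
# Trust objects are those of the target domain, i.e. the trusting side.
TRUSTS = [
    {"name": "source.local", "trustAttributes": 0x8 | 0x800},  # forest trust, TGT delegation enabled
    {"name": "partner.local", "trustAttributes": 0x8},          # forest trust, default (disabled)
]
GROUPS = [
    {"sam": "Protected Users", "sid": "S-1-5-21-1-2-3-525",
     "members": ["S-1-5-21-1-2-3-1104"]},
]
PRINCIPALS = [
    {"sam": "DC01$",         "sid": "S-1-5-21-1-2-3-1000", "uac": 0x2000 | 0x80000},
    {"sam": "FILESRV01$",    "sid": "S-1-5-21-1-2-3-1101", "uac": 0x1000 | 0x80000},
    {"sam": "svc_legacy",    "sid": "S-1-5-21-1-2-3-1102", "uac": 0x200 | 0x80000},
    {"sam": "svc_sensitive", "sid": "S-1-5-21-1-2-3-1103", "uac": 0x200 | 0x100000},
    {"sam": "da_admin",      "sid": "S-1-5-21-1-2-3-1104", "uac": 0x200},
    {"sam": "jdoe",          "sid": "S-1-5-21-1-2-3-1105", "uac": 0x200},
]


def audit():
    """Run the checks over the constructed data and return the combined findings."""
    delegating = {t["name"] for t in TRUSTS if trust_allows_tgt_delegation(t["trustAttributes"])}
    report = classify_principals(PRINCIPALS, find_protected_users(GROUPS))
    report["trusts_with_tgt_delegation"] = delegating
    return report


if __name__ == "__main__":
    for key, names in audit().items():
        print(f"{key}: {sorted(names)}")
```

The "exposed" bucket deliberately includes the DC account itself: a DC's TGT is forwarded like any other, which is why the page's scenario targets it. Remediation follows directly from the report: clear the ENABLE bit on the trust, move high-value users into Protected Users or set NOT_DELEGATED, and replace unconstrained delegation on non-DC hosts with constrained or resource-based delegation.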
Attack
Step 1: Start Monitoring for TGTs
Windows:
Log into a DC of the source domain and open a command prompt as Administrator.
Start monitoring for incoming TGTs using Rubeus:
Linux:
Obtain credentials for a computer or user with unconstrained delegation.
Start monitoring for incoming TGTs using krbrelayx.py with the credentials of the unconstrained delegation account:
Step 2: Coerce the Target DC
The printer bug is abused in this example. If the Print Spooler service is disabled on the target host, alternative coercion techniques must be used. See “Windows Coerced Authentication Methods” under References for details.
To coerce the target DC, Authenticated Users access is required in the target domain. If the trust relationship is bidirectional, all principals in the source domain have this access by default. If not, coercion must be executed as a principal from the target forest. Attackers can obtain such a session using the trust account attack. See “SID Filter as a Security Boundary Between Domains? (Part 7) - Trust Account Attack” under References for details.
Windows:
From any host in the domain, coerce the target DC using SpoolSample:
Rubeus will print the DC TGT as soon as it is received.
Linux:
Coerce the target DC using printerbug.py:
krbrelayx.py will save the received TGT to disk.
Step 3: Pass the Ticket
Windows:
Inject the DC TGT into memory using Rubeus:
Linux:
Set the KRB5CCNAME environment variable to the ticket’s path:
Step 4: DCSync the Target Domain
Windows:
Use Mimikatz to DCSync the target domain from the machine where the DC TGT was injected:
Linux:
Use secretsdump.py to DCSync the target domain:
Opsec Considerations
The attack can be detected by correlating Windows security events from the attacker-controlled host and the target. See the reference “Hunting in Active Directory: Unconstrained Delegation & Forests Trusts” for details.
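One concrete correlation for the DCSync stage, as an added example written for this page (not code from the referenced article or any of the listed tools): because the replayed ticket belongs to a real DC account, filtering event 4662 by subject name alone misses the attack, so the check joins the 4662 SubjectLogonId to the TargetLogonId of the preceding 4624 to recover the source address and flags replication rights exercised from anywhere that is not a DC. The log lines, DC names and addresses are constructed to resemble Security log fields exported as key=value text and are not real data.

```python
"""Detection check for the DCSync stage: a 4662 on a DC where the directory
replication control-access rights are exercised either by a non-DC identity or
by a DC identity whose logon session came from a non-DC address. Added
example, not code from the page's references; sample events are constructed."""
import re

# control-access right GUIDs that DCSync needs (standard schema values)
REPLICATION_RIGHTS = {
    "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Get-Changes",
    "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Get-Changes-All",
    "89e95b76-444d-4c62-991a-0facbeda640c": "DS-Replication-Get-Changes-In-Filtered-Set",
}
CONTROL_ACCESS = 0x100  # AccessMask bit for extended (control-access) rights

FIELD_RE = re.compile(r"(\w+)=(\S+)")
GUID_RE = re.compile(r"\{([0-9a-fA-F-]{36})\}")


def parse_event(line):
    """key=value fields of one exported event line into a dict."""
    return dict(FIELD_RE.findall(line))


def replication_rights_used(event):
    """Names of replication rights present in a 4662 event, empty if none."""
    if event.get("EventID") != "4662":
        return []
    if (int(event.get("AccessMask", "0"), 16) & CONTROL_ACCESS) == 0:
        return []
    guids = (g.lower() for g in GUID_RE.findall(event.get("Properties", "")))
    return [REPLICATION_RIGHTS[g] for g in guids if g in REPLICATION_RIGHTS]


def detect_dcsync(log_text, dc_accounts, dc_addresses):
    """Return (subject, source_ip, reason, rights) for every replication request
    that did not come from a DC account at a DC address."""
    events = [parse_event(l) for l in log_text.splitlines() if l.strip()]
    # map each logon session to the address it came from (4624 TargetLogonId)
    logon_ip = {e["TargetLogonId"]: e.get("IpAddress", "unknown")
                for e in events if e.get("EventID") == "4624" and "TargetLogonId" in e}
    alerts = []
    for e in events:
        rights = replication_rights_used(e)
        if not rights:
            continue
        subject = e.get("SubjectUserName", "?")
        ip = logon_ip.get(e.get("SubjectLogonId"), "unknown")
        if subject not in dc_accounts:
            alerts.append((subject, ip, "replication right used by a non-DC identity", rights))
        elif ip not in dc_addresses:
            alerts.append((subject, ip, "DC identity replicating from a non-DC address", rights))
    return alerts


# Constructed sample: two DCs at 10.0.0.5/10.0.0.6, a host outside that set at
# 10.0.0.11 presenting the DC01$ identity, and a user at 10.0.0.30.
DC_ACCOUNTS = {"DC01$", "DC02$"}
DC_ADDRESSES = {"10.0.0.5", "10.0.0.6"}
SAMPLE_LOG = """\
EventID=4624 Computer=DC02.target.local TargetUserName=DC01$ LogonType=3 TargetLogonId=0x3e7a1 IpAddress=10.0.0.5
EventID=4662 Computer=DC02.target.local SubjectUserName=DC01$ SubjectLogonId=0x3e7a1 AccessMask=0x100 Properties={1131f6aa-9c07-11d1-f79f-00c04fc2dcd2};{1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}
EventID=4624 Computer=DC02.target.local TargetUserName=DC01$ LogonType=3 TargetLogonId=0x41b22 IpAddress=10.0.0.11
EventID=4662 Computer=DC02.target.local SubjectUserName=DC01$ SubjectLogonId=0x41b22 AccessMask=0x100 Properties={1131f6aa-9c07-11d1-f79f-00c04fc2dcd2};{1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}
EventID=4624 Computer=DC02.target.local TargetUserName=jdoe LogonType=3 TargetLogonId=0x52c10 IpAddress=10.0.0.30
EventID=4662 Computer=DC02.target.local SubjectUserName=jdoe SubjectLogonId=0x52c10 AccessMask=0x10 Properties={bf967aba-0de6-11d0-a285-00aa003049e2}
EventID=4662 Computer=DC02.target.local SubjectUserName=jdoe SubjectLogonId=0x52c10 AccessMask=0x100 Properties={1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}
"""

if __name__ == "__main__":
    for subject, ip, reason, rights in detect_dcsync(SAMPLE_LOG, DC_ACCOUNTS, DC_ADDRESSES):
        print(f"ALERT {subject} from {ip}: {reason} ({', '.join(rights)})")
```

The first DC01$ replication (session from 10.0.0.5) is normal inter-DC traffic and is not reported; the second, with an identical subject but a session that originated at 10.0.0.11, is the pattern the page describes. In a real deployment the address set should also cover legitimate non-DC replicators such as directory synchronisation servers, and the 4662 audit requires the Directory Service Access subcategory to be enabled on DCs.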
References
- Not A Security Boundary: Breaking Forest Trusts
- Hunting in Active Directory: Unconstrained Delegation & Forests Trusts
- Abusing Users Configured with Unconstrained Delegation
- SID filter as security boundary between domains? (Part 7) - Trust account attack - from trusting to trusted
- “Relaying” Kerberos - Having fun with unconstrained delegation
- Windows Coerced Authentication Methods
- Rubeus
- SpoolSample
- mimikatz
- krbrelayx.py
- printerbug.py
- secretsdump.py
- Updates to TGT delegation across incoming trusts in Windows Server
- Microsoft AD Trust Technical Documentation