Dangerous Kerberos Delegation

critical

Description

The Kerberos protocol, which is central to Active Directory security, permits selected servers (those configured for delegation) to reuse a user's credentials on that user's behalf. If an attacker compromises one of these servers, they could steal these credentials and use them to authenticate to other resources by abusing "unconstrained delegation" or "(resource-based) constrained delegation".

Solution

The only accounts using unconstrained delegation should be the domain controller accounts. Administrators should also be protected against any dangerous delegation type.
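The following PowerShell audit is an added example, not part of this indicator page or of any vendor tooling. It assumes the RSAT ActiveDirectory module and read access to the domain, and it reports the conditions the solution above describes: unconstrained delegation on anything other than a domain controller, classic constrained and resource-based constrained delegation configurations for review, and privileged accounts (adminCount=1) that are neither marked "sensitive and cannot be delegated" nor members of Protected Users.

```powershell
# Added audit script (assumption: RSAT ActiveDirectory module is installed and the
# caller can read the domain). Not the indicator page's own code.
Import-Module ActiveDirectory

# userAccountControl bits used below (well-known constants)
$UF_TRUSTED_FOR_DELEGATION        = 0x80000    # unconstrained delegation
$UF_NOT_DELEGATED                 = 0x100000   # "account is sensitive and cannot be delegated"
$UF_TRUSTED_TO_AUTH_FOR_DELEGATION = 0x1000000 # constrained delegation with protocol transition
$bitMatch = '1.2.840.113556.1.4.803'          # LDAP_MATCHING_RULE_BIT_AND

# Domain controllers are the only legitimate unconstrained-delegation accounts
$dcDns = (Get-ADDomainController -Filter *).ComputerObjectDN

# 1. Unconstrained delegation on non-DC computers or users: should be empty
$unconstrained = Get-ADObject -LDAPFilter "(&(|(objectClass=computer)(objectClass=user))(userAccountControl:$bitMatch:=$UF_TRUSTED_FOR_DELEGATION))" -Properties userAccountControl |
    Where-Object { $dcDns -notcontains $_.DistinguishedName } |
    Select-Object Name, ObjectClass, DistinguishedName

# 2. Classic constrained delegation: list targets and whether protocol transition is enabled
$constrained = Get-ADObject -LDAPFilter '(msDS-AllowedToDelegateTo=*)' -Properties 'msDS-AllowedToDelegateTo', userAccountControl |
    Select-Object Name, DistinguishedName,
        @{ n = 'AllowedToDelegateTo';  e = { $_.'msDS-AllowedToDelegateTo' -join '; ' } },
        @{ n = 'ProtocolTransition';   e = { [bool]($_.userAccountControl -band $UF_TRUSTED_TO_AUTH_FOR_DELEGATION) } }

# 3. Resource-based constrained delegation: the attribute is a security descriptor whose
#    ACEs name the accounts allowed to delegate to this resource (the AD module returns it
#    as an ActiveDirectorySecurity object)
$rbcd = Get-ADObject -LDAPFilter '(msDS-AllowedToActOnBehalfOfOtherIdentity=*)' -Properties 'msDS-AllowedToActOnBehalfOfOtherIdentity' |
    ForEach-Object {
        $trustees = $_.'msDS-AllowedToActOnBehalfOfOtherIdentity'.Access |
            ForEach-Object { $_.IdentityReference.Value }
        [pscustomobject]@{
            Resource     = $_.DistinguishedName
            AllowedFrom  = ($trustees -join '; ')
        }
    }

# 4. Privileged accounts that can still be delegated: adminCount=1, NOT_DELEGATED bit clear,
#    and not in Protected Users (membership there also blocks delegation of the account)
$protectedUsers = @()
try {
    $protectedUsers = (Get-ADGroupMember -Identity 'Protected Users' -Recursive -ErrorAction Stop).DistinguishedName
} catch { Write-Warning "Could not enumerate Protected Users: $($_.Exception.Message)" }

$exposedAdmins = Get-ADUser -LDAPFilter "(&(adminCount=1)(!(userAccountControl:$bitMatch:=$UF_NOT_DELEGATED)))" -Properties userAccountControl |
    Where-Object { $_.SamAccountName -ne 'krbtgt' -and $protectedUsers -notcontains $_.DistinguishedName } |
    Select-Object SamAccountName, DistinguishedName

# Report
"== Unconstrained delegation outside domain controllers (expected: none) =="
$unconstrained | Format-Table -AutoSize
"== Constrained delegation (review each target; protocol transition deserves extra scrutiny) =="
$constrained   | Format-Table -AutoSize
"== Resource-based constrained delegation (review who may act on behalf of each resource) =="
$rbcd          | Format-Table -AutoSize
"== Privileged accounts that are still delegatable (expected: none) =="
$exposedAdmins | Format-Table -AutoSize

# Remediation, applied only after reviewing the output above:
#   Set-ADAccountControl -Identity <server> -TrustedForDelegation $false   # remove unconstrained delegation
#   Set-ADAccountControl -Identity <admin>  -AccountNotDelegated $true     # mark admin as non-delegatable
#   Add-ADGroupMember -Identity 'Protected Users' -Members <admin>         # additional protection
```

Run it from a workstation with RSAT under an account that can read the domain; it only reads. Empty results for sections 1 and 4 are the target state described in the solution, while sections 2 and 3 are inventories to review rather than findings in themselves, since constrained and resource-based delegation are legitimate when the delegating account is tightly controlled.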

See Also

Kerberos Unconstrained Delegation (or How Compromise of a Single Server Can Compromise the Domain)

Get rid of accounts that use Kerberos Unconstrained Delegation

Abusing Resource-Based Constrained Delegation to Attack Active Directory

SPN-jacking: An Edge Case in WriteSPN Abuse

SPN-jacking

Indicator Details

Name: Dangerous Kerberos Delegation

Codename: C-UNCONST-DELEG

Severity: Critical

MITRE ATT&CK Information:

Known Attacker Tools

HarmJ0y, Elad Shamir: Rubeus