Abusing Delegation Mechanisms for Domain Dominance
Egor Podmokov, PT ESC
whoami
(&(memberOf=PT ESC)(memberOf=DC7831)(memberOf=sys-adm.in))
• Perform threat hunting on the Customer's infrastructure
• Investigate incidents
• Write correlation rules
• Develop IDS rules: over 5,000 by now
• Enrich our products with expertise
PT ESC
twitter.com/AttackDetection
History
• Unconstrained Delegation: Windows 2000
• Constrained Delegation: Windows Server 2003
• Resource-Based Constrained Delegation: Windows Server 2012
Kerberos & Single Sign-On (SSO)
AS-REQ / AS-REP (logon): User -> KDC: AS-REQ; KDC -> User: AS-REP carrying the TGT
TGS-REQ / TGS-REP (logon on service): User -> KDC: TGS-REQ presenting the TGT; KDC -> User: TGS-REP carrying a service ticket (TGS), which the user then presents to the Service
Specification
Unconstrained Delegation
+ Easy to setup
+ Easy to use
+ Easy to maintain
- Insecure
Unconstrained Delegation: TrustedForDelegation
TGT for primary login
TGS for login to service
Together with the TGS, the service receives a forwarded copy of the user's TGT, which it can use towards any service in the user's name.
Constrained Delegation
+ Easy to use
- Hard to setup
- Hard to maintain
- Insecure
Configured per target SPN (the msDS-AllowedToDelegateTo attribute of the delegating account)
Constrained Delegation
S4U2Self (S4USelf): used when the user authenticates to the service in some way other than Kerberos; the service asks the KDC for a service ticket to itself in that user's name (protocol transition).
S4U2Proxy (S4UProxy): allows the caller to contact some other service, acting on behalf of the user, by presenting the user's ticket from the previous step.
TrustedToAuthForDelegation («Use any authentication protocol») is the flag that permits protocol transition: with it, the service can obtain a forwardable S4U2Self ticket for any user without that user ever authenticating to it.
Resource-Based Constrained Delegation
+ Easy to use
- Very hard to setup
- Hard to maintain
- Insecure
Resource-Based Constrained Delegation
Same S4U2Self / S4U2Proxy exchange as above, but the KDC authorises the S4U2Proxy step from the msDS-AllowedToActOnBehalfOfOtherIdentity attribute of the target resource, not from an attribute of the delegating account. The owner of the resource decides who may delegate to it.
Attack: Unconstrained Delegation
Unconstrained Delegation: attack
… after stages 1-7, then …
1. Get available tickets
2. Dump ticket
3. Get TGS…
Unconstrained Delegation: attack
Domain domain1.smthng: a Domain Controller (KDC); servers Sharepoint, Exchange and MS SQL; groups Domain Users, Domain Admins and Server Users.
1. TGT: the user logs on and receives a TGT from the KDC
2. TGS: the user requests a service ticket for Sharepoint
3. Send ticket: the TGS goes to Sharepoint together with a forwarded copy of the user's TGT, because Sharepoint is trusted for unconstrained delegation
4. TGS: Sharepoint uses the forwarded TGT to obtain a service ticket for another service (for example MS SQL) as the user
5. …
Unconstrained Delegation: attack
What does an attacker get?
> .\Rubeus triage
shows the tickets cached in the logon sessions on the host (elevation is needed to see sessions other than your own). Rubeus uses LsaRegisterLogonProcess() to connect to LSA and LsaCallAuthenticationPackage() to retrieve the cached tickets.
github.com/GhostPack/Rubeus
Unconstrained Delegation: attack
Dump the TGTs (krbtgt tickets) of the interesting logon sessions
> .\Rubeus dump /luid:<…>
(/service:krbtgt narrows the output to TGTs)
Attack: Constrained Delegation
Constrained Delegation: attack
Get the hash, password or TGT of the delegating service account,
and then
send S4U requests to the KDC.
Constrained Delegation: attack
Same domain1.smthng layout: Domain Controller (KDC); Sharepoint, Exchange, MS SQL; Domain Users, Domain Admins, Server Users.
1. Auth (as the Sharepoint service account)
2. S4U2Self
3. S4U2Proxy -> TGS for MS SQL in the name of the chosen user
Constrained Delegation: attack
What does the attacker have? A hacked domain server (the Sharepoint service account).
What does the attacker need? To impersonate a domain user to another domain server.
1. Get a TGT for Sharepoint's service account
2. Get a TGS for the Sharepoint service in the name of a domain user (S4U2Self)
3. Send TGS(2) in an S4U2Proxy request and get an MSSQL ticket for that domain user
There is no need to dump tickets from memory: the KDC issues them on request.
Constrained Delegation: attack, on the wire
1. Get TGT of Sharepoint service account: AS-REQ / AS-REP
2. Get TGS of Sharepoint service for domain user: TGS-REQ / TGS-REP (S4U2Self; the TGS-REQ carries PA-FOR-USER naming the user to impersonate)
3. Get MSSQL ticket for domain user: TGS-REQ / TGS-REP (S4U2Proxy; the TGS-REQ carries the ticket from step 2 as its additional ticket)
Attack: Resource-Based Constrained Delegation
Resource-Based Constrained Delegation: research
@harmj0y, @decoder_it
The attacker needs to enable Resource-Based Delegation on the hacked machine and … "must be able to get the password hash of the computer object he wants to add into the attribute" msDS-AllowedToActOnBehalfOfOtherIdentity
1. Get SYSTEM privileges on the victim PC
2. Create a new domain machine account (by default any authenticated user may create up to ms-DS-MachineAccountQuota = 10 of them, so this step needs no special privileges)
The attacker needs WRITE ACCESS to the victim's computer object to set the attribute.
Resource-Based Constrained Delegation: research
Who has write access to the victim's computer object?
(Get-Acl "AD:$((Get-ADComputer <name>).DistinguishedName)").Access |
    Where-Object -Property ActiveDirectoryRights -Match WriteProperty
The output shows the privileged accounts. GenericAll, GenericWrite, WriteDacl and WriteOwner are each sufficient to set the attribute as well, so match on those too.
Resource-Based Constrained Delegation: attack
DA is not needed:
WRITE ACCESS to set the attribute is enough.
Attack: Delegation across domain trusts
Delegation across trusts
domain1.smth (DC.domain1.smth; Servers, Users) <-- trust --> domain2.smth (DC.domain2.smth; Servers, Users)
Delegation across trusts: attack
The diagram labels delegation in one domain as Constrained and in the other as Unconstrained: a hacked server trusted for unconstrained delegation in one domain receives the forwarded TGTs of users from the trusted domain who authenticate to it.
Delegation across trusts: «PrinterBug»
MS-RPRN (Print System Remote Protocol) over DCERPC on the SPOOLSS pipe: RpcRemoteFindFirstPrinterChangeNotificationEx (opnum 65)
Attacker -> Victim: 1. OpenPrinter  2. RFFPCNEX, naming the attacker's host as the notification target
Victim -> Attacker: the victim's spooler connects back and authenticates with Kerberos as the victim's machine account; because the attacker's host is trusted for unconstrained delegation, the AP-REQ carries a service ticket together with the victim's forwarded TGT ("Send TGS with TGT").
Delegation across trusts: attack
Home domain <-> Trusted domain: a user from the trusted domain authenticates to the unconstrained host in the home domain; along with the service ticket, the host receives the user's forwarded TGT (a krbtgt ticket for the trusted domain), and then the attacker does … something.
Delegation across trusts: attack
1. Get the available tickets and find a krbtgt ticket (TGT) from the trusted domain
> .\Rubeus triage
Whether such TGTs cross the trust at all is governed by the EnableTGTDelegation flag on the trust; the 2019 updates below turned it off by default for incoming forest and external trusts (netdom trust … /EnableTgtDelegation:Yes re-enables it per trust).
blogs.technet.microsoft.com/askpfeplat/2019/04/11/changes-to-ticket-granting-ticket-tgt-delegation-across-trusts-in-windows-server-askpfeplat-edition
support.microsoft.com/en-us/help/4490425/updates-to-tgt-delegation-across-incoming-trusts-in-windows-server
Delegation across trusts: attack
2. Dump the needed ticket
> .\Rubeus dump /luid:<…>
Lateral Movement
• Possible DCSync (with a captured domain-admin or domain-controller TGT)
• Pass-The-Ticket
> .\Rubeus ptt /ticket:<…>
• Roasting
> .\Rubeus kerberoast
> .\Rubeus asreproast
Lateral Movement: Delegation across trusts
Everything above, plus, in the trusted domain:
• Possible recon
• Possible exploitation
• Pass-The-Ticket
How to find
Object attributes:
• msDS-AllowedToDelegateTo (Constrained)
• msDS-AllowedToActOnBehalfOfOtherIdentity (Resource-Based; set on the target object)
userAccountControl flags:
• TrustedForDelegation (Unconstrained)
• TrustedToAuthForDelegation (Constrained with protocol transition)
How to find: LDAP & userAccountControl
Get-ADObject -LDAPFilter "(userAccountControl:1.2.840.113556.1.4.803:=<VALUE>)"
1.2.840.113556.1.4.803 is the LDAP bitwise-AND matching rule; <VALUE> is the flag converted to decimal:
TRUSTED_FOR_DELEGATION = 0x80000 = 524288
TRUSTED_TO_AUTH_FOR_DELEGATION = 0x1000000 = 16777216
How to find: Unconstrained Delegation
Get-ADComputer -Filter {(TrustedForDelegation -eq $true) -and (PrimaryGroupID -eq 515)} `
    -Properties TrustedForDelegation,TrustedToAuthForDelegation,servicePrincipalName,Description
PrimaryGroupID 515 (Domain Computers) leaves out the domain controllers (516), which are trusted for unconstrained delegation by design.
How to find: Constrained Delegation
Get-ADUser -Filter {TrustedToAuthForDelegation -eq $true} `
    -Properties TrustedForDelegation,TrustedToAuthForDelegation,msDS-AllowedToDelegateTo,servicePrincipalName,Description
This finds only user accounts with protocol transition enabled. Run the same filter with Get-ADComputer for machine accounts, and check msDS-AllowedToDelegateTo directly (Get-ADObject -LDAPFilter "(msDS-AllowedToDelegateTo=*)") to catch Kerberos-only constrained delegation, which does not set TrustedToAuthForDelegation.
How to find: Resource-Based Constrained Delegation
Get-ADObject -LDAPFilter "(msDS-AllowedToActOnBehalfOfOtherIdentity=*)" `
    -Properties msDS-AllowedToActOnBehalfOfOtherIdentity,servicePrincipalName,Description
The attribute lives on the target object, not on the delegating account, so filtering on TrustedToAuthForDelegation (as for constrained delegation) finds nothing here; the presence filter above does. The value is a security descriptor; (Get-ADComputer <name> -Properties PrincipalsAllowedToDelegateToAccount).PrincipalsAllowedToDelegateToAccount lists the principals it grants.
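The three "How to find" queries above, combined into one audit pass. This is an added example, not code from the talk: it reports every delegation configuration in the domain with the targets it can reach, separates domain controllers (which are unconstrained by design) from real findings, and resolves the resource-based security descriptor into principal names. It assumes the ActiveDirectory RSAT module and a domain-joined session with read access; the attribute and flag names are the real ones, the output columns are this script's own.

```powershell
# Added example, not from the talk: one pass that reports every delegation configuration
# the "How to find" slides look for. Assumes the ActiveDirectory RSAT module and read access to AD.
Import-Module ActiveDirectory

$TRUSTED_FOR_DELEGATION         = 0x80000    # 524288
$TRUSTED_TO_AUTH_FOR_DELEGATION = 0x1000000  # 16777216
$BitAnd = '1.2.840.113556.1.4.803'           # LDAP bitwise-AND matching rule for userAccountControl

$Props = 'sAMAccountName','objectClass','userAccountControl','servicePrincipalName','primaryGroupID',
         'msDS-AllowedToDelegateTo','msDS-AllowedToActOnBehalfOfOtherIdentity'

function Resolve-AllowedToActPrincipals($Value) {
    # The RBCD attribute is a security descriptor. The AD module normally returns it already parsed
    # as ActiveDirectorySecurity; accept the raw byte[] form as well.
    $sd = $Value
    if ($Value -is [byte[]]) {
        $sd = New-Object System.DirectoryServices.ActiveDirectorySecurity
        $sd.SetSecurityDescriptorBinaryForm($Value)
    }
    ($sd.Access | ForEach-Object { $_.IdentityReference.Value } | Sort-Object -Unique) -join ';'
}

function New-Finding($Object, [string]$Type, [string]$Targets) {
    [pscustomobject]@{
        Type    = $Type
        Account = $Object.sAMAccountName
        Class   = [string]$Object.objectClass
        Targets = $Targets
        SPNs    = ($Object.servicePrincipalName -join ';')
    }
}

function Get-DelegationAudit {
    # Unconstrained: the host can replay any forwarded TGT it receives towards any service.
    # Domain controllers (primaryGroupID 516) are trusted for delegation by design; everything else is a finding.
    $f = "(userAccountControl:$($BitAnd):=$($TRUSTED_FOR_DELEGATION))"
    foreach ($o in Get-ADObject -LDAPFilter $f -Properties $Props) {
        $type = if ($o.primaryGroupID -eq 516) { 'Unconstrained (domain controller)' } else { 'Unconstrained' }
        New-Finding $o $type '* (any service, via forwarded TGT)'
    }
    # Constrained: msDS-AllowedToDelegateTo lists the reachable SPNs. With TRUSTED_TO_AUTH_FOR_DELEGATION
    # (protocol transition) the account can mint S4U2Self tickets for any user without that user ever
    # authenticating to it, so the account's credentials alone are enough for the attack in the slides.
    foreach ($o in Get-ADObject -LDAPFilter '(msDS-AllowedToDelegateTo=*)' -Properties $Props) {
        $pt   = ($o.userAccountControl -band $TRUSTED_TO_AUTH_FOR_DELEGATION) -ne 0
        $type = if ($pt) { 'Constrained + protocol transition' } else { 'Constrained (Kerberos only)' }
        New-Finding $o $type ($o.'msDS-AllowedToDelegateTo' -join ';')
    }
    # Resource-based: the attribute sits on the target, so "Targets" here lists the principals
    # allowed to act on behalf of other identities towards this object.
    foreach ($o in Get-ADObject -LDAPFilter '(msDS-AllowedToActOnBehalfOfOtherIdentity=*)' -Properties $Props) {
        New-Finding $o 'Resource-based (principals allowed to delegate to this object)' `
                    (Resolve-AllowedToActPrincipals $o.'msDS-AllowedToActOnBehalfOfOtherIdentity')
    }
}

Get-DelegationAudit | Sort-Object Type, Account | Format-Table -AutoSize -Wrap
```

Every row except "Unconstrained (domain controller)" deserves a justification from its owner; the "Constrained + protocol transition" and "Unconstrained" rows are the ones the attack slides need.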
How to find: Delegation across trusts
Get-RiskyServiceAccountByTrust.ps1 -Collect -ScanAll
support.microsoft.com/en-us/help/4490425/updates-to-tgt-delegation-across-incoming-trusts-in-windows-server
Features
• Delegation accounts can be either user or machine accounts
• The attacker can impersonate every user of the service (including domain admins, unless they are marked sensitive or belong to Protected Users)
• Many IT accounts have WriteProperty, which is all that is needed to set the delegation attributes
• Different protocols and services may share an SPN, so one service ticket authorises several services; and since the service name is not in the encrypted part of the ticket, a ticket for one service class on a host can be re-used for another
Mitigation: Unconstrained Delegation
1. Don't use Unconstrained Delegation; use constrained or resource-based delegation instead
2. Mark elevated admin accounts «Account is sensitive and cannot be delegated»
3. Put them in the «Protected Users» group
4. Create SPNs with a port, like MSSQL/db.contoso.local:1443, which cannot be delegated
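Mitigations 2 and 3 applied in bulk, with a check for what is left of mitigation 1. This is an added example, not from the talk: it walks the members of a list of privileged groups, sets the sensitive flag and Protected Users membership where missing, and warns about member servers still trusted for unconstrained delegation. It assumes the ActiveDirectory RSAT module, a domain functional level of Windows Server 2012 R2 or later (required for Protected Users to be enforced) and an operator allowed to modify those accounts; the group list and the excluded break-glass account name are assumptions.

```powershell
# Added example, not from the talk: mitigations 2 and 3 for every member of the listed privileged
# groups, then a report of what remains for mitigation 1. Assumes the ActiveDirectory RSAT module
# and a DFL of Windows Server 2012 R2 or later. Group list and excluded account are assumptions.
Import-Module ActiveDirectory

$PrivilegedGroups = 'Domain Admins', 'Enterprise Admins', 'Schema Admins', 'Administrators'
$ExcludedAccounts = 'breakglass-admin'   # emergency accounts stay out of Protected Users, which also blocks NTLM and cached logon

function Protect-PrivilegedAccounts {
    param([switch]$WhatIf)   # review with -WhatIf first; it is passed through to every change

    $protectedUsers = Get-ADGroup -Identity 'Protected Users'
    $members = foreach ($g in $PrivilegedGroups) {
        try { Get-ADGroupMember -Identity $g -Recursive | Where-Object objectClass -eq 'user' }
        catch { Write-Warning "skipping ${g}: $_" }
    }
    $members = $members | Where-Object { $ExcludedAccounts -notcontains $_.SamAccountName } |
               Sort-Object -Property DistinguishedName -Unique

    foreach ($m in $members) {
        $u = Get-ADUser -Identity $m.DistinguishedName -Properties AccountNotDelegated, MemberOf
        # 2. "Account is sensitive and cannot be delegated" (NOT_DELEGATED): the KDC issues no
        #    forwardable tickets for the account and refuses S4U2Proxy in its name.
        if (-not $u.AccountNotDelegated) {
            Set-ADUser -Identity $u -AccountNotDelegated $true -WhatIf:$WhatIf
        }
        # 3. Protected Users adds, among other things: no delegation of any kind, no RC4/DES,
        #    no NTLM, and a 4-hour TGT lifetime.
        if ($u.MemberOf -notcontains $protectedUsers.DistinguishedName) {
            Add-ADGroupMember -Identity $protectedUsers -Members $u -WhatIf:$WhatIf
        }
    }

    # 1. Member servers still trusted for unconstrained delegation (domain controllers, 516, excluded)
    Get-ADComputer -Filter { TrustedForDelegation -eq $true -and PrimaryGroupID -eq 515 } |
        ForEach-Object { Write-Warning "still unconstrained: $($_.Name)" }
}

Protect-PrivilegedAccounts -WhatIf
```

Run it with -WhatIf first and read the planned changes: Protected Users membership breaks NTLM-only applications and cached logon for the accounts involved, so service accounts and emergency accounts must not be in the group lists.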
Detection: host-based by events
• 4688 Process creation: NewProcessName = Rubeus.exe; CommandLine = Rubeus.exe <command> /<option>:
• 4769 Kerberos service ticket request: check ServiceName, TargetDomainName, TargetUserName, TicketOptions, TicketEncryptionType
• 4672 Special privileges assigned to new logon
• 4673 Privileged service called: Service = LsaRegisterLogonProcess(), ProcessName = lsass.exe, Keywords = Audit Failure AND Audit Success
Detection: host-based by events
• 4611 Trusted logon process registered: check SubjectDomainName, SubjectUserName; LogonProcessName = User32LogonProcesss
• 4624 Logon (Server 2012+): ImpersonationLevel
• 5140 Network share object accessed: check SubjectDomainName, SubjectUserName
• 5145 Detailed network share access: check SubjectDomainName, SubjectUserName; ShareName like IPC$ and RelativeTargetName like spoolss indicate «PrinterBug» exploitation
Detection
The KDC does not count the tickets it issues and keeps no analytics about them.
So we build them ourselves: link hosts, users, services and ticket lifetimes from the 4769 events and from the Kerberos traffic on the wire.
Detection: network-based (unconstrained)
Rubeus + Pass-The-Ticket and dir \\dc01\C$
Detection: network-based (unconstrained)
TGS-REQ: get TGS to target service
Metrics: timestamp, source IP, account cname, target sname, etypes
1. Get existing tickets  2. Analyze timestamps  3. Analyze cname  4. Analyze sname
Detection: network-based (constrained)
AS-REQ: get TGT of service-sharepoint (attack step 1)
Metrics: timestamp, source IP, cname, etypes
1. Get existing tickets  2. Analyze timestamps  3. Analyze cname
TGS-REQ (S4U2Self): get user TGS (attack step 2)
Metrics: username, timestamp, source IP, cname, sname
1. Get existing tickets  2. Analyze timestamps  3. Analyze target account name  4. Analyze source account name (the cname is the service account; the PA-FOR-USER name is the user it impersonates)
TGS-REQ (S4U2Proxy): get user TGS to target service (attack step 3)
Metrics: timestamp, source IP, target sname, source sname, etypes
1. Get existing tickets  2. Analyze timestamps  3. Analyze source account name  4. Analyze target account name
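The analytics the KDC does not keep, computed from the events the host-based and network-based slides list. This is an added example, not from the talk: it parses Security log records in their EVTX XML shape, then flags S4U2Proxy chains (4769 with TransmittedServices set), tickets for a service requested from the service's own host (what S4U2Self looks like in 4769), RC4 service tickets (roasting) and remote opens of the spoolss pipe (5145, PrinterBug coercion). The event records are constructed sample data with made-up hosts, users and addresses, and the service-to-IP map and privileged-user list are assumptions about the environment; on a domain controller the same function runs over real records from Get-WinEvent.

```powershell
# Added example, not from the talk. 4769 carries the TGS-REQ fields the network slides list
# (cname = TargetUserName, sname = ServiceName, etype = TicketEncryptionType, source IP = IpAddress,
# plus TransmittedServices for S4U2Proxy); 5145 carries the spoolss pipe access from the PrinterBug slide.
# Sample events below are constructed; on a DC feed real records instead:
#   Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4769,5145} | ForEach-Object { $_.ToXml() }

# Assumed environment knowledge: which service account / host lives at which IP, and who is privileged.
$ServiceHostIPs  = @{ 'svc-sharepoint' = '10.0.0.20'; 'sp01.domain1.smthng' = '10.0.0.20'; 'sql01.domain1.smthng' = '10.0.0.21' }
$PrivilegedUsers = @('administrator', 'adm-jsmith')

function New-SampleEvent([int]$Id, [string]$Time, [hashtable]$Data) {
    # Minimal EVTX-shaped XML; real records add a namespace and more <System> fields, which the parser ignores
    $fields = ($Data.GetEnumerator() | ForEach-Object { '<Data Name="{0}">{1}</Data>' -f $_.Key, $_.Value }) -join ''
    "<Event><System><EventID>$Id</EventID><TimeCreated SystemTime=`"$Time`"/></System><EventData>$fields</EventData></Event>"
}

function ConvertFrom-EventXml([string]$Xml) {
    # Flatten one record into a hashtable keyed by the Data Name attribute
    $x  = [xml]$Xml
    $ev = @{ Id = [int]$x.Event.System.EventID; Time = $x.Event.System.TimeCreated.SystemTime }
    foreach ($d in $x.Event.EventData.Data) { $ev[$d.GetAttribute('Name')] = $d.InnerText }
    $ev
}

function Get-ServiceKey([string]$ServiceName) {
    # 'MSSQLSvc/sql01.domain1.smthng:1433' -> 'sql01.domain1.smthng'; a bare account name stays as is
    if ($ServiceName -match '^[^/]+/([^:/]+)') { $Matches[1].ToLower() } else { $ServiceName.ToLower() }
}

function New-Hit($e, [string]$Rule, [string]$Severity) {
    $user = if ($e.TargetUserName) { $e.TargetUserName } else { '{0}\{1}' -f $e.SubjectDomainName, $e.SubjectUserName }
    [pscustomobject]@{ Time = $e.Time; Severity = $Severity; Rule = $Rule; User = $user
                       Service = $e.ServiceName; From = $e.IpAddress; Via = $e.TransmittedServices }
}

function Find-DelegationAbuse([string[]]$EventXml) {
    foreach ($e in ($EventXml | ForEach-Object { ConvertFrom-EventXml $_ })) {
        if ($e.Id -eq 4769) {
            $user   = ($e.TargetUserName -split '@')[0]
            $ip     = $e.IpAddress -replace '^::ffff:', ''
            $isPriv = $PrivilegedUsers -contains $user
            if ($e.TransmittedServices -and $e.TransmittedServices -ne '-') {
                # S4U2Proxy: TransmittedServices names the delegating account and TicketOptions carries
                # cname-in-addl-tkt (0x00020000). A privileged user being impersonated is the high-value case.
                New-Hit $e 'S4U2Proxy: service account impersonating a user to another service' $(if ($isPriv) { 'high' } else { 'medium' })
            }
            elseif ($ServiceHostIPs[(Get-ServiceKey $e.ServiceName)] -eq $ip) {
                # A ticket for a service requested from the host of that service rather than from the
                # user's workstation is what S4U2Self looks like in 4769 (no TransmittedServices yet).
                New-Hit $e 'Ticket for a service requested from the service host itself (S4U2Self candidate)' 'medium'
            }
            if ($e.TicketEncryptionType -eq '0x17') {
                # RC4 service ticket in an AES-capable domain: what kerberoast requests look like
                New-Hit $e 'RC4 (0x17) service ticket (kerberoast candidate)' 'medium'
            }
        }
        elseif ($e.Id -eq 5145 -and $e.ShareName -like '*\IPC$' -and $e.RelativeTargetName -eq 'spoolss') {
            # MS-RPRN reached over the spoolss named pipe from another machine: PrinterBug coercion
            New-Hit $e 'Remote open of \PIPE\spoolss (PrinterBug coercion candidate)' 'medium'
        }
    }
}

# Constructed sample records (values are made up): a normal share access, the two S4U steps of the
# constrained-delegation attack against the Administrator account, a roasting request, and a coercion.
$SampleEvents = @(
    New-SampleEvent 4769 '2019-11-20T09:01:12Z' @{ TargetUserName='alice@DOMAIN1.SMTHNG'; ServiceName='cifs/fs01.domain1.smthng'; TicketEncryptionType='0x12'; TicketOptions='0x40810000'; IpAddress='::ffff:10.0.0.15'; TransmittedServices='-' }
    New-SampleEvent 4769 '2019-11-20T09:03:40Z' @{ TargetUserName='Administrator@DOMAIN1.SMTHNG'; ServiceName='svc-sharepoint'; TicketEncryptionType='0x12'; TicketOptions='0x40810000'; IpAddress='::ffff:10.0.0.20'; TransmittedServices='-' }
    New-SampleEvent 4769 '2019-11-20T09:03:41Z' @{ TargetUserName='Administrator@DOMAIN1.SMTHNG'; ServiceName='MSSQLSvc/sql01.domain1.smthng:1433'; TicketEncryptionType='0x12'; TicketOptions='0x40820010'; IpAddress='::ffff:10.0.0.20'; TransmittedServices='svc-sharepoint@DOMAIN1.SMTHNG' }
    New-SampleEvent 4769 '2019-11-20T09:10:05Z' @{ TargetUserName='bob@DOMAIN1.SMTHNG'; ServiceName='svc-backup'; TicketEncryptionType='0x17'; TicketOptions='0x40810000'; IpAddress='::ffff:10.0.0.15'; TransmittedServices='-' }
    New-SampleEvent 5145 '2019-11-20T09:15:30Z' @{ SubjectUserName='WS07$'; SubjectDomainName='DOMAIN1'; ShareName='\\*\IPC$'; RelativeTargetName='spoolss'; IpAddress='10.0.0.33' }
)

Find-DelegationAbuse $SampleEvents | Format-Table -AutoSize -Wrap
```

On the sample set the first record produces nothing, the second is reported as an S4U2Self candidate, the third as a high-severity S4U2Proxy chain (svc-sharepoint acting as Administrator towards MSSQL), the fourth as a roasting candidate and the fifth as a PrinterBug coercion candidate. The timestamp and source-IP analysis the slides call for is the baseline that decides whether an S4U chain is a legitimate middle tier or an attacker: the same TransmittedServices value from the same server IP every day is normal, the first one ever in the name of a domain admin is not.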
Summary
All forms of delegation are potentially dangerous if not configured correctly.
@harmj0y
Links
posts.specterops.io
shenaniganslabs.io
adsecurity.org
harmj0y.net
dirkjanm.io
Questions?