Author: Nairuz Abulhul
Blog: R3dbuck3t
Constrained Delegation Overview
<aside>
Constrained delegation allows an application to impersonate a user or computer account to access specific allowed services on behalf of the authenticated user.
</aside>
Steps to abuse constrained delegation assigned to a user/computer account
- Compromise the password or password hash of the delegated account (the one set to "Trust this user/computer for delegation to specified services only").
- Request a Service Ticket for any user, such as Administrator.
- Access the resource/app with that user's Service Ticket.
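Added example (not from the original post): a Python audit, written from the defender's side of the steps above, that reads exported account records and reports which accounts carry constrained delegation and which privileged users are not shielded from being impersonated through it. The record layout, field names and sample accounts are assumptions constructed for illustration; the `userAccountControl` bit values are the documented ones.

```python
# Audit exported AD account records for constrained delegation exposure.
# Record layout and all sample accounts are constructed for this example.

NORMAL_ACCOUNT = 0x200
WORKSTATION_TRUST_ACCOUNT = 0x1000
NOT_DELEGATED = 0x100000                    # "Account is sensitive and cannot be delegated"
TRUSTED_TO_AUTH_FOR_DELEGATION = 0x1000000  # "Use any authentication protocol"

SAMPLE_ACCOUNTS = [  # constructed sample data
    {"sam": "websvc", "uac": NORMAL_ACCOUNT | TRUSTED_TO_AUTH_FOR_DELEGATION,
     "delegate_to": ["CIFS/fs01.corp.example", "CIFS/fs01"],
     "privileged": False, "protected_user": False},
    {"sam": "APP01$", "uac": WORKSTATION_TRUST_ACCOUNT,
     "delegate_to": ["HTTP/intranet.corp.example"],
     "privileged": False, "protected_user": False},
    {"sam": "Administrator", "uac": NORMAL_ACCOUNT, "delegate_to": [],
     "privileged": True, "protected_user": False},
    {"sam": "da-alice", "uac": NORMAL_ACCOUNT | NOT_DELEGATED, "delegate_to": [],
     "privileged": True, "protected_user": False},
    {"sam": "da-bob", "uac": NORMAL_ACCOUNT, "delegate_to": [],
     "privileged": True, "protected_user": True},
]

def delegation_accounts(accounts):
    """Accounts trusted for delegation to specified services only
    (msDS-AllowedToDelegateTo is populated)."""
    found = []
    for acct in accounts:
        if acct["delegate_to"]:
            found.append({
                "sam": acct["sam"],
                # With protocol transition the service needs no prior Kerberos
                # logon from the user it acts for, so its secret is worth more.
                "protocol_transition": bool(acct["uac"] & TRUSTED_TO_AUTH_FOR_DELEGATION),
                "services": sorted(acct["delegate_to"]),
            })
    return found

def unshielded_privileged(accounts):
    """Privileged accounts a delegated service could still act for: neither
    flagged NOT_DELEGATED nor a member of Protected Users."""
    return [a["sam"] for a in accounts
            if a["privileged"]
            and not a["uac"] & NOT_DELEGATED
            and not a["protected_user"]]

if __name__ == "__main__":
    for entry in delegation_accounts(SAMPLE_ACCOUNTS):
        print(entry)
    print("privileged accounts open to delegation:", unshielded_privileged(SAMPLE_ACCOUNTS))
```

Accounts listed by `unshielded_privileged` are the ones to mark as sensitive or move into Protected Users; accounts with `protocol_transition` set deserve the strongest credential hygiene.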
Tools
- PowerView Dev Script
- AD Module
- Rubeus
- Kekeo
- Invoke-Mimikatz
Finding Delegation Accounts