This note documents detection patterns related to Constrained Delegation Abuse within Active Directory environments.
Direct Indicators
| Log | Event ID | Meaning | Forensic Value | Notes |
|---|---|---|---|---|
| Security | 4769 | Kerberos service ticket request (TGS) | Critical | Key signal for S4U abuse. Review ServiceName, TargetUserName, TicketOptions, and ClientAddress. Look for unusual services requesting tickets on behalf of users. |
| Security | 4768 | Kerberos TGT request | High | Initial authentication event before service ticket requests. Useful for identifying the original source system. |
| Security | 4624 | Successful logon | High | LogonType 3 or 9 may appear when service tickets are used for lateral movement. Check the Transited Services field, which is populated when the ticket came through delegation. |
| Security | 4672 | Special privileges assigned | Medium | Privileged account usage following delegation abuse. |
| Security | 4688 | Process creation | High | Execution of tools capable of abusing constrained delegation such as Rubeus or Kekeo. |
| Sysmon | 1 | Process creation | Critical | Look for command lines containing s4u, rubeus, or ticket manipulation utilities. |
| Sysmon | 3 | Network connection | Medium | Kerberos traffic between attacker host and domain controller during ticket requests. |
Indirect Indicators
| Indicator | What To Look For | Forensic Value | Notes |
|---|---|---|---|
| S4U2Self usage | Service requesting a ticket for a user without that user authenticating | Critical | Common step in constrained delegation abuse. |
| S4U2Proxy ticket requests | Service requesting service tickets to other services on behalf of a user | Critical | Indicates potential delegation abuse. |
| Service account impersonation | Service account requesting tickets for privileged users | High | Suspicious if the service normally handles only specific accounts. |
| Unusual service-to-service authentication | Service requesting tickets to systems it rarely interacts with | High | Indicates lateral movement attempt. |
| Ticket reuse | Kerberos tickets reused across multiple hosts shortly after issuance | High | May indicate attacker using delegated tickets for pivoting. |
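The indirect indicators above, together with the 4768/4769 rows of the direct-indicator table, can be checked mechanically by correlating TGT and TGS events. The Python below is an added example, not part of the original note: the event records, the privileged-user list, the baseline of back-end services each delegating SPN normally reaches, and the time windows are all constructed. Field names follow the Security 4768/4769 events (TargetUserName, ServiceName, IpAddress for the client address column in the tables above, TransmittedServices), where TransmittedServices is populated only when the service ticket was obtained through delegation.

```python
"""Correlate constructed 4768/4769 records against the indirect indicators.

Added example; records, baselines and thresholds are constructed, not real telemetry.
"""
from collections import defaultdict
from datetime import datetime, timedelta

PRIVILEGED_USERS = {"Administrator", "da_admin"}          # constructed
# Constructed baseline: back-end SPNs each delegating (front-end) SPN is normally seen reaching.
OBSERVED_BACKENDS = {"HTTP/web01.corp.local": {"CIFS/file01.corp.local"}}
TGT_LIFETIME = timedelta(hours=10)   # default maximum TGT lifetime: a 4769 whose client
                                     # has no 4768 inside this window is S4U2Self-like
REUSE_WINDOW = timedelta(minutes=5)  # same identity/service from a second host this fast

# Constructed records (ISO timestamps). TransmittedServices names the front-end SPN
# that requested the ticket on the user's behalf; it is empty for ordinary requests.
EVENTS = [
    {"time": "2024-03-01T09:00:00", "EventID": 4768, "TargetUserName": "jdoe",
     "IpAddress": "10.0.0.21"},
    {"time": "2024-03-01T09:00:02", "EventID": 4769, "TargetUserName": "jdoe",
     "ServiceName": "HTTP/web01.corp.local", "IpAddress": "10.0.0.21",
     "TransmittedServices": ""},
    # expected constrained delegation: web01 reaches file01 as jdoe
    {"time": "2024-03-01T09:00:03", "EventID": 4769, "TargetUserName": "jdoe",
     "ServiceName": "CIFS/file01.corp.local", "IpAddress": "10.0.0.50",
     "TransmittedServices": "HTTP/web01.corp.local"},
    # Administrator never obtained a TGT from web01's host, yet a TGS appears for them
    {"time": "2024-03-01T09:10:00", "EventID": 4769, "TargetUserName": "Administrator",
     "ServiceName": "HTTP/web01.corp.local", "IpAddress": "10.0.0.50",
     "TransmittedServices": ""},
    # delegation to a back-end web01 never talks to, for a privileged user
    {"time": "2024-03-01T09:10:01", "EventID": 4769, "TargetUserName": "Administrator",
     "ServiceName": "CIFS/dc01.corp.local", "IpAddress": "10.0.0.50",
     "TransmittedServices": "HTTP/web01.corp.local"},
    # the same delegated identity/service pair shows up from a second host two minutes later
    {"time": "2024-03-01T09:12:00", "EventID": 4769, "TargetUserName": "Administrator",
     "ServiceName": "CIFS/dc01.corp.local", "IpAddress": "10.0.0.77",
     "TransmittedServices": "HTTP/web01.corp.local"},
]


def _when(event):
    return datetime.fromisoformat(event["time"])


def analyze(events):
    """Return (indicator, TargetUserName, ServiceName, IpAddress) findings."""
    events = sorted(events, key=_when)
    findings = []

    # Index TGT requests: (user, client address) -> times, to answer "did this user
    # authenticate from this host before the service ticket was issued?"
    tgt_seen = defaultdict(list)
    for e in events:
        if e["EventID"] == 4768:
            tgt_seen[(e["TargetUserName"], e["IpAddress"])].append(_when(e))

    issued = defaultdict(list)  # (user, service) -> [(time, client address)]
    for e in events:
        if e["EventID"] != 4769:
            continue
        now = _when(e)
        user, svc, ip = e["TargetUserName"], e["ServiceName"], e["IpAddress"]
        front_end = e.get("TransmittedServices", "")

        if front_end:  # ticket came through delegation (S4U2Proxy path)
            if user in PRIVILEGED_USERS:
                findings.append(("privileged user impersonated via delegation", user, svc, ip))
            if svc not in OBSERVED_BACKENDS.get(front_end, set()):
                findings.append(("delegation to unusual back-end service", user, svc, ip))
        else:          # direct request: expect a 4768 for this user from this client first
            had_tgt = any(t0 <= now <= t0 + TGT_LIFETIME for t0 in tgt_seen[(user, ip)])
            if not had_tgt:
                findings.append(("TGS without prior TGT from this client (S4U2Self-like)",
                                 user, svc, ip))

        # ticket reuse: same identity/service issued to a different client within REUSE_WINDOW
        for t0, ip0 in issued[(user, svc)]:
            if ip0 != ip and now - t0 <= REUSE_WINDOW:
                findings.append(("ticket reuse across hosts", user, svc, ip))
                break
        issued[(user, svc)].append((now, ip))
    return findings


if __name__ == "__main__":
    for finding in analyze(EVENTS):
        print(finding)
```

Each rule maps to one row of the table: the delegation branch covers S4U2Proxy requests and service-account impersonation, the back-end baseline covers unusual service-to-service authentication, the missing-TGT check covers S4U2Self, and the address comparison covers ticket reuse. On the constructed input only the Administrator records are flagged; jdoe's ordinary logon and expected delegation produce nothing.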
Common Tools
| Tool | Usage |
|---|---|
| Rubeus | Performs S4U2Self and S4U2Proxy requests to impersonate users via constrained delegation. |
| Kekeo | Kerberos toolkit capable of manipulating tickets and abusing delegation. |
| Mimikatz | Used for ticket extraction and manipulation after delegation abuse. |
| Impacket | Includes scripts capable of leveraging delegated credentials. |
| Cobalt Strike | Often used to execute Kerberos ticket abuse modules. |
Relevant Artifacts
- Domain controller Security logs (4768, 4769, 4624)
- Sysmon logs (1, 3)
- Kerberos operational logs
- Service account configuration within AD
- Delegation configuration attributes (msDS-AllowedToDelegateTo)
- EDR telemetry showing suspicious Kerberos tooling
- Prefetch artifacts showing execution of ticket manipulation tools
- MFT artifacts indicating tool deployment
MITRE ATT&CK References
- T1558 Steal or Forge Kerberos Tickets
- T1550 Use Alternate Authentication Material
- T1078 Valid Accounts
Decision Tree
- Is the suspicious event present?
  - Identify unusual 4769 service ticket requests involving service accounts.
- What host generated the event?
  - Determine whether the request originated from a system configured for constrained delegation.
- Is the account expected to perform this action?
  - Verify whether the service account normally impersonates users.
- Pivot:
  - Source host → inspect process execution and command lines.
  - Account → review delegation configuration (msDS-AllowedToDelegateTo).
  - Network → identify lateral movement using delegated tickets.
- Confirm exploitation
  - Determine whether the attacker used delegated tickets to authenticate to other systems.
Example Detection Templates
KQL
```kusto
SecurityEvent
| where EventID == 4769
| summarize count() by ServiceName, TargetUserName, ClientAddress, bin(TimeGenerated, 5m)
| order by count_ desc
```

```kusto
SecurityEvent
| where EventID == 4769
| where ServiceName contains "HOST" or ServiceName contains "CIFS"
| project TimeGenerated, TargetUserName, ServiceName, ClientAddress
```
EQL
```eql
process where process.command_line like "*s4u*" or process.name in ("rubeus.exe", "kekeo.exe")
```
Sigma
```yaml
title: Suspicious Kerberos S4U Delegation Activity
id: constrained-delegation-abuse
status: experimental
description: Detects potential abuse of constrained delegation via Kerberos S4U requests
logsource:
  product: windows
  service: security
detection:
  selection:
    EventID: 4769
  condition: selection
fields:
  - ServiceName
  - TargetUserName
  - ClientAddress
falsepositives:
  - Legitimate delegation by application servers
level: medium
tags:
  - attack.credential_access
  - attack.t1558
```
Splunk
```spl
index=main earliest=1690544553 latest=1690562556 source="WinEventLog:Microsoft-Windows-PowerShell/Operational" EventCode=4104 Message="*msDS-AllowedToDelegateTo*"
| table _time, ComputerName, EventCode, Message
```
Mitigation & Hardening
| Control Area | Mitigation | Effectiveness | Notes |
|---|---|---|---|
| Delegation configuration | Restrict services allowed in msDS-AllowedToDelegateTo | High | Reduces potential abuse paths. |
| Privileged account protection | Prevent privileged accounts from being impersonated by services | High | Reduces privilege escalation risk. |
| Service account monitoring | Alert on unusual ticket requests made by service accounts | High | Detects potential impersonation attempts. |
| Credential protection | Enable Credential Guard and LSASS protection | High | Reduces ticket extraction opportunities. |
| AD auditing | Regularly audit constrained delegation settings | High | Helps identify misconfigurations. |
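The "Account" pivot in the decision tree and the delegation-configuration, privileged-account and AD-auditing rows above all come down to reading the same attributes: msDS-AllowedToDelegateTo and the delegation bits of userAccountControl. The Python below is an added example, not part of the original note: the account records, the Tier-0 host list, the privileged-account list and the Protected Users membership are constructed, as if exported from a directory query, while the userAccountControl bit values are the documented Windows ones. It also reports unconstrained delegation, which the note does not cover, since the same audit surfaces it for free.

```python
"""Audit constructed AD account records for risky delegation settings.

Added example; account records, host lists and group memberships are constructed.
"""
# userAccountControl bits (documented Windows values)
TRUSTED_FOR_DELEGATION = 0x80000             # unconstrained delegation
NOT_DELEGATED = 0x100000                     # "Account is sensitive and cannot be delegated"
TRUSTED_TO_AUTH_FOR_DELEGATION = 0x1000000   # protocol transition ("use any authentication protocol")
NORMAL_ACCOUNT = 0x200

TIER0_HOSTS = {"dc01.corp.local", "dc02.corp.local"}              # constructed
PRIVILEGED_ACCOUNTS = {"Administrator", "da_admin", "sec_admin"}  # constructed
PROTECTED_USERS = {"da_admin"}                                     # constructed group membership

# Constructed LDAP-style records; msDS-AllowedToDelegateTo holds the back-end SPNs.
ACCOUNTS = [
    {"sAMAccountName": "svc_web", "userAccountControl": NORMAL_ACCOUNT,
     "msDS-AllowedToDelegateTo": ["CIFS/file01.corp.local"]},
    {"sAMAccountName": "svc_report",
     "userAccountControl": NORMAL_ACCOUNT | TRUSTED_TO_AUTH_FOR_DELEGATION,
     "msDS-AllowedToDelegateTo": ["CIFS/dc01.corp.local", "LDAP/dc01.corp.local"]},
    {"sAMAccountName": "svc_legacy",
     "userAccountControl": NORMAL_ACCOUNT | TRUSTED_FOR_DELEGATION,
     "msDS-AllowedToDelegateTo": []},
    {"sAMAccountName": "Administrator", "userAccountControl": NORMAL_ACCOUNT,
     "msDS-AllowedToDelegateTo": []},
    {"sAMAccountName": "da_admin", "userAccountControl": NORMAL_ACCOUNT,
     "msDS-AllowedToDelegateTo": []},
    {"sAMAccountName": "sec_admin", "userAccountControl": NORMAL_ACCOUNT | NOT_DELEGATED,
     "msDS-AllowedToDelegateTo": []},
]


def spn_host(spn):
    """'CIFS/dc01.corp.local' or 'HTTP/web01.corp.local:8080@REALM' -> 'dc01.corp.local'."""
    host = spn.split("/", 1)[1] if "/" in spn else spn
    return host.split(":")[0].split("@")[0].lower()


def audit(accounts):
    """Return (sAMAccountName, finding) pairs for the checks in the mitigation table."""
    findings = []
    for acct in accounts:
        name, uac = acct["sAMAccountName"], acct["userAccountControl"]
        targets = acct.get("msDS-AllowedToDelegateTo", [])

        if uac & TRUSTED_FOR_DELEGATION:
            findings.append((name, "unconstrained delegation enabled"))

        # Protocol transition lets the service obtain a ticket for any user via S4U2Self
        # without that user authenticating, so constrained delegation becomes far riskier.
        if targets and uac & TRUSTED_TO_AUTH_FOR_DELEGATION:
            findings.append((name, "constrained delegation with protocol transition"))

        # Delegation targets on Tier-0 hosts turn the service account into a path to the DC.
        for spn in targets:
            if spn_host(spn) in TIER0_HOSTS:
                findings.append((name, f"delegation target on Tier-0 host: {spn}"))

        # Privileged accounts should not be delegatable at all: either the NOT_DELEGATED
        # bit is set or the account is in Protected Users, which blocks delegation.
        if (name in PRIVILEGED_ACCOUNTS and not uac & NOT_DELEGATED
                and name not in PROTECTED_USERS):
            findings.append((name, "privileged account can be impersonated via delegation"))
    return findings


if __name__ == "__main__":
    for finding in audit(ACCOUNTS):
        print(*finding, sep=": ")
```

On the constructed data svc_web passes (plain constrained delegation to a file server), svc_report is flagged three times (protocol transition plus two Tier-0 targets), svc_legacy for unconstrained delegation, and Administrator because nothing prevents services from delegating its identity; da_admin and sec_admin pass because Protected Users membership and the NOT_DELEGATED bit respectively make them non-delegatable.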