This note documents detection patterns related to Unconstrained Delegation Abuse within Active Directory environments.
Direct Indicators
| Log | Event ID | Meaning | Forensic Value | Notes |
|---|---|---|---|---|
| Security | 4769 | Kerberos service ticket request (TGS) | Critical | Used to identify service ticket requests involving hosts configured for unconstrained delegation. Review ServiceName, TicketOptions, ClientAddress, and AccountName. |
| Security | 4768 | Kerberos TGT request | High | When a user authenticates to a system configured with unconstrained delegation, the user's TGT is forwarded to that system. |
| Security | 4624 | Successful logon | Critical | LogonType 3 or 10 to a host configured with unconstrained delegation may result in TGT caching on that host. |
| Security | 4672 | Special privileges assigned | Medium | Privileged sessions authenticating to delegation-enabled hosts are high risk. |
| Security | 4688 | Process creation | High | Look for execution of tools extracting Kerberos tickets from memory such as mimikatz or Rubeus. |
| Sysmon | 1 | Process creation | Critical | Execution of credential dumping or ticket extraction utilities on delegation-enabled systems. |
| Sysmon | 10 | Process access | High | Processes accessing LSASS memory to extract delegated TGTs. |
Indirect Indicators
| Indicator | What To Look For | Forensic Value | Notes |
|---|---|---|---|
| Authentication to delegation-enabled host | Users authenticating to systems where TrustedForDelegation is enabled | Critical | These systems store forwarded TGTs that attackers can steal. |
| Privileged account logon | Domain admin or high privilege account logging into unconstrained delegation host | Critical | Attackers target these hosts to capture privileged TGTs. |
| Ticket extraction activity | Execution of tools capable of reading Kerberos tickets from LSASS | High | Indicates attacker harvesting delegated credentials. |
| Kerberos ticket reuse | TGT reuse from another system shortly after authentication | High | Evidence attacker extracted ticket and reused it for lateral movement. |
| Unusual service activity | Services authenticating on behalf of users unexpectedly | Medium | May indicate abuse of delegated credentials. |
Common Tools
| Tool | Usage |
|---|---|
| Mimikatz | Extracts Kerberos tickets from LSASS memory on delegation-enabled systems. |
| Rubeus | Used to dump, monitor, and reuse Kerberos tickets captured from delegated sessions. |
| Kekeo | Kerberos ticket manipulation and extraction tool. |
| Cobalt Strike | Often used to execute ticket harvesting modules on compromised hosts. |
Relevant Artifacts
- Domain controller Security logs (4768, 4769, 4624)
- Sysmon logs (1, 10)
- LSASS memory artifacts containing Kerberos tickets
- Kerberos operational logs
- EDR telemetry identifying ticket extraction tools
- Prefetch artifacts showing execution of credential extraction utilities
- MFT artifacts indicating tool deployment on delegation-enabled systems
MITRE ATT&CK References
- T1558 Steal or Forge Kerberos Tickets
- T1550 Use Alternate Authentication Material
- T1078 Valid Accounts
Decision Tree
- Is the suspicious event present?
  - Identify authentication events to hosts configured with unconstrained delegation.
- What host generated the event?
  - Determine if the host has the TrustedForDelegation flag enabled.
- Is the account expected to perform this action?
  - Privileged accounts logging into delegation-enabled hosts represent high risk.
- Pivot:
  - Source host → inspect LSASS access and process execution.
  - Account → determine whether Kerberos tickets were reused elsewhere.
  - Network → check for lateral movement using stolen tickets.
- Confirm exploitation
  - Investigate whether Kerberos tickets extracted from the host were used to authenticate to other systems.
Example Detection Templates
KQL
SecurityEvent
| where EventID == 4624
| where LogonType in (3,10)
| summarize count() by TargetUserName, Computer, WorkstationName, bin(TimeGenerated, 10m)
SecurityEvent
| where EventID == 4769
| summarize TGSRequests=count() by Account, ServiceName, ClientAddress, bin(TimeGenerated, 10m)
| order by TGSRequests desc
EQL
sequence by user.name with maxspan=10m
[ authentication where event.code == "4624" ]
[ process where process.name in ("mimikatz.exe","rubeus.exe") ]
Sigma
title: Kerberos Ticket Extraction on Delegation Host
id: unconstrained-delegation-abuse
status: experimental
description: Detects potential abuse of unconstrained delegation through credential dumping tools
logsource:
  product: windows
  category: process_creation
detection:
  selection:
    Image|contains:
      - "mimikatz"
      - "rubeus"
  condition: selection
fields:
  - Image
  - CommandLine
falsepositives:
  - Security testing tools
level: high
tags:
  - attack.credential_access
  - attack.t1558
Splunk
index=main earliest=1690544538 latest=1690544540 source="WinEventLog:Microsoft-Windows-PowerShell/Operational" EventCode=4104 (Message="*TrustedForDelegation*" OR Message="*userAccountControl:1.2.840.113556.1.4.803:=524288*") | table _time, ComputerName, EventCode, Message
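The decision tree and the EQL/Sigma templates above can be combined into one correlation: a LogonType 3/10 logon to a delegation-enabled host caches a forwardable TGT there, so a ticket-extraction tool starting on that same host within the sequence window exposes every account that logged on in that window. The script below is an added example, not part of the original note; it correlates by host rather than by user (the tool usually runs under the attacker's account, not the victim's), and the delegation host list, privileged account list and event records are constructed samples.

```python
from datetime import datetime, timedelta

# Assumed inputs (constructed, not from the note): hosts an AD audit found with
# TrustedForDelegation set, and the privileged accounts that must never log on there.
DELEGATION_HOSTS = {"WEB01"}
PRIVILEGED = {"CORP\\da_admin"}
TICKET_TOOLS = ("mimikatz", "rubeus", "kekeo")   # mirrors the Sigma Image|contains list
MAXSPAN = timedelta(minutes=10)                  # mirrors the EQL maxspan

# Constructed sample events, already normalised from Security 4624 / 4688 records.
EVENTS = [
    {"ts": "2024-05-01T09:00:00", "id": 4624, "host": "WEB01", "user": "CORP\\da_admin", "logon_type": 10},
    {"ts": "2024-05-01T09:04:30", "id": 4688, "host": "WEB01", "user": "CORP\\svc_web", "image": "C:\\Temp\\Rubeus.exe"},
    {"ts": "2024-05-01T09:30:00", "id": 4624, "host": "FILE02", "user": "CORP\\jdoe", "logon_type": 3},
    {"ts": "2024-05-01T09:31:00", "id": 4688, "host": "FILE02", "user": "CORP\\jdoe", "image": "C:\\Windows\\notepad.exe"},
]

def parse(ts):
    return datetime.fromisoformat(ts)

def is_ticket_tool(image):
    """Case-insensitive substring match on the image file name, like Sigma's Image|contains."""
    name = image.rsplit("\\", 1)[-1].lower()
    return any(tool in name for tool in TICKET_TOOLS)

def correlate(events, delegation_hosts=DELEGATION_HOSTS, privileged=PRIVILEGED, maxspan=MAXSPAN):
    """Walk the decision tree: network/RDP logon to a delegation host, privilege of the
    account, then a ticket-extraction process on the same host within maxspan."""
    alerts = []
    cached = []  # 4624s to delegation hosts: each one leaves a forwarded TGT in LSASS
    for ev in sorted(events, key=lambda e: e["ts"]):
        if ev["id"] == 4624 and ev["host"] in delegation_hosts and ev["logon_type"] in (3, 10):
            cached.append(ev)
            if ev["user"] in privileged:
                alerts.append(("PRIVILEGED_LOGON_TO_DELEGATION_HOST", ev["host"], ev["user"]))
        elif ev["id"] == 4688 and is_ticket_tool(ev["image"]):
            # Accounts whose TGT was cached on this host inside the sequence window
            exposed = sorted({c["user"] for c in cached
                              if c["host"] == ev["host"]
                              and timedelta(0) <= parse(ev["ts"]) - parse(c["ts"]) <= maxspan})
            alerts.append(("TICKET_TOOL_EXECUTION", ev["host"], tuple(exposed)))
    return alerts

if __name__ == "__main__":
    for alert in correlate(EVENTS):
        print(alert)
```

An empty exposed tuple still fires, since a ticket tool on any host is worth a look; a non-empty one names the accounts whose tickets should be treated as stolen and whose later 4624/4769 activity elsewhere should be reviewed.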
Mitigation & Hardening
| Control Area | Mitigation | Effectiveness | Notes |
|---|---|---|---|
| Delegation configuration | Remove unconstrained delegation from systems where not required | Critical | Primary defense against this attack. |
| Privileged account restrictions | Prevent admin accounts from logging into delegation-enabled hosts | High | Reduces risk of privileged ticket theft. |
| Monitoring | Alert when privileged accounts authenticate to delegation-enabled systems | High | Early detection of high-risk authentication. |
| Credential protection | Enable Credential Guard and LSASS protections | High | Reduces ability to extract Kerberos tickets. |
| Active Directory auditing | Audit accounts and systems with TrustedForDelegation enabled | High | Identify and reduce attack surface. |