#UnconstrainedDelegation

Sharphound: "MATCH (c:Computer {unconstraineddelegation:true}) return c". Find all those boxes and use them for Print Spooler fun!

As a reminder, if you have a machine with #UnconstrainedDelegation, you can compromise the whole domain thanks to #PetitPotam just like you did with #PrintSpooler service. (1/6)

🏰 Domain Escalation via Unconstrained Delegation: What You Must Know 🧠⚔️ #ActiveDirectory #UnconstrainedDelegation #DomainEscalation #CyberSecurityTraining #RedTeamLabs #EthicalHacking #Kerberos #InfoSec #EducationOnly #ADSecurity #PostExploitation

Après avoir présenté la #délégation #kerberos, voici un nouvel article expliquant les risques associés à la délégation sans contrainte (#unconstraineddelegation) avec un exemple concret pour bien saisir les conséquences de cette fonctionnalité. 🙃 https://t.co/q4HAYoTb27

(2/2) MATCH (dc:Computer)-[:MemberOf*1..]->(g:Group) WHERE g.objectsid ENDS WITH "516" WITH COLLECT(dc) as domainControllers MATCH p = (d:Domain)-[:Contains*1..]->(c:Computer {unconstraineddelegation:true}) WHERE NOT c in domainControllers RETURN COUNT(p)

Download a dedicated Rule Pack for #ELKStack to identify red flags of the possible unconstrained delegation attack against your company infrastructure. https://t.co/KrM6rFIOZH #UnconstrainedDelegation #SecOps #cybersecurity #SOC @elastic

MATCH (c1:Computer)-[:MemberOf*1..]->(g:Group) WHERE g.objectid ENDS WITH '-516' WITH COLLECT( https://t.co/behtbhBfXo) AS domainControllers MATCH (c2:Computer {unconstraineddelegation:true}) WHERE NOT https://t.co/QQMQuBP2vd IN domainControllers RETURN c2 Mark as high value.

// Unconstrained Delegation MATCH (c {unconstraineddelegation:true}) return c // Constrained Delegation (with Protocol Transition) MATCH (c) WHERE NOT c.allowedtodelegate IS NULL AND c.trustedtoauth=true return c

https://t.co/GVOnYS8tuD

#UnconstrainedDelegation Allows a service(helpdesk staff) to impersonate a user and access any resource on behalf of specific service(Account Operator). Now helpdesk can create, modify, and delete accounts since there is no constrain

MATCH (dc:Computer)-[:MemberOf*1..]->(g:Group) WHERE g.objectsid ENDS WITH "516" WITH COLLECT(dc) as domainControllers MATCH p = (d:Domain)-[:Contains*1..]->(c:Computer {unconstraineddelegation:true}) WHERE NOT c in domainControllers SET c.highvalue = true RETURN c 2/3

Download a dedicated Rule Pack for #ELKStack from Threat Detection Marketplace to identify red flags of the possible unconstrained delegation attack against your company infrastructure. https://t.co/KrM6rFIOZH #UnconstrainedDelegation #SecOps #cybersecurity #SOC @elastic

#evasiontechniquesandbreachingdefenses #UnconstrainedDelegation #ActiveDirectory #Pentesting #RedTeaming #Pass-the-Ticket #Kerberos #TrustRelationship https://t.co/EjOrin9Gm2