Unconstrained delegation is a privilege that can be assigned to a domain computer or a user through an Active Directory feature. With unconstrained delegation enabled, a computer (or a user) can impersonate any other account on the network. This level of privilege is typically required for computers running IIS, MSSQL, or similar services, which need access to a set of back-end databases so that they can read and modify those databases on behalf of authenticated users. In particular, when a user opens a web application hosted on the server, the application can impersonate the user's credentials to access required resources hosted on a different server, such as the database. When the user authenticates, the user's TGT is saved in the server's memory and is reused to impersonate the authenticated user whenever access to any other service is required, with no re-authentication requested. As a result, any domain computer with unconstrained delegation privileges can impersonate user credentials to any service in the domain.
Adversaries consider servers trusted for unconstrained delegation a valuable target because compromising a single such server enables compromise of the entire domain. Hackers usually carry out unconstrained delegation attacks by stealing the cached TGTs with the help of Credential Access techniques. They then typically leverage PowerShell and Mimikatz to dump and reuse credentials from LSASS, export all private certificates, and escalate privileges to obtain the highest rights on the remote instance.
To secure your organizational network, avoid unconstrained delegation within your infrastructure, reconfigure it as constrained delegation, and limit the service delegation trust. To power up your protections, leverage this Unconstrained Delegation Attack Detection Rule Pack for ELK Stack, which identifies red flags of possible unconstrained delegation abuse within your network.
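As an added example (not code from the original post or from the rule pack it describes), the following script audits which non-DC accounts in the domain are trusted for unconstrained delegation and then applies the reconfiguration to constrained delegation recommended above, using the RSAT ActiveDirectory module. The computer name WEB01 and the SPN MSSQLSvc/db01.corp.example:1433 are placeholders.

```powershell
# Added example: audit and remediate unconstrained delegation with the RSAT
# ActiveDirectory module. Account names and SPNs below are placeholders.
Import-Module ActiveDirectory

# userAccountControl bit 0x80000 (524288) = TRUSTED_FOR_DELEGATION.
# 1.2.840.113556.1.4.803 is the LDAP bitwise-AND matching rule.
$uncFilter = '(userAccountControl:1.2.840.113556.1.4.803:=524288)'

# Domain controllers legitimately carry this flag; exclude them from findings.
$dcDNs = (Get-ADDomainController -Filter *).ComputerObjectDN

function Get-UnconstrainedDelegationFindings {
    $computers = Get-ADComputer -LDAPFilter $uncFilter -Properties ServicePrincipalName |
        Where-Object { $dcDNs -notcontains $_.DistinguishedName } |
        Select-Object @{n='Account';e={$_.SamAccountName}},
                      @{n='Type';e={'Computer'}}, DistinguishedName
    $users = Get-ADUser -LDAPFilter $uncFilter |
        Select-Object @{n='Account';e={$_.SamAccountName}},
                      @{n='Type';e={'User'}}, DistinguishedName
    @($computers) + @($users)
}

# Remediation for one reviewed finding: drop unconstrained delegation and allow
# delegation only to the specific back-end SPN the front end actually needs.
function Convert-ToConstrainedDelegation {
    param([string]$FrontEnd, [string]$BackEndSpn)
    Set-ADComputer -Identity $FrontEnd -TrustedForDelegation $false
    Set-ADComputer -Identity $FrontEnd -Add @{'msDS-AllowedToDelegateTo' = $BackEndSpn}
}

# Keep privileged accounts out of any delegation path: marking them "sensitive and
# cannot be delegated" means a delegating server never receives a usable ticket for them.
function Protect-PrivilegedUsersFromDelegation {
    Get-ADGroupMember -Identity 'Domain Admins' |
        Where-Object objectClass -eq 'user' |
        ForEach-Object { Set-ADUser -Identity $_.SamAccountName -AccountNotDelegated $true }
}

Get-UnconstrainedDelegationFindings | Format-Table -AutoSize

# Run the remediation steps only after reviewing the findings above (placeholder names):
# Convert-ToConstrainedDelegation -FrontEnd 'WEB01' -BackEndSpn 'MSSQLSvc/db01.corp.example:1433'
# Protect-PrivilegedUsersFromDelegation
```

The audit query is the same check the detection rules are meant to back up at runtime: any account outside the DC set appearing in its output is a candidate for the reconfiguration shown.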