Thanks for the post. Some thoughts about MDI detection with constrained delegation. Maybe you've got some answers.
The topic is Service for User (S4U) detection. Attackers can use enumeration to identify accounts for which constrained delegation has been enabled. They can then target those accounts and take advantage of features of the S4U constrained delegation extensions to facilitate lateral movement and privilege escalation within a targeted environment.
With access to a constrained delegation account and that account’s plaintext password or NTLM hash, for example, attackers can use tools such as Kekeo to request a Kerberos TGT, execute an S4U TGS request and access the target service.
While it can limit the attack with a sensitive account, it still cannot detect attacks that take advantage of constrained delegation.
The "account is sensitive and cannot be delegated" setting can detect only a few artifacts / half of the attack. Do you know when MDI can detect the complete constrained delegation attack?
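The comment above distinguishes between limiting the S4U attack (marking high-value accounts as sensitive, which makes them non-impersonable through S4U2Proxy) and detecting it. The following added example, which is not part of this thread or of MDI, shows the configuration-side audit a defender would run before relying on that flag: it reads the `userAccountControl` and `msDS-AllowedToDelegateTo` attributes of constructed sample accounts, classifies each account's delegation type (constrained, constrained with protocol transition, unconstrained), and lists which high-value accounts are still impersonable because they lack the NOT_DELEGATED bit. The bit values are the documented `userAccountControl` flags; the account records, names and service principal names are constructed for the example.

```python
"""Audit Kerberos delegation settings for the S4U exposure described above.

The records below are constructed sample data shaped like the AD attributes
userAccountControl and msDS-AllowedToDelegateTo; they are not from a real domain.
"""

# Documented userAccountControl bits relevant to delegation.
TRUSTED_FOR_DELEGATION = 0x80000          # unconstrained delegation
NOT_DELEGATED = 0x100000                  # "account is sensitive and cannot be delegated"
TRUSTED_TO_AUTH_FOR_DELEGATION = 0x1000000  # protocol transition (S4U2Self with any auth)
NORMAL_ACCOUNT = 0x200
WORKSTATION_TRUST_ACCOUNT = 0x1000

# Constructed sample accounts (hypothetical names and SPNs).
SAMPLE_ACCOUNTS = [
    {"sam": "svc-web$", "uac": WORKSTATION_TRUST_ACCOUNT | TRUSTED_TO_AUTH_FOR_DELEGATION,
     "allowedToDelegateTo": ["cifs/fileserver.corp.example", "ldap/dc01.corp.example"]},
    {"sam": "svc-app", "uac": NORMAL_ACCOUNT,
     "allowedToDelegateTo": ["http/intranet.corp.example"]},
    {"sam": "svc-backup", "uac": NORMAL_ACCOUNT | TRUSTED_FOR_DELEGATION,
     "allowedToDelegateTo": []},
    {"sam": "domainadmin", "uac": NORMAL_ACCOUNT | NOT_DELEGATED,
     "allowedToDelegateTo": []},
    {"sam": "helpdesk", "uac": NORMAL_ACCOUNT,
     "allowedToDelegateTo": []},
]


def is_protected_from_delegation(uac: int) -> bool:
    """True when the sensitive flag blocks S4U2Proxy impersonation of this account."""
    return bool(uac & NOT_DELEGATED)


def delegation_risk(account: dict) -> str:
    """Classify what kind of delegation an account can perform."""
    uac = account["uac"]
    targets = account.get("allowedToDelegateTo", [])
    if uac & TRUSTED_FOR_DELEGATION:
        return "unconstrained"
    if targets and uac & TRUSTED_TO_AUTH_FOR_DELEGATION:
        # Protocol transition lets the account obtain a ticket for any
        # unprotected user via S4U2Self without that user's credentials.
        return "constrained-with-protocol-transition"
    if targets:
        return "constrained"
    return "none"


def audit_delegation(accounts: list, high_value: list) -> dict:
    """Summarise delegation exposure.

    Returns the delegating accounts with their risk class and target SPNs, plus
    the high-value accounts that are still impersonable through S4U because the
    NOT_DELEGATED bit is not set on them.
    """
    by_name = {a["sam"]: a for a in accounts}
    delegators = [
        {"sam": a["sam"], "risk": delegation_risk(a),
         "targets": list(a.get("allowedToDelegateTo", []))}
        for a in accounts
        if delegation_risk(a) != "none"
    ]
    unprotected = [
        name for name in high_value
        if name in by_name and not is_protected_from_delegation(by_name[name]["uac"])
    ]
    return {"delegators": delegators, "unprotected_high_value": unprotected}


if __name__ == "__main__":
    report = audit_delegation(SAMPLE_ACCOUNTS, ["domainadmin", "helpdesk"])
    for d in report["delegators"]:
        print(f"{d['sam']:<12} {d['risk']:<38} -> {', '.join(d['targets']) or '(any)'}")
    print("high-value accounts without NOT_DELEGATED:", report["unprotected_high_value"])
```

Run against the constructed data, the report separates the two halves of the problem the comment raises: the first list is the attack surface (which accounts, if compromised, can request S4U tickets and to which services), while the second list is where the sensitive flag actually applies. Setting NOT_DELEGATED on the accounts in the second list reduces what an S4U2Proxy request can obtain; it does not produce any event for the request itself, which is why the flag limits rather than detects the attack.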