Server with Unconstrained Delegation #28
Description
Neo4j Query with Blood Hound data:
MATCH (c1:Computer)-[:MemberOf*1..]->(g:Group) WHERE g.objectsid ENDS WITH '-516' WITH COLLECT(c1.name) AS domainControllers MATCH (c2:Computer {unconstraineddelegation:true}) WHERE NOT c2.name IN domainControllers RETURN c2.name,c2.operatingsystem ORDER BY c2.name ASC
Source: https://hausec.com/2019/09/09/bloodhound-cypher-cheatsheet/
Write up:
The following servers have “Unconstrained Delegation”. This means that if an attacker gained access to one of these servers with administrative rights, they can steal Kerberos tickets (specifically ‘Ticket-Granting-Tickets’ TGTs) that can be reused against the Domain Controllers or other systems. It is recommended that this permission be removed if possible, or the systems be protected as high value targets.