Detecting and Preventing Unconstrained Delegation Exploits in Active Directory
Active Directory environments become ripe targets when computer objects are misconfigured with unconstrained delegation. This configuration allows attackers to impersonate users—any user—by capturing their Ticket Granting Ticket (TGT) from the LSASS process of the delegating host once they’ve authenticated to it. It’s basically giving away the keys to the kingdom if you don’t lock it down.
When attackers create rogue computer objects using MachineAccountQuota (MAQ) abuse, they can configure those objects with unconstrained delegation. These rogue computers act like identity thieves, storing TGTs in memory for later use.
It gets worse: if a Domain Admin logs in to that host, their TGT sits in its memory like a golden ticket. One memory dump later, attackers can impersonate the admin, escalate privileges, and waltz across your network like they own the place.
The Print Spooler Gotcha
Attackers love the Domain Controller Print Spooler service. Why? Because they can coerce it to authenticate with its own computer account to a system they’ve set up with unconstrained delegation. Once it does, boom—they grab the Domain Controller’s TGT and use it to get full access.
This is the kind of trick that makes seasoned sysadmins lose sleep.
How to Mitigate Unconstrained Delegation Risk
To minimize exposure:
- Avoid unconstrained delegation entirely if possible.
- Prefer resource-based constrained delegation.
- Flag sensitive accounts as “Account is sensitive and cannot be delegated”.
- Add privileged users to the Protected Users group.
- Disable Print Spooler on Domain Controllers (it’s more liability than utility).
Event ID Detection Table
Centralized logging is your best friend. Monitor the following Event IDs to detect unusual behavior linked to unconstrained delegation abuse:
| Event ID | Source | Description |
|---|---|---|
| 4103 | PowerShell | Logs pipeline execution. Look for strange usage patterns (e.g., Rubeus scripts). |
| 4104 | PowerShell | Captures code/script execution. Unusual scripts? Red flag. |
| 4624 | Logon | Watch for odd logons—like users logging into computers they normally don’t. Source IP analysis is key. |
| 4688 | Process Creation | Tracks new processes. Common for LSASS dumps (e.g., `procdump.exe`, `rundll32`, `mimikatz`). |
| 4770 | Kerberos TGT Renewal | A renewed TGT can signal an attacker trying to extend their access. |
Sample LSASS Dump Commands to Watch
These are the greatest hits in an attacker’s playlist:
procdump.exe -accepteula -ma lsass.exe lsass.dmp
.\rundll32.exe C:\windows\System32\comsvcs.dll, MiniDump <PID> C:\lsass.dmp full
sekurlsa::minidump C:\lsass.DMP
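The two defensive checks the sections above call for, as an added example that is not part of the original post: an audit that picks out non-DC computer objects whose userAccountControl carries the TRUSTED_FOR_DELEGATION bit (domain controllers legitimately have it set), and a triage pass over Event ID 4688 records that matches the three dump commands listed. The directory objects and log records are constructed sample data; the field names `name`, `userAccountControl`, `EventID` and `CommandLine` are assumed for the dict layout.

```python
import re

# Well-known userAccountControl bits used here (decoder is our own, not AD's API)
TRUSTED_FOR_DELEGATION = 0x00080000   # unconstrained delegation enabled
WORKSTATION_TRUST_ACCOUNT = 0x00001000
SERVER_TRUST_ACCOUNT = 0x00002000     # domain controllers; expected to delegate


def audit_delegation(objects):
    """Return names of computer objects with unconstrained delegation that are not DCs."""
    findings = []
    for obj in objects:
        uac = obj["userAccountControl"]
        if uac & TRUSTED_FOR_DELEGATION and not uac & SERVER_TRUST_ACCOUNT:
            findings.append(obj["name"])
    return findings


# Patterns that match the LSASS dump command lines shown on this page
LSASS_DUMP_PATTERNS = (
    re.compile(r"procdump(?:64)?\.exe.*-ma\s+lsass", re.I),
    re.compile(r"comsvcs\.dll\s*,\s*MiniDump", re.I),
    re.compile(r"sekurlsa::minidump", re.I),
)


def flag_lsass_dump(command_line):
    """True when a 4688 CommandLine looks like one of the known LSASS dump commands."""
    return any(p.search(command_line) for p in LSASS_DUMP_PATTERNS)


def triage_4688(events):
    """Return the process-creation events (4688) whose command line is an LSASS dump."""
    return [e for e in events
            if e["EventID"] == 4688 and flag_lsass_dump(e.get("CommandLine", ""))]


# Constructed sample directory objects and log records (not real data)
SAMPLE_OBJECTS = [
    {"name": "DC01$", "userAccountControl": SERVER_TRUST_ACCOUNT | TRUSTED_FOR_DELEGATION},
    {"name": "ROGUE-PC$", "userAccountControl": WORKSTATION_TRUST_ACCOUNT | TRUSTED_FOR_DELEGATION},
    {"name": "WS02$", "userAccountControl": WORKSTATION_TRUST_ACCOUNT},
]
SAMPLE_EVENTS = [
    {"EventID": 4688, "CommandLine": "procdump.exe -accepteula -ma lsass.exe lsass.dmp"},
    {"EventID": 4688, "CommandLine": r".\rundll32.exe C:\windows\System32\comsvcs.dll, MiniDump 612 C:\lsass.dmp full"},
    {"EventID": 4688, "CommandLine": "notepad.exe report.txt"},
    {"EventID": 4624, "CommandLine": ""},
]

if __name__ == "__main__":
    print("Unconstrained delegation outside DCs:", audit_delegation(SAMPLE_OBJECTS))
    for ev in triage_4688(SAMPLE_EVENTS):
        print("LSASS dump candidate:", ev["CommandLine"])
```

In production the objects list would come from an LDAP query for `userAccountControl:1.2.840.113556.1.4.803:=524288`, and the events from your SIEM's 4688 feed.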
Unconstrained delegation is like leaving your admin keys in a public locker. Attackers are not guessing—they know exactly how to look for this misconfiguration and how to exploit it. Stay vigilant, keep your delegation settings tight, monitor your logs, and disable unnecessary services like Print Spooler on sensitive systems.