description |
---|
If you have compromised a user account or a computer (machine account) that has Kerberos constrained delegation enabled, it's possible to impersonate any domain user (including administrator). |

Prerequisites: hunting for user accounts that have Kerberos constrained delegation enabled:

```powershell
Get-NetUser -TrustedToAuth
```

{% embed url="https://www.ired.team/offensive-security-experiments/active-directory-kerberos-abuse/abusing-kerberos-constrained-delegation" %}
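
The same inventory from the defender's side, as an added example that is not part of the original page: it lists which accounts carry constrained delegation and which privileged accounts are still delegatable because they have neither the "Account is sensitive and cannot be delegated" flag nor Protected Users membership. The records are constructed, and the dictionary keys (`sam`, `uac`, `delegate_to`, `admin_count`, `protected_users`) are assumed names for values taken from an LDAP export.

```python
# userAccountControl bits as documented for Active Directory
NOT_DELEGATED = 0x100000                    # "Account is sensitive and cannot be delegated"
TRUSTED_TO_AUTH_FOR_DELEGATION = 0x1000000  # constrained delegation, "use any authentication protocol"

# Constructed records shaped like an LDAP export; names and keys are illustrative.
ACCOUNTS = [
    {"sam": "svc-web", "uac": 0x200 | TRUSTED_TO_AUTH_FOR_DELEGATION,
     "delegate_to": ["cifs/fs01.corp.example"], "admin_count": 0, "protected_users": False},
    {"sam": "APP01$", "uac": 0x1000,
     "delegate_to": ["http/intranet.corp.example"], "admin_count": 0, "protected_users": False},
    {"sam": "alice", "uac": 0x200, "delegate_to": [], "admin_count": 1, "protected_users": False},
    {"sam": "da-bob", "uac": 0x200 | NOT_DELEGATED, "delegate_to": [],
     "admin_count": 1, "protected_users": False},
    {"sam": "da-carol", "uac": 0x200, "delegate_to": [], "admin_count": 1, "protected_users": True},
]

def delegation_kind(acct):
    """Classify the constrained-delegation setting, or return None if there is none."""
    if not acct["delegate_to"]:                      # msDS-AllowedToDelegateTo is empty
        return None
    if acct["uac"] & TRUSTED_TO_AUTH_FOR_DELEGATION:
        return "protocol-transition"                 # may act for users without their Kerberos ticket
    return "kerberos-only"

def delegating_accounts(accounts):
    """Accounts to review: (name, delegation kind, SPNs they may delegate to)."""
    found = []
    for acct in accounts:
        kind = delegation_kind(acct)
        if kind:
            found.append((acct["sam"], kind, acct["delegate_to"]))
    return found

def undelegatable(acct):
    """True when the account's identity cannot be delegated by any service."""
    return bool(acct["uac"] & NOT_DELEGATED) or acct["protected_users"]

def exposed_privileged(accounts):
    """Privileged accounts (adminCount=1) that delegation can still act on behalf of."""
    return [a["sam"] for a in accounts if a["admin_count"] == 1 and not undelegatable(a)]

if __name__ == "__main__":
    for sam, kind, spns in delegating_accounts(ACCOUNTS):
        print(f"{sam}: {kind} -> {', '.join(spns)}")
    print("privileged accounts still delegatable:", exposed_privileged(ACCOUNTS))
```

Each name returned by `exposed_privileged` is a candidate for the "sensitive and cannot be delegated" flag or Protected Users membership, and each `protocol-transition` entry deserves a check that the delegation is still needed.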