Kerberos Unconstrained Delegation — Spooler Service Attack Remediation

Mr. Cyber
3 min read · Jun 14, 2022

Technical Details

By abusing a legitimate RPC call in the print system remote protocol (MS-RPRN, the so-called "printer bug"), an attacker who has compromised a server configured for unconstrained delegation can make the Print Spooler service on a Domain Controller open a connection back to that server. The Spooler runs as SYSTEM, so it authenticates with the Domain Controller's computer account, and because the target is trusted for unconstrained delegation the DC's Ticket Granting Ticket is forwarded along with the service ticket and ends up in the server's LSASS memory. With local administrator rights on that server the attacker can extract the DC's TGT and use it to perform a DCSync, replicating the password hashes of any domain account, including krbtgt.

MITRE Technique Alignment

Print Spooler Service Attack

Kerberos constrained delegation provides a more secure form of delegation for services. When configured, it restricts the services for which the specified server can act on behalf of a user. Unconstrained delegation places no such restriction: a server trusted for unconstrained delegation receives a forwardable copy of the TGT of every account that authenticates to it and can use that TGT against any service in the domain, which is why it is considerably less secure.


How to find it?

To find the computers in the domain that have the unconstrained Kerberos delegation flag (TrustedForDelegation) set, run the following from a PowerShell session with the ActiveDirectory module loaded:

# primaryGroupID 515 = Domain Computers; this deliberately excludes domain controllers (516), which are trusted for delegation by design
Get-ADComputer -Filter {TrustedForDelegation -eq $true -and primarygroupid -eq 515} -Properties trustedfordelegation,serviceprincipalname,description

Every computer returned has TrustedForDelegation set to $true. Such a machine is a valid target for this attack: an attacker with local administrator rights on it can harvest the TGT of any account, the Domain Controller's included, that is coerced into authenticating to it. Note that the filter above only covers computer objects; user and service accounts can carry the same flag and should be reviewed as well.
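The following audit script is an added example, not code from the original post. It extends the query above to user and service accounts that carry the same flag and checks whether the Print Spooler is still running on each Domain Controller, since the attack needs both halves. It assumes the ActiveDirectory RSAT module and rights to query the DCs' service state over WinRM/DCOM; output formatting is illustrative.

```powershell
# Added example (not from the original post): find every account a Spooler-coerced
# DC authentication could be captured on, and check whether the Spooler still runs on the DCs.
Import-Module ActiveDirectory

# Computers with unconstrained delegation, excluding domain controllers
# (primaryGroupID 515 = Domain Computers; DCs are 516 and are trusted for delegation by design).
$computers = Get-ADComputer -Filter { TrustedForDelegation -eq $true -and PrimaryGroupID -eq 515 } `
    -Properties TrustedForDelegation, ServicePrincipalName, Description, OperatingSystem |
    Select-Object Name, DNSHostName, OperatingSystem, Description

# Service/user accounts can carry UF_TRUSTED_FOR_DELEGATION too; the page's query misses them.
$users = Get-ADUser -Filter { TrustedForDelegation -eq $true } -Properties ServicePrincipalName |
    Select-Object SamAccountName, @{ n = 'SPNs'; e = { $_.ServicePrincipalName -join ';' } }

# Print Spooler state on every DC (service name is 'Spooler').
$spooler = foreach ($dc in Get-ADDomainController -Filter *) {
    try {
        $svc = Get-CimInstance -ClassName Win32_Service -Filter "Name='Spooler'" `
            -ComputerName $dc.HostName -ErrorAction Stop
        [pscustomobject]@{ DC = $dc.HostName; State = $svc.State; StartMode = $svc.StartMode }
    } catch {
        [pscustomobject]@{ DC = $dc.HostName; State = 'query failed'; StartMode = $_.Exception.Message }
    }
}

'== Computers with unconstrained delegation (non-DC) =='; $computers | Format-Table -AutoSize
'== Users/service accounts with unconstrained delegation =='; $users | Format-Table -AutoSize
'== Print Spooler on domain controllers =='; $spooler | Format-Table -AutoSize

# The attack path is open only when a target exists AND at least one DC still runs the Spooler.
if (($computers -or $users) -and ($spooler | Where-Object State -eq 'Running')) {
    Write-Warning 'Exposed: unconstrained delegation targets exist and a DC still runs the Print Spooler.'
}
```

A DC that reports State = Running together with any row in the first two tables is the exact precondition for the attack described above; either table being empty or every DC showing Stopped/Disabled breaks the chain.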

Remove unconstrained delegation from accounts and replace it with constrained delegation

Replacing unconstrained with constrained delegation limits what a compromised server can do with delegated credentials: the server no longer receives callers' TGTs, so a Spooler-coerced authentication from the Domain Controller yields nothing worth stealing. Removing unconstrained delegation wherever the service does not genuinely require it is therefore strongly recommended.

The netdom trust command below operates on a trust relationship between domains rather than on an individual account: its /EnableTGTDelegation switch controls whether TGTs may be delegated across a forest trust. Use it to harden inter-forest trusts, but it will not clear the delegation flag on the server found above:

netdom trust <domain that you are administering> /domain:<domain whose trust NETDOM is modifying> /En

To remove the flag from the account itself, open the computer object in Active Directory Users and Computers, switch to the Delegation tab and select:

"Do not trust this computer for delegation"

If the service genuinely has to delegate, choose "Trust this computer for delegation to specified services only" with "Use Kerberos only" and list the exact SPNs it needs instead. Privileged accounts should additionally be marked "Account is sensitive and cannot be delegated" (or placed in Protected Users) so their tickets are never forwarded to any server, constrained or not.
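The same change from PowerShell, as an added example that is not part of the original post. It clears the unconstrained delegation flag on one server and, where delegation is still required, replaces it with Kerberos-only constrained delegation to named SPNs. 'APPSRV01' and the cifs/FILES01 SPNs are placeholders for your own server and targets; the ActiveDirectory module is assumed.

```powershell
# Added example (not from the original post): clear TRUSTED_FOR_DELEGATION on a server and
# optionally replace it with Kerberos-only constrained delegation. Names below are placeholders.
Import-Module ActiveDirectory

$server      = 'APPSRV01'                                   # computer account to fix (placeholder)
$allowedSpns = @('cifs/FILES01.corp.example.com', 'cifs/FILES01')  # leave @() for "no delegation at all"

# 1. Clear the flag behind "Trust this computer for delegation to any service (Kerberos only)".
#    Computer accounts are addressed by sAMAccountName, which ends in '$'.
Set-ADAccountControl -Identity "$server$" -TrustedForDelegation $false

if ($allowedSpns.Count -gt 0) {
    # 2. Constrained delegation: list the permitted targets in msDS-AllowedToDelegateTo and keep
    #    TrustedToAuthForDelegation off so only Kerberos (no protocol transition) is allowed.
    Set-ADComputer -Identity $server -Replace @{ 'msDS-AllowedToDelegateTo' = $allowedSpns }
    Set-ADAccountControl -Identity "$server$" -TrustedToAuthForDelegation $false
}

# 3. Verify: TrustedForDelegation must now be False; any remaining delegation is listed explicitly.
Get-ADComputer -Identity $server -Properties TrustedForDelegation, TrustedToAuthForDelegation, 'msDS-AllowedToDelegateTo' |
    Select-Object Name, TrustedForDelegation, TrustedToAuthForDelegation,
        @{ n = 'AllowedToDelegateTo'; e = { $_.'msDS-AllowedToDelegateTo' -join ', ' } }
```

Changing the flag does not revoke TGTs that have already been forwarded to the server and are still cached in its LSASS; if the server is suspected of being compromised, treat any account that authenticated to it (and the krbtgt account, if a DC TGT could have been taken) as exposed and rotate accordingly.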

Disable the Print Spooler service on your Domain Controller

Disabling the Print Spooler on every Domain Controller removes the coercion primitive this attack relies on: with no Spooler running as SYSTEM on the DC, there is no service that can be forced to authenticate to the attacker's server. A DC rarely needs to print, so the change costs little. It closes only the Spooler path, however; the unconstrained delegation itself remains the root cause and should still be removed.

To disable the print spooler service, follow these steps:

  1. Connect to the DC via RDP.
  2. Run services.msc as administrator.
  3. Locate the Print Spooler service.
  4. Stop the service.
  5. Open the properties, and make the startup type Disabled.
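The five steps above are an interactive procedure per DC. The block below is an added example, not code from the original post, that performs the same stop-and-disable across every Domain Controller from an admin workstation and reports the resulting state. It assumes PowerShell remoting (WinRM) to the DCs and Domain Admin rights. Enforcing the same setting through a GPO linked to the Domain Controllers OU (System Services, Print Spooler = Disabled) keeps it from being re-enabled later.

```powershell
# Added example (not from the original post): stop and disable the Print Spooler on all DCs,
# then verify. Requires WinRM to the DCs and Domain Admin rights.
Import-Module ActiveDirectory

$dcs = (Get-ADDomainController -Filter *).HostName

Invoke-Command -ComputerName $dcs -ScriptBlock {
    $svc = Get-Service -Name Spooler -ErrorAction SilentlyContinue
    if (-not $svc) {
        return [pscustomobject]@{ DC = $env:COMPUTERNAME; Status = 'n/a'; StartMode = 'service not present' }
    }
    if ($svc.Status -ne 'Stopped') { Stop-Service -Name Spooler -Force }   # step 4
    Set-Service -Name Spooler -StartupType Disabled                         # step 5
    $svc.Refresh()
    [pscustomobject]@{
        DC        = $env:COMPUTERNAME
        Status    = $svc.Status                                              # expect Stopped
        StartMode = (Get-CimInstance Win32_Service -Filter "Name='Spooler'").StartMode  # expect Disabled
    }
} | Select-Object DC, Status, StartMode | Format-Table -AutoSize
```

Re-run the audit query afterwards: a DC showing anything other than Stopped / Disabled, or a new server appearing with TrustedForDelegation set, reopens the path this post describes.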
