Unconstrained delegation → Capture DC TGT → DCSync

§ Context

Assumed environment: at least one non-DC server in the domain has unconstrained delegation enabled, and the attacker has local admin on it (or can reach it via lateral movement).

§ Steps

1. 01
   Local admin on delegation hostInitial Access

   T1078— Valid Accounts
2. 02
   Extract DC$ TGTLateral Movement

   AD-UNC-DEL— Unconstrained Delegation Abuse
3. 03
   Run Rubeus monitor / harvesterLateral Movement

   AD-UNC-DEL— Unconstrained Delegation Abuse

   Rubeus.exe monitor /interval:1 — wait for inbound TGTs.

4. 04
   Pass-the-Ticket as DC$Lateral Movement

   T1550.003— Pass the Ticket
5. 05
   Find hosts with TRUSTED_FOR_DELEGATIONDiscovery

   AD-BLOODHOUND— BloodHound / SharpHound Enumeration
6. 06
   Coerce DC to authenticateInitial Access

   AD-COERCE— Authentication Coercion

   PetitPotam / SpoolSample to the delegation host.

7. 07
   DCSyncCredential Access

   T1003.006— DCSync

§ References

• T1078Valid Accounts
• T1550.003Pass the Ticket
• T1003.006DCSync

§ Frequently asked

What is the "Unconstrained delegation → Capture DC TGT → DCSync" attack path?

Compromise a host with TRUSTED_FOR_DELEGATION, coerce a DC to authenticate to it, harvest the DC's TGT from its LSASS, then DCSync. It chains 7 steps drawn from real-world offensive-security techniques.

What starting position does this attack require?

The first step is Local admin on delegation host (T1078) — a initial access primitive. Assumed environment: at least one non-DC server in the domain has unconstrained delegation enabled, and the attacker has local admin on it (or can reach it via lateral movement).

What is the final impact of this kill-chain?

The final step lands on DCSync (T1003.006), which falls under Credential Access. From here, an operator typically pivots into post-exploitation or maintains persistence.

How can defenders detect or prevent this attack?

Detection and prevention vary per step. Refer to each linked MITRE ATT&CK entry under "References" — every technique on that page lists defensive controls, detection telemetry, and known threat-actor usage.

§ Related dossiers

• Shared techniques4

  PetitPotam + ADCS ESC8 → Domain Controller takeover

  Coerce a DC's machine account to authenticate to the attacker, relay that NTLM to the ADCS HTTP web-enrollment endpoint, and obtain a DC certificate for full domain compromise.

• Shared techniques3

  Citrix Bleed → steal authenticated session → MFA bypass

  Send a long Host header to a vulnerable NetScaler — memory disclosure leaks an authenticated session token already past MFA. Replay the token to log into the corporate VPN.

• Shared techniques3

  mitm6 IPv6 SLAAC → NTLM relay → DA

  Even when IPv4 is hardened, Windows clients prefer IPv6 with default DHCPv6. mitm6 makes the attacker the IPv6 DNS server, advertises wpad, and relays the captured NTLM to LDAPS for RBCD.

• Shared techniques3

  GenericWrite on Domain Admins → AddMember → DA

  A misconfigured 'member' attribute write on a privileged group lets the attacker silently add themselves as a Domain Admin.

• Shared techniques3

  ADCS ESC1 → Domain Admin

  A low-priv domain user discovers a certificate template that lets enrollees supply an arbitrary subjectAltName, enrolls a cert as Administrator, and authenticates via PKINIT.

• Shared techniques3

  ADCS ESC11 → certificate via RPC (no web enrollment)

  When the CA's ICertPassage RPC interface allows NTLM without signing, relay any coerced auth directly to RPC and obtain a cert — bypasses HTTP-only mitigations.