Back to Blog

Detecting Kerberos Unconstrained Delegation via SPN Monitoring

Identity & Access

Detecting Kerberos Unconstrained Delegation via SPN Monitoring

In the modern landscape of identity-centric security, the perimeter is no longer a firewall; it is the authentication protocol itself. Within an Active Directory (AD) ecosystem, Kerberos remains the undisputed king of authentication. However, the very features designed to facilitate seamless single sign-on (SSO) and service interoperability-specifically Kerberos Delegation-represent some of the most potent vectors for lateral movement and privilege escalation.

Among these, Unconstrained Delegation is arguably the most catastrophic. If an attacker compromises a service configured with unconstrained delegation, they don't just gain the identity of the service; they potentially inherit the Ticket Granting Tickets (TGTs) of every user who has recently authenticated to that service.

While many security professionals focus on detecting the use of these tickets, a highly effective, often overlooked detection strategy involves monitoring the Service Principal Name (SPN) and the underlying account attributes that enable this behavior.

---

The Mechanics of the Vulnerability

To understand the detection, we must first dissect the mechanics of the exploit.

In a standard Kerberos exchange, a client requests a service ticket (TGS) from the Key Distribution Center (KDC). When Unconstrained Delegation is enabled on a service account or computer object, the protocol behavior changes fundamentally. When a user authenticates to a service with this property, the KDC includes a copy of the user's TGT within the TGS response sent to the service.

The service then stores this TGT in its memory (specifically within the LSASS process). If an attacker gains local administrative access to that service host, they can extract these TGTs from memory using tools like Mimikatz. They can then impersonate those users across the entire domain, effectively bypassing the need for passwords or even NTLM hashes, provided the TGT has not yet expired.

The `userAccountControl` attribute in Active Directory contains a specific bitmask, `ADS_UF_TRUSTED_FOR_DELEGATION` (0x80000), which signals to the KDC that this account is permitted to use unconstrained delegation.

The Detection Pivot: SPN and Attribute Monitoring

Detecting the use of a stolen TGT is difficult because, to the KDC, the usage looks like legitimate authentication. Therefore, defensive engineering must shift left toward detecting the preparation and configuration of these high-value targets.

Attackers frequently perform two distinct actions that we can intercept:

  1. Discovery: Scanning the directory for accounts with the `TRUSTED_FOR_DELEGATION` flag.
  2. Preparation: Modifying SPNs or account attributes to facilitate Kerberoasting or to ensure that a hijacked account can be used as a proxy for further movement.

1. Monitoring the `userAccountControl` Attribute

The most direct method is monitoring changes to the `userAccountControl` attribute. Any modification that enables the `0x80000` bit is a high-fidelity indicator of potential risk. This is often captured via Windows Event ID 4738 (A user account was changed).

2. Monitoring SPN Modifications

While Unconstrained Delegation is a property of the account, the Service Principal Name (SPN) is the identifier that attackers target during Kerberoasting. An attacker might find a computer object with unconstrained delegation and then attempt to add an SPN to a user account they have compromised, effectively "upgrading" that user account into a Kerberoastable target that can be leveraged in a delegation chain.

By monitoring for the addition of new SPNs (specifically to accounts that already possess delegation flags), you can identify the "priming" phase of an attack.

---

Practical Implementation: Detection Logic

To implement this effectively, you should ingest Windows Event Logs (specifically from Domain Controllers) into a SIEM or centralized logging platform.

The Detection Rule Logic

A robust detection rule should follow a two-tier approach:

#### Tier 1: The Configuration Alert (High Severity)

Monitor for any event where the `userAccountableControl` attribute is modified and the resulting value includes the `TRUSTED_FOR_DELEGATION` bit.

Pseudo-SQL/SIEM Logic:

```sql

SELECT EventID, TargetAccount, AttributeChanged

FROM Windows_Security_Logs

WHERE EventID = 4738

AND AttributeChanged CONTAINS "userAccountControl"

AND (NewValue & 0x80000) != 0

```

#### Tier 2: The Correlation Alert (Critical Severity)

Monitor for the

Conclusion

As shown across "The Mechanics of the Vulnerability", "The Detection Pivot: SPN and Attribute Monitoring", "Practical Implementation: Detection Logic", a secure implementation for detecting kerberos unconstrained delegation via spn monitoring depends on execution discipline as much as design.

The practical hardening path is to enforce deterministic identity policy evaluation with deny-by-default semantics, host hardening baselines with tamper-resistant telemetry, and behavior-chain detection across process, memory, identity, and network telemetry. This combination reduces both exploitability and attacker dwell time by forcing failures across multiple independent control layers.

Operational confidence should be measured, not assumed: track false-allow rate and time-to-revoke privileged access and time from suspicious execution chain to host containment, then use those results to tune preventive policy, detection fidelity, and response runbooks on a fixed review cadence.

Related Articles

Explore related cybersecurity topics:

Recommended Next Steps

If this topic is relevant to your organisation, use one of these paths:

← Back to All Posts Compare Services Get Quote