Neo4j query with BloodHound data:
MATCH (c1:Computer)-[:MemberOf*1..]->(g:Group)
WHERE g.objectsid ENDS WITH '-516'
WITH COLLECT(c1.name) AS domainControllers
MATCH (c2:Computer {unconstraineddelegation:true})
WHERE NOT c2.name IN domainControllers
RETURN c2.name, c2.operatingsystem
ORDER BY c2.name ASC
Source: https://hausec.com/2019/09/09/bloodhound-cypher-cheatsheet/
Write up:
The following servers have “Unconstrained Delegation” enabled. If an attacker gains administrative access to one of these servers, they can steal Kerberos tickets (specifically Ticket-Granting Tickets, TGTs) that can be reused against the Domain Controllers or other systems. It is recommended that this permission be removed if possible, or that the systems be protected as high-value targets.
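The same audit can be run over exported AD computer attributes, for example to confirm the flag is gone after remediation. This is an added example, not code from the original page or from BloodHound; unlike the query, it identifies Domain Controllers by primaryGroupID 516 or the SERVER_TRUST_ACCOUNT flag instead of following nested group membership. Assumptions: records carry the attributes name, userAccountControl, primaryGroupID and operatingSystem, and the host names and sample records are constructed.

```python
# Added example: unconstrained-delegation audit over exported AD computer records.
TRUSTED_FOR_DELEGATION = 0x80000  # userAccountControl bit: unconstrained delegation
SERVER_TRUST_ACCOUNT = 0x2000     # userAccountControl bit: domain controller account
DC_PRIMARY_GROUP_RID = 516        # "Domain Controllers", the '-516' in the Cypher query


def _as_int(value):
    # LDAP exports often carry numeric attributes as strings, or omit them.
    return int(value or 0)


def is_domain_controller(rec):
    uac = _as_int(rec.get("userAccountControl"))
    pgid = _as_int(rec.get("primaryGroupID"))
    return bool(uac & SERVER_TRUST_ACCOUNT) or pgid == DC_PRIMARY_GROUP_RID


def unconstrained_non_dcs(records):
    """Return sorted (name, operatingSystem) pairs for non-DC computers
    that are trusted for unconstrained delegation."""
    hits = []
    for rec in records:
        uac = _as_int(rec.get("userAccountControl"))
        if uac & TRUSTED_FOR_DELEGATION and not is_domain_controller(rec):
            hits.append((rec["name"], rec.get("operatingSystem", "unknown")))
    return sorted(hits)


# Constructed sample records (hypothetical hosts), shaped like an LDAP export.
SAMPLE = [
    {"name": "DC01.CORP.EXAMPLE", "userAccountControl": "532480",
     "primaryGroupID": "516", "operatingSystem": "Windows Server 2019"},
    {"name": "WEB02.CORP.EXAMPLE", "userAccountControl": "528384",
     "primaryGroupID": "515", "operatingSystem": "Windows Server 2016"},
    {"name": "APP01.CORP.EXAMPLE", "userAccountControl": 528384,
     "primaryGroupID": 515},  # operatingSystem missing in the export
    {"name": "WS10.CORP.EXAMPLE", "userAccountControl": "4096",
     "primaryGroupID": "515", "operatingSystem": "Windows 10"},
]

if __name__ == "__main__":
    for name, os_name in unconstrained_non_dcs(SAMPLE):
        print(f"{name}\t{os_name}")
```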