Every Kerberos delegation path to Domain Admin in your environment, exploited and proven.
ADscan finds and exploits every supported delegation misconfiguration — unconstrained, constrained and RBCD — and maps the privilege escalation chain from a foothold to full domain compromise, so you act on what is real rather than what is theoretical.
Privilege delegation exposure is the set of Kerberos delegation misconfigurations and ACL-based privilege relationships that allow a low-privilege account to impersonate a Domain Admin or take control of a Domain Controller. ADscan validates every supported delegation path end to end: it exploits the delegation, proves the privilege escalation, and records the route as a proven fact.
Unconstrained Kerberos delegation was introduced in Windows 2000 and has never had a broadly applied remediation. Constrained delegation and RBCD are safer alternatives, but misconfigured, they are equally exploitable. An account with unconstrained delegation caches every Kerberos ticket presented to it — including a Domain Controller TGT if an attacker can trigger authentication. RBCD allows any account with write rights over a computer object to configure a service that impersonates any user. Both families lead directly to Domain Admin, and neither is visible in a network vulnerability scan. Validation tells you which paths are real in your environment today.
~40%: share of regulated AD environments with at least one exploitable delegation path (ADscan PoV data)
- 01 Enumerate delegation configurations: collect every computer and service account with any delegation flag set (TRUSTED_FOR_DELEGATION, TRUSTED_TO_AUTH_FOR_DELEGATION, msDS-AllowedToDelegateTo, msDS-AllowedToActOnBehalfOfOtherIdentity) across the domain.
- 02 Map ACL privilege paths: graph every ACL relationship (GenericAll, GenericWrite, WriteDACL, WriteOwner, AllowedToAct) that allows writing a delegation configuration to a computer or service account, combining delegation and ACL abuse into multi-hop chains.
- 03 Exploit unconstrained delegation: for each unconstrained-delegation host reachable from a foothold account, attempt to obtain a Domain Controller TGT via forced authentication (where coercion is available) or by passively capturing incoming authentication, then perform a DCSync to complete the chain to Domain Admin.
- 04 Exploit constrained delegation (KCD): for service accounts with constrained delegation, use S4U2Self and S4U2Proxy to impersonate a Domain Admin against the target service and prove the escalation path.
- 05 Validate RBCD paths: where an account has write rights over a computer object, configure RBCD on the target, request a service ticket via S4U to impersonate a Domain Admin, and prove the path. Coercion-based RBCD (relay via PetitPotam) is detected and flagged but not auto-exploited.
- 06 Report and remediate: rank each proven path by blast radius and tie it to its DORA, NIS2 and ENS control. Remediation covers the delegation flag, the msDS attribute, and the ACL entry that enabled the path.
Unconstrained delegation exploitation
ADscan identifies every host and service account with TRUSTED_FOR_DELEGATION set and, where a foothold can trigger or capture authentication from a Domain Controller, proves the path to Domain Admin through TGT abuse and DCSync.
Constrained delegation via S4U2Proxy
Service accounts with constrained delegation (KCD) are exploited using S4U2Self to obtain a forwardable TGS and S4U2Proxy to impersonate a Domain Admin against the target service, completing the privilege escalation chain.
RBCD path validation
Any account with write rights over a computer object is a potential RBCD vector. ADscan identifies the ACL path, configures RBCD on the target object, requests the impersonation ticket via S4U, and records the escalation as proven. Coercion-based relay is detected and flagged.
ACL-to-delegation chain mapping
Delegation misconfigurations are often one ACL hop away from a low-privilege account. ADscan combines ACL paths (WriteDACL, GenericWrite) with delegation exploitation to surface multi-hop privilege escalation chains that no single-technique check would find.
Proven vs detect-only, clearly labelled
Paths that ADscan exploited end to end are marked proven. Paths that are identified as present but not auto-exploited (such as coercion-based RBCD relay) are marked detected with full technical detail. The report never blends the two.
Attribute-level remediation
Each finding maps to the exact attribute or ACL entry that closes the exposure: clearing TRUSTED_FOR_DELEGATION, removing the AllowedToAct entry, or revoking one specific ACE on one specific object, rather than generic hardening advice.
Mapped to the control your supervisor asks about.
Kerberos delegation misconfigurations are privileged access control failures. Each proven delegation path is tied to DORA Article 9.4 (protection and prevention, including access control of ICT infrastructure) and Article 24 (testing), NIS2 Article 21 (access control and authentication measures), ENS Alto controls OP.ACC.4 and OP.ACC.6 (privileged access management), and ISO 27001:2022 Annex A.8.2 (privileged access rights). The report includes the legal citation for each finding so your compliance evidence is ready without a separate mapping step.
The open-source ADscan engine on the command line finds and exploits every supported delegation path — unconstrained, constrained and RBCD — and reports each proven or detected escalation chain with remediation guidance. Free on GitHub, no license required.
Adds the board-ready PDF report with the full delegation attack narrative, per-finding DORA, NIS2 and ENS compliance mapping, MITRE ATT&CK references, and Windows event IDs for detection. Free in beta for consultancies and MSSPs in exchange for feedback. The Enterprise platform adds scheduled re-validation so delegation regressions are caught as they are introduced.
Unconstrained delegation on at least one non-DC host was present in the majority of regulated environments where ADscan has run a full delegation assessment. In every case, the host had been present with that flag for years without a remediation ticket.
Questions, answered.
What is unconstrained Kerberos delegation?
Unconstrained delegation is a Kerberos configuration (the TRUSTED_FOR_DELEGATION flag on a computer or service account) that causes any Domain Controller to include a copy of the authenticating user's TGT in the Kerberos service ticket issued to that account. Any process running on the host can extract and reuse those TGTs. If an attacker controls the host and can trigger a Domain Controller to authenticate to it, the DC TGT is captured and domain compromise follows.
What is RBCD (Resource-Based Constrained Delegation)?
RBCD is a delegation variant introduced in Windows Server 2012 R2 where the delegation permission is stored on the target resource (the msDS-AllowedToActOnBehalfOfOtherIdentity attribute) rather than on the caller. Any principal with write rights over a computer object can configure RBCD on it and then use S4U2Self and S4U2Proxy to impersonate any user against that computer, including a Domain Admin.
What is the difference between unconstrained, constrained and RBCD delegation?
Unconstrained delegation (TRUSTED_FOR_DELEGATION) allows the service to impersonate any user to any other service — the broadest and most dangerous form. Constrained delegation (TRUSTED_TO_AUTH_FOR_DELEGATION with msDS-AllowedToDelegateTo) limits impersonation to specific target services but is still exploitable via S4U2Proxy. RBCD moves the control to the target resource and is exploitable by anyone who can write to the target computer object. All three families are validated by ADscan.
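The enumeration step above (collecting accounts by delegation flag) and this three-way distinction both come down to reading the same attributes, so here is an added audit script that shows how an assessor can classify them from an LDAP export. It is an example written for this page, not ADscan code. It assumes records shaped like AD search results (attribute names as in AD), uses the documented userAccountControl bit values, skips Domain Controllers because they carry TRUSTED_FOR_DELEGATION by design, and applies a severity scale chosen for this example (not ADscan's ranking). All sample records are constructed, and the RBCD attribute value is a placeholder rather than a real security descriptor; only its presence is used.

```python
"""Audit Kerberos delegation settings from an LDAP export of AD accounts.

Added example for this page, not ADscan code. Input is a list of dicts whose
keys are AD attribute names. The records below are constructed; the
msDS-AllowedToActOnBehalfOfOtherIdentity value is a placeholder, not a real
security descriptor (only its presence matters here).
"""

# userAccountControl flag bits (ADS_USER_FLAG_ENUM values)
NORMAL_ACCOUNT = 0x200
WORKSTATION_TRUST_ACCOUNT = 0x1000
SERVER_TRUST_ACCOUNT = 0x2000                # set on Domain Controller accounts
TRUSTED_FOR_DELEGATION = 0x80000             # unconstrained delegation
TRUSTED_TO_AUTH_FOR_DELEGATION = 0x1000000   # protocol transition (S4U2Self for any user)

SAMPLE_EXPORT = [  # constructed records, not a real domain
    {"sAMAccountName": "DC01$", "dNSHostName": "dc01.corp.example",
     "userAccountControl": SERVER_TRUST_ACCOUNT | TRUSTED_FOR_DELEGATION},
    {"sAMAccountName": "WEB01$", "dNSHostName": "web01.corp.example",
     "userAccountControl": WORKSTATION_TRUST_ACCOUNT | TRUSTED_FOR_DELEGATION},
    {"sAMAccountName": "svc_sql",
     "userAccountControl": NORMAL_ACCOUNT | TRUSTED_TO_AUTH_FOR_DELEGATION,
     "msDS-AllowedToDelegateTo": ["ldap/dc01.corp.example", "cifs/file01.corp.example"]},
    {"sAMAccountName": "svc_web", "userAccountControl": NORMAL_ACCOUNT,
     "msDS-AllowedToDelegateTo": ["http/app01.corp.example"]},
    {"sAMAccountName": "APP01$", "dNSHostName": "app01.corp.example",
     "userAccountControl": WORKSTATION_TRUST_ACCOUNT,
     "msDS-AllowedToActOnBehalfOfOtherIdentity": b"<placeholder security descriptor>"},
    {"sAMAccountName": "WS01$", "dNSHostName": "ws01.corp.example",
     "userAccountControl": WORKSTATION_TRUST_ACCOUNT},
]


def domain_controller_hosts(records):
    """Host names of accounts carrying SERVER_TRUST_ACCOUNT (the DCs)."""
    return {r["dNSHostName"].lower() for r in records
            if int(r.get("userAccountControl", 0)) & SERVER_TRUST_ACCOUNT
            and r.get("dNSHostName")}


def classify(record, dc_hosts):
    """Return the delegation findings for one account; DCs return none."""
    uac = int(record.get("userAccountControl", 0))
    name = record["sAMAccountName"]
    findings = []
    if uac & SERVER_TRUST_ACCOUNT:
        return findings  # unconstrained delegation is by design on a DC
    if uac & TRUSTED_FOR_DELEGATION:
        findings.append({"account": name, "kind": "unconstrained", "severity": 4,
                         "fix": "clear TRUSTED_FOR_DELEGATION (0x80000) in userAccountControl"})
    targets = [t.lower() for t in record.get("msDS-AllowedToDelegateTo", [])]
    if targets:
        transition = bool(uac & TRUSTED_TO_AUTH_FOR_DELEGATION)
        # SPN host part: "ldap/dc01.corp.example:389" -> "dc01.corp.example"
        to_dc = any(t.split("/", 1)[-1].split(":")[0] in dc_hosts for t in targets)
        # Protocol transition lets the service obtain a ticket for any user with
        # no authentication from that user, and a DC-hosted target SPN widens
        # the blast radius; either raises the severity on this example's scale.
        severity = 3 if (transition or to_dc) else 2
        fix = "prune msDS-AllowedToDelegateTo"
        if transition:
            fix += " and clear TRUSTED_TO_AUTH_FOR_DELEGATION (0x1000000)"
        findings.append({"account": name, "kind": "constrained", "severity": severity,
                         "protocol_transition": transition, "targets_dc": to_dc,
                         "fix": fix})
    if record.get("msDS-AllowedToActOnBehalfOfOtherIdentity"):
        findings.append({"account": name, "kind": "rbcd-target", "severity": 2,
                         "fix": "review the principals in msDS-AllowedToActOnBehalfOfOtherIdentity "
                                "and clear the attribute if the delegation is not expected"})
    return findings


def audit(records):
    """Classify every record; return findings sorted by severity, highest first."""
    dc_hosts = domain_controller_hosts(records)
    findings = [f for r in records for f in classify(r, dc_hosts)]
    return sorted(findings, key=lambda f: (-f["severity"], f["account"]))


if __name__ == "__main__":
    for f in audit(SAMPLE_EXPORT):
        print(f"[sev {f['severity']}] {f['account']:<8} {f['kind']:<12} -> {f['fix']}")
```

On the constructed export the script reports WEB01$ as unconstrained, svc_sql as constrained with protocol transition to a DC SPN, APP01$ as an RBCD target, and svc_web as plain constrained delegation, while DC01$ and WS01$ produce nothing. Each finding carries the attribute to change, which is the same attribute-level remediation shape the page describes; a real run would feed records pulled over LDAP (or from a BloodHound/ADExplorer dump) into `audit()` instead of `SAMPLE_EXPORT`.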
How does ADscan validate delegation paths?
ADscan enumerates all delegation flags and ACL paths, builds the multi-hop attack graph, and then executes each supported path. For unconstrained delegation, it attempts TGT capture and DCSync where reachable. For constrained delegation, it uses S4U2Self and S4U2Proxy. For RBCD, it writes the delegation attribute and obtains the impersonation ticket. Coercion-based relay (PetitPotam to RBCD) is detected and flagged but not auto-exploited. Each exploited path is marked proven in the report.
Can delegation misconfigurations lead to full domain compromise?
Yes. Unconstrained delegation with a captured Domain Controller TGT leads directly to DCSync and full domain compromise. Constrained delegation exploited via S4U2Proxy against a high-privilege service leads to privilege escalation to Domain Admin. RBCD against a writable computer object leads to impersonation of a Domain Admin on that host. All three paths end at Tier 0 in ADscan assessments where the conditions are present.
Find out which path to Domain Admin you have today.
Request a proof of value and we will run ADscan against your Active Directory, then deliver the compliance-mapped report.