What This Script Detects
Unconstrained Delegation (MITRE ATT&CK T1484) lets a system cache the TGT of any user who authenticates to it. Compromising such a system yields those cached TGTs, including Domain Admin TGTs.
High-Risk Configuration
Unconstrained delegation should exist only on Domain Controllers. Any other system with this setting is a critical vulnerability.
Detection Focus
- Computer and service accounts with the TRUSTED_FOR_DELEGATION flag set
- Non-DC systems with unconstrained delegation
- High-value targets accessible from delegated systems
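As an added example (not the script this page describes), the following Python applies the first two detection points to constructed records shaped like the attributes an LDAP query returns: it decodes the TRUSTED_FOR_DELEGATION bit in userAccountControl, separates Domain Controllers from everything else, and distinguishes unconstrained delegation from the TRUSTED_TO_AUTH_FOR_DELEGATION bit, which is constrained delegation with protocol transition and is not a finding here. The account names and attribute values are made up.

```python
"""Flag non-DC accounts configured for unconstrained delegation.

SAMPLE_RECORDS are constructed stand-ins for sAMAccountName,
userAccountControl and primaryGroupID as returned by an LDAP query.
"""

# userAccountControl bit flags (Active Directory schema values)
UF_SERVER_TRUST_ACCOUNT = 0x2000            # DC computer account
UF_TRUSTED_FOR_DELEGATION = 0x80000         # unconstrained delegation (524288)
UF_TRUSTED_TO_AUTH_FOR_DELEGATION = 0x1000000  # constrained + protocol transition

# primaryGroupID RIDs of DC computer objects
RID_DOMAIN_CONTROLLERS = 516
RID_RODCS = 521

# Bitwise-AND LDAP filter an enumeration script would use to pull candidates
LDAP_FILTER = "(userAccountControl:1.2.840.113556.1.4.803:=524288)"


def is_domain_controller(rec):
    """DCs are identified by the SERVER_TRUST_ACCOUNT bit or a DC primary group."""
    uac = rec.get("userAccountControl", 0)
    return bool(uac & UF_SERVER_TRUST_ACCOUNT) or \
        rec.get("primaryGroupID") in (RID_DOMAIN_CONTROLLERS, RID_RODCS)


def has_unconstrained_delegation(rec):
    """Only the TRUSTED_FOR_DELEGATION bit means unconstrained delegation."""
    return bool(rec.get("userAccountControl", 0) & UF_TRUSTED_FOR_DELEGATION)


def find_non_dc_unconstrained(records):
    """Return sorted names of non-DC computer/user accounts that should not delegate."""
    return sorted(r["sAMAccountName"] for r in records
                  if has_unconstrained_delegation(r) and not is_domain_controller(r))


# Constructed sample data: one expected DC, two findings, two benign accounts
SAMPLE_RECORDS = [
    {"sAMAccountName": "DC01$", "userAccountControl": 0x2000 | 0x80000, "primaryGroupID": 516},
    {"sAMAccountName": "WEB01$", "userAccountControl": 0x1000 | 0x80000, "primaryGroupID": 515},
    {"sAMAccountName": "FILE02$", "userAccountControl": 0x1000, "primaryGroupID": 515},
    {"sAMAccountName": "svc_sql", "userAccountControl": 0x200 | 0x80000, "primaryGroupID": 513},
    {"sAMAccountName": "svc_web", "userAccountControl": 0x200 | 0x1000000, "primaryGroupID": 513},
]

if __name__ == "__main__":
    for name in find_non_dc_unconstrained(SAMPLE_RECORDS):
        print(f"CRITICAL: unconstrained delegation on non-DC account {name}")
```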