deleg

net::deleg checks for the following types of Kerberos delegation:

  • Unconstrained Delegation (TRUSTED_FOR_DELEGATION)

  • Constrained Delegation (TRUSTED_TO_AUTH_FOR_DELEGATION, set with the msDS-AllowedToDelegateTo attribute)

  • Resource-Based Constrained Delegation (set with the msDS-AllowedToActOnBehalfOfOtherIdentity attribute)

It has the following command line arguments:

  • /dns: The Active Directory domain to query.

  • /server: The domain controller to query. If not specified, it queries the DC of the current domain.

mimikatz # net::deleg

CN=Win2019,OU=Servers,DC=hacklab,DC=local
  objectGUID: {06a4a894-6e0b-41be-952e-f3c3108a1928}
  userAccountControl: 0x00091000 - WORKSTATION_TRUST_ACCOUNT ; DONT_EXPIRE_PASSWD ; TRUSTED_FOR_DELEGATION ;
  objectSid: S-1-5-21-1874506631-3219952063-538504511-1128
  sAMAccountName: Win2019$
  servicePrincipalName:
    TERMSRV/Win2019
    TERMSRV/Win2019.hacklab.local
    WSMAN/Win2019
    WSMAN/Win2019.hacklab.local
    RestrictedKrbHost/Win2019
    HOST/Win2019
    RestrictedKrbHost/Win2019.hacklab.local
    HOST/Win2019.hacklab.local
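
For auditing the same settings from the directory side, the sketch below decodes userAccountControl and classifies each entry by the three delegation types listed above. It is an added example, not mimikatz code or part of the original page; the sample entries (other than the Win2019$ flag value) and the function names are constructed, and the attribute names are the LDAP display names.

```python
# Added example (not mimikatz code): classify delegation settings from LDAP attributes.
UAC_FLAGS = {
    0x00001000: "WORKSTATION_TRUST_ACCOUNT",
    0x00002000: "SERVER_TRUST_ACCOUNT",
    0x00010000: "DONT_EXPIRE_PASSWD",
    0x00080000: "TRUSTED_FOR_DELEGATION",
    0x01000000: "TRUSTED_TO_AUTH_FOR_DELEGATION",
}

# LDAP filters for the same audit; 1.2.840.113556.1.4.803 is the bitwise-AND matching rule.
AUDIT_FILTERS = {
    "unconstrained": "(userAccountControl:1.2.840.113556.1.4.803:=524288)",
    "constrained": "(msDS-AllowedToDelegateTo=*)",
    "protocol_transition": "(userAccountControl:1.2.840.113556.1.4.803:=16777216)",
    "resource_based": "(msDS-AllowedToActOnBehalfOfOtherIdentity=*)",
}

def decode_uac(value):
    """Return the names of the known flags set in a userAccountControl value."""
    return [name for bit, name in sorted(UAC_FLAGS.items()) if value & bit]

def classify(entry):
    """Return the delegation types configured on one directory entry (a dict)."""
    uac = entry.get("userAccountControl", 0)
    found = []
    if uac & 0x00080000:
        # Domain controllers carry this flag by default; any other host deserves review.
        found.append("unconstrained (domain controller)" if uac & 0x2000 else "unconstrained")
    if entry.get("msDS-AllowedToDelegateTo"):
        # With the protocol-transition flag the service needs no Kerberos logon from the user.
        found.append("constrained with protocol transition" if uac & 0x01000000 else "constrained")
    if entry.get("msDS-AllowedToActOnBehalfOfOtherIdentity"):
        found.append("resource-based constrained")
    return found

# Constructed sample entries; the first uses the Win2019$ flag value shown on this page.
SAMPLE = [
    {"sAMAccountName": "Win2019$", "userAccountControl": 0x00091000},
    {"sAMAccountName": "svc-web", "userAccountControl": 0x01000200,
     "msDS-AllowedToDelegateTo": ["HTTP/app.example.test"]},
    {"sAMAccountName": "FILE01$", "userAccountControl": 0x00001000,
     "msDS-AllowedToActOnBehalfOfOtherIdentity": b"constructed-security-descriptor"},
    {"sAMAccountName": "DC01$", "userAccountControl": 0x00082000},
    {"sAMAccountName": "WS07$", "userAccountControl": 0x00001000},
]

def audit(entries):
    """Map account name to delegation findings, skipping entries with none."""
    return {e["sAMAccountName"]: classify(e) for e in entries if classify(e)}

if __name__ == "__main__":
    for name, kinds in audit(SAMPLE).items():
        print(name, "->", ", ".join(kinds))
```

The AUDIT_FILTERS strings can be passed to any LDAP client to pull the candidate entries before classification.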
