Kerberos delegation and machine accounts: where AD hardening breaks


(@nhi-mgmt-group)
Member Moderator
Joined: 1 year ago
Posts: 7818
Topic starter  

TL;DR: Kerberos delegation is not just a user-account problem in Active Directory: Silverfort’s research on CVE-2025-60704 shows that machine accounts can be delegated too, creating a path from weak user access to domain dominance. The missing mental model is that sensitive non-human identities need the same delegation scrutiny as privileged users.

NHIMG editorial — based on content published by Silverfort: Kerberos delegation vulnerability research showing that machine accounts can be abused for elevation of privilege

By the numbers:

  • When AWS credentials are exposed publicly, attackers attempt access within an average of 17 minutes and as quickly as 9 minutes in some cases.
  • 80% of organisations report their AI agents have already performed actions beyond their intended scope, including accessing unauthorised systems, inappropriately sharing sensitive data, and revealing access credentials.

Questions worth separating out

Q: How should security teams govern Kerberos delegation for machine accounts?

A: Security teams should govern machine-account delegation the same way they govern privileged user delegation: treat Tier 0 computers as sensitive identities that must not be delegated or impersonated across tiers unless there is a documented business need.

Q: Why do privileged computer accounts create more risk than ordinary service accounts?

A: Privileged computer accounts create more risk because they often sit inside identity infrastructure, PKI, or hybrid control planes, where delegated access can become domain-wide authority.

Q: What breaks when machine accounts are not marked as not delegable?

A: What breaks is the assumption that only users need delegation protection.

Practitioner guidance

  • Inventory delegated machine identities: enumerate every computer account that appears in msDS-AllowedToDelegateTo or related delegation settings, then classify whether it sits in Tier 0, PKI, or hybrid identity infrastructure.
  • Set the NOT_DELEGATED bit on sensitive computers: use Set-ADAccountControl with -AccountNotDelegated $true for machine identities that should never be represented across tiers.
  • Review certificate services and delegation together: audit AD CS web enrollment, constrained delegation, and privileged template exposure as a single control surface.
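
The first two steps above, as an added PowerShell example that is not Silverfort's or NHIMG's code. It assumes the ActiveDirectory RSAT module and a placeholder Tier 0 container DN ($Tier0OU) that you replace with your own; the Set-ADAccountControl call runs with -WhatIf so the script only reports until the audit in step three is done.

```powershell
# Added example: audit computer accounts with any delegation configuration and flag the
# Tier 0 ones that are still missing the NOT_DELEGATED bit. Not the vendor's code.
Import-Module ActiveDirectory

$Tier0OU = 'OU=Tier0,DC=example,DC=local'   # placeholder: your Tier 0 / PKI / hybrid-identity container

# userAccountControl bits: 0x80000 TRUSTED_FOR_DELEGATION (unconstrained),
# 0x1000000 TRUSTED_TO_AUTH_FOR_DELEGATION (protocol transition), 0x100000 NOT_DELEGATED.
$props = 'msDS-AllowedToDelegateTo', 'TrustedForDelegation', 'TrustedToAuthForDelegation',
         'PrincipalsAllowedToDelegateToAccount', 'AccountNotDelegated'

# Step 1: inventory every computer that delegates outbound (constrained or unconstrained)
# or is a target of resource-based constrained delegation (RBCD).
$ldap = '(|(msDS-AllowedToDelegateTo=*)' +
        '(userAccountControl:1.2.840.113556.1.4.803:=524288)' +
        '(userAccountControl:1.2.840.113556.1.4.803:=16777216)' +
        '(msDS-AllowedToActOnBehalfOfOtherIdentity=*))'
$computers = Get-ADComputer -LDAPFilter $ldap -Properties $props

# Step 2: classify each hit by delegation type and by whether it lives in the Tier 0 container.
$report = foreach ($c in @($computers)) {
    $constrained = [bool]$c.'msDS-AllowedToDelegateTo'   # empty collection -> $false
    [pscustomobject]@{
        Name               = $c.Name
        DistinguishedName  = $c.DistinguishedName
        Tier0              = $c.DistinguishedName -like "*,$Tier0OU"
        Unconstrained      = [bool]$c.TrustedForDelegation -and -not $constrained
        Constrained        = $constrained
        ProtocolTransition = [bool]$c.TrustedToAuthForDelegation
        RbcdTarget         = [bool]$c.PrincipalsAllowedToDelegateToAccount
        NotDelegated       = [bool]$c.AccountNotDelegated
    }
}
$report | Sort-Object Tier0 -Descending | Format-Table Name, Tier0, Unconstrained, Constrained,
    ProtocolTransition, RbcdTarget, NotDelegated -AutoSize

# The gap the post describes: sensitive machines that can still be delegated.
# -WhatIf keeps this a dry run; drop it only after the delegation settings have been audited.
$report | Where-Object { $_.Tier0 -and -not $_.NotDelegated } | ForEach-Object {
    Set-ADAccountControl -Identity $_.DistinguishedName -AccountNotDelegated $true -WhatIf
}
```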

What's in the full article

Silverfort's full research covers the operational detail this post intentionally leaves for the source:

  • The exact PowerShell control needed to mark sensitive computer accounts as not delegable.
  • The CVE-2025-60704 attack sequence that combines certificate enrollment manipulation with Kerberos delegation abuse.
  • The directory attributes and delegation settings that should be audited before changing production machines.
  • The Tier 0 machine-account categories the vendor identifies as highest risk in real environments.

👉 Read Silverfort's research on Kerberos delegation abuse and machine-account escalation →

