Resource-based Constrained Delegation
It's possible to gain code execution with elevated privileges on a remote computer if you have WRITE privilege on that computer's AD object.
Microsoft, in an attempt to provide more flexibility to domain users, enabled owners of resources to configure which accounts are trusted and allowed to delegate to them. This is achieved by modifying the attribute msDS-AllowedToActOnBehalfOfOtherIdentity, which controls access to the target resource. Specifically, if a resource such as a computer account has this attribute set, then the account listed in it is allowed to act on behalf of the computer account. To modify this attribute an account needs write permission over that object, which by default it does not have. However, if the SYSTEM account could be triggered and the authentication relayed to Active Directory, it might be possible for an account to obtain delegation rights and therefore act as an elevated user.
Detection
Required
WRITE privilege on a computer's AD object
Compromised computer and machine account hash OR
Ability to create a "fake" computer on the AD
If you have a previously compromised machine and its machine account hash/credential, you can skip the steps for creating a new machine.
Checking ms-ds-machineaccountquota
Since the attack entails creating a new computer object on the domain, first check whether users are allowed to do so: by default, a domain member can add up to 10 computers to the domain. To check this, query the root domain object and look at the property ms-DS-MachineAccountQuota.
Using WMI
Detecting WRITE access
Exploiting
Using StandIn.exe to create and add msDS-AllowedToActOnBehalfOfOtherIdentity to a computer object.
Creating fake computer object
Modifying Target Computer's AD Object
With write access to a machine object, this function allows the operator to add the msDS-AllowedToActOnBehalfOfOtherIdentity property to the machine, which is required to perform a resource-based constrained delegation attack.
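The attribute explained at the top of the page, and written by this step, is stored in the directory as a raw self-relative security descriptor. As an added example (not code from the page or from StandIn), the Python below decodes that binary form and returns the principal SIDs granted in its DACL, which is what a defender needs in order to audit which accounts each computer object currently trusts to act on its behalf. The builder and the sample SID are constructed here so the decoder can be exercised offline; the access mask used in the sample is an arbitrary value.

```python
import struct

ACCESS_ALLOWED_ACE_TYPE = 0x00
SE_DACL_PRESENT = 0x0004

def build_sid(sid_str):
    """Serialise 'S-1-5-21-...' into the binary SID layout used inside an ACE."""
    parts = sid_str.split("-")
    revision, authority = int(parts[1]), int(parts[2])
    subs = [int(p) for p in parts[3:]]
    return (struct.pack("<BB", revision, len(subs)) + authority.to_bytes(6, "big")
            + b"".join(struct.pack("<I", s) for s in subs))

def build_descriptor(allowed_sids, mask=0x000F01FF):
    """Build a self-relative security descriptor whose DACL holds one ACCESS_ALLOWED ACE per
    SID. Constructed stand-in for the raw attribute bytes; the mask is an arbitrary sample."""
    aces = b""
    for sid_str in allowed_sids:
        sid = build_sid(sid_str)
        aces += struct.pack("<BBHI", ACCESS_ALLOWED_ACE_TYPE, 0, 8 + len(sid), mask) + sid
    acl = struct.pack("<BBHHH", 2, 0, 8 + len(aces), len(allowed_sids), 0) + aces
    # control = SE_SELF_RELATIVE (0x8000) | SE_DACL_PRESENT; owner/group/SACL absent, DACL at 20
    header = struct.pack("<BBHIIII", 1, 0, 0x8000 | SE_DACL_PRESENT, 0, 0, 0, 20)
    return header + acl

def sid_to_str(blob, offset):
    """Decode a binary SID at offset back into S-R-A-S1-S2... notation."""
    revision, count = blob[offset], blob[offset + 1]
    authority = int.from_bytes(blob[offset + 2:offset + 8], "big")
    subs = struct.unpack_from("<%dI" % count, blob, offset + 8)
    return "S-%d-%d-%s" % (revision, authority, "-".join(str(s) for s in subs))

def principals_allowed_to_act(blob):
    """Return the SIDs granted by ACCESS_ALLOWED ACEs in the descriptor's DACL. An empty
    list means no account may act on behalf of the computer (attribute absent or empty)."""
    if not blob:
        return []
    _rev, _sbz, control, _own, _grp, _sacl, dacl_off = struct.unpack_from("<BBHIIII", blob, 0)
    if not control & SE_DACL_PRESENT or dacl_off == 0:
        return []
    _acl_rev, _sbz, _size, ace_count, _sbz2 = struct.unpack_from("<BBHHH", blob, dacl_off)
    pos, sids = dacl_off + 8, []
    for _ in range(ace_count):
        ace_type, _flags, ace_size = struct.unpack_from("<BBH", blob, pos)
        if ace_type == ACCESS_ALLOWED_ACE_TYPE:
            sids.append(sid_to_str(blob, pos + 8))  # 4-byte mask sits at pos+4, SID after it
        pos += ace_size
    return sids

# Constructed sample: one workstation's attribute naming a single machine account (made-up SID).
SAMPLE_ATTRIBUTE = build_descriptor(["S-1-5-21-1111111111-2222222222-3333333333-1105"])
```

Any SID this returns that the asset owner did not knowingly authorise is the finding; the same decoder works on the attribute bytes pulled from an LDAP search or from a directory change audit event.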
Verifying change
Getting the machine account's hash value
Impersonation