Resource-Based Constrained Delegation (RBCD) Abuse
Write msDS-AllowedToActOnBehalfOfOtherIdentity on a target computer to S4U2self/S4U2proxy into it.
§ Where this technique fits
AD-RBCD is catalogued under the Lateral Movement tactic of the offensive-security kill-chain. It appears in 3 approved dossiers in the registry, at step 3.7 on average.
§ Dossiers chaining this technique
- step 3 / 5 · RBCD abuse → SYSTEM on a domain host
  A user with GenericAll/GenericWrite on a computer object writes msDS-AllowedToActOnBehalfOfOtherIdentity, then uses S4U2self/S4U2proxy to impersonate any user (including Administrator) on that host.
- step 3 / 5 · MachineAccountQuota abuse → RBCD takeover of a server
  The default ms-DS-MachineAccountQuota = 10 lets any authenticated user create a computer account, which can then be used as the source principal in an RBCD attack.
- step 5 / 7 · mitm6 IPv6 SLAAC → NTLM relay → DA
  Even when IPv4 is hardened, Windows clients request DHCPv6 by default and prefer IPv6 over IPv4. mitm6 makes the attacker the IPv6 DNS server, advertises WPAD, and relays the captured NTLM authentication to LDAPS to configure RBCD.
§ What commonly comes next
- 01 · Pass the Ticket · seen 2× · T1550.003 · Lateral Movement
- 02 · SMB/Windows Admin Shares · seen 1× · T1021.002 · Lateral Movement