MachineAccountQuota abuse → RBCD takeover of a server
Default ms-DS-MachineAccountQuota = 10 lets any authenticated user create a computer account, which can then be used as the source principal in an RBCD attack.
§ Context
Assumed environment: ms-DS-MachineAccountQuota > 0 (default), attacker can write msDS-AllowedToActOnBehalfOfOtherIdentity on a target computer (via GenericWrite or GenericAll).
§ Steps
- 01 Any authenticated user (Initial Access; T1078 Valid Accounts)
- 02 Write msDS-AllowedToActOnBehalfOfOtherIdentity (Lateral Movement; AD-RBCD Resource-Based Constrained Delegation (RBCD) Abuse)
- 03 S4U2self → S4U2proxy as Administrator (Lateral Movement; T1550.003 Pass the Ticket)
- 04 SMB exec on the target as Administrator (Lateral Movement; T1021.002 SMB/Windows Admin Shares)
- 05 Create attacker-owned computer$ (Initial Access; AD-MAQ MachineAccountQuota Abuse)
  addcomputer.py -computer-name attacker$ -computer-pass <pw> <dom>/<user>:<pw>
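As an added defender-side example, not part of this dossier: a small Python correlation of the two Security-log events this path leaves behind, 4741 (computer account created) and 5136 (directory object modified) where the attribute is msDS-AllowedToActOnBehalfOfOtherIdentity. The event dicts, the allowlist account svc_provision and the sample entries are constructed; in a real pipeline they come from your SIEM's parsed XML fields.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Accounts expected to join computers (constructed allowlist; in practice your
# provisioning/MDT/SCCM service accounts). Setting ms-DS-MachineAccountQuota to 0
# removes the precondition for step 05 altogether; this script is the detection side.
ALLOWED_JOINERS = {"svc_provision"}
RBCD_ATTR = "msDS-AllowedToActOnBehalfOfOtherIdentity"

# Constructed sample events shaped like the relevant fields of 4741 and 5136.
SAMPLE_EVENTS = [
    {"EventID": 4741, "TimeCreated": "2024-05-01T10:00:00",
     "SubjectUserName": "svc_provision", "TargetUserName": "WS-0042$"},
    {"EventID": 4741, "TimeCreated": "2024-05-01T10:05:00",
     "SubjectUserName": "jdoe", "TargetUserName": "attacker$"},
    {"EventID": 5136, "TimeCreated": "2024-05-01T10:07:00",
     "SubjectUserName": "jdoe", "ObjectDN": "CN=FILESRV01,OU=Servers,DC=corp,DC=local",
     "AttributeLDAPDisplayName": RBCD_ATTR},
    {"EventID": 5136, "TimeCreated": "2024-05-01T11:00:00",
     "SubjectUserName": "admin", "ObjectDN": "CN=WS-0042,OU=Workstations,DC=corp,DC=local",
     "AttributeLDAPDisplayName": "description"},
]


def detect_maq_rbcd(events, window=timedelta(hours=24)):
    """Return (severity, message) alerts: computer creation by a non-allowlisted
    account, any RBCD attribute write, and a raised severity when the same
    principal did both within the window (the step 05 -> step 02 pattern)."""
    alerts = []
    created_by = defaultdict(list)  # subject -> [(time, computer name)]
    for ev in sorted(events, key=lambda e: e["TimeCreated"]):
        ts = datetime.fromisoformat(ev["TimeCreated"])
        who = ev["SubjectUserName"]
        if ev["EventID"] == 4741:
            created_by[who].append((ts, ev["TargetUserName"]))
            if who not in ALLOWED_JOINERS:
                alerts.append(("medium", f"{who} created computer {ev['TargetUserName']} "
                                         "(MachineAccountQuota use by a non-joiner account)"))
        elif ev["EventID"] == 5136 and ev.get("AttributeLDAPDisplayName") == RBCD_ATTR:
            recent = [name for t, name in created_by[who] if ts - t <= window]
            msg = f"{who} wrote {RBCD_ATTR} on {ev['ObjectDN']}"
            if recent:
                msg += f" after creating {', '.join(recent)}"
            alerts.append(("high" if recent else "medium", msg))
    return alerts


if __name__ == "__main__":
    for sev, msg in detect_maq_rbcd(SAMPLE_EVENTS):
        print(sev, msg)
```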
§ References
- T1078 Valid Accounts
- T1550.003 Pass the Ticket
- T1021.002 SMB/Windows Admin Shares
§ Frequently asked
- What is the "MachineAccountQuota abuse → RBCD takeover of a server" attack path?
- Default ms-DS-MachineAccountQuota = 10 lets any authenticated user create a computer account, which can then be used as the source principal in an RBCD attack. It chains 5 steps drawn from real-world offensive-security techniques.
- What starting position does this attack require?
- The first step is Any authenticated user (T1078), an initial access primitive. Assumed environment: ms-DS-MachineAccountQuota > 0 (default), attacker can write msDS-AllowedToActOnBehalfOfOtherIdentity on a target computer (via GenericWrite or GenericAll).
- What is the final impact of this kill-chain?
- The final step lands on Create attacker-owned computer$ (AD-MAQ), which falls under Initial Access. From here, an operator typically pivots into post-exploitation or maintains persistence.
- How can defenders detect or prevent this attack?
- Detection and prevention vary per step. Refer to each linked MITRE ATT&CK entry under "References" — every technique on that page lists defensive controls, detection telemetry, and known threat-actor usage.
§ Related dossiers
- mitm6 IPv6 SLAAC → NTLM relay → DA (shared techniques: 3)
  Even when IPv4 is hardened, Windows clients prefer IPv6 with default DHCPv6. mitm6 makes the attacker the IPv6 DNS server, advertises wpad, and relays the captured NTLM to LDAPS for RBCD.
- RBCD abuse → SYSTEM on a domain host (shared techniques: 3)
  A user with GenericAll/GenericWrite on a computer object writes msDS-AllowedToActOnBehalfOfOtherIdentity, then uses S4U2self/S4U2proxy to impersonate any user (including Administrator) on that host.
- Citrix Bleed → steal authenticated session → MFA bypass (shared techniques: 2)
  Send a long Host header to a vulnerable NetScaler — memory disclosure leaks an authenticated session token already past MFA. Replay the token to log into the corporate VPN.
- ADCS ESC1 → Domain Admin (shared techniques: 2)
  A low-priv domain user discovers a certificate template that lets enrollees supply an arbitrary subjectAltName, enrolls a cert as Administrator, and authenticates via PKINIT.
- ADCS ESC11 → certificate via RPC (no web enrollment) (shared techniques: 2)
  When the CA's ICertPassage RPC interface allows NTLM without signing, relay any coerced auth directly to RPC and obtain a cert — bypasses HTTP-only mitigations.
- Shadow Credentials → PKINIT → NT hash (shared techniques: 2)
  Where GenericWrite is held over a target, write a fake KeyCredentialLink (whfb-like) and authenticate via PKINIT to recover the target's NT hash.