What is the final impact of this kill-chain?

The final step lands on PSExec / SMB exec on target as Administrator (T1021.002), which falls under Lateral Movement. From here, an operator typically pivots into post-exploitation or maintains persistence.

How can defenders detect or prevent this attack?

Detection and prevention vary per step. Refer to each linked MITRE ATT&CK entry under "References" — every technique on that page lists defensive controls, detection telemetry, and known threat-actor usage.

← RegistryDossier · 5 steps · 4 edges

Approved

RBCD abuse → SYSTEM on a domain host

A user with GenericAll/GenericWrite on a computer object writes msDS-AllowedToActOnBehalfOfOtherIdentity, then uses S4U2self/S4U2proxy to impersonate any user (including Administrator) on that host.

Filed by AD Knowledge BasePublished 2026-05-26

§ Kill-chainDrag · zoom · scroll

Initial Access

Compromised user with WriteDACL on target

T1078 · Valid Accounts

Persistence

Create / use attacker-controlled computer account

T1136 · Create Account

addcomputer.py — requires MachineAccountQuota > 0.

Lateral Movement

S4U2self + S4U2proxy as Administrator

AD-RBCD · Resource-Based Constrained Delegation (RBCD) Abuse

getST.py -spn cifs/<target> -impersonate Administrator <dom>/<attacker>$

Lateral Movement

Write msDS-AllowedToActOnBehalfOfOtherIdentity

AD-RBCD · Resource-Based Constrained Delegation (RBCD) Abuse

rbcd.py -delegate-to <target>$ -delegate-from <attacker>$ -action write

Lateral Movement

PSExec / SMB exec on target as Administrator

T1021.002 · SMB/Windows Admin Shares

§ Context

Assumed environment: attacker controls a principal with write rights to msDS-AllowedToActOnBehalfOfOtherIdentity on at least one computer account, and can create or already owns a computer account with an SPN.

§ Steps

01
Compromised user with WriteDACL on targetInitial Access
T1078— Valid Accounts
02
Create / use attacker-controlled computer accountPersistence
T1136— Create Account
addcomputer.py — requires MachineAccountQuota > 0.
03
S4U2self + S4U2proxy as AdministratorLateral Movement
AD-RBCD— Resource-Based Constrained Delegation (RBCD) Abuse
getST.py -spn cifs/<target> -impersonate Administrator <dom>/<attacker>$
04
Write msDS-AllowedToActOnBehalfOfOtherIdentityLateral Movement
AD-RBCD— Resource-Based Constrained Delegation (RBCD) Abuse
rbcd.py -delegate-to <target>$ -delegate-from <attacker>$ -action write
05
PSExec / SMB exec on target as AdministratorLateral Movement
T1021.002— SMB/Windows Admin Shares

§ References

§ Frequently asked

What is the "RBCD abuse → SYSTEM on a domain host" attack path?: A user with GenericAll/GenericWrite on a computer object writes msDS-AllowedToActOnBehalfOfOtherIdentity, then uses S4U2self/S4U2proxy to impersonate any user (including Administrator) on that host. It chains 5 steps drawn from real-world offensive-security techniques.
What starting position does this attack require?: The first step is Compromised user with WriteDACL on target (T1078) — a initial access primitive. Assumed environment: attacker controls a principal with write rights to msDS-AllowedToActOnBehalfOfOtherIdentity on at least one computer account, and can create or already owns a computer account with an SPN.
What is the final impact of this kill-chain?: The final step lands on PSExec / SMB exec on target as Administrator (T1021.002), which falls under Lateral Movement. From here, an operator typically pivots into post-exploitation or maintains persistence.
How can defenders detect or prevent this attack?: Detection and prevention vary per step. Refer to each linked MITRE ATT&CK entry under "References" — every technique on that page lists defensive controls, detection telemetry, and known threat-actor usage.

RBCD abuse → SYSTEM on a domain host

§ Context

§ Steps

§ References

§ Frequently asked

§ Related dossiers

MachineAccountQuota abuse → RBCD takeover of a server

mitm6 IPv6 SLAAC → NTLM relay → DA

noPac / sAMAccountName spoofing → Domain Admin