If an account able to edit the msDS-AllowedToActOnBehalfOfOtherIdentity attribute of another object (e.g. holding a GenericWrite ACE over it, see Abusing ACLs) is compromised, an attacker can use it to populate that attribute, hence configuring that object for RBCD.

A machine account can, by default, edit its own msDS-AllowedToActOnBehalfOfOtherIdentity attribute, hence allowing RBCD attacks on relayed machine account authentications (the relayed computer's LDAP session is used to configure RBCD on that very computer object).

For this attack to work, the attribute needs to be populated with an account that has a ServicePrincipalName set (needed for Kerberos delegation operations). The usual way to conduct these attacks is to create a computer account, which comes with an SPN set. This is usually possible thanks to a domain-level attribute called MachineAccountQuota that, by default, allows regular users to create up to 10 computer accounts. While this "computer account creation + RBCD attack" is the most common exploitation path, doing so with a user account (having at least one SPN) is perfectly feasible.

The attacker can then use the account with the SPN to make S4U2Self and S4U2Proxy requests, just like constrained delegation with protocol transition. The S4U2Proxy request yields a service ticket for the configured object, for the service class named in the requested SPN (e.g. in the cifs/target.domain.local SPN, the service class is cifs).

Nota bene: msDS-AllowedToActOnBehalfOfOtherIdentity was introduced with Windows Server 2012, implying that RBCD only works when the Domain Controller Functional Level (DCFL) is Windows Server 2012 or higher.

From UNIX-like systems, ntlmrelayx has a --delegate-access option that populates the attribute when conducting this attack from a relayed authentication, and Impacket's getST has a -force-forwardable option to try to bypass restrictions (the Bronze Bit technique). Obtaining a ticket for cifs/target.domain or host/target.domain will allow most remote dumping operations (more info on adsecurity.org). There are however scenarios where the SPN can be changed (AnySPN) to access more services: the service name is not part of the ticket's encrypted part, so it can be rewritten client-side. This technique is automatically tried by Impacket scripts when doing pass-the-ticket.

From Windows, Rubeus's s4u command has a /bronzebit flag to try to bypass restrictions. As above, a ticket for cifs/target.domain or host/target.domain will allow most remote dumping operations (more info on adsecurity.org), and there are scenarios where the SPN can be changed (AnySPN) to access more services. This technique can be exploited with the /altservice flag of Rubeus.
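What "populating the attribute" concretely means, as an added example that is not part of the original page nor code from Impacket or Rubeus: msDS-AllowedToActOnBehalfOfOtherIdentity holds a self-relative security descriptor whose DACL grants the delegating account's SID full control. The pure-Python block below builds such a descriptor (same owner, control flags and access mask as Impacket's rbcd.py writes), parses one back to list which SIDs are currently allowed to act on behalf of the object (the check a defender wants when auditing computer objects), and merges a new SID into an existing value, since an LDAP write replaces the attribute wholesale. The SIDs S-1-5-21-1-2-3-1105 and S-1-5-21-1-2-3-1106 are constructed placeholders, not real domain SIDs.

```python
import struct

# Wire-format constants from MS-DTYP (SECURITY_DESCRIPTOR, ACL, ACCESS_ALLOWED_ACE)
SE_DACL_PRESENT = 0x0004
SE_SELF_RELATIVE = 0x8000
ACL_REVISION_DS = 0x04
ACCESS_ALLOWED_ACE_TYPE = 0x00
# CCDCLCSWRPWPDTLOCRSDRCWDWO in SDDL: the mask Impacket's rbcd.py writes
FULL_CONTROL = 0x000F01FF
BUILTIN_ADMINS = "S-1-5-32-544"  # owner/group placed in the descriptor, as rbcd.py does


def sid_to_bytes(sid):
    """Encode a textual SID (S-1-5-21-...) into its binary form."""
    parts = sid.split("-")
    if parts[0] != "S" or parts[1] != "1":
        raise ValueError("not a SID: %s" % sid)
    authority = int(parts[2])
    subs = [int(p) for p in parts[3:]]
    out = struct.pack("<BB", 1, len(subs)) + authority.to_bytes(6, "big")
    return out + b"".join(struct.pack("<I", s) for s in subs)


def bytes_to_sid(data, offset=0):
    """Decode a binary SID at data[offset:]; returns (text, size in bytes)."""
    revision, count = struct.unpack_from("<BB", data, offset)
    authority = int.from_bytes(data[offset + 2:offset + 8], "big")
    subs = struct.unpack_from("<%dI" % count, data, offset + 8)
    text = "S-%d-%d" % (revision, authority) + "".join("-%d" % s for s in subs)
    return text, 8 + 4 * count


def build_rbcd_descriptor(allowed_sids):
    """Self-relative SD whose DACL grants FULL_CONTROL to each SID:
    this is the value written into msDS-AllowedToActOnBehalfOfOtherIdentity."""
    owner = sid_to_bytes(BUILTIN_ADMINS)
    aces = b""
    for sid in allowed_sids:
        sid_b = sid_to_bytes(sid)
        aces += struct.pack("<BBHI", ACCESS_ALLOWED_ACE_TYPE, 0, 8 + len(sid_b), FULL_CONTROL) + sid_b
    dacl = struct.pack("<BBHHH", ACL_REVISION_DS, 0, 8 + len(aces), len(allowed_sids), 0) + aces
    off_owner = 20                      # fixed-size 20-byte header
    off_group = off_owner + len(owner)
    off_dacl = off_group + len(owner)   # group SID is the same as owner here
    header = struct.pack("<BBHIIII", 1, 0, SE_DACL_PRESENT | SE_SELF_RELATIVE,
                         off_owner, off_group, 0, off_dacl)
    return header + owner + owner + dacl


def allowed_to_act_sids(descriptor):
    """Return the SIDs granted by ACCESS_ALLOWED ACEs in the DACL, i.e. the
    accounts currently allowed to delegate to this object. Empty if no DACL."""
    _, _, control, _, _, _, off_dacl = struct.unpack_from("<BBHIIII", descriptor, 0)
    if not control & SE_DACL_PRESENT or off_dacl == 0:
        return []
    _, _, _, ace_count, _ = struct.unpack_from("<BBHHH", descriptor, off_dacl)
    pos, sids = off_dacl + 8, []
    for _ in range(ace_count):
        ace_type, _, ace_size, _ = struct.unpack_from("<BBHI", descriptor, pos)
        if ace_type == ACCESS_ALLOWED_ACE_TYPE:
            sids.append(bytes_to_sid(descriptor, pos + 8)[0])
        pos += ace_size
    return sids


def add_allowed_sid(existing_descriptor, new_sid):
    """An LDAP write replaces the attribute wholesale: merge the new SID with
    the allow entries already present so an existing entry is not silently dropped."""
    current = allowed_to_act_sids(existing_descriptor) if existing_descriptor else []
    if new_sid not in current:
        current.append(new_sid)
    return build_rbcd_descriptor(current)


if __name__ == "__main__":
    # Constructed SID of an attacker-created computer account (placeholder)
    attacker_sid = "S-1-5-21-1-2-3-1105"
    sd = build_rbcd_descriptor([attacker_sid])
    print(len(sd), sd.hex())
    print(allowed_to_act_sids(sd))
```

The bytes returned by build_rbcd_descriptor are what rbcd.py, ntlmrelayx --delegate-access or Set-ADComputer -PrincipalsAllowedToDelegateToAccount end up writing; on the defensive side, feeding the attribute value read from LDAP to allowed_to_act_sids gives the list of principals to review, and an unexpected freshly created computer account in that list is the footprint of the attack described above.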