Active Directory · Term

What is RBCD?

Resource-based constrained delegation lets a target object decide which accounts may impersonate users to it. If an attacker can write that setting, they can impersonate a Domain Admin to the target. Here is what RBCD is and how to defend against its abuse.

TL;DR

RBCD (Resource-Based Constrained Delegation) is a Kerberos delegation model where the target resource controls which accounts may act on a user’s behalf to it, via the msDS-AllowedToActOnBehalfOfOtherIdentity attribute. Attackers abuse it: if they can write that attribute on a target (often through GenericWrite or WriteDACL), they point it at a machine account they control, then use S4U to impersonate any user, including a Domain Admin, to that target. It is a common, quiet escalation that BloodHound flags.

By John Dill, Red Team Lead, SecureLayer7

What RBCD is

Kerberos delegation lets a service act for a user. Resource-based constrained delegation flips who configures it: instead of the front-end service being trusted, the target resource lists the accounts allowed to impersonate users to it, in its msDS-AllowedToActOnBehalfOfOtherIdentity attribute.

That sounds safer, and it can be, but it moves the control to an attribute on the target object. Whoever can write that attribute decides who may impersonate users to the target.

The abuse and payload

If an attacker can write the attribute on a target (for example a server they want to control), the chain is:

1. Create or take over a machine account they control (any user can add machine accounts by default, up to a quota).
2. Write RBCD on the target to trust that machine account, with Impacket's rbcd.py (rbcd.py -delegate-to TARGET$ -delegate-from ATTACKER$ -action write corp.local/user) or PowerView.
3. Use S4U to get a service ticket impersonating a Domain Admin to the target: getST.py -spn cifs/target -impersonate administrator -hashes : corp.local/ATTACKER$
4. Access the target as that admin.

Documented techniques shown for defenders.

How to defend

  • Audit write access to msDS-AllowedToActOnBehalfOfOtherIdentity and to objects generally; remove needless GenericWrite/WriteDACL.
  • Set the machine-account quota to 0 so ordinary users cannot add the machine accounts these attacks rely on.
  • Mark privileged accounts "sensitive and cannot be delegated" so they cannot be impersonated.
  • Monitor for changes to the RBCD attribute and for S4U ticket requests.
  • Run BloodHound, which surfaces who can write RBCD on which targets.
