# Full Report

## Intro

In this blog post I want to show a simulation of a real-world Resource Based Constrained Delegation attack scenario that could be used to escalate privileges on an Active Directory domain. I recently faced a network that had had several assessments done before. Luckily for me, before this engagement I had used some of my research time to understand more advanced Active Directory attack concepts. This blog post isn’t new and I used lots of existing tools to perform the attack. Worse, there are easier ways to do it as well. But, this assessment required different approaches and I wanted to show defenders and attackers that if you understand the concepts you can take more than one path.

# Analysis Summary
# Tool/Technique: Resource Based Constrained Delegation (RBCD) Abuse
## Overview
The core of the attack discussed is the abuse of Resource-Based Constrained Delegation (RBCD) in Active Directory (AD) environments to achieve privilege escalation, potentially leading to domain takeover. This technique leverages misconfigurations in delegation settings on computer objects. The simulation also involved chaining this with DACL (Discretionary Access Control List) manipulations to facilitate target acquisition.
## Technical Details
- Type: Technique
- Platform: Active Directory (Windows Domain)
- Capabilities: Allows an attacker with write access to a computer object (specifically to its `msDS-AllowedToActOnBehalfOfOtherIdentity` attribute, reached directly or by first taking ownership or rewriting the object's DACL) to obtain Kerberos service tickets to that computer as any user, i.e. to impersonate those users against the delegating resource.
- First Seen: The underlying mechanism is inherent to Windows Server operating systems supporting modern AD features; the widespread offensive application was detailed in research preceding this 2020 article.
## MITRE ATT&CK Mapping
The core RBCD abuse maps to privilege escalation and credential access, often enabled by configuration/permission discovery done via reconnaissance.
- **TA0004 - Privilege Escalation**
- **T1210 - Lateral Movement via Authentication (Indirectly, leading to escalation/takeover)**
* If RBCD is leveraged to obtain a service ticket for a high-privileged account.
- **TA0005 - Defense Evasion** (If stealthy methods are used to manipulate delegation attributes)
- **TA0003 - Identification**
- **T1087.002 - Account Discovery: Domain Account** (Identifying high-value targets like SVCSYNC)
- **TA0009 - Credential Access**
- **T1558.003 - Steal or Forge Kerberos Tickets: Kerberoasting** (Used in the associated targeted attack path)
## Functionality
### Core Capabilities
- **Computer Object Takeover Primitive:** Abuse of RBCD, often via DACL misconfigurations, allows an attacker to control delegation settings for a computer object.
- **Privilege Escalation Chain:** The attack relies on chaining discovered misconfigurations (e.g., a user having write privileges on another user object) to gain access to a high-value target (like SVCSYNC, which has DCSync rights).
### Advanced Features
- **Targeted Kerberoasting:** When write privileges exist on a user object, the attacker can add a Service Principal Name (SPN) to that user object, request a Kerberos ticket for that SPN, and attempt to crack the associated password hash offline. This was used in one of the two potential attack paths identified.
- **Abusing DACL Write Privileges:** Utilizing privileges like `WriteOwner` on critical objects (like the Domain Controller computer object) allows for direct modification of access controls, leading to takeover.
- **Remote ADUC Usage (Advanced Logon/Ticket Manipulation):** The author demonstrated complex methods involving Kerberos tickets and command-line tricks to manipulate AD objects (like changing the DC owner) remotely, potentially bypassing cleartext credential requirements.
## Indicators of Compromise
Since the article focuses on techniques and existing tools rather than deploying novel malware, specific IoCs are heavily dependent on the tools used for execution.
- File Hashes: N/A (Based on running established tools like BloodHound, Rubeus, Mimikatz)
- File Names: N/A (Focus is on AD object manipulation)
- Registry Keys: N/A
- Network Indicators: N/A (Attack relies on internal AD queries and Kerberos traffic)
- Behavioral Indicators:
* Unexpected modifications to the `msDS-AllowedToActOnBehalfOfOtherIdentity` attribute on computer objects.
* Abnormal invocation of permissions management functions on high-value user/computer objects by low-privileged accounts (e.g., `RONALD.MGMT` attempting DACL modifications).
* Service Principal Name (SPN) modification on user objects followed by Kerberos Service Ticket requests (for targeted kerberoasting).
## Associated Threat Actors
The techniques discussed (RBCD abuse, targeted Kerberoasting, DACL takeovers) are common post-exploitation methods used by sophisticated threat actors and are frequently employed by penetration testers and red teams operating against Active Directory environments. No specific threat actor group is explicitly credited with *developing* RBCD abuse, but these are standard components of advanced AD compromise toolkits.
## Detection Methods
Detection focuses on monitoring Active Directory configuration changes and reconnaissance activities.
- Signature-based detection: Unlikely for the core RBCD abuse itself, as it uses legitimate AD functionalities.
- Behavioral detection: Monitor for low-privileged users querying or modifying attributes of high-value AD objects (especially the owner, the DACL, or delegation settings). Monitor for the observable part of the Kerberoasting chain: an SPN added to a user object followed by a TGS request for that SPN (the offline cracking step itself leaves no trace in the domain).
- YARA rules if available: N/A (Not malware-based)
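The behavioral detections above, written out as rules over sample events. This is an added example, not code from the original post. The records are a constructed, flattened view of Event 5136 (directory service object modified: subject, object DN, object class, LDAP display name of the attribute, operation) and Event 4769 (Kerberos service ticket requested: requester, service name, encryption type); the account `svc-adprovision`, the host `DC01` and the domain `corp.local` are placeholders, while `RONALD.MGMT` and `SVCSYNC` are the names used in the post.

```python
"""Behavioural detection for the RBCD / targeted-Kerberoasting / DACL-takeover
chain over Windows security events (added example, not from the original post).
Records are a constructed, simplified view of Event 5136 and Event 4769."""
from collections import namedtuple

Alert = namedtuple("Alert", "rule subject target")

PROVISIONING_ACCOUNTS = {"svc-adprovision"}               # placeholder: accounts allowed to write delegation/DACLs
TIER0_SUFFIX = "OU=Domain Controllers,DC=corp,DC=local"  # placeholder: DNs treated as Tier 0
RC4_ETYPE = "0x17"                                        # TGS encryption type typical of roasting requests
ROAST_WINDOW = 3600                                       # seconds allowed between SPN add and TGS request


def detect(events, provisioning=PROVISIONING_ACCOUNTS, window=ROAST_WINDOW):
    """Walk events in time order and return the alerts raised by three rules:
    1. msDS-AllowedToActOnBehalfOfOtherIdentity changed by a non-provisioning account
    2. SPN added to a user object, then an RC4 TGS requested for that user within `window`
    3. nTSecurityDescriptor (owner/DACL) changed on a Tier-0 object by a non-provisioning account"""
    alerts = []
    spn_added = {}  # target sAMAccountName (upper-cased) -> timestamp the SPN was added
    for ev in sorted(events, key=lambda e: e["ts"]):
        if ev["id"] == 5136:
            attr, subj = ev["attribute"].lower(), ev["subject"]
            if attr == "msds-allowedtoactonbehalfofotheridentity" and subj not in provisioning:
                alerts.append(Alert("rbcd-attribute-change", subj, ev["object"]))
            elif attr == "serviceprincipalname" and ev["object_class"] == "user" and ev["op"] == "added":
                spn_added[ev["sam"].upper()] = ev["ts"]
            elif attr == "ntsecuritydescriptor" and ev["object"].endswith(TIER0_SUFFIX) and subj not in provisioning:
                alerts.append(Alert("tier0-dacl-change", subj, ev["object"]))
        elif ev["id"] == 4769 and ev["etype"] == RC4_ETYPE:
            svc = ev["service"].upper()
            t0 = spn_added.get(svc)
            if t0 is not None and 0 <= ev["ts"] - t0 <= window:
                alerts.append(Alert("targeted-kerberoast", ev["subject"], svc))
    return alerts


# Constructed sample: one noisy low-privileged account (RONALD.MGMT, from the
# post) next to benign provisioning activity and a normal AES ticket request.
DC01 = "CN=DC01,OU=Domain Controllers,DC=corp,DC=local"
SAMPLE_EVENTS = [
    {"ts": 100, "id": 5136, "subject": "RONALD.MGMT", "object": DC01, "object_class": "computer",
     "attribute": "msDS-AllowedToActOnBehalfOfOtherIdentity", "op": "added"},
    {"ts": 200, "id": 5136, "subject": "svc-adprovision", "object": "CN=FS01,OU=Servers,DC=corp,DC=local",
     "object_class": "computer", "attribute": "msDS-AllowedToActOnBehalfOfOtherIdentity", "op": "added"},
    {"ts": 300, "id": 5136, "subject": "RONALD.MGMT", "object": "CN=SVCSYNC,OU=Service,DC=corp,DC=local",
     "object_class": "user", "sam": "SVCSYNC", "attribute": "servicePrincipalName", "op": "added"},
    {"ts": 320, "id": 4769, "subject": "RONALD.MGMT", "service": "SVCSYNC", "etype": "0x17"},
    {"ts": 400, "id": 4769, "subject": "alice", "service": "DC01$", "etype": "0x12"},
    {"ts": 500, "id": 5136, "subject": "RONALD.MGMT", "object": DC01, "object_class": "computer",
     "attribute": "nTSecurityDescriptor", "op": "modified"},
]

if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print(alert)
```

The provisioning allowlist is what keeps the first and third rules quiet for legitimate automation; the Kerberoasting rule deliberately keys on the target account rather than the requester, because the SPN can be added by one account and the ticket requested by another.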
## Mitigation Strategies
Mitigation focuses on limiting permissions on crucial AD objects and auditing delegation settings.
- **Prevention:** Strictly enforce the principle of least privilege. Ensure members of routine administrative groups (`RMTAdmins`, `MGMTAdmins`) do not possess write/owner privileges on critical computer objects (like Domain Controllers) or high-value user accounts.
- **Hardening Recommendations:** Review and clean up outdated or overly permissive ACLs/DACLs on all computer objects. Limit who can perform DCSync operations on the Domain Object. Be cautious with granting `GenericWrite`, `GenericAll`, `WriteDacl`, or `WriteOwner` rights.
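Reviewing delegation settings on computer objects, as the hardening advice above calls for, means decoding `msDS-AllowedToActOnBehalfOfOtherIdentity`, which stores a self-relative security descriptor whose DACL lists the principals allowed to delegate to that computer. The following added example (not code from the original post) parses that binary blob and reports any SID not on an approved list. The descriptor bytes are constructed in-line so the script runs offline; in a real audit the value would come from LDAP (for example `Get-ADComputer -Properties msDS-AllowedToActOnBehalfOfOtherIdentity`), and the domain SID and RIDs used are placeholders.

```python
"""Audit helper for msDS-AllowedToActOnBehalfOfOtherIdentity (added example,
not from the original post). Decodes the self-relative security descriptor
stored in the attribute and lists the SIDs allowed to delegate to the computer."""
import struct

SE_DACL_PRESENT = 0x0004
SE_SELF_RELATIVE = 0x8000
ACCESS_ALLOWED = 0x00
ACCESS_DENIED = 0x01


def parse_sid(buf, off):
    """Decode a binary SID at buf[off:]; return (sid_string, size_in_bytes)."""
    rev, count = buf[off], buf[off + 1]
    authority = int.from_bytes(buf[off + 2:off + 8], "big")
    subs = struct.unpack_from("<%dI" % count, buf, off + 8)
    return "S-%d-%d" % (rev, authority) + "".join("-%d" % s for s in subs), 8 + 4 * count


def parse_acl(buf, off):
    """Decode an ACL; return [(ace_type, access_mask, sid)] in DACL order.
    Only the plain allow/deny ACE layouts are decoded; other ACE types are
    kept as (type, None, None) so their presence is still visible."""
    _rev, _sbz1, _size, ace_count, _sbz2 = struct.unpack_from("<BBHHH", buf, off)
    aces, pos = [], off + 8
    for _ in range(ace_count):
        ace_type, _flags, ace_size = struct.unpack_from("<BBH", buf, pos)
        if ace_type in (ACCESS_ALLOWED, ACCESS_DENIED):
            (mask,) = struct.unpack_from("<I", buf, pos + 4)
            sid, _ = parse_sid(buf, pos + 8)
            aces.append((ace_type, mask, sid))
        else:
            aces.append((ace_type, None, None))
        pos += ace_size
    return aces


def allowed_to_delegate(sd):
    """Return the SIDs granted by ACCESS_ALLOWED ACEs in the descriptor's DACL.
    An empty attribute or an empty DACL means nobody may delegate to this computer."""
    if not sd:
        return []
    rev, _sbz, control, _owner, _group, _sacl, dacl_off = struct.unpack_from("<BBHIIII", sd, 0)
    if rev != 1 or not (control & SE_DACL_PRESENT) or dacl_off == 0:
        return []
    return [sid for t, _m, sid in parse_acl(sd, dacl_off) if t == ACCESS_ALLOWED]


def unexpected_delegators(sd, approved):
    """SIDs present in the DACL but not on the approved list: the audit finding."""
    return [s for s in allowed_to_delegate(sd) if s not in approved]


# --- constructed sample descriptor, in the shape Set-ADComputer writes ---
def build_sid(sid_str):
    """Encode 'S-1-5-21-...' as a binary SID (used only to build the sample)."""
    parts = sid_str.split("-")
    rev, authority, subs = int(parts[1]), int(parts[2]), [int(p) for p in parts[3:]]
    return bytes([rev, len(subs)]) + authority.to_bytes(6, "big") + struct.pack("<%dI" % len(subs), *subs)


def build_sd(allowed_sids, mask=0x000F01FF):
    """Self-relative SD holding only a DACL of ACCESS_ALLOWED ACEs (constructed)."""
    aces = b""
    for s in allowed_sids:
        sid = build_sid(s)
        aces += struct.pack("<BBHI", ACCESS_ALLOWED, 0, 8 + len(sid), mask) + sid
    acl = struct.pack("<BBHHH", 4, 0, 8 + len(aces), len(allowed_sids), 0) + aces
    header = struct.pack("<BBHIIII", 1, 0, SE_SELF_RELATIVE | SE_DACL_PRESENT, 0, 0, 0, 20)
    return header + acl


if __name__ == "__main__":
    # Placeholder domain SID: RID 1201 is an approved file server, RID 1105 a
    # workstation that should never be allowed to delegate to this computer.
    approved = {"S-1-5-21-1111-2222-3333-1201"}
    sample = build_sd(["S-1-5-21-1111-2222-3333-1201", "S-1-5-21-1111-2222-3333-1105"])
    print("allowed:   ", allowed_to_delegate(sample))
    print("unexpected:", unexpected_delegators(sample, approved))
```

Run this over every computer object with the attribute populated and compare the result against the change records you expect; an entry you cannot trace to a deliberate configuration is exactly the primitive the post abuses, and resolving each SID to an account name will show whether it belongs to a low-privileged principal.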
## Related Tools/Techniques
The attack explicitly utilized or referenced several key tools that work in tandem to map and execute the attack:
- **BloodHound:** Used extensively for initial reconnaissance and mapping the DACL attack paths and privilege relationships leading to high-value targets (like `SVCSYNC` and the DC object).
- **Mimikatz:** Likely used for credential extraction (NTLM hash/cleartext) or for Kerberos ticket manipulation/forgery after privileges are gained.
- **PowerView:** Mentioned as a single-tool alternative for performing some of the discovered object modifications more easily.
- **Rubeus:** A specialized tool for Kerberos-related attacks, useful for ticket manipulation, abuse, or targeted kerberoasting execution.
- **DACL-based attacks:** General concept referenced, including research presented at Black Hat 2017 concerning ACEs (Access Control Entries) and backdoors implanted via DACLs.