Resource-Based Constrained Delegation (RBCD) is an Active Directory feature that lets a service or system delegate authentication to another service or system, granting it limited access to specific resources on behalf of a user.
This is configured by setting a value in the msDS-AllowedToActOnBehalfOfOtherIdentity attribute, a security descriptor on the target object that lists the services or systems permitted to act on behalf of other identities when accessing that object's resources.
To understand it better, take this example: we have a file share that all users in the domain can access, and we want to configure it so that only the file service account can impersonate users against the file share.
To do this, we would add the file service account to the msDS-AllowedToActOnBehalfOfOtherIdentity attribute on the file share object. That allows the file service account to impersonate any user accessing the file share, while every other account is prevented from impersonating anyone.
To abuse this type of delegation, an attacker must compromise an account with write access over a computer object, then configure that object's RBCD attribute so the compromised account is allowed to impersonate any user when accessing the target computer. This attack is usually performed to gain high privileges on the target computer.
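Because the whole mechanism, both the legitimate file-share configuration above and the abuse just described, hinges on who is listed in msDS-AllowedToActOnBehalfOfOtherIdentity, a defender's first question is which objects in the domain have that attribute set and who appears in it. The following PowerShell is an added example written for this post, not code from the original article or from Hack The Box. It assumes the RSAT ActiveDirectory module is installed, that the account running it can read the domain, and (for the second function) that it runs on a domain controller where "Audit Directory Service Changes" and a matching SACL are enabled so that event 5136 is recorded; the function names, parameter names and the 7-day default window are my own choices.

```powershell
# Added example (not from the original post): audit RBCD in Active Directory.
# Assumes the RSAT ActiveDirectory module and read access to the domain.
Import-Module ActiveDirectory

function Get-RbcdAssignments {
    param(
        # Whole domain by default; pass an OU distinguished name to narrow the search (assumption).
        [string]$SearchBase = (Get-ADDomain).DistinguishedName
    )

    # Only objects where the attribute is populated match this filter.
    $objects = Get-ADObject -LDAPFilter '(msDS-AllowedToActOnBehalfOfOtherIdentity=*)' `
        -SearchBase $SearchBase `
        -Properties 'msDS-AllowedToActOnBehalfOfOtherIdentity', 'objectClass'

    foreach ($obj in $objects) {
        $raw = $obj.'msDS-AllowedToActOnBehalfOfOtherIdentity'

        # The attribute is a security descriptor. The AD module usually hands it back as
        # ActiveDirectorySecurity already; if it arrives as raw bytes, decode it ourselves.
        if ($raw -is [byte[]]) {
            $sd = New-Object System.DirectoryServices.ActiveDirectorySecurity
            $sd.SetSecurityDescriptorBinaryForm($raw)
        } else {
            $sd = $raw
        }

        foreach ($ace in $sd.Access) {
            # Each ACE names one principal allowed to act on behalf of other identities
            # against this object. Resolve the SID to a name where possible; an
            # unresolvable SID (deleted account, foreign domain) deserves a closer look.
            try { $sid  = $ace.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]).Value } catch { $sid = '<unresolved>' }
            try { $name = $ace.IdentityReference.Translate([System.Security.Principal.NTAccount]).Value } catch { $name = '<unresolved>' }

            [PSCustomObject]@{
                Target        = $obj.DistinguishedName
                TargetClass   = $obj.objectClass
                AllowedToAct  = $name
                AllowedSid    = $sid
                AccessControl = $ace.AccessControlType
            }
        }
    }
}

function Get-RbcdAttributeChanges {
    param(
        # Look back this many days in the Security log (assumption: 7 is a reasonable default).
        [int]$Days = 7
    )

    # Event 5136 ("A directory service object was modified") is logged on the DC that took the
    # write when directory service change auditing is enabled. Filter it down to changes of
    # the RBCD attribute so that a new delegation entry stands out.
    $filter = @{ LogName = 'Security'; Id = 5136; StartTime = (Get-Date).AddDays(-$Days) }

    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue | ForEach-Object {
        $xml  = [xml]$_.ToXml()
        $data = @{}
        foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }

        if ($data['AttributeLDAPDisplayName'] -eq 'msDS-AllowedToActOnBehalfOfOtherIdentity') {
            [PSCustomObject]@{
                Time      = $_.TimeCreated
                Subject   = "$($data['SubjectDomainName'])\$($data['SubjectUserName'])"
                Object    = $data['ObjectDN']
                # %%14674 = value added, %%14675 = value deleted
                Operation = $data['OperationType']
            }
        }
    }
}

# Usage: list current assignments, then recent changes to the attribute.
Get-RbcdAssignments | Format-Table -AutoSize
Get-RbcdAttributeChanges -Days 7 | Format-Table -AutoSize
```

The first function answers "who can currently impersonate users against which objects", which is the state an attacker with write access over a computer object would alter; in a healthy domain the list is short and every entry maps to a known service account such as the file service account in the example above. The second function turns on a concrete detection: a 5136 event whose AttributeLDAPDisplayName is msDS-AllowedToActOnBehalfOfOtherIdentity, written by a subject that is not a known provisioning account, is exactly the footprint of the abuse the post goes on to describe.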
In this blog post, we will delve into the Resource-Based Constrained Delegation (RBCD) attack and discuss the steps involved in exploiting it to gain high privileges on a domain controller. To provide practical insights, I will outline the steps to attack the Support machine from Hack The Box.