Resource-based Constrained Delegation: Computer Object Takeover

0.0(0)
Studied by 0 people
call kaiCall Kai
learnLearn
examPractice Test
spaced repetitionSpaced Repetition
heart puzzleMatch
flashcardsFlashcards
GameKnowt Play
Card Sorting

1/14

flashcard set

Earn XP

Description and Tags

Practice flashcards covering the concepts, requirements, and tools for conducting Resource-based Constrained Delegation (RBCD) attacks in Active Directory.

Last updated 8:43 PM on 5/28/26
Name
Mastery
Learn
Test
Matching
Spaced
Call with Kai

No analytics yet

Send a link to your students to track their progress

15 Terms

1
New cards

Resource-based Constrained Delegation (RBCD)

A computer object takeover attack that utilizes Generic write, Generic All, or Write Property (ACE) to a computer object to perform a delegation attack.

2
New cards

ms-DS-MachineAccountQuota

The attribute that determines the number of machines a domain user can join to the domain; it is set to 10 by default for all domain users.

3
New cards

msDS-AllowedToActOnBehalfOfOtherIdentity

The specific attribute that must be modified on a target service or object to enable an attacker's controlled machine account to act on behalf of others.

4
New cards

Windows 2012

The minimum version required for a Domain Controller (DC) to be vulnerable to Resource-based Constrained Delegation (RBCD) abuse.

5
New cards

Powermad

An offensive PowerShell module used to create new machine accounts using the command New-MachineAccount.

6
New cards

RawSecurityDescriptor

A security object created to define access control, which is converted to bytes and applied to the msds-allowedtoactonbehalfofotheridentity attribute on the target machine.

7
New cards

Rubeus

A Kerberos ticket tool used to request service tickets, generate RC4 hashes, and perform S4U (Service for User) attacks to impersonate users.

8
New cards

S4U (Service for User)

The Kerberos extension used by tools like Rubeus to request a service ticket for a victim machine as any user, such as a Domain Admin.

9
New cards

SafetyKatz

A tool used to extract AES keys by executing Mimikatz-style commands like sekurlsa::ekeys.

10
New cards

SID S-1-5-18

The well-known Security Identifier (SID) for the SYSTEM user.

11
New cards

lsadump::dcsync

A Mimikatz command used to retrieve Domain Controller hashes once a TGS for the LDAP service has been obtained.

12
New cards

rbcd.py

An Impacket script used to configure Resource-based Constrained Delegation by modifying objects over LDAP.

13
New cards

Find-InterestingDomainAcl

A command used to identify specific Access Control Lists in the domain that might be vulnerable to abuse.

14
New cards

sekurlsa::pth

A Mimikatz command used to perform 'Pass-the-Hash' to run processes with Domain Controller privileges.

15
New cards

Generic All

An Access Control Entry (ACE) that, when held over a computer object, provides the necessary permissions to perform a resource-based constrained delegation attack.