For the purposes of this blog, we'll assume that I've already compromised the `EZ\matt` account, a basic domain user, and used it to collect BloodHound data. Let's start with how to find scenarios allowing RBCD in BloodHound. This post will focus more on that angle, instead of the relay vector, since I think hunting RBCD paths may fly a tad under the radar for other testers, as it had for me. However, I hadn't consciously been searching BloodHound for permissions over computers that open the door for more opportunistic RBCD usage.
Most of my previous RBCD abuse experience stemmed from ntlmrelayx usage (the `-delegate-access` attack), which can be used very similarly to (), due to the fact that machines accounts can edit their own `msDS-AllowedToActOnBehalfOfOtherIdentity` attribute. Recently, I have encountered a couple of environments susceptible to lateral movement through resource-based constrained delegation (RBCD) attacks, prompting me to take a deeper dive into the topic.
0 kommentar(er)
