The Get-RBCD-Threaded tool is built specifically to identify Resource-Based Constrained Delegation (RBCD) attack paths within Active Directory environments. RBCD abuse is an attack technique that exploits Kerberos resource-based constrained delegation settings, and this tool helps recognize computer objects that are susceptible to it. It serves as a valuable resource for security professionals and administrators seeking to understand and mitigate the risks associated with RBCD misconfigurations.
How it Works
· The tool queries Active Directory for all users, groups (excluding privileged groups like "Domain Admins" and "BUILTIN\Administrators"), and computer objects in the current domain.
· It compiles a list of their Security Identifiers (SIDs).
· It then queries Active Directory for all Discretionary Access Control Lists (DACLs) on computer objects in the domain.
· Each Access Control Entry (ACE) in the DACLs is checked to see if any user/group/computer SIDs have specific privileges like "GenericAll", "GenericWrite", "WriteOwner", or "WriteDacl" on the computer object.
· It also checks if the SIDs have "WriteProp" permissions on the ms-DS-Allowed-To-Act-On-Behalf-Of-Other-Identity attribute (GUID: 3f78c3e5-f79a-46bd-a0b8-9d18116ddc79).
· If such privileges are found, it indicates a potential Resource-Based Constrained Delegation attack path.
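The ACE checks described above, as an added PowerShell audit that is not part of Get-RBCD-Threaded: it assumes the RSAT ActiveDirectory module (and the AD: drive it provides) and an exclusion list of expected principals that you adapt to your environment. It goes slightly beyond the tool's stated check by also treating an unscoped WriteProperty ACE (empty ObjectType GUID) as covering the RBCD attribute, since such an ACE grants write access to every property.

```powershell
# Added example, not the tool's own code: audit computer-object DACLs with the
# same checks the tool performs, using the RSAT ActiveDirectory module
# (assumes the AD: drive it creates and read access to the computer objects).
Import-Module ActiveDirectory

# Schema GUID of ms-DS-Allowed-To-Act-On-Behalf-Of-Other-Identity (from the page).
$RbcdAttrGuid = [guid]'3f78c3e5-f79a-46bd-a0b8-9d18116ddc79'

# Principals whose write access is expected; extend for your environment (assumption).
$ExpectedPrincipals = @(
    'NT AUTHORITY\SYSTEM', 'NT AUTHORITY\SELF', 'BUILTIN\Administrators',
    "$env:USERDOMAIN\Domain Admins", "$env:USERDOMAIN\Enterprise Admins"
)

$BroadRights = 'GenericAll', 'GenericWrite', 'WriteOwner', 'WriteDacl' |
    ForEach-Object { [System.DirectoryServices.ActiveDirectoryRights]$_ }
$WriteProperty = [System.DirectoryServices.ActiveDirectoryRights]::WriteProperty

function Find-RbcdAttackPath {
    foreach ($computer in Get-ADComputer -Filter *) {
        $acl = Get-Acl -Path ('AD:\' + $computer.DistinguishedName)
        foreach ($ace in $acl.Access) {
            if ($ace.AccessControlType -ne 'Allow') { continue }
            if ($ExpectedPrincipals -contains $ace.IdentityReference.Value) { continue }

            $rights = $ace.ActiveDirectoryRights
            # Broad rights: every bit of the named right must be present in the ACE.
            $broad = @($BroadRights | Where-Object { ($rights -band $_) -eq $_ }).Count -gt 0
            # WriteProperty scoped to the RBCD attribute, or to all properties
            # (empty ObjectType GUID), which includes it.
            $writeRbcd = (($rights -band $WriteProperty) -eq $WriteProperty) -and
                         ($ace.ObjectType -eq $RbcdAttrGuid -or $ace.ObjectType -eq [guid]::Empty)

            if ($broad -or $writeRbcd) {
                [pscustomobject]@{
                    Computer   = $computer.Name
                    Principal  = $ace.IdentityReference.Value
                    Rights     = $rights
                    ObjectType = $ace.ObjectType
                    Inherited  = $ace.IsInherited
                }
            }
        }
    }
}

Find-RbcdAttackPath | Format-Table -AutoSize
```

Each row is a principal outside the expected set that can set the RBCD attribute on that computer; the Inherited column helps trace whether the grant comes from an OU-level ACE rather than the object itself.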
Usage
Compile in Visual Studio. The tool utilizes Parallel.ForEach for faster searching through DACL objects, requiring .NET v4 as a minimum.
Options include specifying a username, password, domain, searching forests, filtering based on pwdLastSet, forcing an insecure LDAP connection, specifying an output file, and more.
Example Usage
Detections
- The tool performs LDAP queries, which might not be easily detectable on their own. Detection methods could involve monitoring for a large volume of LDAP queries (in particular, a single host enumerating every computer object's security descriptor) or unusual traffic to a domain controller.
- Honeypot accounts can be used for detection by monitoring modifications to the honeypot computer object, especially to the msds-allowedtoactonbehalfofotheridentity property. Also, monitor for Kerberos tickets requested for services on the honeypot computer object.