WriteAccountRestrictions

The ability to modify the msDS-AllowedToActOnBehalfOfOtherIdentity property allows an attacker to abuse resource-based constrained delegation to compromise the remote computer system. This property is a binary DACL that controls what security principals can pretend to be any domain user to the particular computer object. This clip demonstrates how to abuse this edge:

Abuse Info

See the AllowedToAct edge section for abuse info

Opsec Considerations

See the AllowedToAct edge section for opsec considerations

Edge Schema

Source: User, Group, Computer
Destination: User, Computer
Traversable: Yes

References

https://attack.mitre.org/techniques/T1098/
https://dirkjanm.io/abusing-forgotten-permissions-on-precreated-computer-objects-in-active-directory/
https://docs.microsoft.com/en-us/windows/win32/adschema/r-user-account-restrictions
https://specterops.io/blog/2022/08/03/introducing-bloodhound-4-2-the-azure-refactor/

Get Started with BloodHound

Install a Data Collector

Collect Data

OpenGraph

OpenHound

Analyze Attack Path Data

Manage BloodHound

API & Integrations

Resources

WriteAccountRestrictions

Abuse Info

Opsec Considerations

Edge Schema

References

Get Started with BloodHound

Install a Data Collector

Collect Data

OpenGraph

OpenHound

Analyze Attack Path Data

Manage BloodHound

API & Integrations

Resources

Documentation Index

​Abuse Info

​Opsec Considerations

​Edge Schema

​References

Abuse Info

Opsec Considerations

Edge Schema

References