delegation

A Case Study in Wagging the Dog: Computer Takeover

Last month, Elad Shamir released a phenomenal, in depth post on abusing resource-based constrained delegation (RBCD) in Active Directory. One of the big points he discusses is that if the TrustedToAuthForDelegation UserAccountControl flag is not set, the S4U2self process will still work but the resulting TGS is not FORWARDABLE. This resulting service ticket will fail …

A Case Study in Wagging the Dog: Computer Takeover Read More »

The Most Dangerous User Right You (Probably) Have Never Heard Of

I find Windows user rights pretty interesting. Separate from machine/domain object DACLs, user rights govern things like “by what method can specific users log into a particular system” and are managed under User Rights Assignment in Group Policy. Sidenote: I recently integrated privilege enumeration into PowerUp in the Get-ProcessTokenPrivilege function, with -Special returning ‘privileged’ privileges. …

The Most Dangerous User Right You (Probably) Have Never Heard Of Read More »

S4U2Pwnage

[Edit 9/29/18] For a better weaponization of constrained delegation abuse, check out the “s4u” section of the From Kekeo to Rubeus¬†post. Several weeks ago my workmate Lee Christensen¬†(who helped develop this post and material) and I spent some time diving into Active Directory’s S4U2Self and S4U2Proxy protocol extensions. Then, just recently, Benjamin Delpy and Ben …

S4U2Pwnage Read More »