The ability to modify the msDS-AllowedToActOnBehalfOfOtherIdentity property allows an attacker to abuse resource-based constrained delegation to compromise the remote computer system. This property is a binary DACL that controls what security principals can pretend to be any domain user to the particular computer object.
This clip demonstrates how to abuse this edge:
Abuse Info
See the AllowedToAct edge section for abuse infoOpsec Considerations
See the AllowedToAct edge section for opsec considerationsEdge Schema
Source: User, Group, ComputerDestination: User, Computer
Traversable: Yes
References
- https://attack.mitre.org/techniques/T1098/
- https://dirkjanm.io/abusing-forgotten-permissions-on-precreated-computer-objects-in-active-directory/
- https://docs.microsoft.com/en-us/windows/win32/adschema/r-user-account-restrictions
- https://specterops.io/blog/2022/08/03/introducing-bloodhound-4-2-the-azure-refactor/