An executable that simplifies adding the msDS-AllowedToActOnBehalfOfOtherIdentity attribute for RBCD attacks.
This tool was created as an alternative way of writing to the msDS-AllowedToActOnBehalfOfOtherIdentity attribute without using PowerShell, creating a new computer object, or performing manual SID lookups. It is heavily inspired by the workflow of impacket-RBCD.
After setting the delegation, use Rubeus or impacket-getST to request a silver ticket for the desired resource.
The application uses the current process context for its LDAP authentication. Since the code only performs a Negotiate (Kerberos/NTLM) bind with no explicit credential parameters, it uses whatever account is running the process.
The tool will authenticate to LDAP as whatever security principal is running the process. No credentials are passed in manually. That means if you want to use another domain user's privileges (because that user has the necessary write access to set RBCD), you can simply run the tool under that user's session (e.g., token impersonation, pass-the-ticket, or runas). If you run it under SYSTEM, it will try to bind as the machine account in AD.
Open the project in Visual Studio and run 'Build Solution'.

```
# View the current value of the msDS-AllowedToActOnBehalfOfOtherIdentity attribute
SharpRBCD.exe -action read -delegateTo SRV01$

# Set the delegation
SharpRBCD.exe -action write -delegateFrom WK1$ -delegateTo SRV01$ -dc dc.company.local

# Clear the attribute
SharpRBCD.exe -action clear -delegateTo SRV01$
```
Fully compatible with Cobalt Strike's execute-assembly command.
The tool connects to Active Directory over LDAP using Kerberos/Negotiate authentication, which uses the operator's current session (no credentials are passed explicitly). It then locates the target computer object (the one on which delegation will be enabled) by searching for its sAMAccountName (e.g., SRV1$).
A separate computer account, often attacker-controlled or otherwise vulnerable, is the "delegate-from" host (e.g., WS01$). The application queries AD to find this machine's objectSid (the binary representation of its SID).
Once the tool has the SID of the "delegate-from" machine, it builds a security descriptor in SDDL form (commonly: `O:BAD:(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;<delegateFrom-SID>)`).
This SDDL string grants the “delegate-from” SID the right to perform Kerberos delegation (via S4U2Proxy) on behalf of other users to the “delegate-to” resource.
The tool converts the SDDL into a binary security descriptor. Using an LDAP “modify” operation, it replaces the target machine’s msDS-AllowedToActOnBehalfOfOtherIdentity attribute with this new descriptor. This effectively grants the specified SID (the “delegate-from” machine) the right to impersonate arbitrary users to the “delegate-to” service.
With that attribute set, an operator controlling the "delegate-from" computer can use Kerberos protocol transition (S4U2Self / S4U2Proxy) to request service tickets in the name of any user. In other words, they can impersonate privileged accounts (as long as the account is not marked as sensitive and cannot be delegated) to the "delegate-to" service, obtaining "silver tickets" for lateral movement or local privilege escalation.
In read mode, the application simply fetches and parses the existing msDS-AllowedToActOnBehalfOfOtherIdentity value, outputting the current security descriptor as SDDL or Base64. In clear mode, it removes the attribute entirely, reverting the target object to a state with no resource-based delegation rights assigned.
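The write, read and clear modes described above all revolve around one value: the binary security descriptor stored in msDS-AllowedToActOnBehalfOfOtherIdentity. The following Python is an added example for the defensive side of that value and is not part of SharpRBCD or any of the referenced projects. It parses a self-relative security descriptor down to the trustee SIDs in its DACL (the same information the tool's read mode shows as SDDL) and runs that parser over constructed Event ID 5136 ("A directory service object was modified") records to report which SID was granted delegation rights on which computer object and by whom. The sample descriptor is constructed by hand for a made-up domain SID; the event records are constructed, use the field names from the event's EventData, and model the AttributeValue as the raw descriptor in hex, which is an assumption about the record format rather than something the page states.

```python
import struct
from typing import Dict, List

RBCD_ATTR = "msDS-AllowedToActOnBehalfOfOtherIdentity"
# OperationType codes carried by Event ID 5136 for "Value Added" / "Value Deleted"
OPERATION_NAMES = {"%%14674": "added", "%%14675": "deleted"}


def parse_sid(buf: bytes, off: int):
    """Parse a binary SID at offset `off`; return (sid_string, byte_length)."""
    rev, count = buf[off], buf[off + 1]
    authority = int.from_bytes(buf[off + 2:off + 8], "big")   # 48-bit identifier authority
    subs = struct.unpack_from("<%dI" % count, buf, off + 8)    # sub-authorities, little-endian
    sid = "S-%d-%d" % (rev, authority) + "".join("-%d" % s for s in subs)
    return sid, 8 + 4 * count


def allowed_sids(sd: bytes) -> List[Dict]:
    """Return the trustee SID and access mask of every ACCESS_ALLOWED ACE in the DACL
    of a self-relative SECURITY_DESCRIPTOR (the format stored in the RBCD attribute)."""
    rev, _sbz1, control, _owner, _group, _sacl, dacl_off = struct.unpack_from("<BBHIIII", sd, 0)
    if rev != 1 or not (control & 0x0004) or dacl_off == 0:    # 0x0004 = SE_DACL_PRESENT
        return []
    _acl_rev, _sbz, _acl_size, ace_count, _sbz2 = struct.unpack_from("<BBHHH", sd, dacl_off)
    off = dacl_off + 8
    out = []
    for _ in range(ace_count):
        ace_type, _ace_flags, ace_size = struct.unpack_from("<BBH", sd, off)
        if ace_type == 0:                                       # ACCESS_ALLOWED_ACE_TYPE
            mask = struct.unpack_from("<I", sd, off + 4)[0]
            sid, _ = parse_sid(sd, off + 8)
            out.append({"sid": sid, "mask": mask})
        off += ace_size                                         # skip over any other ACE type
    return out


# Constructed sample: the binary form of the SDDL
# O:BAD:(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;S-1-5-21-1111111111-2222222222-3333333333-1105)
# (domain SID and RID are made up for this example). The mask 0x000F01FF is the sum of the
# listed rights CC DC LC SW RP WP DT LO CR SD RC WD WO.
SAMPLE_SD = bytes.fromhex(
    "01000480" "14000000" "00000000" "00000000" "24000000"  # header: rev 1, control 0x8004, owner @20, DACL @36
    "0102000000000005" "20000000" "20020000"                # owner SID S-1-5-32-544 (BUILTIN\Administrators)
    "02002c00" "01000000"                                   # ACL: rev 2, size 44, one ACE
    "00002400" "ff010f00"                                   # ACE: ACCESS_ALLOWED, size 36, mask 0x000F01FF
    "0105000000000005" "15000000" "c7353a42" "8e6b7484" "55a1aec6" "51040000"  # trustee SID
)

# Constructed 5136-style records; only the second one touches the RBCD attribute.
SAMPLE_EVENTS = [
    {"EventID": 5136, "SubjectUserName": "jdoe", "ObjectDN": "CN=SRV01,OU=Servers,DC=company,DC=local",
     "AttributeLDAPDisplayName": "description", "OperationType": "%%14674", "AttributeValue": "File server"},
    {"EventID": 5136, "SubjectUserName": "jdoe", "ObjectDN": "CN=SRV01,OU=Servers,DC=company,DC=local",
     "AttributeLDAPDisplayName": RBCD_ATTR, "OperationType": "%%14674", "AttributeValue": SAMPLE_SD.hex()},
]


def rbcd_changes(events, expected_delegates=frozenset()) -> List[Dict]:
    """Report every 5136 event that adds or removes a value of the RBCD attribute, naming the
    SIDs that gain (or lose) delegation rights. SIDs not in `expected_delegates`, an allow-list
    the defender maintains for legitimate RBCD configurations, are marked unexpected."""
    findings = []
    for ev in events:
        if ev.get("EventID") != 5136 or ev.get("AttributeLDAPDisplayName") != RBCD_ATTR:
            continue
        operation = OPERATION_NAMES.get(ev.get("OperationType"), "unknown")
        for ace in allowed_sids(bytes.fromhex(ev["AttributeValue"])):
            findings.append({
                "target": ev["ObjectDN"],
                "changed_by": ev["SubjectUserName"],
                "operation": operation,
                "delegate_from_sid": ace["sid"],
                "mask": hex(ace["mask"]),
                "unexpected": ace["sid"] not in expected_delegates,
            })
    return findings


if __name__ == "__main__":
    for finding in rbcd_changes(SAMPLE_EVENTS):
        print(finding)
```

The check keys on the attribute name rather than on the tool: a change made with SharpRBCD, PowerShell, impacket-rbcd or ADSI Edit all produce the same 5136 record, and the same parser serves an offline audit of descriptors pulled from LDAP. Auditing "Write all properties" on the computer object must be enabled in the SACL for 5136 to be generated at all, so confirm that before relying on this detection.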
- Impacket-RBCD - https://github.com/fortra/impacket/blob/master/examples/rbcd.py
- SharpAllowedToAct - https://github.com/pkb1s/SharpAllowedToAct/tree/master
- StandIn - https://github.com/FuzzySecurity/StandIn