Abusing Delegation with Impacket (Part 3): Resource-Based Constrained Delegation

This post describes three practical methods to abuse resource-based constrained delegation (RBCD) in Active Directory—(1) leveraging CVE-2019-1040 (Drop the MIC) to relay/authenticate and configure RBCD, (2) using GenericWrite DACL permissions to add machine accounts via Machine Account Quota and configure RBCD, and (3) trusting a user SPN via GenericWrite—providing commands and tool examples (impacket, ntlmrelayx, PetitPotam) that culminate in obtaining service tickets and performing DCSync for domain compromise.