https://eoniboogie.github.io/tags/genericall/index.htmlHugoen-usThu, 16 Apr 2026 22:12:34 +0900https://eoniboogie.github.io/posts/ad/rbcd/index.htmlThu, 16 Apr 2026 22:12:34 +0900https://eoniboogie.github.io/posts/ad/rbcd/index.htmlGenericAll permission on a domain computer The user l.livingstone has GenericAll permission on the domain computer RESOURCEDC$. GenericAll grants full control over the object — including the ability to write to msDS-AllowedToActOnBehalfOfOtherIdentity. This makes Resource-Based Constrained Delegation (RBCD) abuse possible: we create a machine account we control, configure the target to trust it for delegation, then impersonate any user (including Administrator) to obtain a service ticket via S4U2Proxy.