This project is a fork of [SharpAllowedToAct]. Sometimes an attacker obtains credentials for a privileged user but has no access to that user's machine. SharpAllowedToAct only uses the privileges of the current user for its resource-based constrained delegation (RBCD) attack, so it cannot perform the attack with an acquired privileged account (for example, a domain-joined account) from another machine. I therefore made the following modifications:

- The operation for adding machine accounts has been removed. Use the original SharpAllowedToAct or addcomputer.py to add a machine account.
- Added custom LDAP username and password parameters.
- Added a parameter to specify the machine account.
By default, msDS-AllowedToActOnBehalfOfOtherIdentity is not set on the target, so the ticket request fails:

Use the tool provided by this project to modify the victim's msDS-AllowedToActOnBehalfOfOtherIdentity attribute:

The -m parameter specifies the machine account you added, -u is the LDAP username, -p is the LDAP password, -t is the target machine name, -a is the domain controller address, and -d is the domain name. For example:

```
SharpAllowedToAct.exe -m machine -u ldapuser -p ldappass -t victim -a dcserver.domain.com -d domain.com
```

The ticket request now succeeds:

RBCD successfully connects to the victim machine:
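For defenders, the attribute written above is a self-relative Windows security descriptor, and auditing which SIDs its DACL grants is the check that reveals this configuration. The following is an added example, not code from this project: it decodes a constructed sample value (the SIDs are made up for illustration) and reports any grantee that is not on an expected allowlist.

```python
import struct

# Constructed sample value of msDS-AllowedToActOnBehalfOfOtherIdentity (not from a real
# domain): a self-relative security descriptor whose DACL holds two ACCESS_ALLOWED ACEs.
SAMPLE_SD = bytes.fromhex(
    "01 00 04 80"                            # revision 1, sbz1, control = DACL_PRESENT|SELF_RELATIVE
    "00000000 00000000 00000000 14000000"    # owner/group/SACL absent, DACL at offset 20
    "04 00 5000 0200 0000"                   # ACL: revision 4, size 80, 2 ACEs
    "00 00 2400 FF010F00"                    # ACE 1: ACCESS_ALLOWED, size 36, mask full control
    "01 05 000000000005 15000000 57040000 AE080000 050D0000 51040000"  # S-1-5-21-...-1105
    "00 00 2400 FF010F00"                    # ACE 2: ACCESS_ALLOWED, size 36, mask full control
    "01 05 000000000005 15000000 57040000 AE080000 050D0000 52040000"  # S-1-5-21-...-1106
)


def sid_to_str(buf, off):
    """Decode a binary SID at buf[off:] and return its S-1-... string form."""
    rev, count = buf[off], buf[off + 1]
    authority = int.from_bytes(buf[off + 2:off + 8], "big")
    subs = struct.unpack_from("<%dI" % count, buf, off + 8)
    return "S-%d-%d-%s" % (rev, authority, "-".join(str(s) for s in subs))


def allowed_to_act_sids(sd):
    """Return the SIDs granted by ACCESS_ALLOWED ACEs in the descriptor's DACL."""
    rev, _, control, _, _, _, dacl_off = struct.unpack_from("<BBHIIII", sd, 0)
    if rev != 1 or not control & 0x0004 or dacl_off == 0:
        return []  # no DACL present: nobody may act on behalf of this account
    _, _, _, ace_count, _ = struct.unpack_from("<BBHHH", sd, dacl_off)
    sids, pos = [], dacl_off + 8
    for _ in range(ace_count):
        ace_type, _, ace_size, _ = struct.unpack_from("<BBHI", sd, pos)
        if ace_type == 0x00:  # ACCESS_ALLOWED_ACE_TYPE; the SID follows the 8-byte header
            sids.append(sid_to_str(sd, pos + 8))
        pos += ace_size
    return sids


def unexpected_delegations(sd, allowlist):
    """Return grantees that are not in the documented allowlist of delegating accounts."""
    return [s for s in allowed_to_act_sids(sd) if s not in allowlist]


if __name__ == "__main__":
    # Assumed allowlist: only the -1105 account is a known, approved front-end service.
    print(unexpected_delegations(SAMPLE_SD, {"S-1-5-21-1111-2222-3333-1105"}))
```

Run the same check against the value read from each computer object (for example via LDAP with an account that can only read the attribute) to spot entries that no change ticket explains.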