RBCD takeover: how a default quota becomes a Domain Admin
A standard user mints a computer account, writes the delegation attribute on a target host, and impersonates a Domain Admin to that host via S4U. Password resets do nothing, because the flow never presents the admin's password, so you clear the trust and zero the quota.
Active Directory lets a host trust another account to act on behalf of users through resource-based constrained delegation (RBCD). The trust is a security descriptor stored on the resource itself, in the msDS-AllowedToActOnBehalfOfOtherIdentity attribute, so whoever can write that attribute decides whom the host trusts. The trap is that a standard user can often create the very computer account needed to abuse it.
How the attack works
By default any authenticated user can create up to ten computer accounts, because the domain's ms-DS-MachineAccountQuota attribute defaults to 10. The attacker creates a computer account whose password they know, then, holding write access over a target host object (GenericAll, GenericWrite, or WriteProperty on the delegation attribute), writes msDS-AllowedToActOnBehalfOfOtherIdentity on that host to trust their new computer. Using the controlled computer's credentials, they run the service-for-user extensions in sequence: S4U2Self obtains a ticket for a Domain Administrator to their own computer account, and S4U2Proxy exchanges it for a service ticket to the target host in the administrator's name, which the KDC issues because the host's attribute names the requesting computer as trusted. That ticket is used to access the target as a domain admin. In ATT&CK terms this is T1098, Account Manipulation, with T1134, Access Token Manipulation. The tell is a user-created computer, a delegation write on a target, and service-for-user tickets impersonating a privileged user.
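The tell above can be written down as a correlation rule. The following PowerShell is an added example, not code from the original page or from GraphLattice: it joins the three signals, a computer created by a user (event 4741), a write to the delegation attribute (event 5136 with "Audit Directory Service Changes" enabled), and an S4U2Proxy service ticket (event 4769, whose TransitedServices field names the proxying service), over a constructed list of event records. The property names follow the EventData field names of those events; the accounts jdoe, svc-provision, EVILPC$, FILESRV01, WEB02 and the domain CORP.LOCAL are made up.

```powershell
# Added example, not from the original page. Correlates the three signals of the
# tell over a constructed list of Security events: 4741 (computer created),
# 5136 (directory object modified) and 4769 (service ticket requested).
# Property names follow the EventData field names of those events; the sample
# records and the names jdoe, EVILPC$, FILESRV01 and CORP.LOCAL are made up.

function Get-CnFromDn {
    param([string] $Dn)
    # 'CN=FILESRV01,CN=Computers,DC=corp,DC=local' -> 'FILESRV01'
    ($Dn -split ',')[0] -replace '^CN=', ''
}

function Find-RbcdTakeover {
    param(
        [Parameter(Mandatory)] [object[]] $Events,
        # Accounts expected to write delegation (provisioning, Tier-0 admins).
        [string[]] $TrustedWriters = @()
    )
    $attr = 'msDS-AllowedToActOnBehalfOfOtherIdentity'

    # Signal 1: computers minted under the quota, keyed by the new account name.
    $minted = @{}
    foreach ($e in $Events) {
        if ($e.Id -eq 4741) { $minted[$e.TargetUserName] = $e.SubjectUserName }
    }

    # Signal 2: writes to the delegation attribute by anyone not expected to.
    $writes = foreach ($e in $Events) {
        if ($e.Id -eq 5136 -and $e.AttributeLDAPDisplayName -eq $attr -and
            $TrustedWriters -notcontains $e.SubjectUserName) { $e }
    }

    # Signal 3: S4U2Proxy tickets. TransitedServices is empty on an ordinary
    # TGS request and names the proxying service when S4U2Proxy was used.
    foreach ($w in $writes) {
        $target = Get-CnFromDn $w.ObjectDN
        foreach ($t in $Events) {
            if ($t.Id -ne 4769 -or -not $t.TransitedServices) { continue }
            $proxy = ($t.TransitedServices -split '@')[0]
            # The chain closes when a quota-minted computer impersonates someone
            # to the very host whose delegation attribute was just written.
            if ($minted.ContainsKey($proxy) -and $t.ServiceName -like "$target*") {
                [pscustomobject]@{
                    Creator          = $minted[$proxy]
                    RogueComputer    = $proxy
                    DelegationWriter = $w.SubjectUserName
                    Target           = $target
                    Impersonated     = $t.TargetUserName
                }
            }
        }
    }
}

# Constructed sample: one full chain plus an expected provisioning write.
$sample = @(
    [pscustomobject]@{ Id = 4741; SubjectUserName = 'jdoe'; TargetUserName = 'EVILPC$' }
    [pscustomobject]@{ Id = 5136; SubjectUserName = 'jdoe'
                       ObjectDN = 'CN=FILESRV01,CN=Computers,DC=corp,DC=local'
                       AttributeLDAPDisplayName = 'msDS-AllowedToActOnBehalfOfOtherIdentity' }
    [pscustomobject]@{ Id = 4769; TargetUserName = 'Administrator@CORP.LOCAL'
                       ServiceName = 'FILESRV01$'; TransitedServices = 'EVILPC$@CORP.LOCAL' }
    [pscustomobject]@{ Id = 5136; SubjectUserName = 'svc-provision'
                       ObjectDN = 'CN=WEB02,CN=Computers,DC=corp,DC=local'
                       AttributeLDAPDisplayName = 'msDS-AllowedToActOnBehalfOfOtherIdentity' }
)
Find-RbcdTakeover -Events $sample -TrustedWriters 'svc-provision' | Format-List
```

On a domain controller the same function can be fed real records from Get-WinEvent on the Security log, provided directory service change auditing and a SACL on the delegation attribute are in place, since 5136 is not logged otherwise. The provisioning write on WEB02 is deliberately not flagged: a delegation write by an expected account with no S4U chain behind it is routine, and the rule fires only when all three signals line up on one host.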
Why it works
Two enablers combine: the default quota lets standard users mint attacker-controlled computers, and an over-broad access control entry on the target lets the delegation attribute be written. The service-for-user flow never uses the impersonated admin's password: S4U2Self hands the attacker's service a ticket for the admin without the admin ever authenticating, and S4U2Proxy honours that ticket against the target because the target's own attribute names the service as trusted. The chain fails only if the impersonated account is protected against delegation, that is, a member of Protected Users or marked "Account is sensitive and cannot be delegated", which is why Tier-0 accounts should carry one of those protections.
How to fix it
Clear the rogue delegation attribute on the target, disable and remove the attacker's computer account, and set ms-DS-MachineAccountQuota to zero so standard users cannot mint new ones. Resetting the impersonated admin's password is useless, because the service-for-user flow never presented that password, and a reboot does not remove the delegation, because the trust is an attribute of the directory object, not state on the host. Then fix the object access control that allowed the write, delegate computer creation to a controlled process such as a provisioning account with a scoped permission on one OU, and sweep every object carrying the delegation attribute for other rogue trusts; a computer whose mS-DS-CreatorSID is set was created under the quota by a non-admin and belongs on the review list too. Because Tier-0 was reached, treat the impersonated admin as compromised and reset KRBTGT twice, allowing replication between the two resets so that tickets under the old key are invalidated without breaking the domain.
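The sweep and containment steps above, as an added PowerShell example that is not code from the original page or from GraphLattice. It assumes the ActiveDirectory module in a Tier-0 session on a domain-joined host; FILESRV01 stands for the target host and EVILPC$ for the attacker-minted account. The function names (Get-RbcdTrust, Get-UserCreatedComputer, Get-RbcdWriter, Invoke-RbcdContainment) are this example's own, and the schema GUID of the delegation attribute is read from the schema rather than hardcoded.

```powershell
# Added example, not from the original page. Assumes the ActiveDirectory
# PowerShell module in a Tier-0 session on a domain-joined host. The names
# FILESRV01 and EVILPC$ are placeholders for the target and the rogue computer.

Import-Module ActiveDirectory

function Get-RbcdTrust {
    # Sweep: decode msDS-AllowedToActOnBehalfOfOtherIdentity (a raw security
    # descriptor) into the principals each resource trusts to act for users.
    Get-ADObject -LDAPFilter '(msDS-AllowedToActOnBehalfOfOtherIdentity=*)' `
                 -Properties 'msDS-AllowedToActOnBehalfOfOtherIdentity' |
    ForEach-Object {
        $obj = $_
        $sd = New-Object System.DirectoryServices.ActiveDirectorySecurity
        $sd.SetSecurityDescriptorBinaryForm($obj.'msDS-AllowedToActOnBehalfOfOtherIdentity')
        foreach ($ace in $sd.Access) {
            [pscustomobject]@{ Resource = $obj.Name; TrustedPrincipal = $ace.IdentityReference.Value }
        }
    }
}

function Get-UserCreatedComputer {
    # mS-DS-CreatorSID is populated only when a non-admin created the computer
    # under the quota, so this lists exactly what a standard user could have minted.
    Get-ADComputer -Filter * -Properties 'mS-DS-CreatorSID', whenCreated |
    Where-Object { $_.'mS-DS-CreatorSID' } |
    ForEach-Object {
        $sid = New-Object System.Security.Principal.SecurityIdentifier($_.'mS-DS-CreatorSID', 0)
        $creator = try { $sid.Translate([System.Security.Principal.NTAccount]).Value } catch { $sid.Value }
        [pscustomobject]@{ Computer = $_.Name; Created = $_.whenCreated; Creator = $creator }
    }
}

function Get-RbcdWriter {
    # Who could have written the attribute on the target: full or generic write,
    # DACL/owner control, or WriteProperty scoped to all properties or to this one.
    param([Parameter(Mandatory)] [string] $Target)
    $schema = (Get-ADRootDSE).schemaNamingContext
    $rbcd = Get-ADObject -SearchBase $schema -Properties schemaIDGUID `
                -LDAPFilter '(lDAPDisplayName=msDS-AllowedToActOnBehalfOfOtherIdentity)'
    $guids = @([guid]::Empty, [guid]::new([byte[]]$rbcd.schemaIDGUID))
    $dn = (Get-ADComputer -Identity $Target).DistinguishedName
    (Get-Acl -Path "AD:\$dn").Access | Where-Object {
        $_.AccessControlType -eq 'Allow' -and (
            $_.ActiveDirectoryRights -match 'GenericAll|GenericWrite|WriteDacl|WriteOwner' -or
            ($_.ActiveDirectoryRights -match 'WriteProperty' -and $guids -contains $_.ObjectType))
    } | Select-Object IdentityReference, ActiveDirectoryRights, ObjectType
}

function Invoke-RbcdContainment {
    param(
        [Parameter(Mandatory)] [string] $Target,        # host whose trust was written
        [Parameter(Mandatory)] [string] $RogueComputer  # quota-minted account, e.g. 'EVILPC$'
    )
    # 1. Clear the trust. It lives in the directory, so rebooting the host or
    #    resetting the impersonated admin's password leaves it in place.
    Set-ADComputer -Identity $Target -PrincipalsAllowedToDelegateToAccount $null

    # 2. Disable, then delete, the attacker's computer account: removing the
    #    principal at the root of the S4U chain is what ends the impersonation.
    Disable-ADAccount -Identity $RogueComputer
    Remove-ADComputer -Identity $RogueComputer -Confirm:$false

    # 3. Zero the quota so standard users cannot mint a replacement.
    $domain = Get-ADDomain
    Set-ADDomain -Identity $domain -Replace @{ 'ms-DS-MachineAccountQuota' = '0' }

    # Verify both changes before declaring containment.
    [pscustomobject]@{
        TargetTrusts = @((Get-ADComputer -Identity $Target -Properties PrincipalsAllowedToDelegateToAccount).PrincipalsAllowedToDelegateToAccount).Count
        Quota        = (Get-ADObject -Identity $domain.DistinguishedName -Properties 'ms-DS-MachineAccountQuota').'ms-DS-MachineAccountQuota'
    }
}

# Sweep first, then contain.
Get-RbcdTrust | Format-Table
Get-UserCreatedComputer | Format-Table
Get-RbcdWriter -Target 'FILESRV01' | Format-Table
Invoke-RbcdContainment -Target 'FILESRV01' -RogueComputer 'EVILPC$'
```

Run the three sweeps before containment so the output records every rogue trust and every quota-minted computer, not just the one already known; Get-RbcdWriter is the input to the access control fix, since any principal it lists other than the provisioning process and Tier-0 can re-create the trust. The KRBTGT double reset is left out of the block on purpose: it is a separate, scheduled step with a replication wait between the two resets, not something to run inline with containment.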
Practice it
We built this as a GraphLattice Range scenario so administrators can rehearse the delegation-write detection and the clear-the-trust-and-zero-the-quota containment.