DarksBlackSk/rbcd_manager

rbcd_manager

rbcd_manager is a .NET tool designed to enumerate and configure Resource-Based Constrained Delegation (RBCD) in Active Directory domains.

  • The tool includes:
  1. โœ”๏ธ Configuration mode โ€” Modifies the msDS-AllowedToActOnBehalfOfOtherIdentity security descriptor to add a computer account.
  2. โœ”๏ธ Verification mode โ€” Scans all domain computers and detects RBCD permissions granted to principals other than SELF.
  3. โœ”๏ธ Works using the current security context (Kerberos / Negotiate).

It is useful for System Administrators, Blue Teams, Auditors, and Red Team labs.


🔧 Usage

1) Configuration Mode

Adds an attacker/authorized computer to the RBCD ACL of a target computer.

rbcd_manager.exe <target_computer> <attacker_computer> <domain>

Example:

rbcd_manager.exe FS-X1 ATTACK REDTOPS.COM

2) Verification Mode

Scans all domain computers and displays which ones have non-default RBCD entries.

rbcd_manager.exe -verify <domain>

Example:

rbcd_manager.exe -verify REDTOPS.COM
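
The check that verification mode describes, shown offline as an added example (not code from the rbcd_manager repository): a Python parser for the self-relative security descriptor stored in msDS-AllowedToActOnBehalfOfOtherIdentity that returns every allowed SID other than SELF. The domain SID, the RID 1105, the access mask and all helper names are constructed for illustration, and only plain ACCESS_ALLOWED ACEs are inspected.

```python
import struct

SELF_SID = "S-1-5-10"  # NT AUTHORITY\SELF, the entry an RBCD audit ignores

def sid_to_bytes(sid):
    """Encode 'S-1-5-...' as a binary SID (only used to build the sample)."""
    parts = sid.split("-")
    subs = [int(p) for p in parts[3:]]
    head = bytes([int(parts[1]), len(subs)]) + int(parts[2]).to_bytes(6, "big")
    return head + b"".join(struct.pack("<I", s) for s in subs)

def sid_from_bytes(buf, off):
    """Decode the binary SID that starts at offset off."""
    rev, count = buf[off], buf[off + 1]
    authority = int.from_bytes(buf[off + 2:off + 8], "big")
    subs = struct.unpack_from("<%dI" % count, buf, off + 8)
    return "-".join(["S", str(rev), str(authority)] + [str(s) for s in subs])

def build_descriptor(sids, mask=0x000F01FF):
    """Constructed descriptor: owner BUILTIN\\Administrators, one allow ACE per SID."""
    aces = b""
    for s in sids:
        body = struct.pack("<I", mask) + sid_to_bytes(s)
        aces += struct.pack("<BBH", 0, 0, 4 + len(body)) + body  # type 0 = allow
    acl = struct.pack("<BBHHH", 2, 0, 8 + len(aces), len(sids), 0) + aces
    owner = sid_to_bytes("S-1-5-32-544")
    # Control 0x8004 = SE_SELF_RELATIVE | SE_DACL_PRESENT; no group, no SACL
    header = struct.pack("<BBHIIII", 1, 0, 0x8004, 20, 0, 0, 20 + len(owner))
    return header + owner + acl

def rbcd_principals(sd):
    """Return the SIDs granted access in the DACL, excluding SELF."""
    if len(sd) < 20:
        raise ValueError("truncated security descriptor")
    _, _, control, _, _, _, dacl_off = struct.unpack_from("<BBHIIII", sd)
    if not control & 0x0004 or dacl_off == 0:  # no DACL present: nothing granted
        return []
    ace_count = struct.unpack_from("<H", sd, dacl_off + 4)[0]
    found, pos = [], dacl_off + 8
    for _ in range(ace_count):
        ace_type, _flags, ace_size = struct.unpack_from("<BBH", sd, pos)
        if ace_size < 8:  # a zero or short size would stall the walk
            raise ValueError("malformed ACE")
        if ace_type == 0 and (sid := sid_from_bytes(sd, pos + 8)) != SELF_SID:
            found.append(sid)  # ACE layout: 4-byte header, 4-byte mask, then SID
        pos += ace_size
    return found

# Constructed sample: SELF plus one made-up computer account SID
SAMPLE = build_descriptor([SELF_SID, "S-1-5-21-1111111111-2222222222-3333333333-1105"])
```

A non-empty result for a computer object is what an auditor would review against the list of delegations that were deliberately approved.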

3) List RBCD Configurations

rbcd_manager.exe -list <domain>

Example:

rbcd_manager.exe -list REDTOPS.COM

4) Create/Delete Computer Account

rbcd_manager.exe -create <computer_name> <domain> [password]

Example:

rbcd_manager.exe -create FAKE01 REDTOPS.COM dEKSIO#@MISPAss
  • When a password is not specified, a random one is generated and shown to the user.
rbcd_manager.exe -create <computer_name> <domain>

Example:

rbcd_manager.exe -create FAKE02 REDTOPS.COM
  • Delete Computer
rbcd_manager.exe -delete FAKE02 REDTOPS.COM

requires privileges

5) Remove RBCD Configuration

  • Remove a specific machine from the configuration list in <target_computer>
rbcd_manager.exe -remove <target_computer> <domain> [attacker_computer]

Example: In this case, we have three machines configured (ATTACK, FAKE01, and FAKE02) in the list of the FS-X1 machine.

The goal is to remove only the configuration of the FAKE01 machine while leaving the other configurations unchanged.

rbcd_manager.exe -remove FS-X1 REDTOPS.COM FAKE01
rbcd_manager.exe -list REDTOPS.COM
  • Remove all machines from the configuration list in <target_computer>
rbcd_manager.exe -remove <target_computer> <domain>

Example: Just like before, we have the three machines (ATTACK, FAKE01, and FAKE02) configured on FS-X1, but this time we are going to remove all configurations.

rbcd_manager.exe -remove FS-X1 REDTOPS.COM
rbcd_manager.exe -list REDTOPS.COM

๐Ÿ›ฐ๏ธ Reflexive Execution in C2 Frameworks

The compiled binary of rbcd_manager can also be executed reflexively through C2 frameworks such as Cobalt Strike, Sliver, Mythic, or Brute Ratel using .NET in-memory execution techniques.

Examples:

Cobalt Strike

execute-assembly rbcd_manager.exe <args>

Sliver

execute-assembly rbcd_manager.exe <args>
  • This allows red team operators to run the tool fully in-memory, without touching disk, ideal for secure or stealthy assessments (always with proper authorization).

📌 Features

  • Reads and updates the RBCD security descriptor (msDS-AllowedToActOnBehalfOfOtherIdentity)
  • Adds ACEs without overwriting existing ones
  • SID-to-name resolution
  • Paging support for large domains
  • Detailed error messages

📂 Build Instructions

  1. Clone repository:
git clone https://github.com/DarksBlackSk/rbcd_manager.git
  2. Open rbcd_manager.sln or rbcd_manager.csproj in Visual Studio
  3. Build in Release mode

โš ๏ธ Disclaimer

This tool is intended for:

  • System administrators
  • Blue teams
  • Security auditors
  • Authorized penetration testing

Unauthorized use in real environments may be illegal.