{"id":18896175,"url":"https://github.com/tenable/cnfforthewin","last_synced_at":"2026-02-28T04:30:14.955Z","repository":{"id":251078137,"uuid":"835658379","full_name":"tenable/CnfForTheWin","owner":"tenable","description":"PowerShell tool to create a conflicting object when a new machine account is legitimately created in Active Directory (AD)","archived":false,"fork":false,"pushed_at":"2024-08-01T07:58:58.000Z","size":38,"stargazers_count":0,"open_issues_count":0,"forks_count":0,"subscribers_count":2,"default_branch":"main","last_synced_at":"2024-12-31T08:13:22.821Z","etag":null,"topics":[],"latest_commit_sha":null,"homepage":null,"language":"PowerShell","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"gpl-3.0","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/tenable.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE.txt","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null}},"created_at":"2024-07-30T09:23:10.000Z","updated_at":"2024-08-01T07:59:01.000Z","dependencies_parsed_at":"2024-11-08T08:34:19.798Z","dependency_job_id":"f826bc24-4e68-486e-aa91-3d0a45f78eab","html_url":"https://github.com/tenable/CnfForTheWin","commit_stats":null,"previous_names":["tenable/cnfforthewin"],"tags_count":0,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/tenable%2FCnfForTheWin","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/tenable%2FCnfForTheWin/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/tenable%2FCnfForTheWin/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/tenable%2FCnfForTheWin/manifests","owner_url":
"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/tenable","download_url":"https://codeload.github.com/tenable/CnfForTheWin/tar.gz/refs/heads/main","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":239870840,"owners_count":19710795,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":[],"created_at":"2024-11-08T08:32:49.498Z","updated_at":"2026-02-28T04:30:14.923Z","avatar_url":"https://github.com/tenable.png","language":"PowerShell","funding_links":[],"categories":[],"sub_categories":[],"readme":"# CnfForTheWin\nThe CnfForTheWin repository contains PowerShell files that create a conflicting object when a new machine account is legitimately created in Active Directory (AD). 
When this attempt works, and if an administrator then manually repairs the secure channel, an attacker can edit the RBCD attribute and gain administrative access to the new machine.\nIt is associated with the blog post: [Using conflicting objects in Active Directory to gain privileges](https://medium.com/tenable-techblog/using-conflicting-objects-in-active-directory-to-gain-privileges-243ef6a27928).\n\n## Modules and script\n### Invoke-CnfMachineCreation.ps1\nMain script, which requires:\n- [Active Directory PowerShell module](https://learn.microsoft.com/en-us/powershell/module/activedirectory/): used to retrieve data.\n- [✅] [Powermad PowerShell module](https://github.com/Kevin-Robertson/Powermad): required here to abuse `ms-DS-MachineAccountQuota` and create a fake machine account.\n- [✅] `Invoke-CnfMachineCreation.psm1`: contains several functions inspired by [UncoverDCShadow](https://github.com/tenable/UncoverDCShadow) that listen for LDAP events, in order to react very quickly after the creation of the computer object. 
Thanks to this speed, the same machine account can be created on another DC, which leads to the conflict.\n\n## How to use\nThe privileges of a standard account are \"high\" enough to subscribe to LDAP notifications.\n\nExamples:\n- `./Invoke-CnfMachineCreation.ps1 -Username 'user1' -Password 'SuperPa$$w0rd'`\n  - Subscribes to the PDC emulator domain controller for LDAP notifications with the provided credentials.\n  - When a new computer account is added, it tries to add its fake duplicate account on another domain controller.\n  - The script stays active for 2 minutes (default value).\n- `./Invoke-CnfMachineCreation.ps1 -Username 'user1' -Password 'SuperPa$$w0rd' -SourceDomainController 192.168.1.1`\n  - Subscribes to the 192.168.1.1 domain controller using the provided credentials.\n  - When a new computer account is added, it tries to add its fake duplicate account on another domain controller.\n  - The script stays active for 2 minutes (default value).\n- `./Invoke-CnfMachineCreation.ps1 -Username 'user1' -Password 'SuperPa$$w0rd' -SourceDomainController 192.168.1.1 -TargetDomainController 192.168.1.2 -DurationMinutes 30`\n  - Subscribes to the 192.168.1.1 domain controller using the provided credentials.\n  - When a new computer account is added, it tries to add its fake duplicate account on the 192.168.1.2 domain controller.\n  - The script stays active for 30 minutes.\n \n  ![image](https://github.com/user-attachments/assets/907a463e-c898-45fd-af05-a74ed1a2df0e)\n\n## Flow\n1. Subscribe to a domain controller for LDAP notifications.\n1. Detect when a new machine account is created in the domain.\n1. Try to create the same machine account very quickly by targeting a different domain controller.\n1. Check whether the *distinguishedName* of the fake machine account looks like an authentic one (i.e., the `\\0ACNF:\u003cobjectGuid attribute value\u003e` suffix was not added).\n1. 
Wait 15 minutes for the new machine to reboot (requested by the system when joining the domain), and then check whether the *sAMAccountName* still looks like an authentic one (i.e., it has not been replaced by `$DUPLICATE-\u003cobject's RID in hexadecimal\u003e`).\n\nIf all these steps were successful, the new machine will have authentication issues (broken secure channel).\nIf an administrator fixes it, then the machine will be vulnerable to the Resource-Based Constrained Delegation (RBCD) attack.\n\n## Author\nAntoine Cauchois for [Tenable Research](https://www.tenable.com/research).\n\n# Disclaimer and license\nThis work is provided as-is. Tenable forbids using it outside of security research.\n\nLicensed under the [GNU GPLv3](/LICENSE).\n\nReuses code from the following repositories (thanks for their previous research and work!):\n - [Powermad](https://github.com/Kevin-Robertson/Powermad), [BSD 3-Clause License](https://github.com/Kevin-Robertson/Powermad/blob/master/LICENSE).\n - [UncoverDCShadow](https://github.com/tenable/UncoverDCShadow), [AGPLv3 license](https://github.com/tenable/UncoverDCShadow/blob/master/LICENSE.md).\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Ftenable%2Fcnfforthewin","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Ftenable%2Fcnfforthewin","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Ftenable%2Fcnfforthewin/lists"}