Semachineaccountprivilege - Hacktricks

Monitor Event ID 4471 (A computer account was created) to track who is adding machines to your network.

Summary Table: Impact of SeMachineAccountPrivilege

Attack Type  | Role of Privilege                                      | Impact
-------------|--------------------------------------------------------|------------------------------------------------
RBCD         | Create a machine account to act as the "delegate."     | Impersonate admins on target servers.
SAMSpoofing  | Create a machine account to rename and spoof DCs.      | Instant Domain Admin access (if unpatched).
Persistence  | Create "sleeper" machine accounts for later use.       | Maintain a foothold in the AD environment.

SeMachineAccountPrivilege allows a user to bypass the standard "Create Computer Objects" permission in specific Organizational Units (OUs), creating them in the "Computers" container instead.

Common Attack Vectors

The most common exploitation path involving SeMachineAccountPrivilege is setting up Resource-Based Constrained Delegation.

1. The Setup