EXPLORE
Sign In
← Back to Explore
sigmahighHunting

Powerview Add-DomainObjectAcl DCSync AD Extend Right

Backdooring domain object to grant the rights associated with DCSync to a regular user or machine account using Powerview\Add-DomainObjectAcl DCSync Extended Right cmdlet, will allow to re-obtain the pwd hashes of any user/computer

MITRE ATT&CK

T1098
privilege-escalationpersistence

Detection Query

selection:
  EventID: 5136
  AttributeLDAPDisplayName: ntSecurityDescriptor
  AttributeValue|contains:
    - 1131f6ad-9c07-11d1-f79f-00c04fc2dcd2
    - 1131f6aa-9c07-11d1-f79f-00c04fc2dcd2
    - 89e95b76-444d-4c62-991a-0facbeda640c
filter_main_dns_object_class:
  ObjectClass:
    - dnsNode
    - dnsZoneScope
    - dnsZone
condition: selection and not 1 of filter_main_*

Author

Samir Bousseaden, Roberto Rodriguez @Cyb3rWard0g, oscd.community, Tim Shelton, Maxence Fossat

Created

2019-04-03

Data Sources

windowssecurity

Platforms

windows

References

Tags

attack.privilege-escalationattack.persistenceattack.t1098
Raw Content
title: Powerview Add-DomainObjectAcl DCSync AD Extend Right
id: 2c99737c-585d-4431-b61a-c911d86ff32f
status: test
description: Backdooring domain object to grant the rights associated with DCSync to a regular user or machine account using Powerview\Add-DomainObjectAcl DCSync Extended Right cmdlet, will allow to re-obtain the pwd hashes of any user/computer
references:
    - https://twitter.com/menasec1/status/1111556090137903104
    - https://www.specterops.io/assets/resources/an_ace_up_the_sleeve.pdf
author: Samir Bousseaden, Roberto Rodriguez @Cyb3rWard0g, oscd.community, Tim Shelton, Maxence Fossat
date: 2019-04-03
modified: 2022-08-16
tags:
    - attack.privilege-escalation
    - attack.persistence
    - attack.t1098
logsource:
    product: windows
    service: security
    definition: 'Requirements: The "Audit Directory Service Changes" logging policy must be configured in order to receive events. Audit events are generated only for objects with configured system access control lists (SACLs). Audit events are generated only for objects with configured system access control lists (SACLs) and only when accessed in a manner that matches their SACL settings. This policy covers the following events ids - 5136, 5137, 5138, 5139, 5141. Note that the default policy does not cover User objects. For that a custom AuditRule need to be setup (See https://github.com/OTRF/Set-AuditRule)'
detection:
    selection:
        EventID: 5136
        AttributeLDAPDisplayName: 'ntSecurityDescriptor'
        AttributeValue|contains:
            - '1131f6ad-9c07-11d1-f79f-00c04fc2dcd2'
            - '1131f6aa-9c07-11d1-f79f-00c04fc2dcd2'
            - '89e95b76-444d-4c62-991a-0facbeda640c'
    filter_main_dns_object_class:
        ObjectClass:
            - 'dnsNode'
            - 'dnsZoneScope'
            - 'dnsZone'
    condition: selection and not 1 of filter_main_*
falsepositives:
    - New Domain Controller computer account, check user SIDs within the value attribute of event 5136 and verify if it's a regular user or DC computer account.
level: high