Powerview Add-DomainObjectAcl DCSync AD Extend Right

Severity: high
Author: Samir Bousseaden, Roberto Rodriguez @Cyb3rWard0g, oscd.community, Tim Shelton, Maxence Fossat
Source: upstream

Backdooring domain object to grant the rights associated with DCSync to a regular user or machine account using Powerview\Add-DomainObjectAcl DCSync Extended Right cmdlet, will allow to re-obtain the pwd hashes of any user/computer

MITRE ATT&CK coverage

Tactic	Techniques
Persistence	`T1098` Account Manipulation
Privilege Escalation	`T1098` Account Manipulation

Event coverage

Provider	Event ID	Title
Security-Auditing	5136	A directory service object was modified.

Stages and Predicates

Stage 1: `selection`

or:
AttributeValue|contains: '1131f6aa-9c07-11d1-f79f-00c04fc2dcd2'
AttributeValue|contains: '1131f6ad-9c07-11d1-f79f-00c04fc2dcd2'
AttributeValue|contains: '89e95b76-444d-4c62-991a-0facbeda640c'
AttributeLDAPDisplayName: ntSecurityDescriptor

Stage 2: `not 1 of filter_main_dns_object_class`

ObjectClass: [dnsNode, dnsZone, dnsZoneScope]

Indicators

Each row is a field, operator, and value that the rule matches. The corpus column counts how many other rules in the catalog look for the same combination: high numbers point to widely-used, community-vetted indicators. Blank or 1 shows that the indicator is specific to this rule.

Field	Kind	Values
`AttributeLDAPDisplayName`	eq	`ntSecurityDescriptor`
`AttributeValue`	match	`1131f6aa-9c07-11d1-f79f-00c04fc2dcd2` `1131f6ad-9c07-11d1-f79f-00c04fc2dcd2` `89e95b76-444d-4c62-991a-0facbeda640c`
`ObjectClass`	eq	`dnsNode` corpus 3 (sigma 2, elastic 1) `dnsZone` `dnsZoneScope`