This week let’s look at Active Directory domain permissions which are configured on the domain root and apply to the domain. There are many different types of concerning permissions, but let’s look at the most egregious.
- Directory Changes & Directory Changes All – provides the ability to pull password hashes for users and computers (aka DCSync permissions).
- Change Owner – provides the ability to set the owner on the domain root and the owner has the ability to set permissions.
- Change Permission – provides the ability to set permissions on the domain root.
- Full Control – provides the ability to control any type of object in the domain.
- Full Control on Users and/or Computers – provides the ability to control the object type.
I wrote a PowerShell script leveraging the Active Directory PowerShell module that can help identify these permissions on the domain root: https://github.com/PyroTek3/Misc/blob/main/Get-DomainRootPermissions.ps1
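As an added illustration of what such an audit looks like (this is example code written for this page, not the Get-DomainRootPermissions.ps1 script linked above), the following PowerShell reads the domain root ACL through the Active Directory module's AD: drive and flags the five permission types listed above. The replication rightsGuid values and the user/computer schemaIDGUID values are well-known constants; the list of principals treated as "expected" holders of these rights is an assumed baseline and should be adjusted for your environment.

```powershell
# Added example: audit the domain root ACL for the permission types discussed above.
# Requires the ActiveDirectory module and read access to the domain naming context.
Import-Module ActiveDirectory

# Well-known rightsGuid values of the replication extended rights that make up DCSync.
$ReplicationRights = @{
    '1131f6aa-9c07-11d1-f79f-00c04fc2dcd2' = 'DS-Replication-Get-Changes'
    '1131f6ad-9c07-11d1-f79f-00c04fc2dcd2' = 'DS-Replication-Get-Changes-All'
    '89e95b76-444d-4c62-991a-0facbeda640c' = 'DS-Replication-Get-Changes-In-Filtered-Set'
}

# schemaIDGUID values of the user and computer object classes.
$ObjectClasses = @{
    'bf967aba-0de6-11d0-a285-00aa003049e2' = 'user'
    'bf967a86-0de6-11d0-a285-00aa003049e2' = 'computer'
}

$domain     = Get-ADDomain
$forestRoot = Get-ADDomain -Identity (Get-ADForest).RootDomain

# Assumed baseline of principals that normally hold these rights; tune this for your environment.
$Expected = @(
    'NT AUTHORITY\SYSTEM'
    'BUILTIN\Administrators'
    'NT AUTHORITY\ENTERPRISE DOMAIN CONTROLLERS'
    "$($domain.NetBIOSName)\Domain Admins"
    "$($forestRoot.NetBIOSName)\Enterprise Admins"
)

$AR = [System.DirectoryServices.ActiveDirectoryRights]
function Test-Right($Rights, $Flag) { ([int]$Rights -band [int]$Flag) -eq [int]$Flag }

$acl = Get-Acl -Path "AD:\$($domain.DistinguishedName)"
Write-Host "Domain root: $($domain.DistinguishedName)"
Write-Host "Owner:       $($acl.Owner)   (the owner can rewrite the DACL)"

$findings = foreach ($ace in ($acl.Access | Where-Object AccessControlType -eq 'Allow')) {
    $rights        = $ace.ActiveDirectoryRights
    $objectType    = $ace.ObjectType.ToString()
    $inheritedType = $ace.InheritedObjectType.ToString()
    # ACE applies to the domain root object itself (not only to descendants).
    $thisObject    = $ace.InheritanceType -in @('None', 'All', 'SelfAndChildren')
    $reasons       = @()

    # DCSync: replication extended rights granted on the root itself.
    # (GenericAll on the root also implies them; that case is reported as Full Control below.)
    if ($thisObject -and (Test-Right $rights $AR::ExtendedRight) -and $ReplicationRights.ContainsKey($objectType)) {
        $reasons += "DCSync ($($ReplicationRights[$objectType]))"
    }
    if ($thisObject -and (Test-Right $rights $AR::WriteOwner)) { $reasons += 'Change Owner (WriteOwner)' }
    if ($thisObject -and (Test-Right $rights $AR::WriteDacl))  { $reasons += 'Change Permission (WriteDacl)' }
    if (Test-Right $rights $AR::GenericAll) {
        if ($inheritedType -eq [guid]::Empty.ToString()) {
            $reasons += 'Full Control (GenericAll, all object types)'
        } elseif ($ObjectClasses.ContainsKey($inheritedType)) {
            $reasons += "Full Control on $($ObjectClasses[$inheritedType]) objects"
        }
    }

    foreach ($r in $reasons) {
        [pscustomobject]@{
            Identity    = $ace.IdentityReference.Value
            Finding     = $r
            Inheritance = $ace.InheritanceType
            Unexpected  = $Expected -notcontains $ace.IdentityReference.Value
        }
    }
}

# Unexpected principals first; each of these rows is worth explaining or removing.
$findings | Sort-Object Unexpected -Descending | Format-Table -AutoSize
```

Rows with Unexpected = True are the ones to chase: a non-baseline principal holding DCSync rights, WriteOwner or WriteDacl on the root, or GenericAll scoped to the domain or to all user/computer objects is effectively a domain-level privilege, regardless of which group it sits in. Checking the owner line separately matters for the same reason the post gives: the owner can reset the DACL, so an unexpected owner is as serious as an unexpected WriteDacl entry.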
For more on Active Directory permissions:
https://hub.trimarcsecurity.com/post/trimarc-whitepaper-owner-or-pwnd
https://specterops.io/wp-content/uploads/sites/3/2022/06/an_ace_up_the_sleeve.pdf
For more on DCSync: https://adsecurity.org/?p=1729