Active Directory Security Tip #15: Active Directory Domain Root Permissions

Dec 02 2025

This week let’s look at Active Directory domain permissions which are configured on the domain root and apply to the whole domain. There are many different types of concerning permissions, but let’s look at the most egregious.

  • Directory Changes & Directory Changes All – provides the ability to pull password hashes for users and computers (aka DCSync permissions).
  • Change Owner – provides the ability to set the owner on the domain root and the owner has the ability to set permissions.
  • Change Permission – provides the ability to set permissions on the domain root.
  • Full Control – provides the ability to control any type of object in the domain.
  • Full Control on Users and/or Computers – provides the ability to control every object of that type (user or computer) in the domain.

I wrote a PowerShell script leveraging the Active Directory PowerShell module that can help identify these permissions on the domain root: https://github.com/PyroTek3/Misc/blob/main/Get-DomainRootPermissions.ps1
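As an added example (not the Get-DomainRootPermissions.ps1 script linked above), here is a minimal PowerShell audit that reads the domain root ACL and reports the ACEs granting the rights listed above. The set of principals treated as expected holders of these rights is an assumption and should be tuned to the environment.

```powershell
# Added audit example: flag domain-root ACEs that grant the rights discussed above.
Import-Module ActiveDirectory

# Well-known GUIDs for the replication extended rights and the user/computer classes.
$RightGuids = @{
    '1131f6aa-9c07-11d1-f79f-00c04fc2dcd2' = 'Directory Changes (DS-Replication-Get-Changes)'
    '1131f6ad-9c07-11d1-f79f-00c04fc2dcd2' = 'Directory Changes All (DS-Replication-Get-Changes-All)'
}
$ClassGuids = @{
    'bf967aba-0de6-11d0-a285-00aa003049e2' = 'user'
    'bf967a86-0de6-11d0-a285-00aa003049e2' = 'computer'
}
# Assumption: principals normally expected to hold these rights; anything else is a review item.
$Expected = @('Domain Admins', 'Enterprise Admins', 'Administrators',
              'ENTERPRISE DOMAIN CONTROLLERS', 'SYSTEM')

$DomainDN = (Get-ADDomain).DistinguishedName
$Acl = Get-Acl -Path "AD:\$DomainDN"
$ADRights = [System.DirectoryServices.ActiveDirectoryRights]

foreach ($ace in $Acl.Access) {
    if ($ace.AccessControlType -ne 'Allow') { continue }
    $rights = $ace.ActiveDirectoryRights
    $findings = @()
    # GenericAll with an inherited-object class GUID is "Full Control on Users/Computers".
    $class = $ClassGuids[$ace.InheritedObjectType.ToString()]

    if ($rights.HasFlag($ADRights::GenericAll)) {
        $findings += if ($class) { "Full Control on $class objects" } else { 'Full Control' }
    } else {
        if ($rights.HasFlag($ADRights::WriteDacl))  { $findings += 'Change Permission' }
        if ($rights.HasFlag($ADRights::WriteOwner)) { $findings += 'Change Owner' }
        if ($rights.HasFlag($ADRights::ExtendedRight)) {
            $guid = $ace.ObjectType.ToString()
            if ($RightGuids.ContainsKey($guid)) { $findings += $RightGuids[$guid] }
            # An all-zero ObjectType means every extended right, which includes DCSync.
            elseif ($guid -eq '00000000-0000-0000-0000-000000000000') { $findings += 'All extended rights (includes DCSync)' }
        }
    }
    if (-not $findings) { continue }

    $who = $ace.IdentityReference.Value   # e.g. CONTOSO\Domain Admins
    [pscustomobject]@{
        Identity   = $who
        Rights     = ($findings -join '; ')
        Inherited  = $ace.IsInherited
        Unexpected = -not ($Expected | Where-Object { $who -eq $_ -or $who -like "*\$_" })
    }
}
```

Rows with Unexpected set to True are the ones to investigate; pipe the output to Format-Table or Export-Csv for review.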

For more on Active Directory permissions:
https://hub.trimarcsecurity.com/post/trimarc-whitepaper-owner-or-pwnd
https://specterops.io/wp-content/uploads/sites/3/2022/06/an_ace_up_the_sleeve.pdf

For more on DCSync: https://adsecurity.org/?p=1729


Sean Metcalf

I improve security for enterprises around the world working for TrustedSec & I am @PyroTek3 on Twitter.
Read the About page (top left) for information about me. :)
https://adsecurity.org/?page_id=8

