Powerview Add-DomainObjectAcl DCSync AD Extend Right

backdooring domain object to grant the rights associated with DCSync to a regular user or machine account using Powerview\Add-DomainObjectAcl DCSync Extended Right cmdlet, will allow to re-obtain the pwd hashes of any user/computer

Rule Content

- title: Powerview Add-DomainObjectAcl DCSync AD Extend Right
  id: 2c99737c-585d-4431-b61a-c911d86ff32f
  description: backdooring domain object to grant the rights associated with DCSync
    to a regular user or machine account using Powerview\Add-DomainObjectAcl DCSync
    Extended Right cmdlet, will allow to re-obtain the pwd hashes of any user/computer
  status: experimental
  date: 2019/04/03
  author: Samir Bousseaden
  references:
  - https://twitter.com/menasec1/status/1111556090137903104
  - https://www.specterops.io/assets/resources/an_ace_up_the_sleeve.pdf
  tags:
  - attack.credential_access
  - attack.persistence
  logsource:
    product: windows
    service: security
    category: null
  detection:
    selection:
      EventID: 5136
      LDAPDisplayName: ntSecurityDescriptor
      Value:
      - '*1131f6ad-9c07-11d1-f79f-00c04fc2dcd2*'
      - '*1131f6aa-9c07-11d1-f79f-00c04fc2dcd2*'
    condition: selection
  falsepositives:
  - New Domain Controller computer account, check user SIDs witin the value attribute
    of event 5136 and verify if it's a regular user or DC computer account.
  level: critical

Querying Elasticsearch

Import Libraries

Initialize Elasticsearch client

Run Elasticsearch Query

Show Results