Detections
Analytics

Root Objects Permissions Allowing DCSync-Like Attacks

critical

Language:

Description

Sane permissions assigned to the root partitions (such as domain root, configuration partition, and schema) have an impact on the entire Active Directory domain. If set incorrectly, they can pose a threat to the AD environment and its objects. Furthermore, dangerous permissions could serve as a means for an attacker to maintain persistence after an attack.

Solution

Perform a security assessment on the permissions applied to domain root objects to identify the ones that you can safely remove or adapt. Only authorize a dangerous permission if the Active Directory environment already considers the configured account or group as privileged.

See Also

Privileged Accounts and Groups in Active Directory

Mimikatz DCSync Usage, Exploitation, and Detection

Indicator Details

Name: Root Objects Permissions Allowing DCSync-Like Attacks

Codename: C-ROOTOBJECTS-SD-CONSISTENCY

Severity: Critical

MITRE ATT&CK Information:

Tactics: TA0003, TA0006

Techniques: T1003.006

Attacker Known Tools

gentilkiwi: Mimikatz DCSync