Root Objects Permissions Allowing DCSync-Like Attacks

critical

Description

Permissions assigned to the root partitions (such as the domain root, the configuration partition, and the schema) affect the entire Active Directory domain. If set incorrectly, they expose the AD environment and its objects to DCSync (and related) attacks. Furthermore, dangerous permissions can serve as a means for an attacker to maintain persistence after an attack.

Solution

Perform a security assessment of the permissions applied to the domain root objects to identify those you can safely remove or adapt. Only authorize a dangerous permission when the Active Directory environment already considers the configured account or group privileged.
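One way to carry out that assessment, as an added PowerShell example that is not Tenable's code: it lists the ACEs on a naming context that grant the replication extended rights DCSync relies on and flags any trustee outside an expected list. The default trustee list and the function name are assumptions to tune per environment; the right GUIDs are the documented schema values.

```powershell
Import-Module ActiveDirectory

# Documented schema GUIDs of the three replication extended rights.
$ReplicationRights = @{
    '1131f6aa-9c07-11d1-f79f-00c04fc2dcd2' = 'DS-Replication-Get-Changes'
    '1131f6ad-9c07-11d1-f79f-00c04fc2dcd2' = 'DS-Replication-Get-Changes-All'
    '89e95b76-444d-4c62-991a-0facbeda640c' = 'DS-Replication-Get-Changes-In-Filtered-Set'
}

function Get-DcSyncAceReport {
    param(
        # Naming context to audit; defaults to the domain root.
        [string]$PartitionDN,
        # Trustees allowed to hold replication rights. The default is an assumption
        # covering the built-in holders; add known sync accounts (e.g. Azure AD Connect).
        [string[]]$ExpectedTrustees
    )
    $domain = Get-ADDomain
    if (-not $PartitionDN) { $PartitionDN = $domain.DistinguishedName }
    if (-not $ExpectedTrustees) {
        $ExpectedTrustees = @(
            'BUILTIN\Administrators', 'NT AUTHORITY\SYSTEM',
            'NT AUTHORITY\ENTERPRISE DOMAIN CONTROLLERS',
            "$($domain.NetBIOSName)\Domain Controllers"
        )
    }
    # The AD: drive is provided by the ActiveDirectory module.
    $acl = Get-Acl -Path "AD:\$PartitionDN"
    $extendedRight = [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight

    foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        if (($ace.ActiveDirectoryRights -band $extendedRight) -eq 0) { continue }
        # An empty ObjectType means the ACE covers every extended right, replication included.
        if ($ace.ObjectType -eq [guid]::Empty) { $right = 'All extended rights' }
        elseif ($ReplicationRights.ContainsKey($ace.ObjectType.ToString())) { $right = $ReplicationRights[$ace.ObjectType.ToString()] }
        else { continue }
        [pscustomobject]@{
            Partition  = $PartitionDN
            Trustee    = $ace.IdentityReference.Value
            Right      = $right
            Unexpected = $ExpectedTrustees -notcontains $ace.IdentityReference.Value
        }
    }
}

# Unexpected holders first: each of them can replicate secrets the way a DC does.
Get-DcSyncAceReport | Sort-Object Unexpected -Descending | Format-Table -AutoSize
```

Run it again with `-PartitionDN (Get-ADRootDSE).configurationNamingContext` and `(Get-ADRootDSE).schemaNamingContext` to cover the other root partitions the description names.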

See Also

Privileged Accounts and Groups in Active Directory

Mimikatz DCSync Usage, Exploitation, and Detection

Indicator Details

Name: Root Objects Permissions Allowing DCSync-Like Attacks

Codename: C-ROOTOBJECTS-SD-CONSISTENCY

Severity: Critical

MITRE ATT&CK Information:

Attacker Known Tools

gentilkiwi: Mimikatz DCSync