Feature Description:
Add in parsing, edges, and edge descriptions for DS-Install-Replica rights. By default Domain Admin, Enterprise Admins, and Administrators have these rights. It would be nice to know if other groups in an AD environment also hold these rights as well to perform the server untrust account attack from stealthbits (https://stealthbits.com/blog/server-untrust-account/). More information about the DS-Install-Replica right can be found here: https://github.com/MicrosoftDocs/win32/blob/docs/desktop-src/ADSchema/r-ds-install-replica.md
The DS-Install-Replica right's GUID is: 9923a32a-3607-11d2-b9be-0000f87a36b2
Current Behavior:
BloodHound 4.3.1 and BloodHound CE do not parse this information.
Desired Behavior:
Add in edges for DS-Install-Replica rights, similar to GetReplicationChanges and GetReplicationChangesAll, along with the edge info for exploiting the rights. The stealthbits article linked in the description provides a walkthrough of exploiting it from Windows and links to PowerShell scripts created to do this: https://github.com/netwrix/server-untrust-account.
Linux equivalent steps will need to be created using the functions from the PowerShell script and tool suites like Impacket or BloodyAD (https://github.com/CravateRouge/bloodyAD).
Also having a built-in query to identify non-standard groups or systems that have these rights would be extremely beneficial.
Use Case:
It can help identify permissions (DS-Install-Replica rights on groups) that can be abused to promote a computer to a Domain Controller by updating UserAccountControl values with the UF_SERVER_TRUST_ACCOUNT bit, which automatically changes the PrimaryGroupID of the machine to 516 - Domain Controllers. Then the modified machine account can be used to perform DCSync attacks in the domain.
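An added audit helper illustrating the "non-standard holders" check the request asks for; it is not part of the issue or of BloodHound's code. It parses a domain object's DACL in SDDL form (as exported from the ntSecurityDescriptor attribute) and reports every trustee granted the DS-Install-Replica control-access right that is not one of the default holders (Administrators, Domain Admins, Enterprise Admins). The sample SDDL, the domain SID and the custom group RID in it are constructed.

```python
import re

# Extended right GUID from the issue (DS-Install-Replica)
DS_INSTALL_REPLICA_GUID = "9923a32a-3607-11d2-b9be-0000f87a36b2"
ADS_RIGHT_DS_CONTROL_ACCESS = 0x100  # the "CR" bit when rights are given in hex

# Default holders: SDDL aliases, well-known domain RIDs, and Builtin\Administrators
DEFAULT_ALIASES = {"BA", "DA", "EA"}
DEFAULT_DOMAIN_RIDS = {"512", "519"}      # Domain Admins, Enterprise Admins
BUILTIN_ADMINISTRATORS_SID = "S-1-5-32-544"

ACE_RE = re.compile(r"\(([^)]*)\)")        # each SDDL ACE is a parenthesised group


def is_default_holder(trustee):
    """True for principals that hold DS-Install-Replica out of the box."""
    if trustee in DEFAULT_ALIASES or trustee == BUILTIN_ADMINISTRATORS_SID:
        return True
    return trustee.startswith("S-1-5-21-") and trustee.rsplit("-", 1)[-1] in DEFAULT_DOMAIN_RIDS


def grants_control_access(rights):
    """Rights field carries the control-access right, in two-letter or hex form."""
    if rights.lower().startswith("0x"):
        return bool(int(rights, 16) & ADS_RIGHT_DS_CONTROL_ACCESS)
    return "CR" in {rights[i:i + 2] for i in range(0, len(rights), 2)}


def find_install_replica_grants(sddl):
    """Trustees of object-specific allow ACEs that grant DS-Install-Replica."""
    grants = []
    for ace in ACE_RE.findall(sddl):
        fields = ace.split(";")
        if len(fields) < 6:
            continue  # not a well-formed ACE string
        ace_type, _flags, rights, obj_guid, _inherit_guid, trustee = fields[:6]
        # Only allow-ACEs scoped to this right's GUID matter; denies (OD) are skipped
        if ace_type == "OA" and obj_guid.lower() == DS_INSTALL_REPLICA_GUID \
                and grants_control_access(rights):
            grants.append(trustee)
    return grants


def non_default_holders(sddl):
    """Trustees that should be reviewed: they hold the right but are not default holders."""
    return [t for t in find_install_replica_grants(sddl) if not is_default_holder(t)]


# Constructed sample DACL: default holders, one unrelated right, one custom group (RID 1105)
SAMPLE_DACL = (
    "D:AI"
    "(OA;;CR;9923a32a-3607-11d2-b9be-0000f87a36b2;;BA)"
    "(OA;;CR;9923a32a-3607-11d2-b9be-0000f87a36b2;;S-1-5-21-1111-2222-3333-512)"
    "(OA;;CR;9923a32a-3607-11d2-b9be-0000f87a36b2;;S-1-5-21-1111-2222-3333-519)"
    "(OA;;CR;11111111-2222-3333-4444-555555555555;;S-1-5-21-1111-2222-3333-1105)"
    "(OA;;CR;9923a32a-3607-11d2-b9be-0000f87a36b2;;S-1-5-21-1111-2222-3333-1105)"
)

if __name__ == "__main__":
    print("Review these DS-Install-Replica holders:", non_default_holders(SAMPLE_DACL))
```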