Grant rights
This abuse can be carried out when controlling an object that has WriteDacl over another object.
The attacker can write a new ACE to the target objectโ€™s DACL (Discretionary Access Control List). This can give the attacker full control of the target object.
Instead of giving full control, the same process can be applied to allow an object to DCSync by adding two ACEs with specific Extended Rights (DS-Replication-Get-Changes and DS-Replication-Get-Changes-All). Giving full control leads to the same thingsince GenericAll includes all ExtendedRights, hence the two extended rights needed for DCSync to work.
Story time, Exchange Servers used to have WriteDacl over domain objects, allowing attackers to conduct a PrivExchange attack where control would be gained over an Exchange Server which would then be used to grant an attacker-controlled object DCSync privileges to the domain.
From UNIX-like systems, this can be done with Impacket's (Python).
At the time of writing, May 2nd 2022, the Pull Request (#1291) is still pending.
# Give full control -action 'write' -rights 'FullControl' -principal 'controlled_object' -target 'target_object' 'domain'/'user':'password'
# Give DCSync (DS-Replication-Get-Changes, DS-Replication-Get-Changes-All) -action 'write' -rights 'DCSync' -principal 'controlled_object' -target 'target_object' 'domain'/'user':'password'
For a DCSync granting attack, instead of using dacledit, ntlmrelayx has the ability to operate that abuse with the --escalate-user option (see this).
From a Windows system, this can be achieved with Add-DomainObjectAcl (PowerView module).
# Give full control
Add-DomainObjectAcl -Rights 'All' -TargetIdentity "target_object" -PrincipalIdentity "controlled_object"
# Give DCSync (DS-Replication-Get-Changes, DS-Replication-Get-Changes-All)
Add-DomainObjectAcl -Rights 'All' -TargetIdentity "target_object" -PrincipalIdentity "controlled_object"
A few tests showed the Add-DomainObjectAcl command needed to be run with the -Credential and -Domain options in order to work


Abusing Active Directory Permissions with PowerView - harmj0y
DCSync: Dump Password Hashes from Domain Controller
Red Teaming Experiments
Copy link