cyberark / zBang

zBang is a risk assessment tool that detects potential privileged account threats
MIT License

ACLight.ps1 - False Positive? #4

Open ParadoX-SobriuS opened 5 years ago

ParadoX-SobriuS commented 5 years ago

Thank you for a great tool!

In the ACLight.ps1 file, on row 3290 in the filter set, we have the following:

`($_.ObjectType -eq "DS-Replication-Get-Changes")`

If I've read the code correctly, this is part of the result that will be presented in the zBang GUI showing the DCSync arrow. From all the documentation that I've read and the research I've done, I don't see that this ACL permission gives the DCSync ability. Please correct me if I am wrong on this and, if possible, provide something that I can show as proof (if documented). Currently, it gives a false positive if my assumption is correct, and could possibly lead to other users assuming their environment is not secured while in fact it is secured.

Thank you in advance

Hechtov commented 5 years ago

Hi @ParadoX-SobriuS, for performing a DCSync attack you indeed need the DS-Replication-Get-Changes permission over the target domain object. Here are lots of references that talk about DCSync and the replication permissions from the DCs:

- https://adsecurity.org/?p=1729 -> read "Delegating Rights to Pull Account data"
- https://adsecurity.org/wp-content/uploads/2016/03/DerbyCon-2015-Metcalf-RedvsBlue-ADAttackAndDefense-Presented-Final.pdf -> slide 60
- http://www.harmj0y.net/blog/redteaming/abusing-active-directory-permissions-with-powerview/
- https://blog.stealthbits.com/extracting-user-password-data-with-mimikatz-dcsync/
- https://blog.fox-it.com/2018/04/26/escalating-privileges-with-acls-in-active-directory/

Etc.

ParadoX-SobriuS commented 5 years ago

Hi,

Thank you for the quick feedback. The articles state that you need more permissions than only DS-Replication-Get-Changes. In a Windows environment with, e.g., SharePoint, you delegate the DS-Replication-Get-Changes permission only, and not the 'All' or 'Filtered' ones.

Therefore the report will give a false positive when the delegated permission doesn't meet the requirements for DCSync to execute.

Hechtov commented 5 years ago

OK, might be, but I think it's still an important thing to discover all the accounts with "DS-Replication-Get-Changes" permissions over the root object of the domain, even if they don't have the "All" and "Filtered" options.

ParadoX-SobriuS commented 5 years ago

I agree that we should fetch the "DS-Replication-Get-Changes" and have this highlighted as a wrong move that could easily become a catastrophe. But for the zBang tool, it currently is a false positive, and this is why I reported it as an issue. There should be a change in the way that the presentation of 'DCSync' is done, so that if only "DS-Replication-Get-Changes" is present, it is not a DCSync issue but rather something like 'DS Replication', and should be considered a Tier 1 account/group.
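
The distinction argued in the two comments above (DS-Replication-Get-Changes alone versus Get-Changes plus Get-Changes-All) can be checked directly against the domain root ACL. The PowerShell below is an added example, not ACLight/zBang code or a proposed patch to it: it groups replication-related ACEs by trustee and reports "DCSync" only when both Get-Changes and Get-Changes-All are held. The GUIDs are the well-known extended-right GUIDs for the three replication rights; the function name `Get-ReplicationRightsReport`, the sample identities and the sample ACEs are constructed for the example and do not come from any real domain.

```powershell
# Added example, not part of ACLight/zBang. Classifies trustees holding replication
# extended rights on the domain root object as DCSync-capable or not.

# Extended-right GUIDs of the three replication rights (from the AD schema, rightsGuid).
$ReplicationRights = @{
    '1131f6aa-9c07-11d1-f79f-00c04fc2dcd2' = 'DS-Replication-Get-Changes'
    '1131f6ad-9c07-11d1-f79f-00c04fc2dcd2' = 'DS-Replication-Get-Changes-All'
    '89e95b76-444d-4c62-991a-0facbeda640c' = 'DS-Replication-Get-Changes-In-Filtered-Set'
}

function Get-ReplicationRightsReport {
    # Input objects need the same properties as ActiveDirectoryAccessRule (what
    # (Get-Acl "AD:\<domain DN>").Access returns): IdentityReference,
    # ActiveDirectoryRights, AccessControlType, ObjectType.
    param([Parameter(Mandatory)][object[]]$Aces)

    $byTrustee = @{}
    foreach ($ace in $Aces) {
        if ("$($ace.AccessControlType)" -ne 'Allow') { continue }   # Deny ACEs grant nothing
        $rights     = "$($ace.ActiveDirectoryRights)"
        $objectType = "$($ace.ObjectType)".ToLower()
        $granted    = @()
        if ($rights -match 'GenericAll') {
            # Full control on the domain object implies every extended right, DCSync included.
            $granted = @($ReplicationRights.Values)
        } elseif ($rights -match 'ExtendedRight') {
            if ($objectType -eq [guid]::Empty.ToString()) {
                # ExtendedRight with an empty ObjectType means "all extended rights".
                $granted = @($ReplicationRights.Values)
            } elseif ($ReplicationRights.ContainsKey($objectType)) {
                $granted = @($ReplicationRights[$objectType])
            }
        }
        if ($granted.Count -eq 0) { continue }
        $who = "$($ace.IdentityReference)"
        if (-not $byTrustee.ContainsKey($who)) { $byTrustee[$who] = @{} }
        foreach ($g in $granted) { $byTrustee[$who][$g] = $true }
    }

    foreach ($who in ($byTrustee.Keys | Sort-Object)) {
        $have       = $byTrustee[$who]
        $getChanges = $have.ContainsKey('DS-Replication-Get-Changes')
        $getAll     = $have.ContainsKey('DS-Replication-Get-Changes-All')
        # DCSync of secrets needs Get-Changes AND Get-Changes-All; Get-Changes alone
        # (with or without the filtered-set right) is replication access, not DCSync.
        $verdict = if ($getChanges -and $getAll) { 'DCSync' }
                   elseif ($getChanges)          { 'DS Replication only (not DCSync)' }
                   else                          { 'Incomplete replication rights (Get-Changes missing)' }
        [pscustomobject]@{
            Identity = $who
            Rights   = (($have.Keys | Sort-Object) -join ', ')
            Verdict  = $verdict
        }
    }
}

# Constructed sample ACEs (no real domain involved), shaped like Get-Acl output.
$SampleAces = @(
    [pscustomobject]@{ IdentityReference = 'CORP\svc-sharepoint'; ActiveDirectoryRights = 'ExtendedRight'; AccessControlType = 'Allow'; ObjectType = '1131f6aa-9c07-11d1-f79f-00c04fc2dcd2' }
    [pscustomobject]@{ IdentityReference = 'CORP\svc-dirsync';    ActiveDirectoryRights = 'ExtendedRight'; AccessControlType = 'Allow'; ObjectType = '1131f6aa-9c07-11d1-f79f-00c04fc2dcd2' }
    [pscustomobject]@{ IdentityReference = 'CORP\svc-dirsync';    ActiveDirectoryRights = 'ExtendedRight'; AccessControlType = 'Allow'; ObjectType = '1131f6ad-9c07-11d1-f79f-00c04fc2dcd2' }
    [pscustomobject]@{ IdentityReference = 'CORP\denied-user';    ActiveDirectoryRights = 'ExtendedRight'; AccessControlType = 'Deny';  ObjectType = '1131f6ad-9c07-11d1-f79f-00c04fc2dcd2' }
    [pscustomobject]@{ IdentityReference = 'CORP\Domain Admins';  ActiveDirectoryRights = 'GenericAll';    AccessControlType = 'Allow'; ObjectType = '00000000-0000-0000-0000-000000000000' }
)
Get-ReplicationRightsReport -Aces $SampleAces | Format-Table -AutoSize

# Against a live domain (needs the RSAT ActiveDirectory module and read access to the domain root):
# Import-Module ActiveDirectory
# $domainDn = (Get-ADDomain).DistinguishedName
# Get-ReplicationRightsReport -Aces (Get-Acl -Path "AD:\$domainDn").Access | Format-Table -AutoSize
```

With the sample input, `CORP\svc-sharepoint` is reported as "DS Replication only (not DCSync)", `CORP\svc-dirsync` and `CORP\Domain Admins` as "DCSync", and the Deny ACE is ignored. Two caveats when running it against a real domain: ACEs with `GenericAll`, or `ExtendedRight` with an all-zero ObjectType, grant the replication rights without naming their GUIDs, so a filter that only matches `ObjectType -eq "DS-Replication-Get-Changes"` misses them; and the domain controllers, Enterprise Domain Controllers and the built-in admin groups legitimately hold these rights, so expect them in the output and decide separately whether to suppress them.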

Hechtov commented 5 years ago

Yes, so I reopened this as a small issue and we will take a look at this. The fix is quite easy, and will be considered for a future version. Thanks @ParadoX-SobriuS

ParadoX-SobriuS commented 5 years ago

Great, and thanks for an awesome product!