ACLight.ps1 - False Positive? #4
Comments
Hi @ParadoX-SobriuS
|
Hi,
Thank you for the quick feedback.
The articles state that you need more permissions than only DS-Replication-Get-Changes.
In a Windows environment with e.g. SharePoint, you delegate the DS-Replication-Get-Changes permission only, and not the 'All' or 'Filtered' ones.
Therefore the report gives a false positive when the delegated permission doesn't meet the requirements for DCSync to execute.
|
OK, might be, but I think it's still an important thing to discover all the accounts with "DS-Replication-Get-Changes" permissions over the root object of the domain, even if they don't have the "All" and "Filtered" options.
|
I agree that we should fetch "DS-Replication-Get-Changes" and have it highlighted as a wrong move that could easily become a catastrophe.
|
Yes, so I reopened this as a small issue and we will take a look at it. The fix is quite easy, and will be considered for a future version. Thanks @ParadoX-SobriuS
|
Great, and thanks for an awesome product!
|
Thank you for a great tool!
In the ACLight.ps1 file, on row 3290 in the filter set, we have the following:

```powershell
($_.ObjectType -eq "DS-Replication-Get-Changes")
```
If I've read the code correctly, this is part of the result that will be presented in the zBang GUI showing the DCSync arrow.
From all the documentation that I've read and the research I've done, I don't see that this ACL permission gives the DCSync ability. Please correct me if I am wrong on this and, if possible, point me to something I can show as proof (if documented).
Currently, it gives a false positive if my assumption is correct, and could possibly lead to other users assuming their environment is not secured while in fact it is.
Thank you in advance
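The distinction the thread settles on can be made explicit in the enumeration itself. The following is an added example, not code from ACLight or zBang: it groups the Allow ACEs on the domain root by principal and reports "DCSync" only when a principal holds both DS-Replication-Get-Changes and DS-Replication-Get-Changes-All (directly, via GenericAll, or via an ExtendedRight ACE with an empty ObjectType, which covers every extended right), while a principal with Get-Changes alone is reported as "GetChangesOnly" so it still surfaces for review without being drawn as a DCSync arrow. The three rightsGuid values are the well-known AD schema GUIDs; the function name, the `CORP\...` principals and the sample ACEs are constructed for the example, and the live query shown in the comment assumes the ActiveDirectory module and its `AD:` drive.

```powershell
# Added example (not ACLight/zBang code): classify replication extended rights on the domain root.
# Well-known rightsGuid values from the AD schema's Extended-Rights container.
$ReplicationRights = @{
    '1131f6aa-9c07-11d1-f79f-00c04fc2dcd2' = 'DS-Replication-Get-Changes'
    '1131f6ad-9c07-11d1-f79f-00c04fc2dcd2' = 'DS-Replication-Get-Changes-All'
    '89e95b76-444d-4c62-991a-0facbeda640c' = 'DS-Replication-Get-Changes-In-Filtered-Set'
}

function Get-ReplicationRightHolders {
    param(
        # ACEs from (Get-Acl "AD:\<domain DN>").Access, or objects exposing the same four properties
        [Parameter(Mandatory)] [object[]] $Access
    )
    $byIdentity = @{}
    foreach ($ace in $Access) {
        if ([string]$ace.AccessControlType -ne 'Allow') { continue }
        $rights = [string]$ace.ActiveDirectoryRights
        $id     = [string]$ace.IdentityReference
        if (-not $byIdentity.ContainsKey($id)) {
            $byIdentity[$id] = [System.Collections.Generic.HashSet[string]]::new()
        }

        # GenericAll, or ExtendedRight without a specific ObjectType, grants every extended right.
        if ($rights -match 'GenericAll' -or
            ($rights -match 'ExtendedRight' -and $ace.ObjectType -eq [guid]::Empty)) {
            foreach ($name in $ReplicationRights.Values) { [void]$byIdentity[$id].Add($name) }
            continue
        }
        # Otherwise only a replication GUID in ObjectType counts; any other extended right is ignored.
        $guid = [string]$ace.ObjectType
        if ($rights -match 'ExtendedRight' -and $ReplicationRights.ContainsKey($guid)) {
            [void]$byIdentity[$id].Add($ReplicationRights[$guid])
        }
    }

    foreach ($id in $byIdentity.Keys) {
        $have       = $byIdentity[$id]
        $getChanges = $have.Contains('DS-Replication-Get-Changes')
        $getAll     = $have.Contains('DS-Replication-Get-Changes-All')
        # Full DCSync (secrets included) needs Get-Changes AND Get-Changes-All.
        $verdict = 'Partial'                                   # e.g. Get-Changes-All without Get-Changes
        if ($getChanges -and $getAll) { $verdict = 'DCSync' }
        elseif ($getChanges)          { $verdict = 'GetChangesOnly' }  # not DCSync by itself; still review it
        [pscustomobject]@{
            Identity = $id
            Rights   = (@($have) | Sort-Object) -join ', '
            Verdict  = $verdict
        }
    }
}

# Constructed sample ACEs (hypothetical principals) standing in for the domain root ACL.
$sampleAccess = @(
    [pscustomobject]@{ IdentityReference = 'CORP\svc-sharepoint';  AccessControlType = 'Allow'
                       ActiveDirectoryRights = 'ExtendedRight'; ObjectType = [guid]'1131f6aa-9c07-11d1-f79f-00c04fc2dcd2' }
    [pscustomobject]@{ IdentityReference = 'CORP\svc-aadconnect'; AccessControlType = 'Allow'
                       ActiveDirectoryRights = 'ExtendedRight'; ObjectType = [guid]'1131f6aa-9c07-11d1-f79f-00c04fc2dcd2' }
    [pscustomobject]@{ IdentityReference = 'CORP\svc-aadconnect'; AccessControlType = 'Allow'
                       ActiveDirectoryRights = 'ExtendedRight'; ObjectType = [guid]'1131f6ad-9c07-11d1-f79f-00c04fc2dcd2' }
    [pscustomobject]@{ IdentityReference = 'CORP\Domain Admins';  AccessControlType = 'Allow'
                       ActiveDirectoryRights = 'GenericAll';    ObjectType = [guid]::Empty }
)

Get-ReplicationRightHolders -Access $sampleAccess | Format-Table -AutoSize

# Against a real domain (assumes the ActiveDirectory module is loaded):
# Get-ReplicationRightHolders -Access (Get-Acl "AD:\$((Get-ADDomain).DistinguishedName)").Access
```

On the constructed input, `CORP\svc-sharepoint` comes back as `GetChangesOnly`, `CORP\svc-aadconnect` and `CORP\Domain Admins` as `DCSync`. Keying the lookup on the GUID rather than on a resolved display name avoids a second source of false positives (a name that fails to resolve, or resolves differently across schema versions), and keeping the `GetChangesOnly` verdict as its own row preserves the point made in the thread: a Get-Changes-only delegation is not DCSync today, but it is one ACE away from it and belongs in the report.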