No computer object acls #57
Comments
As far as I'm aware, if you reset the password of a computer account, it becomes de-synced from Active Directory, and can cause several issues. I'll have to test again, but that's my understanding of the issue.
You are right. But you can authenticate as a domain controller to another domain controller after the reset and perform a dc sync (and get the history of the DC object password). After that you could reset it to the old password. The same with an exchange computer object.
I just saw that issue #230 in BloodHound is almost the same.
Can you design a Proof of Concept of this attack? What risks are involved?
"you could reset it to the old password" - as you only have the hash, does that mean you would need to use the mimikatz
Hi, first of all thank you for this amazing project.
One point: If a user has e.g. ResetPassword rights on a domain controller object, wouldn't this be a privilege escalation vulnerability because of the dc sync privilege of a domain controller object?
The same with an exchange server object, because this object can manipulate ACEs of the domain root.
At the moment you just care about computer object acls if they have LAPS installed.
Or am I wrong? Thank you!
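
A defensive audit for the case raised in this issue, as an added example that is not part of the original thread or the project's code: it parses the SDDL security descriptor of domain controller and Exchange computer objects and reports allow ACEs that give an unexpected trustee the Reset Password right, directly or through DACL/owner rewrite. The sample descriptors, DNs, SIDs and the `EXPECTED` allowlist are constructed assumptions, and rights are assumed to be in SDDL letter form rather than hex masks.

```python
import re

RESET_PASSWORD = "00299570-246d-11d0-a768-00aa006e0529"  # User-Force-Change-Password
# Assumption: only these trustees should control a DC or Exchange computer object.
EXPECTED = {"SY", "DA", "EA", "BA"}  # SYSTEM, Domain/Enterprise Admins, Administrators

def pairs(s):
    """Split SDDL two-letter codes, e.g. 'CRWD' -> {'CR', 'WD'}."""
    return {s[i:i + 2] for i in range(0, len(s), 2)}

def risky_aces(sddl):
    """Return (trustee, reason) for allow ACEs that let an unexpected trustee
    reset the object's password, directly or by rewriting the DACL or owner."""
    dacl = re.search(r"D:[A-Z]*((?:\([^)]*\))*)", sddl)  # DACL only, not the SACL
    findings = []
    for ace in re.findall(r"\(([^)]*)\)", dacl.group(1) if dacl else ""):
        ace_type, flags, rights, obj, _inherit_obj, trustee = ace.split(";")[:6]
        if ace_type not in ("A", "OA") or "IO" in pairs(flags):
            continue  # deny ACEs and inherit-only ACEs grant nothing on this object
        if trustee in EXPECTED:
            continue
        r = pairs(rights)
        if "GA" in r:
            findings.append((trustee, "GenericAll"))
        elif "CR" in r and obj.lower() in ("", RESET_PASSWORD):
            findings.append((trustee, "ResetPassword"))  # empty GUID = all extended rights
        elif r & {"WD", "WO"}:
            findings.append((trustee, "WriteDacl/WriteOwner"))
    return findings

# Constructed nTSecurityDescriptor values in SDDL form, for illustration only.
SAMPLES = {
    "CN=DC01,OU=Domain Controllers,DC=example,DC=test":
        "O:DAG:DAD:AI(A;;GA;;;DA)(A;;GA;;;SY)"
        "(OA;;CR;00299570-246d-11d0-a768-00aa006e0529;;S-1-5-21-1-2-3-1105)",
    "CN=EXCH01,CN=Computers,DC=example,DC=test":
        "O:DAG:DAD:AI(A;;GA;;;DA)(A;CIIO;GA;;;S-1-5-21-1-2-3-1106)"
        "(OD;;CR;00299570-246d-11d0-a768-00aa006e0529;;S-1-5-21-1-2-3-1107)"
        "S:AI(AU;SA;WD;;;WD)",
}

def audit(objects):
    """Map each object DN to its findings, omitting objects with none."""
    return {dn: f for dn, sddl in objects.items() if (f := risky_aces(sddl))}

if __name__ == "__main__":
    for dn, found in audit(SAMPLES).items():
        print(dn, found)
```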