Extended rights (control access rights) are permissions on Active Directory objects that go beyond the generic read and write rights: they allow reading confidential attributes and performing specific operations such as resetting a password or replicating directory changes. An AllExtendedRights edge means the ACE grants every extended right on the target object (the ACE's ObjectType GUID is all zeros rather than the GUID of one particular right).
Abuse Info
User
Having this privilege over a user grants the ability to reset the user's password without knowing the current one (the User-Force-Change-Password extended right). For more information about that, see the ForceChangePassword edge section.
Computer
You may perform resource-based constrained delegation with this privilege over a computer object. For more information about that, see the GenericAll edge section. Note that the RBCD abuse works by writing msDS-AllowedToActOnBehalfOfOtherIdentity on the target computer, which is a write-property operation; before relying on this edge, confirm that the ACE you hold also includes WriteProperty, GenericWrite or GenericAll on that attribute, since an extended right by itself does not write attributes. All Extended Rights on a computer does, however, allow reading confidential attributes such as the legacy LAPS password (ms-Mcs-AdmPwd), which BloodHound models separately as the ReadLAPSPassword edge.
Domain
The AllExtendedRights permission grants both the DS-Replication-Get-Changes and DS-Replication-Get-Changes-All privileges, which combined allow a principal to replicate directory objects, including secrets such as NT hashes and Kerberos keys, from the domain exactly as a domain controller would. This can be abused using the lsadump::dcsync command in mimikatz (or secretsdump.py from impacket on Linux).
CertTemplate
The AllExtendedRights permission grants enrollment rights on the certificate template, because Certificate-Enrollment (and Certificate-AutoEnrollment) are extended rights on template objects.
The following additional requirements must be met for a principal to be able to enroll a certificate:
- The certificate template is published on an enterprise CA
- The principal has Enroll permission on the enterprise CA
- The principal meets the issuance requirements and the requirements for subject name and subject alternative name defined by the template
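The script below is an added example, not part of the BloodHound documentation, that checks the three prerequisites above for the current user before an enrollment attempt. It assumes the RSAT ActiveDirectory module and read access to the Configuration partition (the default for domain users). It resolves the template, finds the enterprise CAs that publish it, evaluates the template's DACL against the SIDs in the current token, and reports the template's issuance requirements and subject-name flag. The CA's own Enroll permission lives in the CA's registry-backed security descriptor rather than in an AD object, so for that step the script just dumps it with certutil for inspection. The template name is a placeholder.

```powershell
# Added example (not BloodHound's own code): can I enroll in this template?
param([string]$Template = 'TEMPLATE')   # placeholder, replace with the template's cn
Import-Module ActiveDirectory

$cfg = (Get-ADRootDSE).configurationNamingContext
$pks = "CN=Public Key Services,CN=Services,$cfg"

# Control access rights that confer enrollment on a template (schema rightsGuid values)
$EnrollGuids = @(
    '0e10c968-78fb-11d2-90d4-00c04f79dc55',  # Certificate-Enrollment
    'a05b8cc2-17bc-4802-a710-e7c15ab866a2',  # Certificate-AutoEnrollment
    '00000000-0000-0000-0000-000000000000'   # All Extended Rights
)
$ExtendedRight = [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight
$GenericAll    = [System.DirectoryServices.ActiveDirectoryRights]::GenericAll

# The SIDs AD will match against: the user itself plus every group in the token
$me     = [System.Security.Principal.WindowsIdentity]::GetCurrent()
$mySids = @($me.User.Value) + @($me.Groups | ForEach-Object { $_.Value })

function Test-TemplateEnroll {
    param([string]$DistinguishedName)
    $allowed = $false
    foreach ($ace in (Get-Acl -Path "AD:\$DistinguishedName").Access) {
        $sid = $ace.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]).Value
        if ($mySids -notcontains $sid) { continue }
        $grantsEnroll = $ace.ActiveDirectoryRights.HasFlag($GenericAll) -or
                        ($ace.ActiveDirectoryRights.HasFlag($ExtendedRight) -and
                         $EnrollGuids -contains $ace.ObjectType.ToString().ToLower())
        if (-not $grantsEnroll) { continue }
        # Conservative: any matching Deny is treated as blocking, regardless of ACE order
        if ($ace.AccessControlType -eq 'Deny') { return $false }
        $allowed = $true
    }
    return $allowed
}

# 1. Template must exist and be published on at least one enterprise CA
$tmpl = Get-ADObject -SearchBase "CN=Certificate Templates,$pks" -LDAPFilter "(cn=$Template)" `
            -Properties 'msPKI-Certificate-Name-Flag', 'msPKI-Enrollment-Flag', 'msPKI-RA-Signature'
if (-not $tmpl) { throw "Template '$Template' not found" }

$cas = Get-ADObject -SearchBase "CN=Enrollment Services,$pks" -LDAPFilter '(objectClass=pKIEnrollmentService)' `
            -Properties certificateTemplates, dNSHostName |
       Where-Object { $_.certificateTemplates -contains $Template }
if (-not $cas) { Write-Warning "Template '$Template' is not published on any enterprise CA"; return }

# 2. Enroll right on the template for the current token
$templateEnroll = Test-TemplateEnroll $tmpl.DistinguishedName

# Issuance requirements and subject handling from the template flags
[pscustomobject]@{
    Template                = $Template
    TemplateEnroll          = $templateEnroll
    ManagerApprovalRequired = [bool]($tmpl.'msPKI-Enrollment-Flag' -band 0x2)      # CT_FLAG_PEND_ALL_REQUESTS
    RequiredSignatures      = [int]$tmpl.'msPKI-RA-Signature'
    EnrolleeSuppliesSubject = [bool]($tmpl.'msPKI-Certificate-Name-Flag' -band 0x1) # CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT
    PublishedOn             = ($cas | ForEach-Object { "$($_.dNSHostName)\$($_.Name)" }) -join '; '
} | Format-List

# 3. Enroll right on the CA: stored in the CA's registry security descriptor, not in AD.
#    Dump it and look for an Enroll ACE matching one of your groups.
foreach ($ca in $cas) {
    $config = "$($ca.dNSHostName)\$($ca.Name)"
    Write-Host "`n== CA security for $config =="
    certutil -config $config -getreg CA\Security
}
```

If TemplateEnroll is true, manager approval is off, no signatures are required and the CA security output shows Enroll for one of your groups, the Certify or Certipy request below should succeed; a pending or denied request usually means one of those checks was wrong.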
Certify can be used to enroll a certificate on Windows:
Certify.exe request /ca:SERVER\CA-NAME /template:TEMPLATE
Certipy can be used to enroll a certificate on Linux:
certipy req -u USER@CORP.LOCAL -p PWD -ca CA-NAME -target SERVER -template TEMPLATE
Opsec Considerations
This will depend on the actual attack performed. See the particular opsec considerations sections for the ForceChangePassword, AddMembers, and GenericAll edges for more info. DCSync in particular is noisy: domain controllers log event 4662 for the replication control access rights when directory auditing is enabled, and replication requests (DRSUAPI DsGetNCChanges) arriving from a host that is not a domain controller stand out on the network. Certificate enrollment leaves a request record on the issuing CA (visible with certutil -view) and, where auditing is configured, event 4886/4887 on the CA.