Extended rights are special rights granted on objects which allow reading of privileged attributes, as well as performing special actions.
Abuse Info
User
Having this privilege over a user grants the ability to reset the user’s password. For more information about that, see the ForceChangePassword edge section
Computer
You may read the LAPS password of the computer object. For more information about that, see the ReadLAPSPassword edge section.
Domain
The AllExtendedRights permission grants both the DS-Replication-Get-Changes and DS-Replication-Get-Changes-All privileges, which combined allow a principal to replicate objects from the domain. This can be abused using the lsadump::dcsync command in mimikatz.
CertTemplate
The AllExtendedRights permission grants enrollment rights on the certificate template.
The following additional requirements must be met for a principal to be able to enroll a certificate:
- The certificate template is published on an enterprise CA
- The principal has Enroll permission on the enterprise CA
- The principal meets the issuance requirements and the requirements for subject name and subject alternative name defined by the template
Certify can be used to enroll a certificate on Windows:
Certify.exe request /ca:SERVER\\CA-NAME /template:TEMPLATE
Certipy can be used to enroll a certificate on Linux:
certipy req -u USER@CORP.LOCAL -p PWD -ca CA-NAME -target SERVER -template TEMPLATE
Opsec Considerations
This will depend on the actual attack performed. See the particular opsec considerations sections for the ForceChangePassword, AddMembers, and GenericAll edges for more info
References
Updated