AllExtendedRights

This article applies to BHCE and BHE

Extended rights are special rights granted on objects which allow reading of privileged attributes, as well as performing special actions.

Abuse Info

User

Having this privilege over a user grants the ability to reset the user’s password. For more information about that, see the ForceChangePassword edge section

Computer

You may perform resource-based constrained delegation with this privilege over a computer object. For more information about that, see the GenericAll edge section.

Domain

The AllExtendedRights permission grants both the DS-Replication-Get-Changes and DS-Replication-Get-Changes-All privileges, which combined allow a principal to replicate objects from the domain. This can be abused using the lsadump::dcsync command in mimikatz.

CertTemplate

The AllExtendedRights permission grants enrollment rights on the certificate template. 

The following additional requirements must be met for a principal to be able to enroll a certificate:

  1. The certificate template is published on an enterprise CA
  2. The principal has Enroll permission on the enterprise CA
  3. The principal meets the issuance requirements and the requirements for subject name and subject alternative name defined by the template

Certify can be used to enroll a certificate on Windows:

Certify.exe request /ca:SERVER\\CA-NAME /template:TEMPLATE

Certipy can be used to enroll a certificate on Linux:

certipy req -u USER@CORP.LOCAL -p PWD -ca CA-NAME -target SERVER -template TEMPLATE

 

Opsec Considerations

This will depend on the actual attack performed. See the particular opsec considerations sections for the ForceChangePassword, AddMembers, and GenericAll edges for more info

Updated