ACL abuse (medium)
3. msDS-AllowedToActOnBehalfOfOtherIdentity attribute permission
The figure shows Microsoft's description of the msDS-AllowedToActOnBehalfOfOtherIdentity attribute.
jack is a normal user in the domain. Having obtained domain administrator privileges, we now want to maintain that access, which we can do as follows: use the powerview.ps1 script under Empire to run the command below, which manually grants user jack permission to modify the msDS-AllowedToActOnBehalfOfOtherIdentity (3f78c3e5-f79a-46bd-a0b8-9d18116ddc79) attribute on the domain controller, as shown in the figure:
Import-Module .\powerview.ps1
# Grant user jack permission to modify the msDS-AllowedToActOnBehalfOfOtherIdentity attribute on the domain controller
Add-DomainObjectAcl -TargetIdentity
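
To detect the ACL change described above, the following audit lists every Allow ACE on domain controller computer objects that permits writing this attribute. It is an added example, not part of the original page or of PowerView; it assumes the RSAT ActiveDirectory module, and the $Expected allow-list is a hypothetical starting point to adjust per domain.

```powershell
# Added example: audit DC computer objects for principals that can write
# msDS-AllowedToActOnBehalfOfOtherIdentity. Read-only; changes nothing.
Import-Module ActiveDirectory

# schemaIDGUID of the attribute, as quoted on the page
$RbcdGuid  = [Guid]'3f78c3e5-f79a-46bd-a0b8-9d18116ddc79'
$WriteProp = [System.DirectoryServices.ActiveDirectoryRights]::WriteProperty

# Assumption: principals expected to hold write access on DC objects.
# Tune this pattern for your environment.
$Expected = '\\SYSTEM$|\\Domain Admins$|\\Enterprise Admins$|' +
            '\\Administrators$|\\ENTERPRISE DOMAIN CONTROLLERS$'

$findings = foreach ($dc in Get-ADDomainController -Filter *) {
    # The AD: drive is provided by the ActiveDirectory module
    $acl = Get-Acl -Path ("AD:\" + $dc.ComputerObjectDN)

    foreach ($ace in $acl.Access) {
        # Only Allow ACEs grant the write
        if ($ace.AccessControlType -ne 'Allow') { continue }

        # GenericAll and GenericWrite both include the WriteProperty bit
        if (($ace.ActiveDirectoryRights -band $WriteProp) -ne $WriteProp) { continue }

        # ObjectType is the attribute GUID for a targeted ACE,
        # or the empty GUID when the ACE covers all properties
        if ($ace.ObjectType -ne $RbcdGuid -and
            $ace.ObjectType -ne [Guid]::Empty) { continue }

        if ($ace.IdentityReference.Value -match $Expected) { continue }

        [pscustomobject]@{
            DomainController = $dc.HostName
            Principal        = $ace.IdentityReference.Value
            Rights           = $ace.ActiveDirectoryRights
            AttributeScoped  = ($ace.ObjectType -eq $RbcdGuid)
            Inherited        = $ace.IsInherited
        }
    }
}

# Targeted, non-inherited ACEs are listed first
$findings |
    Sort-Object @{ Expression = 'AttributeScoped'; Descending = $true }, Inherited |
    Format-Table -AutoSize
```

A row naming an ordinary user such as jack with AttributeScoped set to True and Inherited set to False matches the permission grant this section describes.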