Here is a script to dump the AD extended rights:

AD is mission critical for most enterprises today. This article explains how to dump the AD extended rights applied to AD objects, so that the results can be audited to identify persistent threats or attackers who have gained persistent control of AD.

Other resources:

To list all the extended rights available for delegation in Active Directory: https://technet.microsoft.com/en-us/library/ff405676.aspx

BTA, an open-source tool from “Airbus industry”: https://www.information-security.fr/audit-lactive-directory-bta/

https://www.ssi.gouv.fr/uploads/IMG/pdf/Lucas_Bouillot_et_Emmanuel_Gras_-_Chemins_de_controle_Active_Directory.pdf

 

Script:

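Function DumpExtendedRight([Microsoft.ActiveDirectory.Management.ADObject] $adobject){
    <#
    .SYNOPSIS
    Writes one line per explicit (non-inherited) Allow ACE on $adobject that
    grants one of the audited extended rights.
    .PARAMETER adobject
    An object returned by Get-ADObject with -Properties ntSecurityDescriptor.
    Only the ACL is read; nothing is modified.
    .OUTPUTS
    System.String - one description per matching ACE, sent to the pipeline.
    .NOTES
    Scope is limited to extended rights / validated writes. Broader rights that
    also imply control (GenericAll, WriteDacl, WriteOwner) are not reported here.
    #>
    # Extended rights worth auditing, keyed by the rightsGuid of the
    # controlAccessRight object (see https://technet.microsoft.com/en-us/library/ff405676.aspx).
    $dangerousRights = @{
        "00299570-246d-11d0-a768-00aa006e0529" = "User-Force-Change-Password"
        # The original listing of this GUID was one hex digit short and could
        # never match; value below is the published rightsGuid - verify against
        # the TechNet list above before relying on it.
        "45ec5156-db7e-47bb-b53f-dbeb2d03c40b" = "Reanimate-Tombstones"
        # NOTE(review): Self-Membership is a validated write (ActiveDirectoryRights::Self
        # on the 'member' attribute), not an extended right; the Self bit is therefore
        # checked below as well, otherwise this entry would never match.
        "bf9679c0-0de6-11d0-a285-00aa003049e2" = "Self-Membership"
        "ba33815a-4f93-4c76-87f3-57574bff8109" = "Manage-SID-History"
        "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2" = "DS-Replication-Get-Changes-All"
    }
    # An ExtendedRight ACE whose ObjectType is the empty GUID grants every
    # extended right on the object; it is at least as dangerous as any single entry.
    $allExtendedRights = "00000000-0000-0000-0000-000000000000"

    Foreach($access in $adobject.ntsecurityDescriptor.access){
        # Ignore well known and normal permissions
        if ($access.AccessControlType -eq [System.Security.AccessControl.AccessControlType]::Deny) { continue }
        if ($access.IdentityReference -eq "NT AUTHORITY\SYSTEM") { continue }
        if ($access.IdentityReference -eq "NT AUTHORITY\SELF") { continue }
        # Inherited ACEs are skipped so the output lists explicit delegations only;
        # rights inherited from a parent OU must be audited on that parent.
        if ($access.IsInherited) { continue }

        $rights = $access.ActiveDirectoryRights
        $isExtended = ($rights -band [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight) -ne 0
        $isValidatedWrite = ($rights -band [System.DirectoryServices.ActiveDirectoryRights]::Self) -ne 0
        if (-not ($isExtended -or $isValidatedWrite)) { continue }

        # ObjectType is a [Guid]; compare as a string so the lookup is exact and
        # does not depend on Guid/string conversion in a switch.
        $objectType = ([string]$access.ObjectType).ToLower()
        $right = ""
        if ($isExtended -and $objectType -eq $allExtendedRights) {
            $right = "All-Extended-Rights (empty ObjectType GUID)"
        } elseif ($dangerousRights.ContainsKey($objectType)) {
            $right = $dangerousRights[$objectType]
        }

        if ($right -ne ""){
            # Double quotes are required here: the original single-quoted string
            # emitted the "$(...)" text literally instead of the values.
            "$($access.IdentityReference) can act on the permission of $($adobject.name) ($($adobject.DistinguishedName)) with extended right: $right"
        }
    } # End Foreach
} # End Function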

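##MAIN

# $dc and $rootou are not set anywhere in this script: they must be defined in
# the calling session before it runs, e.g. (constructed example)
#   $dc = 'dc01.corp.example'; $rootou = 'DC=corp,DC=example'
# Fail fast instead of querying with an empty server / search base.
if (-not $dc -or -not $rootou) {
    throw 'Set $dc (domain controller) and $rootou (search base DN) before running this script.'
}

# NOTE(review): this filter returns user objects only. Some of the rights checked
# by DumpExtendedRight are granted on other classes - DS-Replication-Get-Changes-All
# in particular lives on the domain naming context head, not on users - so run the
# dump again with a wider -LDAPFilter to cover groups, computers, OUs and the domain object.
$ldapFilter = "(&(objectclass=user)(objectcategory=person))"

# -ResultSetSize $null removes the default cap so large OUs are not truncated silently.
$Allobjects = Get-ADObject -Server $dc -Searchbase $rootou -SearchScope subtree -LDAPFilter $ldapFilter -Properties ntSecurityDescriptor -ResultSetSize $null
Foreach ($Adobject in $Allobjects){
    DumpExtendedRight $Adobject
} # End Foreach

# End of Script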