Windows

ATT&CK Navigator View

84 Datasets

Created

Dataset

Description

Tags

Author

2020/10/29

SharpView PCRE.NET

This dataset represents a threat actor leveraging SharpView and specific functions such as Get-ObjectAcl creating files and loading dlls related to PCRE.NET use.

None

Roberto Rodriguez @Cyb3rWard0g

2020/10/29

Python HTTP Server

This dataset represents threat actors adding a FW inbound rule and starting a Python HTTP Server.

None

Roberto Rodriguez @Cyb3rWard0g

2020/10/28

Windows Vault Web Credentials

This dataset represents threat actors accessing the Windows Vault and reading web credentials saved.

None

Roberto Rodriguez @Cyb3rWard0g

2020/10/26

Process Herpaderping Mimikatz

This dataset represents the execution of a Process Herpaderping to obscure the intentions of a process by modifying the content on disk after the image has been mapped.

None

Roberto Rodriguez @Cyb3rWard0g

2020/10/23

Register-CimProvider Execute Dll

This dataset represents threat actors leveraging Register-Cimprovider to execute a malicious Dll.

None

Roberto Rodriguez @Cyb3rWard0g

2020/10/23

PurpleSharp PE Injection CreateRemoteThread

This dataset represents threat actors injecting portable executables (PE) into processes via APIs such asVirtualAllocEx and WriteProcessMemory and running it on the virtual address space of another process via the CreateRemoteThread API.

None

Roberto Rodriguez @Cyb3rWard0g

2020/10/23

Bitsadmin Download Malicious File

This dataset represents threat actors leveraging bitsadmin.exe to download a file.

[‘art.3c73d728-75fb-4180-a12f-6712864d7421’]

Roberto Rodriguez @Cyb3rWard0g

2020/10/22

CMSTP Proxy Execution

This dataset represents threat actors leveraging CMSTP to execute an Inf file to proxy execute other malicious commands (i.e. cmd.exe). (Embedding commands in the RunPreSetupCommandsSection of the INF file).

[‘art.748cb4f6-2fb3-4e97-b7ad-b22635a09ab0’]

Roberto Rodriguez @Cyb3rWard0g

2020/10/22

PurpleSharp Active Directory Playbook I

This dataset represents threat actors performing a few techniques in Active Directory to brute force passwords, request Kerberos ticket-granting service (TGS) service tickets from all SPNs, test access to remote network shares, and move laterally over Windows Remote Management (WinRM).

None

Roberto Rodriguez @Cyb3rWard0g, Mauricio Velazco @mvelazco

2020/10/22

HH Execution of Local Compiled HTML Payload

This dataset represents threat actors executing local compiled HTML Help payloads via hh.exe.

[‘art.5cb87818-0d7c-4469-b7ef-9224107aebe8’]

Roberto Rodriguez @Cyb3rWard0g

2020/10/22

Mshta VBScript Execute PowerShell

This dataset represents threat actors leveraging mshta.exe to proxy execute malicious powershell commands via vbscript.

[‘art.906865c3-e05f-4acc-85c4-fbc185455095’]

Roberto Rodriguez @Cyb3rWard0g

2020/10/22

Mshta HTML Application (HTA) Execution

This dataset represents threat actors leveraging mshta.exe to proxy execute malicious commands via an .hta file.

[‘art.c4b97eeb-5249-4455-a607-59f95485cb45’]

Roberto Rodriguez @Cyb3rWard0g

2020/10/22

Control Panel Execution

This dataset represents threat actors leveraging control.exe to execute a .cpl file to proxy execute another payload (i.e. calc).

[‘art.037e9d8a-9e46-4255-8b33-2ae3b545ca6f’]

Roberto Rodriguez @Cyb3rWard0g

2020/10/22

Mshta Javascript GetObject Sct

This dataset represents threat actors leveraging mshta.exe to proxy execute malicious .sct files via Javascript.

[‘art.1483fab9-4f52-4217-a9ce-daa9d7747cae’]

Roberto Rodriguez @Cyb3rWard0g

2020/10/21

Internet Explorer Version Discovery

This dataset represents threat actors querying HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer to get the version of internet explorer installed on the system.

[‘art.68981660-6670-47ee-a5fa-7e74806420a4’]

Roberto Rodriguez @Cyb3rWard0g

2020/10/21

Netsh Open FW Proxy Ports

This dataset represents adversaries modifying the local FW by opening port for proxy.

[‘art.15e57006-79dd-46df-9bf9-31bc24fb5a80’]

Roberto Rodriguez @Cyb3rWard0g

2020/10/21

Service Modification Fax

This dataset represents adversaries modifying a local service to execute powershell.

[‘art.ed366cde-7d12-49df-a833-671904770b9f’]

Roberto Rodriguez @Cyb3rWard0g

2020/10/20

UI Prompt For Credentials Function

This dataset represents adversaries leveraging functions such as CredUIPromptForCredentials to create and display a configurable dialog box that accepts credentials information from a user.

[‘art.2b162bfd-0928-4d4c-9ec3-4d9f88374b52’]

Roberto Rodriguez @Cyb3rWard0g

2020/10/19

SAM Copy via Esentutl VSS

This dataset represents adversaries copying the SAM hive using the esentutl.exe utility and volume shadow copy services.

[‘art.a90c2f4d-6726-444e-99d2-a00cd7c20480’]

Roberto Rodriguez @Cyb3rWard0g

2020/10/19

Logon Scripts via UserInitMprLogonScript

This dataset represents adversaries leveraging logon initialization scripts to achieve persistence via the UserInitMprLogonScript user environment.

[‘art.d6042746-07d4-4c92-9ad8-e644c114a231’]

Roberto Rodriguez @Cyb3rWard0g

2020/10/19

Psexec Reg LSA Secrets Dump

This dataset represents adversaries using psexec to run reg.exe as system and dump LSA secrets. Location HKLM\security\policy\secrets.

[‘art.55295ab0-a703-433b-9ca4-ae13807de12f’]

Roberto Rodriguez @Cyb3rWard0g

2020/10/19

Mavinject Process DLL Injection

This dataset represents adversaries leveraging

[‘art.74496461-11a1-4982-b439-4d87a550d254’]

Roberto Rodriguez @Cyb3rWard0g

2020/10/18

Lsass Memory Dump via Syscalls

This dataset represents adversaries using system calls (syscalls) and API unhooking to dump the memoty contents of lsass.

[‘art.7ae7102c-a099-45c8-b985-4c7a2d05790d’]

Roberto Rodriguez @Cyb3rWard0g

2020/10/18

Lsass Memory Dump via Comsvcs.dll

This dataset represents adversaries leveraging the MiniDump export function from comsvcs.dll via rundll32 to perform a memory dump from lsass.

[‘art.2536dee2-12fb-459a-8c37-971844fa73be’]

Roberto Rodriguez @Cyb3rWard0g

2020/10/17

WMIC Remote XSL Jscript Execution

This dataset represents adversaries proxy executing code and bypassing application controls by leveraging wmic and the /FORMAT argument switch to download and execute an XSL file (jscript).

None

Roberto Rodriguez @Cyb3rWard0g

2020/10/12

Covenant Wuauclt CreateRemoteThread Execution

This dataset represents adversaries proxy executing code via the Windows Update client utility. In order to bypass rules looking for the binary reaching out directly to the Internet, this dataset shows the binary creating and running a thread in the virtual address space of another process via the CreateRemoteThread API.

[‘CreateRemoteThread’]

Roberto Rodriguez @Cyb3rWard0g

2020/10/09

Covenant Remote WMI Wbemcomn DLL Hijacking

This dataset represents adversaries abusing a DLL hijack vulnerability found in the execution of the WMI provider host (wmiprvse.exe) for lateral movement.

[‘SMB CreateRequest’]

Roberto Rodriguez @Cyb3rWard0g

2020/10/09

Covenant Remote DCOM Iertutil DLL Hijacking

This dataset represents adversaries abusing a DLL hijack vulnerability found in the execution of the DCOM InternetExplorer.Application class for lateral movement.

[‘SMB CreateRequest’]

Roberto Rodriguez @Cyb3rWard0g

2020/09/22

Empire Powerdump Extract Hashes

This dataset represents adversaries calculating the SysKey to decrypt Security Account Mannager (SAM) database entries (from registry or hive) and get NTLM, and sometimes LM hashes of local accounts password.

[‘Calculating SysKey’, ‘SAM Read’]

Roberto Rodriguez @Cyb3rWard0g

2020/09/21

Empire Elevated Scheduled Tasks

This dataset represents adversaries creating and/or executing local scheduled tasks to maintain persistence in an environment.

[‘Local Scheduled Tasks’]

Roberto Rodriguez @Cyb3rWard0g

2020/09/21

Empire Invoke WMI

This dataset represents an adversary remotely executing code via WMI. This dataset focuses on the use of the WMI Win32_Process class and method Create to execute code remotely.

[‘WMI IWbemServices ExecMethod’]

Roberto Rodriguez @Cyb3rWard0g

2020/09/18

DCOM RegisterXLL

This dataset represents adversaries leveraging the COM Method RegisterXLL over DCOM to execute an XLL file remotely. The XLL file can exist on the target or externally in an UNC path such as \SERVER\FILES.

[‘DCOM’]

Roberto Rodriguez @Cyb3rWard0g

2020/09/18

DCOM ExecuteExcel4macro

This dataset represents adversaries leveraging the COM Method ExecuteExcel4Macro over DCOM to execute Excel4 macros remotely

[‘DCOM’]

Roberto Rodriguez @Cyb3rWard0g

2020/09/16

Mimikatz Netlogon Unauthenticated NetrServerAuthenticate2

This dataset represents adversaries leveraging a vulnerability (CVE-2020-1472) in a cryptographic authentication scheme used by the Netlogon Remote Protocol, which among other things can be used to update computer passwords. This vulnerability was discovered by @@SecuraBV.

[‘CVE-2020-1472’, ‘Password Update’, ‘Netlogon Insecure AES-CFB8’]

Roberto Rodriguez @Cyb3rWard0g

2020/09/14

Empire Remote WMIC Add User

This dataset represents an adversary remotely executing code via WMI to ad a backdoor user on the target system. This dataset focuses on the use of the WMI Win32_Process class and method Create to execute code remotely.

[‘WMI IWbemServices ExecMethod’, ‘User Backdoor’]

Roberto Rodriguez @Cyb3rWard0g

2020/09/04

Invoke BypassUAC FodHelper

This dataset represents adversaries elevating privileges (bypassing uac) by performing an registry modification for FodHelper.

[‘BypassUAC’, ‘Registry Modification’, ‘Windows Registry FodHelper’]

Roberto Rodriguez @Cyb3rWard0g

2020/08/06

Covenant GetDomainGroup Domain Admins

This dataset represents a threat actor enumerating the domain groups via LDAP (i.e. SearchRequest Method) in an environment.

[‘Domain Groups Enumeration’, ‘LDAP SearchRequest’]

Roberto Rodriguez @Cyb3rWard0g

2020/08/06

Covenant PowerShell Remoting Command

This dataset represents adversaries executing malicious code on remote hosts using PowerShell Remoting (WinRM).

[‘PowerShell Remoting’]

Roberto Rodriguez @Cyb3rWard0g

2020/08/06

Covenant SharpSC Start

This dataset represents adversaries remotely starting a service via RPC methods such as StartService over SMB named pipes such as svcctl.

[‘RPC StartService’, ‘SMB Svcctl’]

Roberto Rodriguez @Cyb3rWard0g

2020/08/06

Covenant Remote File Copy

This dataset represents a threat actor remotely copying a file over SMB (CreateRequest).

[‘SMB CreateRequest’]

Roberto Rodriguez @Cyb3rWard0g

2020/08/06

Covenant SharpSC Create

This dataset represents adversaries remotely creating a service via RPC methods such as CreateService over SMB named pipes such as svcctl.

[‘RPC CreateService’, ‘SMB Svcctl’]

Roberto Rodriguez @Cyb3rWard0g

2020/08/06

Covenant SharpSC Stop Service

This dataset represents a threat actor using the RPC ControlService method over SMB to stop a service.

[‘RPC ControlService’, ‘Stop Service’, ‘SMB Svcctl’]

Roberto Rodriguez @Cyb3rWard0g

2020/08/06

Covenant SharpSC Query

This dataset represents a threat actor leveraging the RPC method EnumServiceStatusW over SMB svcctl to query the status of a service on a remote endpoint..

[‘RPC EnumServiceStatusW’, ‘SMB Svcctl’]

Roberto Rodriguez @Cyb3rWard0g

2020/08/05

Covenant SC.exe Utility Query

This dataset represents an adversary leveraging the sc.exe utility to query (RPC QueryServiceStatus method) for the statu of a service on a remote endpoint.

[‘RPC QueryServiceStatus’, ‘SMB Svcctl’]

Roberto Rodriguez @Cyb3rWard0g

2020/08/05

Covenant DCSync

This dataset represents adversaries abusing Active Directory Replication services to retrieve secret domain data (i.e. NTLM hashes) from domain accounts.

[‘AD Replication Services’, ‘RPC DRSUAPI DsGetNCChanges’]

Roberto Rodriguez @Cyb3rWard0g

2020/07/24

Covenant Remote WMI Eventing ActiveScriptEventConsumers

This dataset represents adversaries using WMI event subscriptions (ActiveScriptEventConsumers) remotely to move laterally.

[‘Remote WMI Eventing’]

Roberto Rodriguez @Cyb3rWard0g

2020/07/22

Empire Invoke DLLInjection

This dataset represents a threat actor injecting a Dll (On Disk) into an arbitrary process via LoadLibrary and executd by CreateRemoteThread APIs

[‘DLL Injection’, ‘LoadLibrary’, ‘CreateRemoteThread Execution’]

Roberto Rodriguez @Cyb3rWard0g

2020/07/22

Empire Elevated Registry Run Keys

This dataset represents adversaries modifying local Run registry keys (i.e. HKLM:SOFTWARE\Microsoft\Windows\CurrentVersion\Run) for persistence. It also captures the execution of the persistence mechanism.

[‘Local Registry Modification’, ‘Registry Run Keys’]

Roberto Rodriguez @Cyb3rWard0g

2020/07/21

Empire Regsvr32 Execution

This dataset represents threat actors leveraging regsvr32 to proxy the execution of an empire payload (.sct file) to create a reverse connection to the C2.

[‘Regsvr32 Execution’]

Roberto Rodriguez @Cyb3rWard0g

2020/06/09

MSF Record Mic

This dataset represents adversaries accessing the microphone of an endpoint.

[‘Microphone Access’]

Roberto Rodriguez @Cyb3rWard0g

2019/12/25

Empire Invoke InternalMonologue

This dataset represents adversaries downgrading the challenge/response authentication protocol used for network logons, the minimum security negotiated for applications using NTLMSSP, and security settings that restrict outgoing NTLM traffic to remote servers in an environment

[‘Registry Modification’, ‘Windows Registry NetNTLM settings’, ‘Downgrade’]

Roberto Rodriguez @Cyb3rWard0g

2019/10/27

RDP TaskManager LSASS Dump

This dataset represents adversaries using RDP and task manager interactively and dump the memory space of lsass.

[‘RDP Interactive’]

Roberto Rodriguez @Cyb3rWard0g

2019/10/27

Covenant ShellCmd InstallUtil

This dataset represents adversaries proxy executing code through InstallUtil, a trusted Windows utility.

[‘InstallUtil’, ‘LOLBin’]

Roberto Rodriguez @Cyb3rWard0g

2019/06/25

Empire Reg Dump SAM Hive

This dataset represents adversaries with administrator privileges using the windows reg utility to dump the SAM registry hive.

[‘SAM Rquest Handle’]

Roberto Rodriguez @Cyb3rWard0g

2019/06/25

Empire Mimikatz SAM Extract Hashes

This dataset represents adversaries calculating the SysKey to decrypt Security Account Mannager (SAM) database entries (from registry or hive) and get NTLM, and sometimes LM hashes of local accounts password.

[‘Calculating SysKey’, ‘SAM Read’, ‘SAM Handle Request’]

Roberto Rodriguez @Cyb3rWard0g

2019/05/19

Empire Remote Get Session

This dataset represents adversaries leveraging RPC SRVSVC and the method NetSessEnum over SMB to query remote hosts for active sessions

[‘RPC NetSessEnum’, ‘SMB Srvsvc’]

Roberto Rodriguez @Cyb3rWard0g

2019/05/18

Empire Invoke SMBExec

This dataset represents adversaries remotely creating and starting a service via RPC methods over SMB named pipes such as svcctl.

[‘RPC CreateService’, ‘RPC StartService’, ‘SMB Svcctl’]

Roberto Rodriguez @Cyb3rWard0g

2019/05/18

Covenant SharpWMI Exec

This dataset represents an adversary remotely executing code via WMI. This dataset focuses on the use of the WMI Win32_Process class and method Create to execute code remotely.

[‘WMI IWbemServices ExecMethod’]

Roberto Rodriguez @Cyb3rWard0g

2019/05/18

Empire WDigest Downgrade

This dataset represents adversaries setting the UseLogonCredential property value from HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest key to 1 to enable plain text passwords.

[‘Registry Modification’, ‘Windows Registry WDigest’]

Roberto Rodriguez @Cyb3rWard0g

2019/05/18

Empire Shell Net Domain Admins

This dataset represents adversaries enumerating members of domain groups (i.e. Domain Admins) via RPC SAMR interface over SMB. Some of the main RPC methods captured over the network are SamrLookupNamesInDomain (Opnum 17) and SamrQueryInformationGroup (Opnum 20) where there are indicators about the specific group name enumerated.

[‘Domain Groups Enumeration’, ‘RPC SAMR SamrQueryInformationGroup’]

Roberto Rodriguez @Cyb3rWard0g

2019/05/18

Empire Enable RDP

This dataset represents adversaries enabling RDP and adding a firewall exception to a compromised system

[‘Registry Modification’, ‘Windows Registry RDP Settings’]

Roberto Rodriguez @Cyb3rWard0g

2019/05/18

Empire Invoke PSRemoting

This dataset represents adversaries executing malicious code on remote hosts using PowerShell Remoting (WinRM).

[‘PowerShell Remoting’]

Roberto Rodriguez @Cyb3rWard0g

2019/05/18

Empire Elevated WMI Eventing

This dataset represents adversaries leveraging WMI subscriptions locally for persistence.

[‘Local WMI Eventing’, ‘WMI Event Subscriptions’]

Roberto Rodriguez @Cyb3rWard0g

2019/05/18

Empire Mimikatz Backup Keys

This dataset represents adversaries retrieving the DPAPI Domain Backup Key from the DC via RPC LSARPC methods over SMB.

[‘DPAPI’, ‘DPAPI Domain Backup key’, ‘RPC LSARPC’]

Roberto Rodriguez @Cyb3rWard0g

2019/05/18

Empire Mimikatz LogonPasswords

This dataset represents adversaries reading credentials from the memory contents of lsass.exe. One popular tool performing this behavior is Mimikatz.

[‘LSASS Memory Credentials Read’]

Roberto Rodriguez @Cyb3rWard0g

2019/05/18

Empire Find Local Admin Access

This dataset represents adversaries using the OpenSCManagerW Win32API call to establish a handle to the remote host and verify if the current user context has local administrator acess to the target.

[‘RPC OpenSCManager’, ‘SMB Svcctl’]

Roberto Rodriguez @Cyb3rWard0g

2019/05/18

Empire Invoke DCOM ShellWindows

This dataset represents adversaries executing commands remotely via DCOM ShellWindows COM Method.

[‘DCOM ShellWindows’]

Roberto Rodriguez @Cyb3rWard0g

2019/05/18

Empire PSInject

This dataset represents adversaries reflectively loading/intecting a portable executable (PE) (not on disk) into a process via WriteprocessMemory and executed via CreateRemoteThread APIs

[‘PE Injection’, ‘WriteProcessMemory’, ‘CreateRemoteThread Execution’]

Roberto Rodriguez @Cyb3rWard0g

2019/05/18

Empire Invoke PsExec

This dataset represents adversaries remotely creating and starting a service via RPC methods over TCP.

[‘RPC CreateService’, ‘RPC StartService’, ‘TCP Svcctl’]

Roberto Rodriguez @Cyb3rWard0g

2019/05/18

Empire Mimikatz Lsadump LSA Patch

This dataset represents adversaries reading credentials from the memory contents of lsass.exe. One popular tool performing this behavior is Mimikatz.

[‘LSASS Memory Credentials Read’]

Roberto Rodriguez @Cyb3rWard0g

2019/05/18

Empire Invoke Execute MSBuild

This dataset represents an adversary remotely creating a file (.xml) via SMB and executing it remotetly via WMI and msbuild. This dataset focuses on the use of the WMI Win32_Process class and method Create to execute code remotely.

[‘WMI IWbemServices ExecMethod’, ‘SMB CreateRequest’]

Roberto Rodriguez @Cyb3rWard0g

2019/05/18

Empire VBS Execution

This dataset represents adversaries executing a VBS script as a launcher for initial access.

[‘VBS Script Execution’]

Roberto Rodriguez @Cyb3rWard0g

2019/05/18

Empire Mimikatz Extract Kerberos Keys

This dataset represents adversaries extracting kerberos tickets from memory.

[‘Kerberos Tickets’]

Roberto Rodriguez @Cyb3rWard0g

2019/04/03

IKEEXT Remote Service DLL Hijack

This dataset represents adversaries copying a file remotely to replace a file which is executed by a service that is vulnerable to DLL hijack. This dataset includes

[‘Remote Service DLL Hijacking’, ‘RPC over SMB Svcctl’]

Roberto Rodriguez @Cyb3rWard0g

2019/03/19

Empire Userland Registry Run Keys

This dataset represents adversaries modifying local Run registry keys (i.e. HKLM:SOFTWARE\Microsoft\Windows\CurrentVersion\Run) for persistence. It also captures the execution of the persistence mechanism.

[‘Local Registry Modification’, ‘Registry Run Keys’]

Roberto Rodriguez @Cyb3rWard0g

2019/03/19

Empire Net Local Administrators Group

This dataset represents adversaries enumerating members of the local Administratrors group via the net.exe utility

[‘Local Administrators Group Enumeration’]

Roberto Rodriguez @Cyb3rWard0g

2019/03/19

Empire Userland Scheduled Tasks

This dataset represents adversaries creating and/or executing local scheduled tasks to maintain persistence in an environment.

[‘Local Scheduled Tasks’]

Roberto Rodriguez @Cyb3rWard0g

2019/03/19

Rubeus Userland ASKTGT PTT

This dataset represents adversaries crafting raw AS-REQ (TGT request) traffic for a specific user and encryption key (/rc4, /aes128, /aes256, or /des) to request TGTs without touching lsass.

[‘Over-Pass-The-Hash’, ‘Not Touching LSASS’]

Roberto Rodriguez @Cyb3rWard0g

2019/03/19

Empire Over-Pass-The-Hash

This dataset represents adversaries taking a hash/key (rc4_hmac, aes256_cts_hmac_sha1, etc.) for a domain-joined user into a fully-fledged Kerberos TGT. In this case, an adversary can write the hash/key into an existing logon session (i.e. a sacrificial logon session) section in the memory content of LSASS and kick off the regular Kerberos authentication process.

[‘Over-Pass-The-Hash’, ‘Patching LSASS’]

Roberto Rodriguez @Cyb3rWard0g

2019/03/19

Empire Net Domain Users

This dataset represents adversaries enumerating all users that belong to a domain via RPC SAMR EnumDomainUsers.

[‘Domain Users Enumeration’, ‘RPC SAMR EnumDomainUsers’]

Roberto Rodriguez @Cyb3rWard0g

2019/03/19

Empire Net Local Users

This dataset represents adversaries enumerating all local users on an endpoint

[‘Local Users Enumeration’]

Roberto Rodriguez @Cyb3rWard0g

2019/03/19

Rubeus Elevated ASKTGT CreateNetOnly

This dataset represents adversaries crafting raw AS-REQ (TGT request) traffic for a specific user and encryption key (/rc4, /aes128, /aes256, or /des) to request TGTs without touching lsass.

[‘Over-Pass-The-Hash’, ‘Not Touching LSASS’]

Roberto Rodriguez @Cyb3rWard0g

2019/03/01

Empire DCSync

This dataset represents adversaries abusing Active Directory Replication services to retrieve secret domain data (i.e. NTLM hashes) from domain accounts.

[‘AD Replication services’, ‘RPC DRSUAPI DsGetNCChanges’]

Roberto Rodriguez @Cyb3rWard0g

2019/03/01

Empire Powerview Add-DomainObjectAcl

This datasets represent adversaries with enough permissions (i.e. domain admin) adding an access control entry (ACE) to the discretionary access control list (DACL) of an Active Directory object (i.e Root Domain). One example could be adversaries modifying the root domain DACL to allow a specific domain user, despite being in no privileged groups and not having local admin rights on the domain controller itself, to use Active Directory replication services and obtain secret domain data (i.e. Other user NTLM Hashes)

[‘AD Object Modification’, ‘AD Object nTSecurityDescriptor’, ‘LDAP ModifyRequest’]

Roberto Rodriguez @Cyb3rWard0g