WriteDACL cleanup must remove the ACE that was added and then undo the follow-on action. Removing the ACE is not enough if the attacker already reset a password, added a group member, changed Shadow Credentials, or granted DCSync rights.
Remove ACEs for a principal using dsacls:
dsacls "CN=Web Service,OU=Service Accounts,OU=OOTW Lab,DC=ootw,DC=local" /R "OOTW\ben.carter"
dsacls "CN=ACL Operators,OU=Groups,OU=OOTW Lab,DC=ootw,DC=local" /R "OOTW\ben.carter"
dsacls "DC=ootw,DC=local" /R "OOTW\ben.carter"
Remove an added member:
Remove-ADGroupMember -Identity 'ACL Operators' -Members 'alice.wright' -Confirm:$false
Review:
$Sid = ConvertTo-SID 'OOTW\ben.carter'
Get-DomainObjectAcl -Identity 'svc_web' -ResolveGUIDs |
Where-Object { $_.SecurityIdentifier -eq $Sid }
Get-DomainObjectAcl -Identity 'DC=ootw,DC=local' -ResolveGUIDs |
Where-Object { $_.SecurityIdentifier -eq $Sid }
Primary event:
4670 - Permissions on an object were changed
Supporting events:
4662 - Operation performed on object
5136 - Directory object modified
4724 - Password reset after DACL change
4728 / 4732 / 4756 - Group membership change after DACL change
4662 with replication GUIDs - DCSync rights used or modified
Remediation:
- remove unnecessary WriteDACL rights
- monitor sensitive DACL changes
- restrict delegation at OU level
- review inherited ACEs
- alert on DCSync rights granted outside DCs and approved replication principals
- require change control for object permission changes