GenericAll
Reset target user password.ForceChangePassword
AddMember
GenericWrite
Write a SPN to Kerberoast the target.WriteDACL
Grant DCSync rights to controlled user.WriteOwner
Take ownership then grant full control.AllExtendedRights
Reset target password.DCSync (GetChanges + GetChangesAll)
Dump all domain hashes.Unconstrained Delegation
Monitor for incoming TGTs (run on compromised host with unconstrained delegation).Constrained Delegation (S4U2Proxy)
Impersonate Domain Admin to target service.Resource-Based Constrained Delegation (RBCD)
Add attacker-controlled computer to target’smsDS-AllowedToActOnBehalfOfOtherIdentity.