ACLs

General

  • Each Access Control Entry (ACE) corresponds to an individual permission or an audited access

  • Who has permission and what can be done on an object?

  • Two types:

    • DACL - Defines the permissions trustees (a user or group) have on an object

    • SACL - Logs success and failure audit messages when an object is accessed

Enumerate ACLs without Resolving GUIDs

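# AD Module (Get-Acl needs the AD: drive prefix, which exists once the module is loaded)
Import-Module ActiveDirectory
(Get-Acl 'AD:\CN=Domain Admins,CN=Users,DC=dc01,DC=dc02,DC=local').Access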

Get the ACLs Associated with the Specified Object

# PowerView
Get-ObjectACL -SamAccountName "Users" -ResolveGUIDs
# PowerView
Get-ObjectACL -ADSPrefix 'CN=Administrator,CN=Users' -Verbose
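
The DACL/SACL split and the GUID resolution described above, as an added audit example that is not part of the original page or of PowerView. It runs offline on Windows against a constructed SDDL string; the SIDs, the $risky table and the Get-AceReport function name are assumptions made for illustration.

```powershell
# Constructed sample security descriptor (not from a real domain); all domain SIDs are made up.
$sddl = 'O:BAG:BAD:(A;;RPLCLORC;;;AU)' +
        '(A;;WD;;;S-1-5-21-1111111111-2222222222-3333333333-1104)' +
        '(OA;;CR;00299570-246d-11d0-a768-00aa006e0529;;S-1-5-21-1111111111-2222222222-3333333333-1105)' +
        'S:(AU;SAFA;WDWO;;;WD)'

# Directory access-mask bits that let a trustee change or take over an object.
# GenericAll (0xF01FF) contains all four, so it is reported as all four.
$risky = [ordered]@{ WriteDacl = 0x40000; WriteOwner = 0x80000; WriteProperty = 0x20; ExtendedRight = 0x100 }

# Extended-right GUIDs resolved to their schema names (what -ResolveGUIDs does for you).
$guids = @{
    '00299570-246d-11d0-a768-00aa006e0529' = 'User-Force-Change-Password'
    '1131f6aa-9c07-11d1-f79f-00c04fc2dcd2' = 'DS-Replication-Get-Changes'
    '1131f6ad-9c07-11d1-f79f-00c04fc2dcd2' = 'DS-Replication-Get-Changes-All'
}

function Get-AceReport {
    param([string]$Sddl)
    $sd = [System.Security.AccessControl.RawSecurityDescriptor]::new($Sddl)
    $lists = @{ DACL = $sd.DiscretionaryAcl; SACL = $sd.SystemAcl }
    foreach ($name in 'DACL', 'SACL') {
        foreach ($ace in $lists[$name]) {
            # Names of the risky bits present in this ACE's access mask.
            $rights = @($risky.Keys | Where-Object { $ace.AccessMask -band $risky[$_] })
            $target = 'whole object'
            if ($ace -is [System.Security.AccessControl.ObjectAce] -and
                ($ace.ObjectAceFlags -band [System.Security.AccessControl.ObjectAceFlags]::ObjectAceTypePresent)) {
                $g = $ace.ObjectAceType.ToString()
                $target = if ($guids.ContainsKey($g)) { $guids[$g] } else { $g }
            }
            [pscustomobject]@{
                List    = $name
                Type    = $ace.AceType
                Trustee = $ace.SecurityIdentifier.Value
                Rights  = $rights -join ','
                Target  = $target
                # Only allow ACEs in the DACL grant anything; SACL entries only audit.
                Review  = ($name -eq 'DACL' -and $rights.Count -gt 0 -and "$($ace.AceType)" -like 'AccessAllowed*')
            }
        }
    }
}

Get-AceReport -Sddl $sddl | Format-Table -AutoSize
```

Rows with Review set to True are the ones to check against the list of trustees expected to hold control over the object.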

Search for Interesting ACEs

Get the ACLs Associated with the Specified Path

Enumerate Who Has Rights to the 'matt' User in 'testlab.local', Resolving Rights GUIDs to Names

Grant User 'will' the Rights to Change 'matt's Password

Audit the Permissions of AdminSDHolder, Resolving GUIDs

Backdoor the ACLs of All Privileged Accounts with the 'matt' Account through AdminSDHolder Abuse

Retrieve most Users Who Can Perform DC Replication for dev.testlab.local (i.e. DCsync)

Enumerate Permissions for GPOs where Users with RIDs of > -1000 Have Some Kind of Modification/Control Rights
